October 17, 2018
SEC Warns Public Companies on Cyber-Fraud Controls

On October 16, 2018, the Securities and Exchange Commission issued a report warning public companies about the importance of internal controls to prevent cyber fraud. The report described the SEC Division of Enforcement's investigation of multiple public companies which had collectively lost nearly $100 million in a range of cyber-scams, typically involving phony emails requesting payments to vendors or corporate executives.[1] Although these types of cyber-crimes are common, the Enforcement Division notably investigated whether the failure of the companies' internal accounting controls to prevent unauthorized payments violated the federal securities laws. The SEC ultimately declined to pursue enforcement actions, but nonetheless issued a report cautioning public companies about the importance of devising and maintaining a system of internal accounting controls sufficient to protect company assets.

While the SEC has previously addressed the need for public companies to promptly disclose cybersecurity incidents, the new report sees the agency wading into corporate controls designed to mitigate such risks. The report encourages companies to calibrate existing internal controls, and related personnel training, to ensure they are responsive to emerging cyber threats. The report (issued to coincide with National Cybersecurity Awareness Month) clearly intends to warn public companies that future investigations may result in enforcement action.

The Report of Investigation

Section 21(a) of the Securities Exchange Act of 1934 empowers the SEC to issue a public Report of Investigation where deemed appropriate. While SEC investigations are confidential unless and until the SEC files an enforcement action alleging that an individual or entity has violated the federal securities laws, Section 21(a) reports provide a vehicle to publicize investigative findings even where no enforcement action is pursued.
Such reports are used sparingly, perhaps every few years, typically to address emerging issues where the interpretation of the federal securities laws may be uncertain. (For instance, recent Section 21(a) reports have addressed the treatment of digital tokens as securities and the use of social media to disseminate material corporate information.)

The October 16 report details the Enforcement Division's investigations into the internal accounting controls of nine issuers, across multiple industries, that were victims of cyber-scams. The Division identified two specific types of cyber-fraud, typically referred to as business email compromises or "BECs," that had been perpetrated. The first involved emails from unaffiliated persons claiming to be the company's own executives, typically sent to finance personnel directing them to wire large sums of money to a foreign bank account for time-sensitive deals. These were often unsophisticated operations, textbook fakes that included urgent, secret requests, unusual foreign transactions, and spelling and grammatical errors. The second type of business email compromise was harder to detect. Perpetrators hacked real vendors' email accounts and sent invoices and requests for payment that appeared to be for otherwise legitimate transactions. As a result, issuers paid outstanding invoices to foreign accounts controlled by the impersonators rather than to their real vendors, often learning of the scam only when the legitimate vendor inquired about delinquent bills. According to the SEC, both types of fraud often succeeded, at least in part, because responsible personnel failed to understand their company's existing cybersecurity controls or to appropriately question the veracity of the emails.
The SEC explained that the frauds themselves were not sophisticated in design or in their use of technology; rather, they relied on "weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective."

SEC Cyber-Fraud Guidance

Cybersecurity has been a high priority for the SEC dating back several years. The SEC has pursued a number of enforcement actions against registered securities firms arising out of data breaches or deficient controls. For example, just last month the SEC brought a settled action against a broker-dealer/investment-adviser which suffered a cyber-intrusion that had allegedly compromised the personal information of thousands of customers. The SEC alleged that the firm had failed to comply with securities regulations governing the safeguarding of customer information, including the Identity Theft Red Flags Rule.[2]

The SEC has been less aggressive in pursuing cybersecurity-related actions against public companies. However, earlier this year, the SEC brought its first enforcement action against a public company for alleged delays in its disclosure of a large-scale data breach.[3] But such enforcement actions put the SEC in the difficult position of weighing charges against companies which are themselves victims of a crime. The SEC has thus tried to be measured in its approach to such actions, turning to speeches and public guidance rather than a large number of enforcement actions. (Indeed, the SEC has had to make the embarrassing disclosure that its own EDGAR online filing system had been hacked and sensitive information compromised.[4]) Hence, in February 2018, the SEC issued interpretive guidance for public companies regarding the disclosure of cybersecurity risks and incidents.[5] Among other things, the guidance counseled the timely public disclosure of material data breaches, recognizing that such disclosures need not compromise the company's cybersecurity efforts.
The guidance further discussed the need to maintain effective disclosure controls and procedures. However, the February guidance did not address specific controls to prevent cyber incidents in the first place.

The new Report of Investigation takes the additional step of addressing not just corporate disclosures of cyber incidents, but the procedures companies are expected to maintain in order to prevent such incidents from occurring. The SEC noted that the internal controls provisions of the federal securities laws are not new, and based its report largely on the controls set forth in Section 13(b)(2)(B) of the Exchange Act. But the SEC emphasized that such controls must be "attuned to this kind of cyber-related fraud, as well as the critical role training plays in implementing controls that serve their purpose and protect assets in compliance with the federal securities laws." The report noted that the issuers under investigation had procedures in place to authorize and process payment requests, yet were still victimized, at least in part "because the responsible personnel did not sufficiently understand the company's existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability." The SEC concluded that public companies' "internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds" and that companies "must calibrate their internal accounting controls to the current risk environment."

Unfortunately, the vagueness of such guidance leaves the burden on companies to determine how best to address emerging risks. Whether a company's controls are adequate may be judged in hindsight by the Enforcement Division; not surprisingly, companies and individuals under investigation often find the staff asserting that, if the controls did not prevent the misconduct, they were by definition inadequate.
Here, the SEC took a cautious approach in issuing a Section 21(a) report highlighting the risk rather than publicly identifying and penalizing the companies which had already been victimized by these scams. However, companies and their advisors should assume that, with this warning shot across the bow, the next investigation of a similar incident may result in more serious action. Persons responsible for designing and maintaining the company's internal controls should consider whether improvements (such as enhanced training) are warranted; having now spoken on the issue, the Enforcement Division is likely to view corporate inaction as a factor in how it assesses the company's liability for future data breaches and cyber-frauds.

[1] SEC Press Release (Oct. 16, 2018), available at www.sec.gov/news/press-release/2018-236; the underlying report may be found at www.sec.gov/litigation/investreport/34-84429.pdf.
[2] SEC Press Release (Sept. 16, 2018), available at www.sec.gov/news/press-release/2018-213. This enforcement action was particularly notable as the first occasion on which the SEC relied upon the rules requiring financial advisory firms to maintain a robust program for preventing identity theft, thus emphasizing the significance of those rules.
[3] SEC Press Release (Apr. 24, 2018), available at www.sec.gov/news/press-release/2018-71.
[4] SEC Press Release (Oct. 2, 2017), available at www.sec.gov/news/press-release/2017-186.
[5] SEC Press Release (Feb. 21, 2018), available at www.sec.gov/news/press-release/2018-22; the guidance itself can be found at www.sec.gov/rules/interp/2018/33-10459.pdf. The SEC provided in-depth guidance in this release on disclosure processes and considerations related to cybersecurity risks and incidents, which complements some of the points highlighted in the Section 21(a) report.

Gibson Dunn's lawyers are available to assist with any questions you may have regarding these issues.
For further information, please contact the Gibson Dunn lawyer with whom you usually work in the firm's Securities Enforcement or Privacy, Cybersecurity and Consumer Protection practice groups, or the following authors: Marc J. Fagel – San Francisco (+1 415-393-8332, mfagel@gibsondunn.com) and Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com).

© 2018 Gibson, Dunn & Crutcher LLP. Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

October 10, 2018
Artificial Intelligence and Autonomous Systems Legal Update (3Q18)

We are pleased to provide the following update on recent legal developments in the areas of artificial intelligence, machine learning, and autonomous systems (or "AI" for short), and their implications for companies developing or using products based on these technologies. As the spread of AI rapidly increases, legal scrutiny in the U.S. of the potential uses and effects of these technologies (both beneficial and harmful) has also been increasing. While we have chosen to highlight below several governmental and legislative actions from the past quarter, the area is rapidly evolving and we will continue to monitor further actions in these and related areas to provide future updates of potential interest on a regular basis.

I. Increasing Federal Government Interest in AI Technologies

The Trump Administration and Congress have recently taken a number of steps aimed at pushing AI forward on the U.S. agenda, while also treating with caution foreign involvement in U.S.-based AI technologies. Some of these actions may mean additional hurdles for cross-border transactions involving AI technology. On the other hand, there may also be opportunities for companies engaged in the pursuit of AI technologies to influence the direction of future legislation at an early stage.

A. White House Studies AI

In May, the Trump Administration kicked off what is becoming an active year in AI for the federal government by hosting an "Artificial Intelligence for American Industry" summit as part of its designation of AI as an "Administration R&D priority."[1] During the summit, the White House also announced the establishment of a "Select Committee on Artificial Intelligence" to advise the President on research and development priorities and explore partnerships within the government and with industry.[2] This Select Committee is housed within the National Science and Technology Council, and is chaired by Office of Science and Technology Policy leadership.
Administration officials have said that a focus of the Select Committee will be to look at opportunities for increasing federal funding of AI research in the private sector, to ensure that the U.S. has (or maintains) a technological advantage in AI over other countries. In addition, the Committee is to look at possible uses of the government's vast store of taxpayer-funded data to promote the development of advanced AI technologies, without compromising security or individual privacy. While it is believed that there will be opportunities for private stakeholders to have input into the Select Committee's deliberations, the inaugural meeting of the Committee, which occurred in late June, was not open to the public for input.

B. AI in the NDAA for 2019

More recently, on August 13th, President Trump signed into law the John S. McCain National Defense Authorization Act (NDAA) for 2019,[3] which specifically authorizes the Department of Defense to appoint a senior official to coordinate activities relating to the development of AI technologies for the military, as well as to create a strategic plan for incorporating a number of AI technologies into its defense arsenal. In addition, the NDAA includes the Foreign Investment Risk Review Modernization Act (FIRRMA)[4] and the Export Control Reform Act (ECRA),[5] both of which require the government to scrutinize cross-border transactions involving certain new technologies, likely including AI-related technologies.

FIRRMA modifies the review process currently used by the Committee on Foreign Investment in the United States (CFIUS), an interagency committee that reviews the national security implications of investments by foreign entities in the United States.
With FIRRMA's enactment, the scope of the transactions that CFIUS can review is expanded to include those involving "emerging and foundational technologies," defined as those that are critical for maintaining the national security technological advantage of the United States. While the changes to the CFIUS process are still fresh and untested, increased scrutiny under FIRRMA will likely have an impact on available foreign investment in the development and use of AI, at least where the AI technology involved is deemed such a critical technology and is sought to be purchased or licensed by foreign investors.

Similarly, ECRA requires the President to establish an interagency review process, with various agencies including the Departments of Defense, Energy and State and the heads of other agencies "as appropriate," to identify emerging and foundational technologies essential to national security in order to impose appropriate export controls. Export licenses are to be denied if the proposed export would have a "significant negative impact" on the U.S. defense industrial base. The terms "emerging and foundational technologies" are not expressly defined, but it is likely that AI technologies, which are of course "emerging," would receive a close look under ECRA, and that ECRA might also curtail whether certain AI technologies can be sold or licensed to foreign entities.

The NDAA also established a National Security Commission on Artificial Intelligence "to review advances in artificial intelligence, related machine learning developments, and associated technologies." The Commission, made up of certain senior members of Congress as well as the Secretaries of Defense and Commerce, will function independently from other such panels established by the Trump Administration and will review developments in AI along with assessing risks related to AI and related technologies, to consider how those methods relate to the national security and defense needs of the United States.
The Commission will focus on technologies that provide the U.S. with a competitive AI advantage, and will look at the need for AI research and investment as well as consider the legal and ethical risks associated with the use of AI. Members are to be appointed within 90 days of the Commission being established, and an initial report to the President and Congress is to be submitted by early February 2019.

C. Additional Congressional Interest in AI/Automation

While a number of existing bills with potential impacts on the development of AI technologies remain stalled in Congress,[6] two more recently-introduced pieces of legislation are also worth monitoring as they progress through the legislative process.

In late June, Senator Feinstein (D-CA) sponsored the "Bot Disclosure and Accountability Act of 2018," which is intended to address some of the concerns over the use of automated systems for distributing content through social media.[7] As introduced, the bill seeks to prohibit certain types of bot or other automated activity directed to political advertising, at least where such automated activity appears to impersonate human activity. The bill would also require the Federal Trade Commission to establish and enforce regulations to require public disclosure of the use of bots, defined as any "automated software program or process intended to impersonate or replicate human activity online." The bill provides that any such regulations are to be aimed at the "social media provider," and would place the burden of compliance on such providers of social media websites and other outlets. Specifically, the FTC is to promulgate regulations requiring the provider to take steps to ensure that any users of a social media website owned or operated by the provider would receive "clear and conspicuous notice" of the use of bots and similar automated systems.
FTC regulations would also require social media providers to police their systems, removing non-compliant postings and/or taking other actions (including suspension or removal) against users that violate such regulations. While there are significant differences, the Feinstein bill is nevertheless similar in many ways to California's recently-enacted bot disclosure law (S.B. 1001), discussed more fully in our previous client alert located here.[8]

Also of note, on September 26th, a bipartisan group of Senators introduced the "Artificial Intelligence in Government Act," which seeks to provide the federal government with additional resources to incorporate AI technologies into the government's operations.[9] As written, this new bill would require the General Services Administration to bring on technical experts to advise other government agencies, conduct research into future federal AI policy, and promote inter-agency cooperation with regard to AI technologies. The bill would also create yet another federal advisory board to advise government agencies on AI policy opportunities and concerns. In addition, the newly-introduced legislation seeks to require the Office of Management and Budget to identify ways for the federal government to invest in and utilize AI technologies, and tasks the Office of Personnel Management with anticipating and providing training for the skills and competencies the government requires going forward for incorporating AI into its overall data strategy.

II. Potential Impact on AI Technology of Recent California Privacy Legislation

Interestingly, in the related area of data privacy regulation, the federal government has been slower to respond, and it is the state legislatures that are leading the charge.[10] Most machine learning algorithms depend on the availability of large data sets for purposes of training, testing, and refinement. Typically, the larger and more complete the datasets available, the better.
However, these datasets often include highly personal information about consumers, patients, or others of interest: data that can sometimes be used to predict information specific to a particular person even if attempts are made to keep the source of such data anonymous.

The European Union's General Data Protection Regulation, or GDPR, which went into force on May 25, 2018, has deservedly garnered a great deal of press as one of the first, most comprehensive collections of data privacy protections. While we're only months into its effective period, the full impact and enforcement of the GDPR's provisions have yet to be felt. Still, many U.S. companies, forced to take steps to comply with the provisions of GDPR at least with regard to EU citizens, have opted to take many of those same steps here in the U.S., despite the fact that no direct U.S. federal analogue to the GDPR yet exists.[11]

Rather than wait for the federal government to act, several states have opted to follow the lead of the GDPR and enact their own versions of comprehensive data privacy laws. Perhaps the most significant of these state-legislated omnibus privacy laws is the California Consumer Privacy Act ("CCPA"), signed into law on June 28, 2018, and slated to take effect on January 1, 2020.[12] The CCPA is not identical to the GDPR, differing in a number of key respects. However, there are many similarities, in that the CCPA also has broad definitions of personal information/data, and seeks to provide a right to notice of data collection, a right of access to and correction of collected data, a right to be forgotten, and a right to data portability. But how do the CCPA's requirements differ from the GDPR for companies engaged in the development and use of AI technologies? While there are many issues to consider, below we examine several of the key differences of the CCPA and their impact on machine learning and other AI-based processing of collected data.

A. Inferences Drawn from Personal Information

The GDPR defines personal data as "any information relating to an identified or identifiable natural person," such as "a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."[13] Under the GDPR, personal data has implications in the AI space beyond just the data that is actually collected from an individual. AI technology can be and often is used to generate additional information about a person from collected data, e.g., spending habits, facial features, risk of disease, or other inferences that can be made from the collected data. Such inferences, or derivative data, may well constitute "personal data" under a broad view of the GDPR, although there is no specific mention of derivative data in the definition.

By contrast, the CCPA goes farther and specifically includes "inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes."[14] An "inference" is defined as "the derivation of information, data, assumptions, or conclusions from evidence, or another source of information or data."[15] Arguably the primary purpose of many AI systems is to draw inferences from a user's information, by mining data, looking for patterns, and generating analysis. Although the CCPA does limit inferences to those drawn "to create a profile about a consumer," the term "profile" is not defined in the CCPA. However, the use of consumer information that is "deidentified" or "aggregated" is permitted by the CCPA. Thus, one possible solution may be to take steps to "anonymize" any personal data used to derive any inferences.
As a result, when looking to CCPA compliance, companies may want to carefully consider the derivative/processed data that they are storing about a user, and consider additional steps that may be required for CCPA compliance.

B. Identifying Categories of Personal Information

The CCPA also requires disclosures of the categories of personal information being collected, the categories of sources from which personal information is collected, the purpose for collecting and selling personal information, and the categories of third parties with whom the business shares personal information.[16] Although these categories are likely known and definable for static data collection, it may be more difficult to specifically disclose the purpose and categories for certain information when dynamic machine learning algorithms are used. This is particularly true when, as discussed above, inferences about a user are included as personal information. In order to meet these disclosure requirements, companies may need to carefully consider how they will define all of the categories of personal information collected or the purposes of use of that information, particularly when machine learning algorithms are used to generate additional inferences from, or derivatives of, personal data.

C. Personal Data Includes Households

The CCPA's definition of "personal data" also includes information pertaining to non-individuals, such as "households" – a term that the CCPA does not further define.[17] In the absence of an explicit definition, the term "household" would seem to target information collected about a home and its inhabitants through smart home devices, such as thermostats, cameras, lights, TVs, and so on. When looking to the types of personal data being collected, the CCPA may also encompass information about each of these smart home devices, such as name, location, usage, and special instructions (e.g., temperature controls, light timers, and motion sensing).
Furthermore, any inferences or derivative information generated by AI algorithms from the information collected from these smart home devices may also be covered as personal information. Arguably, this could include information such as conversations with voice assistants or even information about when people are likely to be home, determined via cameras or motion sensors. Companies developing smart home, or other Internet of Things, devices thus should carefully consider whether the scope and use they make of any information collected from "households" falls under the CCPA requirements for disclosure or other restrictions.

III. Continuing Efforts to Regulate Autonomous Vehicles

Much like the potential for a comprehensive U.S. data privacy law, and despite a flurry of legislative activity in Congress in 2017 and early 2018 towards such a national regulatory framework, autonomous vehicles continue to operate under a complex patchwork of state and local rules with limited federal oversight. We previously provided an update (located here)[18] discussing the Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution (SELF DRIVE) Act,[19] which passed the U.S. House of Representatives by voice vote in September 2017, and its companion bill (the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act).[20] Both bills have since stalled in the Senate, and with them the anticipated implementation of a uniform regulatory framework for the development, testing and deployment of autonomous vehicles.

As the two bills languish in Congress, 'chaperoned' autonomous vehicles have already begun coexisting on roads alongside human drivers.
The accelerating pace of policy proposals—and debate surrounding them—looks set to continue in late 2018 as virtually every major automaker is placing more autonomous vehicles on the road for testing and some manufacturers prepare to launch commercial services such as self-driving taxi ride-shares[21] into a national regulatory vacuum.

A. "Light-touch" Regulation

The delineation of federal and state regulatory authority has emerged as a key issue because autonomous vehicles do not fit neatly into the existing regulatory structure. One of the key aspects of the proposed federal legislation is that it empowers the National Highway Traffic Safety Administration (NHTSA) with the oversight of manufacturers of self-driving cars through enactment of future rules and regulations that will set the standards for safety and govern areas of privacy and cybersecurity relating to such vehicles. The intention is to have a single body (the NHTSA) develop a consistent set of rules and regulations for manufacturers, rather than continuing to allow the states to adopt a web of potentially widely differing rules and regulations that may ultimately inhibit development and deployment of autonomous vehicles. This approach was echoed by safety guidelines released by the Department of Transportation (DoT) for autonomous vehicles. Through the guidelines ("a nonregulatory approach to automated vehicle technology safety"),[22] the DoT avoids any compliance requirement or enforcement mechanism, at least for the time being, as the scope of the guidance is expressly to support the industry as it develops best practices in the design, development, testing, and deployment of automated vehicle technologies.
Under the proposed federal legislation, the states can still regulate autonomous vehicles, but the guidance encourages states not to pass laws that would “place unnecessary burdens on competition and innovation by limiting [autonomous vehicle] testing or deployment to motor vehicle manufacturers only.”[23]  The third iteration of the DoT’s federal guidance, published on October 4, 2018, builds upon—but does not replace—the existing guidance, and reiterates that the federal government is placing the onus for safety on companies developing the technologies rather than on government regulation.[24]  The guidelines, which now include buses, transit and trucks in addition to cars, remain voluntary.

B. Safety

Much of the delay in enacting a regulatory framework is a result of policymakers’ struggle to balance the industry’s desire to speed both the development and deployment of autonomous vehicle technologies with the safety and security concerns of consumer advocates.  The AV START bill requires that NHTSA construct comprehensive safety regulations for AVs on a mandated, accelerated timeline for rulemaking, and the bill puts in place an interim regulatory framework that requires manufacturers to submit a Safety Evaluation Report addressing a range of key areas at least 90 days before testing, selling, or commercialization of driverless cars.
But some lawmakers and consumer advocates remain skeptical in the wake of highly publicized setbacks in autonomous vehicle testing.[25]  Although the National Transportation Safety Board (NTSB) has authority to investigate auto accidents, there is still no federal regulatory framework governing liability for individuals and states.[26]  There are also ongoing concerns over cybersecurity risks,[27] the use of forced arbitration clauses by autonomous vehicle manufacturers,[28] and miscellaneous engineering problems that revolve around the way in which autonomous vehicles interact with obstacles commonly faced by human drivers, such as emergency vehicles,[29] graffiti on road signs or even raindrops and tree shadows.[30]

In August 2018, the Governors Highway Safety Association (GHSA) published a report outlining the key questions that manufacturers should urgently address.[31]  The report suggested that states seek to encourage “responsible” autonomous car testing and deployment while protecting public safety and that lawmakers “review all traffic laws.”  The report also notes that public debate often blurs the boundaries between the different levels of automation the NHTSA has defined (ranging from level 0 (no automation) to level 5 (fully self-driving without the need for human occupants)), remarking that “most AVs for the foreseeable future will be Levels 2 through 4.  Perhaps they should be called ‘occasionally self-driving.’”[32]

C. State Laws

Currently, 21 states and the District of Columbia have passed laws regulating the deployment and testing of self-driving cars, and governors in 10 states have issued executive orders related to them.[33]  For example, California expanded its testing rules in April 2018 to allow for remote monitoring instead of a safety driver inside the vehicle.[34]  However, state laws differ on basic terminology, such as the definition of “vehicle operator.”  Tennessee SB 151[35] points to the autonomous driving system (ADS), while Texas SB 2205[36] designates a “natural person” riding in the vehicle.  Meanwhile, Georgia SB 219[37] identifies the operator as the person who causes the ADS to engage, which might happen remotely in a vehicle fleet.  These distinctions will affect how states license both human drivers and autonomous vehicles going forward.  Companies operating in this space accordingly need to stay abreast of legal developments in states in which they are developing or testing autonomous vehicles, while understanding that any new federal regulations may ultimately preempt those states’ authorities to determine, for example, crash protocols or how they handle their passengers’ data.

D. ‘Rest of the World’

While the U.S. was the first country to legislate for the testing of automated vehicles on public roads, the absence of a national regulatory framework risks impeding innovation and development.  In the meantime, other countries are vying for pole position among manufacturers looking to test vehicles on roads.[38]  KPMG’s 2018 Autonomous Vehicles Readiness Index ranks 20 countries’ preparedness for an autonomous vehicle future.  The Netherlands took the top spot, outperforming the U.S. (3rd) and China (16th).[39]  Japan and Australia plan to have self-driving cars on public roads by 2020.[40]  The U.K. government has announced that it expects to see fully autonomous vehicles on U.K. roads by 2021, and is introducing legislation—the Automated and Electric Vehicles Act 2018—which installs an insurance framework addressing product liability issues arising out of accidents involving autonomous cars, including those wholly caused by an autonomous vehicle “when driving itself.”[41]

E. Looking Ahead

While autonomous vehicles operating on public roads are likely to remain subject to both federal and state regulation, the federal government is facing increasing pressure to adopt a federal regulatory scheme for autonomous vehicles in 2018.[42]  Almost exactly one year after the House passed the SELF DRIVE Act, House Energy and Commerce Committee leaders called on the Senate to advance automated vehicle legislation, stating that “[a]fter a year of delays, forcing automakers and innovators to develop in a state-by-state patchwork of rules, the Senate must act to support this critical safety innovation and secure America’s place as a global leader in technology.”[43]  The continued absence of federal regulation renders the DoT’s informal guidance increasingly important.  The DoT has indicated that it will enact “flexible and technology-neutral” policies—rather than prescriptive performance-based standards—to encourage regulatory harmony and consistency as well as competition and innovation.[44]  Companies searching for more tangible guidance on safety standards at the federal level may find it useful to review the recent guidance issued alongside the DoT’s announcement that it is developing (and seeking public input into) a pilot program for ‘highly or fully’ autonomous vehicles on U.S. roads.[45]  The safety standards being considered include technology disabling the vehicle if a sensor fails or barring vehicles from traveling above safe speeds, as well as a requirement that NHTSA be notified of any accident within 24 hours.
[1] See https://www.whitehouse.gov/wp-content/uploads/2018/05/Summary-Report-of-White-House-AI-Summit.pdf; note also that the Trump Administration’s efforts in studying AI technologies follow, but appear largely separate from, several workshops on AI held by the Obama Administration in 2016, which resulted in two reports issued in late 2016 (see Preparing for the Future of Artificial Intelligence, and Artificial Intelligence, Automation, and the Economy).
[2] Id. at Appendix A.
[3] See https://www.mccain.senate.gov/public/index.cfm/2018/8/senate-passes-the-john-s-mccain-national-defense-authorization-act-for-fiscal-year-2019.  The full text of the NDAA is available at https://www.congress.gov/bill/115th-congress/house-bill/5515/text.  For additional information on CFIUS reform implemented by the NDAA, please see Gibson Dunn’s previous client update at https://www.gibsondunn.com/cfius-reform-our-analysis/.
[4] See id.; see also https://www.treasury.gov/resource-center/international/Documents/FIRRMA-FAQs.pdf.
[5] See https://foreignaffairs.house.gov/wp-content/uploads/2018/02/HR-5040-Section-by-Section.pdf.
[6] See, e.g., infra Section III discussion of the SELF DRIVE and AV START Acts, among others.
[7] S.3127, 115th Congress (2018).
[8] https://www.gibsondunn.com/new-california-security-of-connected-devices-law-and-ccpa-amendments/.
[9] S.3502, 115th Congress (2018).
[10] See also infra Section III for more discussion of specific regulatory efforts for autonomous vehicles.
[11] However, as 2018 has already seen a fair number of hearings before Congress relating to digital data privacy issues, including appearances by key executives from many major tech companies, it seems likely that it may not be long before we see the introduction of a “GDPR-like” comprehensive data privacy bill.  Whether any resulting federal legislation would actually pre-empt state-enacted privacy laws to establish a unified federal framework is itself a hotly-contested issue, and remains to be seen.
[12] AB 375 (2018); Cal. Civ. Code § 1798.100, et seq.
[13] Regulation (EU) 2016/679 (General Data Protection Regulation), Article 4(1).
[14] Cal. Civ. Code § 1798.140(o)(1)(K).
[15] Id. at § 1798.140(m).
[16] Id. at § 1798.110(c).
[17] Id. at § 1798.140(o)(1).
[18] https://www.gibsondunn.com/accelerating-progress-toward-a-long-awaited-federal-regulatory-framework-for-autonomous-vehicles-in-the-united-states/.
[19] H.R. 3388, 115th Cong. (2017).
[20] U.S. Senate Committee on Commerce, Science and Transportation, Press Release, Oct. 24, 2017, available at https://www.commerce.senate.gov/public/index.cfm/pressreleases?ID=BA5E2D29-2BF3-4FC7-A79D-58B9E186412C.
[21] Sean O’Kane, Mercedes-Benz Self-Driving Taxi Pilot Coming to Silicon Valley in 2019, The Verge, Jul. 11, 2018, available at https://www.theverge.com/2018/7/11/17555274/mercedes-benz-self-driving-taxi-pilot-silicon-valley-2019.
[22] U.S. Dept. of Transp., Automated Driving Systems 2.0: A Vision for Safety 2.0, Sept. 2017, available at https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13069a-ads2.0_090617_v9a_tag.pdf.
[23] Id., at para. 2.
[24] U.S. Dept. of Transp., Preparing for the Future of Transportation: Automated Vehicles 3.0, Oct. 4, 2018, available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf.
[25] Sasha Lekach, Waymo’s Self-Driving Taxi Service Could Have Some Major Issues, Mashable, Aug. 28, 2018, available at https://mashable.com/2018/08/28/waymo-self-driving-taxi-problems/#dWzwp.UAEsqM.
[26] Robert L. Rabin, Uber Self-Driving Cars, Liability, and Regulation, Stanford Law School Blog, Mar. 20, 2018, available at https://law.stanford.edu/2018/03/20/uber-self-driving-cars-liability-regulation/.
[27] David Shephardson, U.S. Regulators Grappling with Self-Driving Vehicle Security, Reuters, Jul. 10, 2018, available at https://www.reuters.com/article/us-autos-selfdriving/us-regulators-grappling-with-self-driving-vehicle-security-idUSKBN1K02OD.
[28] Richard Blumenthal, Press Release, Ten Senators Seek Information from Autonomous Vehicle Manufacturers on Their Use of Forced Arbitration Clauses, Mar. 23, 2018, available at https://www.blumenthal.senate.gov/newsroom/press/release/ten-senators-seek-information-from-autonomous-vehicle-manufacturers-on-their-use-of-forced-arbitration-clauses.
[29] Kevin Krewell, How Will Autonomous Cars Respond to Emergency Vehicles, Forbes, Jul. 31, 2018, available at https://www.forbes.com/sites/tiriasresearch/2018/07/31/how-will-autonomous-cars-respond-to-emergency-vehicles/#3eed571627ef.
[30] Michael J. Coren, All The Things That Still Baffle Self-Driving Cars, Starting With Seagulls, Quartz, Sept. 23, 2018, available at https://qz.com/1397504/all-the-things-that-still-baffle-self-driving-cars-starting-with-seagulls/.
[31] GHSA, Preparing For Automated Vehicles: Traffic Safety Issues For States, Aug. 2018, available at https://www.ghsa.org/sites/default/files/2018-08/Final_AVs2018.pdf.
[32] Id., at 7.
[33] Brookings, The State of Self-Driving Car Laws Across the U.S., May 1, 2018, available at https://www.brookings.edu/blog/techtank/2018/05/01/the-state-of-self-driving-car-laws-across-the-u-s/.
[34] Aarian Marshall, Fully Self-Driving Cars Are Really Truly Coming to California, Wired, Feb. 26, 2018, available at https://www.wired.com/story/california-self-driving-car-laws/; State of California, Department of Motor Vehicles, Autonomous Vehicles in California, available at https://www.dmv.ca.gov/portal/dmv/detail/vr/autonomous/bkgd.
[35] SB 151, available at http://www.capitol.tn.gov/Bills/110/Bill/SB0151.pdf.
[36] SB 2205, available at https://legiscan.com/TX/text/SB2205/2017.
[37] SB 219, available at http://www.legis.ga.gov/Legislation/en-US/display/20172018/SB/219.
[38] Tony Peng & Michael Sarazen, Global Survey of Autonomous Vehicle Regulations, Medium, Mar. 15, 2018, available at https://medium.com/syncedreview/global-survey-of-autonomous-vehicle-regulations-6b8608f205f9.
[39] KPMG, Autonomous Vehicles Readiness Index: Assessing Countries’ Openness and Preparedness for Autonomous Vehicles, 2018, p. 17 (“The US has a highly innovative but largely disparate environment with little predictability regarding the uniform adoption of national standards for AVs. Therefore the prospect of widespread driverless vehicles is unlikely in the near future. However, federal policy and regulatory guidance could certainly accelerate early adoption . . .”), available at https://assets.kpmg.com/content/dam/kpmg/nl/pdf/2018/sector/automotive/autonomous-vehicles-readiness-index.pdf.
[40] Stanley White, Japan Looks to Launch Autonomous Car System in Tokyo by 2020, Automotive News, Jun. 4, 2018, available at http://www.autonews.com/article/20180604/MOBILITY/180609906/japan-self-driving-car; National Transport Commission Australia, Automated vehicles in Australia, available at https://www.ntc.gov.au/roads/technology/automated-vehicles-in-australia/.
[41] The Automated and Electric Vehicles Act 2018, available at http://www.legislation.gov.uk/ukpga/2018/18/contents/enacted; Lexology, Muddy Road Ahead Part II: Liability Legislation for Autonomous Vehicles in the United Kingdom, Sept. 21, 2018, available at https://www.lexology.com/library/detail.aspx?g=89029292-ad7b-4c89-8ac9-eedec3d9113a; see further Anne Perkins, Government to Review Law Before Self-Driving Cars Arrive on UK Roads, The Guardian, Mar. 6, 2018, available at https://www.theguardian.com/technology/2018/mar/06/self-driving-cars-in-uk-riding-on-legal-review.
[42] Michaela Ross, Code & Conduit Podcast: Rep. Bob Latta Eyes Self-Driving Car Compromise This Year, Bloomberg Law, Jul. 26, 2018, available at https://www.bna.com/code-conduit-podcast-b73014481132/.
[43] Freight Waves, House Committee Urges Senate to Advance Self-Driving Vehicle Legislation, Sept. 10, 2018, available at https://www.freightwaves.com/news/house-committee-urges-senate-to-advance-self-driving-vehicle-legislation; House Energy and Commerce Committee, Press Release, Sept. 5, 2018, available at https://energycommerce.house.gov/news/press-release/media-advisory-walden-ec-leaders-to-call-on-senate-to-pass-self-driving-car-legislation/.
[44] See supra n. 24, U.S. Dept. of Transp., Preparing for the Future of Transportation: Automated Vehicles 3.0, Oct. 4, 2018, at iv.
[45] David Shephardson, Self-driving cars may hit U.S. roads in pilot program, NHTSA says, Automotive News, Oct. 9, 2018, available at http://www.autonews.com/article/20181009/MOBILITY/181009630/self-driving-cars-may-hit-u.s.-roads-in-pilot-program-nhtsa-says.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the authors:

H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Claudia M. Barrett – Washington, D.C. (+1 202-887-3642, cbarrett@gibsondunn.com)
Frances Annika Smithson – Los Angeles (+1 213-229-7914, fsmithson@gibsondunn.com)
Ryan K. Iwahashi – Palo Alto (+1 650-849-5367, riwahashi@gibsondunn.com)

Please also feel free to contact any of the following:

Automotive/Transportation:
Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, tboutrous@gibsondunn.com)
Christopher Chorba – Los Angeles (+1 213-229-7396, cchorba@gibsondunn.com)
Theane Evangelis – Los Angeles (+1 213-229-7726, tevangelis@gibsondunn.com)

Privacy, Cybersecurity and Consumer Protection:
Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com)

Public Policy:
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212-351-3850, mdenerstein@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

October 5, 2018 |
New California Security of Connected Devices Law and CCPA Amendments

California continues to lead the United States in focusing attention on privacy and security of user data and devices.  Last week, Governor Jerry Brown signed into law two identical bills requiring manufacturers to include “reasonable security feature[s]” on all devices which are “capable of connecting to the Internet” (commonly known as the Internet of Things).[1]  The law is described as the first of its kind in the United States, and comes just three months after passage of the California Consumer Privacy Act of 2018 (“CCPA”);[2] both laws are set to take effect January 1, 2020.[3]  Collectively, these laws represent a dramatic expansion of data privacy law that will impact the products and processes of many companies.

Also last week, Governor Brown signed into law Senate Bill 1121, which implemented amendments to the CCPA relating primarily to enforcement of the provisions, and clarification of exemptions relating to medical information.

Security of Connected Devices

The new law is aimed at protecting “connected devices” from unauthorized access, and requires “reasonable security feature[s]” proportional to the device’s “nature and function” and the “information it may collect, contain, or transmit.”[4]  There are various notable exclusions, particularly where the devices are covered by certain other laws, or when a company merely purchases devices for resale (or for branding and resale) in California.[5]  Nonetheless, the law is unique in that it may require security for Internet-connected products regardless of the type of information or data at issue—a contrast to the CCPA and other data privacy and security laws.

Who Must Comply with the Law?

Anyone “who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California” is subject to the statute.[6]  However, the law includes an explicit carve-out that “contract[ing] with another person to manufacture on the person’s behalf” does not include a “contract only to purchase a connected device, or only to purchase and brand a connected device.”[7]  Thus, if a company is merely purchasing whole units and reselling, or even branding and reselling—effectively without the ability to indicate specifications for the device—it will likely not be subject to the new law.

What’s Required?

The law applies to manufacturers of “connected devices.”  A “connected device” is defined as “capable of connecting to the Internet . . . and . . . assigned an Internet Protocol address or Bluetooth address.”[8]  The number of products falling into this category is increasing at a remarkable rate, and the products span a multitude of applications, from consumer products (such as smart home features, including automatic lights or thermostats controlled remotely), to commercial use cases (such as electronic toll systems and “smart agriculture”).

The law requires that such manufacturers “equip the device with a reasonable security feature or features” that is:

- Appropriate to the nature and function of the device;
- Appropriate to the information it may collect, contain, or transmit; and
- Designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure.[9]

The law does not specify what is “reasonable,” and relies upon the manufacturer to determine what is appropriate to the device.  As a result, “reasonable” will likely be further refined through enforcement actions (described below).  However, the law does provide that a device will satisfy the provisions if it is “equipped with a means for authentication outside a local area network,” and (1) each device is preprogrammed with a unique password, or (2) the user must create a “new means of authentication” (such as a password) before the device may be used.[10][11]

What’s Not Covered?

Notably, the law excludes certain devices or manufacturers, particularly where they are covered by other existing laws, and makes clear statements of what this law does not do.  For example, the law does not apply to:[12]

- Any unaffiliated third-party software or applications the user adds to the device;
- Any provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications;
- Devices subject to security requirements under federal law (e.g., FDA); and
- “Manufacturers” subject to HIPAA or the Confidentiality of Medical Information Act—at least “with respect to any activity regulated by those acts.”[13]

How Will It Be Enforced?

The law expressly does not provide for a private right of action, and it may only be enforced by the “Attorney General, a city attorney, a county counsel, or a district attorney.”[14]  It further does not set forth any criminal penalty, include a maximum civil fine, or specify any other authorized relief.  Nonetheless, the authorization of the enumerated entities to enforce it presumably includes the authority for those entities to seek civil fines, as they can under other consumer protection statutes (for example, Section 17206 of the California Business & Professions Code).[15]

What Can You Do?

If your company sells, or intends to sell, a product in California that connects to the Internet, consider:

- Whether the company is a “manufacturer”;
- The security features of the device, if any;
- What security features might be reasonable given the nature and function of the device and the nature of the data collected or used;
- Possibilities for alternative or additional security measures for the specific device; and
- Engineering resources and timeline required to implement additional features.

Many connected devices on the market today already have authentication and security features, but even those that do may benefit from an evaluation of their sufficiency in preparation for this new law.  Because the law may require actual product changes, rather than merely policy changes, addressing these issues early is important.  Consultation with legal and information security professionals may be helpful.

Amendments to CCPA Signed by Governor Brown on September 23, 2018

As anticipated, the California Legislature has begun to pass amendments to the CCPA, though the current changes are relatively modest.  Governor Brown signed the latest amendments to the CCPA on September 23, 2018, which included:[16]

- Extending the deadline for the California Attorney General (“AG”) to develop and publish rules implementing the CCPA until July 1, 2020;
- Prohibiting the AG from enforcing the Act until either July 1, 2020, or six months after the publication of the regulations, whichever comes first;
- Limiting the civil penalties that the AG can impose to $2,500 for each violation of the CCPA or up to $7,500 per each intentional violation;
- Removing the requirement for a consumer to notify the AG within 30 days of filing a civil action in the event of a data breach and to then wait six months to see if the AG elects to pursue the case;
- Clarifying that consumers only have a right of action related to a business’ alleged failure to “implement and maintain reasonable security procedures and practices” that results in a breach, and not for any other violations of the Act;
- Updating the definition of “personal information” to stress that certain identifiers (e.g., IP address, geolocation information and web browsing history) only constitute personal information if the data can be “reasonably linked, directly or indirectly, with a particular consumer or household”; and
- Explicitly exempting entities covered by HIPAA, GLBA and DPPA, as well as California’s Confidentiality of Medical Information Act and its Financial Information Privacy Act.

The foregoing amendments may not have been of major significance—they were passed on the last day of the most recent legislative session.  The California Legislature is expected to consider more substantive changes to the law when it reconvenes for the 2019 – 2020 session in January 2019, including addressing additional concerns regarding enforcement mechanisms, the law’s broad scope, and the sweeping disclosure obligations.
Companies that may be impacted by the CCPA should continue to monitor legislative and regulatory developments relating to the CCPA, and should begin planning for the implementation of this broad statute.

[1] Assembly Bill 1906 and Senate Bill 327 contain identical language.
[2] The California Consumer Privacy Act was the subject of a detailed analysis in a client alert issued by Gibson Dunn on July 12, 2018.  That publication is available here.
[3] The law will be enacted as California Civil Code Sections 1798.91.04 to 1798.91.06.
[4] Cal. Civil Code § 1798.91.04(a)(1) and (a)(2).
[5] Cal. Civil Code § 1798.91.05(c) and § 1798.91.06.
[6] Cal. Civil Code § 1798.91.05(c).
[7] Cal. Civil Code § 1798.91.05(c).
[8] Cal. Civil Code § 1798.91.05(b).
[9] Cal. Civil Code § 1798.91.04(a)(1), (a)(2), and (a)(3).
[10] Cal. Civil Code § 1798.91.04(b) (emphasis added).
[11] Authentication is simply defined as a “method of verifying the authority” of a user accessing the information or device.  Cal. Civil Code § 1798.91.05(a).
[12] Cal. Civil Code § 1798.91.06.
[13] That said, those laws generally require stricter provisions for security measures.
[14] Cal. Civil Code § 1798.91.06(e).
[15] See Cal. Bus. & Prof. Code § 17204.
[16] S.B. 1121, S. Reg. Sess. 2017-2018 (CA 2018).

The following Gibson Dunn lawyers assisted in the preparation of this client alert: Joshua A. Jessen, Benjamin B. Wagner, and Cassandra L. Gaedt-Sheckter.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues.  For further information, please contact the Gibson Dunn lawyer with whom you usually work or the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

United States
Alexander H. Southwell – Co-Chair, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Christopher Chorba – Los Angeles (+1 213-229-7396, cchorba@gibsondunn.com)
Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)

Europe
Ahmed Baladi – Co-Chair, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, aguerrero@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

September 14, 2018 |
Kristin Linsley, Christina Greenberg and Jennifer Rho Named Among Women Leaders in Tech Law

The Recorder named San Francisco partner Kristin Linsley to its annual Women Leaders in Tech Law list.  Additionally, Palo Alto associate Christina Greenberg and Los Angeles associate Jennifer Rho were named among The Recorder’s Next Generation Leaders.  The list of 60 winners (30 Women Leaders in Tech Law and 30 Next Generation Leaders) recognized attorneys who “are helping the law and the legal profession address novel issues raised by technological advances.”  The honorees were announced on September 14, 2018.

September 1, 2018 |
Timothy Loose Named Among Global Data Review’s 40 Under 40

Global Data Review named Los Angeles partner Timothy Loose to its 2018 40 Under 40 list, which profiles “the 40 individuals who represent the best and the brightest of the data law bar around the world.”  The list was published on September 1, 2018.

July 12, 2018 |
California Consumer Privacy Act of 2018

On June 28, 2018, Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (“CCPA”), which has been described as a landmark privacy bill that aims to give California consumers increased transparency and control over how companies use and share their personal information.  The law will be enacted as several new sections of the California Civil Code (sections 1798.100 to 1798.198).  While lawmakers and others are already discussing amending the law prior to its January 1, 2020 effective date, as passed the law would require businesses collecting information about California consumers to:

- disclose what personal information is collected about a consumer and the purposes for which that personal information is used;
- delete a consumer’s personal information if requested to do so, unless it is necessary for the business to maintain that information for certain purposes;
- disclose what personal information is sold or shared for a business purpose, and to whom;
- stop selling a consumer’s information if requested to do so (the “right to opt out”), unless the consumer is under 16 years of age, in which case the business is required to obtain affirmative authorization to sell the consumer’s data (the “right to opt in”); and
- not discriminate against a consumer for exercising any of the aforementioned rights, including by denying goods or services, charging different prices, or providing a different level or quality of goods or services, subject to certain exceptions.

The CCPA also empowers the California Attorney General to adopt regulations to further the statute’s purposes, and to solicit “broad public participation” before the law goes into effect.[1]  In addition, the law permits businesses to seek the opinion of the Attorney General for guidance on how to comply with its provisions.

The CCPA does not appear to create any private rights of action, with one notable exception:  the CCPA expands California’s data security laws by providing, in certain cases, a private right of action to consumers “whose nonencrypted or nonredacted personal information” is subject to a breach “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures,” which permits consumers to seek statutory damages of $100 to $750 per incident.[2]  The other rights embodied in the CCPA may be enforced only by the Attorney General—who may seek civil penalties up to $7,500 per violation.

In the eighteen months ahead, businesses that collect personal information about California consumers will need to carefully assess their data privacy and disclosure practices and procedures to ensure they are in compliance when the law goes into effect on January 1, 2020.  Businesses may also want to consider whether to submit information to the Attorney General regarding the development of implementing regulations prior to the effective date.

I. Background and Context

The CCPA was passed quickly in order to block a similar privacy initiative from appearing on election ballots in November.  The ballot initiative had obtained enough signatures to be presented to voters, but its backers agreed to abandon it if lawmakers passed a comparable bill.  The ballot initiative, if enacted, could not easily be amended by the legislature,[3] so legislators quickly drafted and unanimously passed AB 375 before the June 28 deadline to withdraw items from the ballot.  While not as strict as the EU’s new General Data Protection Regulation (GDPR), the CCPA is more stringent than most existing privacy laws in the United States.

II. Who Must Comply With The CCPA?
The CCPA applies to any “business,” including any for-profit entity that collects consumers’ personal information, which does business in California, and which satisfies one or more of the following thresholds:

- has annual gross revenues in excess of twenty-five million dollars ($25,000,000);
- possesses the personal information of 50,000 or more consumers, households, or devices; or
- earns more than half of its annual revenue from selling consumers’ personal information.[4]

The CCPA also applies to any entity that controls or is controlled by such a business and shares common branding with the business.[5]

The definition of “Personal Information” under the CCPA is extremely broad and includes things not considered “Personal Information” under other U.S. privacy laws, like location data, purchasing or consuming histories, browsing history, and inferences drawn from any of the consumer information.[6]  As a result of the breadth of these definitions, the CCPA likely will apply to hundreds of thousands of companies, both inside and outside of California.

III.     CCPA’s Key Rights And Provisions

The stated goal of the CCPA is to ensure the following rights of Californians: (1) to know what personal information is being collected about them; (2) to know whether their personal information is sold or disclosed and to whom; (3) to say no to the sale of personal information; (4) to access their personal information; and (5) to equal service and price, even if they exercise their privacy rights.[7]  The CCPA purports to enforce these rights by imposing several obligations on covered businesses, as discussed in more detail below.

A.     Transparency In The Collection Of Personal Information

The CCPA requires disclosure of information about how a business collects and uses personal information, and also gives consumers the right to request certain additional information about what data is collected about them.[8]  Specifically, a consumer has the right to request that a business disclose:

(1) the categories of personal information it has collected about that consumer;
(2) the categories of sources from which the personal information is collected;
(3) the business or commercial purpose for collecting or selling personal information;
(4) the categories of third parties with whom the business shares personal information; and
(5) the specific pieces of personal information it has collected about that consumer.[9]

While categories (1)-(4) are fairly general, category (5) requires very detailed information about a consumer, and businesses will need to develop a mechanism for providing this type of information.

Under the CCPA, businesses also must affirmatively disclose certain information “at or before the point of collection,” and cannot collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice.[10]  Specifically, businesses must disclose in their online privacy policies and in any California-specific description of a consumer’s rights a list of the categories of personal information they have collected about consumers in the preceding 12 months by reference to the enumerated categories (1)-(5), above.[11]

Businesses must provide consumers with at least two methods for submitting requests for information, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.[12]

B.     Deletion Of Personal Information

The CCPA also gives consumers a right to request that businesses delete personal information about them.
Upon receipt of a “verifiable request” from a consumer, a business must delete the consumer’s personal information and direct any service providers to do the same.  There are exceptions to this deletion rule when “it is necessary for the business or service provider to maintain the consumer’s personal information” for one of nine enumerated reasons:

(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.[13]

Because these exceptions are so broad, especially given the catch-all provision in category (9), it is unclear whether the CCPA’s right to deletion will substantially alter a business’s obligations as a practical matter.

C.     Disclosure Of Personal Information Sold Or Shared For A Business Purpose

The CCPA also requires businesses to disclose what personal information is sold or disclosed for a business purpose, and to whom.[14]  The disclosure of certain information is only required upon receipt of a “verifiable consumer request.”[15]  Specifically, a consumer has the right to request that a business disclose:

- The categories of personal information that the business collected about the consumer;
- The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; and
- The categories of personal information that the business disclosed about the consumer for a business purpose.[16]

A business must also affirmatively disclose (including in its online privacy policy and in any California-specific description of consumer’s rights):

(1) The category or categories of consumers’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact; and
(2) The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact.[17]

This information must be disclosed in two separate lists, each listing the categories of personal information it has sold about consumers in the preceding 12 months that fall into categories (1) and (2), above.[18]

D.     Right To Opt-Out Of Sale Of Personal Information

The CCPA also requires businesses to stop selling a consumer’s personal information if requested to do so by the consumer (“opt-out”).  In addition, consumers under the age of 16 must affirmatively opt-in to allow selling of personal information, and parental consent is required for consumers under the age of 13.[19]  Businesses must provide notice to consumers that their information may be sold and that consumers have the right to opt out of the sale.  In order to comply with the notice requirement, businesses must include a link titled “Do Not Sell My Personal Information” on their homepage and in their privacy policy.[20]

E.     Prohibition Against Discrimination For Exercising Rights

The CCPA prohibits a business from discriminating against a consumer for exercising any of their rights in the CCPA, including by denying goods or services, charging different prices, or providing a different level or quality of goods or services.  There are exceptions, however, if the difference in price or level or quality of goods or services “is reasonably related to the value provided to the consumer by the consumer’s data.”  For example, while the language of the statute is not entirely clear, a business may be allowed to charge those users who do not allow the sale of their data while providing the service for free to users who do allow the sale of their data—as long as the amount charged is reasonably related to the value to the business of that consumer’s data.  A business may also offer financial incentives for the collection of personal information, as long as the incentives are not “unjust, unreasonable, coercive, or usurious” and the business notifies the consumer of the incentives and the consumer gives prior opt-in consent.

F.     Data Breach Provisions

The CCPA provides a private right of action to consumers “whose nonencrypted or nonredacted personal information” is subject to a breach “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures.”[21]  Under the CCPA, a consumer may seek statutory damages of $100 to $750 per incident or actual damages, whichever is greater.[22]  Notably, the meaning of “personal information” under this provision is the same as it is in California’s existing data breach law, rather than the broad definition used in the remainder of the CCPA.[23]  Consumers bringing a private action under this section must first provide written notice to the business of the alleged violations (and allow the business an opportunity to cure the violations), and must notify the Attorney General and give the Attorney General an opportunity to prosecute.[24]  Notice is not required for an “action solely for actual pecuniary damages suffered as a result of the alleged violations.”[25]

IV.     Potential Liability

Section 1798.150, regarding liability for data breaches, is the only provision in the CCPA expressly allowing a private right of action.  The damages available for such a civil suit are limited to the greater of (1) between $100 and $750 per consumer per incident, or (2) actual damages.  Individual consumers’ claims also can potentially be aggregated in a class action.

The other rights embodied in the CCPA may be enforced only by the Attorney General—who may seek civil penalties not to exceed $2,500 for each violation, unless the violation was intentional, in which case the Attorney General can seek up to $7,500 per violation.[26]

[1]   To be codified at Cal. Civ. Code § 1798.185(a).
[2]   Cal. Civ. Code § 1798.150.
[3]   By its own terms, the ballot initiative could be amended upon a statute passed by 70% of each house of the Legislature if the amendment furthered the purposes of the act, or by a majority for certain provisions to impose additional privacy restrictions.  See The Consumer Right to Privacy Act of 2018 No. 17-0039, Section 5.  Otherwise, approved ballot initiatives in California can only be amended with voter approval.  California Constitution, Article II, Section 10.
[4]   Cal. Civ. Code § 1798.140(c)(1).
[5]   Cal. Civ. Code § 1798.140(c)(2).
[6]   Cal. Civ. Code § 1798.140(o).  The definition of “personal information” does not include publicly available information, and the CCPA also does not generally restrict a business’s ability to collect or use deidentified aggregate consumer information.  Cal. Civ. Code § 1798.145(a)(5).
[7]   Assemb. Bill 375, 2017-2018 Reg. Sess., Ch. 55, Sec. 2 (Cal. 2018).
[8]   Cal. Civ. Code §§ 1798.100 and 1798.110.
[9]   Cal. Civ. Code § 1798.110(a).
[10]   Cal. Civ. Code §§ 1798.100(b); 1798.110(c).
[11]   Cal. Civ. Code §§ 1798.110(c); 1798.130(a)(5)(B).
[12]   Cal. Civ. Code § 1798.130(a)(1).
[13]   Cal. Civ. Code § 1798.105(d).
[14]   Cal. Civ. Code § 1798.115.
[15]   Cal. Civ. Code § 1798.115(a)-(b).
[16]   Cal. Civ. Code § 1798.115(a).
[17]   Cal. Civ. Code § 1798.115(c).
[18]   Cal. Civ. Code § 1798.130(a)(5)(C).
[19]   Cal. Civ. Code § 1798.120(d).
[20]   Cal. Civ. Code § 1798.135.
[21]   Cal. Civ. Code § 1798.150.
[22]   Cal. Civ. Code § 1798.150.
[23]   Cal. Civ. Code § 1798.81.5(d)(1)(A).
[24]   Cal. Civ. Code § 1798.150(b).
[25]   Cal. Civ. Code § 1798.150(b)(1).
[26]   Cal. Civ. Code § 1798.155.

The following Gibson Dunn lawyers assisted in the preparation of this client alert: Joshua A. Jessen, Benjamin B. Wagner, Christina Chandler Kogan, Abbey A. Barrera, and Alison Watkins.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues.
For further information, please contact the Gibson Dunn lawyer with whom you usually work or the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

United States
Alexander H. Southwell – Co-Chair, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Christopher Chorba – Los Angeles (+1 213-229-7396, cchorba@gibsondunn.com)
Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)

Europe
Ahmed Baladi – Co-Chair, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)207071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

July 5, 2018 |
Supreme Court Finds Failure to Prove a Sherman Act Section 1 Violation in Credit Card Market

On June 25, 2018, the Supreme Court of the United States assuaged the concerns of many that antitrust enforcement would hobble new and creative ways of conducting business, particularly businesses that have relied on technology to bring consumers and sellers together by offering a “platform” that creates a highly convenient way for them to interact and consummate sales. In Ohio v. American Express, the Court held that plaintiffs failed to prove a Sherman Act Section 1 violation in the credit card market because they presented evidence of alleged anticompetitive effects only on the merchant side of the relevant market. Without evidence of the impact of the challenged practices on the cardholder side of the market, the Court concluded that plaintiffs failed to carry their burden to prove anticompetitive effects.

The Court’s opinion has several important elements beyond its holding that certain two-sided platform markets must be evaluated as a single relevant market:

- Significantly, the Supreme Court discussed a framework for analyzing alleged restraints under the rule of reason for the first time.  Both the majority and dissent adopted the parties’ agreed-upon, three-step framework for analyzing restraints under the rule of reason.  Under this framework, the plaintiff bears the initial burden of proving anticompetitive effects, which shifts the burden to the defendant to show a procompetitive justification.  If the defendant meets its burden of proving procompetitive efficiencies, then the burden shifts back to the plaintiff to show that those efficiencies could have been achieved through less restrictive means.  Notably, the Court did not mention any balancing of anticompetitive effects against procompetitive justifications.
- The third step in the above rule of reason framework may be the focus of scrutiny as plaintiffs look to find “less restrictive alternatives” to overcome defendants’ evidence of a procompetitive rationale for a challenged practice.  DOJ-FTC Competitor Collaboration Guidelines provide, however, that the agencies “do not search for a theoretically less restrictive alternative that is not realistic given business realities.”  Section 3.36(b).
- The Court also found that evidence that output of transactions in the relevant market had increased during the relevant period undercut plaintiffs’ reliance solely on evidence of price increases by Amex.  The Court’s reliance on the failure to prove output restriction reinforces the continued vitality of the Court’s prior decision in Brooke Group Ltd. v. Brown & Williamson Tobacco Corp., 509 U.S. 209 (1993).
- The Court rejected the argument that market definition could be dispensed with based on evidence of purported actual anticompetitive effects in the form of merchant fee increases by Amex.  The Court in this regard distinguished horizontal restraints, which in some cases may be analyzed without “precisely defin[ing] the relevant market,” and vertical restraints, stating that vertical restraints frequently do not pose any threat to competition absent the defendant possessing market power. Therefore, it is critical to precisely define the relevant market when evaluating vertical restraints.

The case arose out of a decades-old practice.  For more than fifty years, American Express Company and American Express Travel Services Company (together, “Amex”) have included “anti-steering” provisions in contracts with merchants who agree to accept American Express cards as a means of payment. These provisions prohibited merchants from trying to persuade customers to use cards other than American Express cards or imposing special conditions on customers using American Express cards. Absent the challenged provisions, merchants had a strong incentive to encourage customers to use other credit cards because other credit card providers charged merchants lower fees than Amex.
Amex uses the money received from its higher merchant fees to fund investments in its customer rewards program, which offers cardholders better rewards than those offered by rival credit card companies.

The United States and several States (“plaintiffs”) sued Amex in October 2010, alleging that the anti-steering provisions violated Section 1 of the Sherman Act. The United States District Court for the Southern District of New York entered judgment for plaintiffs, finding that the provisions violated Section 1 because they caused merchants to pay higher fees by precluding merchants from encouraging cardholders to use an alternative card with a lower fee at the point of sale. The district court sided with plaintiffs in finding that the credit card market was really two separate markets: a merchant market and a cardholder market.

The United States Court of Appeals for the Second Circuit reversed, holding that the district court erroneously considered only the dealings between Amex and merchants.  As a result, it failed to recognize that the credit card market was a single, “two-sided” market, not two separate markets.  Therefore, the impact of the anti-steering provisions on the cardholder side of the market had to be analyzed in order to determine if those provisions had a substantial anticompetitive effect in the relevant market.

The Supreme Court affirmed in a 5-4 decision. The majority, in an opinion authored by Justice Thomas, agreed with the Second Circuit that the credit card market should be considered as a single market because credit card providers compete to provide credit card transactions, but can create and sell those services only if both the cardholder and the merchant simultaneously choose to use the credit card network as a means of payment.
The market is “two-sided” in that it involves the simultaneous provision of services to both cardholders and merchants; in any transaction, a credit card network cannot sell its payment services individually to only the cardholder or only the merchant.

The majority observed that the credit card market exhibited strong “indirect” network effects because prices to cardholders affected demand by merchants and prices to merchants affected demand by cardholders.  Higher prices to cardholders would tend to decrease the number of cardholders, which would decrease the attractiveness of that card to merchants, which in turn would decrease the attractiveness of the card to cardholders.  Conversely, higher prices to merchants would decrease the number of merchants accepting the card, which would decrease the utility of the card to cardholders, decreasing the number of cardholders. In either case, the provider increasing prices faced the risk of “a feedback loop of declining demand.”  Providers therefore had to strike a balance between the prices charged on one side of the platform and the prices charged on the other side.

In the credit card market, different cardholders might attribute different value to broad acceptance of their card by numerous merchants or to generosity of “cash back” or other loyalty or usage rewards. Similarly, merchants might assign different values to the level of fees by a credit card provider versus the card’s ability to present the merchant with a higher proportion of “big spenders.”

Significantly for future cases, the majority observed that not every “platform” business bringing together buyers and sellers should be considered to be a single market. The majority focused on the strength of the indirect network effects—that is, the potential for increased prices on one side to reduce demand on the other side, prompting a feedback loop of declining demand.
The majority discussed a newspaper selling advertisements to advertisers as an example of a “platform” that should not be considered a single market. According to the majority, the indirect network effects operated only in one direction. Advertisers might well care if high subscription prices reduced the number of readers. But because readers are largely indifferent to the amount of advertising in a newspaper, a reduction in advertisements caused by higher advertising rates would not lead to a reduced number of readers.

The Court emphasized the importance of market definition in analyzing alleged anticompetitive effects caused by vertical restraints. Unlike horizontal restraints among competitors, the majority wrote, “[v]ertical restraints often pose no risk to competition unless the entity imposing them has market power, which cannot be evaluated unless the Court first defines the relevant market.” Thus, the Court disagreed with plaintiffs’ assertion that under FTC v. Indiana Federation of Dentists, 476 U.S. 447 (1986), evidence of actual adverse effects in the form of increased merchant fees was sufficient proof.  The Court distinguished Indiana Federation of Dentists by noting that it involved a horizontal restraint, and therefore the Court concluded it did not need to precisely define the relevant market to evaluate the restraint’s competitive impact.

The dissent, authored by Justice Breyer, accused the majority of “abandoning traditional market-definition approaches” by declining to define the relevant market by assessing the substitutability of other products or services for the product or service at issue. As the dissent noted, because consumers’ ability to shift to substitutes constrains the ability of a seller to raise prices, it is necessary to include reasonable substitutes within the relevant market.
The dissent argued that the card providers’ services to merchants and services to cardholders were complements, not substitutes, in the sense that, like gasoline and tires for a car, both must be purchased to have value. But this analogy is inapt in at least two respects. First, there is no need for simultaneity in the purchase of gasoline and tires. Few, if any, consumers buy new tires each time they purchase gasoline. Second, the two complementary products are both purchased by the owner or operator of the vehicle. The seller of gasoline and tires does not have to purchase a service from anyone in order to sell the gasoline or tires (unless the buyer wishes to use a credit card, in which case both the buyer and the merchant must simultaneously choose to use the payment services offered by the credit card provider). This is unlike the credit card context where both the cardholder and the merchant must simultaneously choose to use the payment services offered by the credit card provider.

The Court’s acceptance that some businesses operate in a single, two-sided market has implications for antitrust cases involving technology-based “platform” businesses, such as ride-sharing and short-term home rentals, that have become a substantial and growing component of the economy. The outcomes in future cases are likely to turn on the strength of the evidence showing that network effects constrain pricing decisions.

Makan Delrahim, the head of the DOJ’s Antitrust Division, said this past week that he had feared the Supreme Court would cause “harm to our economy” by creating a rule for evaluating two-sided markets that would harm new “platform” business models like Uber, AirBnB and eBay.
He described DOJ’s philosophy with respect to the case as “it’s one interrelated market, it’s a new business model, and you can’t stick your head in the sand and say, ‘If you’re raising the prices – whether on the consumer or driver – it can’t have an effect.’ And it could be a positive effect, because a Lyft can do the same thing and now be able to compete better with an Uber or whatever the next one would be.”  While Mr. Delrahim acknowledged that the Amex ruling likely would apply to companies like Uber and AirBnB, he does not believe Google will benefit from it, noting that consumers do not use Google Search just to see advertisements.

Although the Amex decision is notable for its focus on commercial realities and acceptance of the existence of two-sided markets, there are other significant aspects of the decision.  Most notably, the Court discussed a three-step, burden-shifting framework for analyzing restraints under the rule of reason. This provides welcome guidance, as the Court had not previously discussed any framework or methodology for evaluating claims under the rule of reason.  While the framework was agreed-upon among the parties below, its adoption by the majority (and acceptance by the dissent) nevertheless provides important instruction regarding the steps to be conducted by courts in weighing rule of reason claims under either Section 1 or Section 2.  In the first step of the decision’s framework, the plaintiff bears the burden to prove anticompetitive effects in the relevant market. If the plaintiff carries that burden, in the second step the burden shifts to the defendant to demonstrate a procompetitive rationale for the challenged restraint.
If the defendant makes that showing, then in the third step the burden shifts back to the plaintiff to “demonstrate that the procompetitive efficiencies could reasonably be achieved through less restrictive means.”

The Court held that plaintiffs had not satisfied the first step of the rule of reason framework. As with many cases, the Court’s definition of the relevant market determined the outcome. To prove anticompetitive effects, plaintiffs relied solely on direct evidence of Amex’s increases in merchant fees during 2005-2010. However, the Court concluded that because the market was two-sided, such evidence was incomplete and did not demonstrate anticompetitive effects in the form of either higher prices for credit card transactions or a reduction in the number of such transactions. Indeed, the Court found that certain evidence in the record cut against plaintiffs’ claim that the anti-steering provisions were the cause of any increases in merchant fees by Amex—for example, rival card companies had also increased merchant fees. The Court also noted that credit card transaction output had increased substantially during the relevant period, further undermining any claim of anticompetitive effects. Quoting from Brooke Group, 509 U.S. at 237, the majority wrote that it will “not infer competitive injury from price and output data absent some evidence that tends to prove that output was restricted or prices were above a competitive level.”  The Court’s focus on output restriction under Brooke Group demonstrates the Court’s continued insistence on the application of sound economic principles in evaluating antitrust claims.

While it noted Amex’s rationale for the anti-steering provisions, the Court did not address the second or third step of the rule of reason framework given its finding that the plaintiffs had failed to satisfy the first step.
The Court’s recognition in the third step that proven procompetitive efficiencies may be overcome by a showing of less restrictive means of achieving those efficiencies will likely cause private plaintiffs and enforcement agencies to increase their focus on potential alternatives.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please feel free to contact any member of the firm’s Antitrust and Competition practice group or the following authors:

Trey Nicoud – San Francisco (+1 415-393-8308, tnicoud@gibsondunn.com)
Rod J. Stone – Los Angeles (+1 213-229-7256, rstone@gibsondunn.com)
Daniel G. Swanson – Los Angeles (+1 213-229-7430, dswanson@gibsondunn.com)
Richard G. Parker – Washington, D.C. (+1 202-955-8503, rparker@gibsondunn.com)
M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com)
Chelsea G. Glover – Dallas (+1 214-698-3357, cglover@gibsondunn.com)

June 22, 2018 |
Supreme Court Holds That Individuals Have Fourth Amendment Privacy Rights In Cell Phone Location Records

Carpenter v. United States, No. 16-402
Decided June 22, 2018

The Supreme Court held 5-4 that law enforcement officials must generally obtain a warrant when seeking historical cell phone location records from a telecommunications provider.

Background: Wireless carriers regularly collect and store information reflecting the location of cell phones when those phones connect to cell sites to transmit and receive information.  Prosecutors collected a suspect’s cell-site location data from wireless carriers following the procedure in the Stored Communications Act, 18 U.S.C. §§ 2701-12, but without obtaining a warrant.  The suspect argued that the Government’s acquisition of this data without a warrant was an unconstitutional search that violated the Fourth Amendment.  This argument set up a conflict between two lines of Supreme Court precedent: the longstanding third-party doctrine, which holds that information a person voluntarily reveals to others is not protected by the Fourth Amendment; and several recent cases holding that cell phones implicate significant privacy concerns because so many people store large amounts of information on them.

Issue: Whether an individual has a protected privacy interest under the Fourth Amendment in historical cell phone location records.

Court’s Holding: Yes.  The Fourth Amendment protects cell phone location records because of their comprehensive and private nature, even though they are collected and held by the phone company.  The Government must ordinarily obtain a warrant before acquiring the records.
“In light of the deeply revealing nature of [cell site location data], its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection, the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection.” Chief Justice Roberts, writing for the 5-4 majority What It Means: The decision continues a trend of recent Supreme Court decisions limiting Government access to personal information stored electronically.  In United States v. Jones (2012), the Court unanimously rejected the Government’s argument that it could place a GPS tracker on a suspect’s car without a warrant, although it divided as to the reason.  Likewise, in Riley v. California (2014), the Court unanimously declined to allow police officers to routinely search cell phones incident to arrest, based in part on the volume and importance of personal information stored on them. The Court emphasized that its decision was limited to the collection of historical cell phone location records covering an extended period of time.  The Court declined to consider whether the Fourth Amendment protected real-time cell phone location information or historical location data covering a shorter period of time than the Government collected here (seven days).  The Court also emphasized that it was not calling into question conventional surveillance tools such as security cameras, or collection techniques involving foreign affairs or national security. The Court expressly declined to overrule the third-party doctrine.  Instead, it stated that the doctrine should not be extended to historical cell site location data because the breadth and depth of the information available made that data “qualitatively different” from other information that the Court had previously allowed the Government to obtain from third parties without a warrant. 
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court.  Please feel free to contact the following practice leaders: Appellate and Constitutional Law Practice Caitlin J. Halligan +1 212.351.3909 challigan@gibsondunn.com Mark A. Perry +1 202.887.3667 mperry@gibsondunn.com Nicole A. Saharsky +1 202.887.3669 nsaharsky@gibsondunn.com   Related Practice: Privacy, Cybersecurity and Consumer Protection Ahmed Baladi +33 (0) 1 56 43 13 00 abaladi@gibsondunn.com Alexander H. Southwell +1 212.351.3981 asouthwell@gibsondunn.com   Related Practice: White Collar Defense and Investigations Joel M. Cohen +1 212.351.2664 jcohen@gibsondunn.com Charles J. Stevens +1 415.393.8391 cstevens@gibsondunn.com F. Joseph Warin +1 202.887.3609 fwarin@gibsondunn.com   © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

May 7, 2018 |
A Closer Look At Barnes & Noble Data Breach Ruling

Orange County partner Joshua Jessen and associate Ashley Van Zelst are the authors of “A Closer Look At Barnes & Noble Data Breach Ruling,” [PDF] published by Law360 on May 7, 2018.

April 17, 2018 |
Supreme Court Holds That Recent Legislation Moots Dispute Over Emails Stored Overseas

United States v. Microsoft Corp., No. 17-2
Decided April 17, 2018

Today, the Supreme Court held that Microsoft’s dispute with the federal government over the government’s attempts to access email stored overseas is moot.

Background: The Stored Communications Act, 18 U.S.C. § 2701 et seq., authorizes the government to require an email provider to disclose the contents of emails (and certain other electronic data) within its control if the government obtains a warrant based on probable cause. In this case, the federal government obtained a warrant to obtain emails from an email account used in drug trafficking. The drug trafficking allegedly occurred in the United States, but the emails were stored on a data server in Ireland. Microsoft refused to provide the emails on the ground that the Stored Communications Act does not apply to emails stored overseas.

Issue: Whether the Stored Communications Act requires an email provider to disclose to the government emails stored abroad.

Court’s Holding: The case is moot. On March 23, 2018, the President signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which amended the Stored Communications Act so that it now applies to emails stored abroad. The parties’ dispute under the old version of the law therefore was moot.

“No live dispute remains between the parties over the issue with respect to which certiorari was granted.”
Per Curiam

What It Means:

Given passage of the CLOUD Act, there was no longer any need for the Supreme Court to interpret the prior version of the Stored Communications Act. The CLOUD Act requires an email provider to disclose emails, so long as the statute’s procedures have been followed, regardless of whether those emails are “located within or outside of the United States.” CLOUD Act § 103(a)(1) (to be codified at 18 U.S.C. § 2713). But the CLOUD Act permits courts to exempt providers from disclosing emails of customers who are not U.S. citizens or residents, if disclosure would risk violating the laws of certain foreign governments. CLOUD Act § 103(b) (to be codified at 18 U.S.C. § 2703(h)).

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court.  Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice
Caitlin J. Halligan +1 212.351.3909 challigan@gibsondunn.com
Mark A. Perry +1 202.887.3667 mperry@gibsondunn.com
Nicole A. Saharsky +1 202.887.3669 nsaharsky@gibsondunn.com

Related Practice: White Collar Defense and Investigations
Joel M. Cohen +1 212.351.2664 jcohen@gibsondunn.com
Charles J. Stevens +1 415.393.8391 cstevens@gibsondunn.com
F. Joseph Warin +1 202.887.3609 fwarin@gibsondunn.com

Related Practice: Privacy, Cybersecurity and Consumer Protection
Alexander H. Southwell +1 212.351.3981 asouthwell@gibsondunn.com

April 12, 2018 |
Trump Administration Imposes Unprecedented Russia Sanctions

On April 6, 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) significantly enhanced the impact of sanctions against Russia by blacklisting almost 40 Russian oligarchs, officials, and their affiliated companies pursuant to Obama-era sanctions, as modified by the Countering America’s Adversaries Through Sanctions Act (“CAATSA”) of 2017.  In announcing the sanctions, Treasury Secretary Steven Mnuchin cited Russia’s involvement in “a range of malign activity around the globe,” including the continued occupation of Crimea, instigation of violence in Ukraine, support of the Bashar al-Assad regime in Syria, attempts to subvert Western democracies, and malicious cyber activities.[1]  Russian stocks fell sharply in response to the new measures, and the ruble depreciated almost 5 percent against the dollar.[2]

Although this is not the first time that the Trump administration has imposed sanctions against Russia, it is the most significant action taken to date.  In June 2017, OFAC added 38 individuals and entities involved in the Ukraine conflict to OFAC’s list of Specially Designated Nationals (“SDNs”).[3]  The April 6 sanctions added seven Russian oligarchs and 12 companies they own or control, 17 senior Russian government officials, the primary state-owned Russian weapons trading company and its subsidiary, a Russian bank, to the SDN List.[4]  These designations include major, publicly-traded companies that have been listed on the London and Hong Kong exchanges and that have thousands of customers and tens of thousands of investors throughout the world.

OFAC has never designated similar companies, and the potential challenges for global companies seeking to comply with OFAC measures are substantial.  An SDN designation prohibits U.S. persons—including U.S. companies, U.S. financial institutions, and their foreign branches—from engaging in any transactions with the designees or with entities in which they hold an aggregate ownership of 50 percent or more.  The designation of a small company in a regional market can be devastating for the company, but rarely would it impose meaningful collateral consequences on global markets or investors.  In this case, sanctions on companies such as EN+ and RUSAL (amongst others) have already impacted a substantial portion of a core global commodity (the aluminum market) while also preventing further trades in their shares, a move that could harm pension funds, mutual funds, and other investors that have long held stakes worth billions of dollars.

To minimize the immediate disruptions, OFAC issued two time-limited general licenses (regulatory exemptions) permitting companies and individuals to undertake certain transactions to “wind down” business dealings related to the designated parties.[5]  However, our assessment is that disruptions are inevitable, and the size of the sanctions targets in this case means that the general licenses will have potentially limited effect in reducing dislocations.

Background

OFAC’s April 6 designations mark a clear change in tone from the Trump administration, which had initially resisted imposing the full force of CAATSA’s sanctions.  For example, as we wrote in our 2017 Year-End Sanctions Update, CAATSA required the imposition of secondary sanctions on any person the President determined to have been engaging in “a significant transaction with a person that is part of, or operates for or on behalf of, the defense or intelligence sectors of the Government of the Russian Federation.”[6]  On the day such sanctions were to be imposed, State Department representatives provided classified briefings to Congressional leaders to explain their decision not to impose any such sanctions under CAATSA, namely because the Trump administration felt that CAATSA was already having a deterrent effect which removed any immediate need to impose sanctions.[7]

Section 241 of CAATSA also required OFAC to publish a report on January 29, 2018 identifying “the most significant senior foreign political figures and oligarchs in the Russian Federation”[8] (the “Section 241 List”).  The Treasury Department issued the report shortly before midnight on the due date, publicly naming 114 senior Russian political figures and 96 oligarchs.[9]  Although the report did not result in any sanctions or legal repercussions, the public naming of such persons did cause confusion for those who sought to engage with them in compliance with U.S. law.[10]  Most observers were highly critical of the list, claiming that it demonstrated that the Trump administration was failing to adequately address Congressional intent to punish Moscow.  Interestingly, almost all of the oligarchs designated on April 6 originally appeared on the Section 241 List.[11]

Designations

Included among the list of sanctioned parties were seven Russian oligarchs designated for being a Russian government official or operating in the energy sector of the Russian Federation economy, and 12 companies they own or control.
In its press release, OFAC warned that the 12 companies identified as owned or controlled by the designated Russian oligarchs “should not be viewed as exhaustive, and the regulated community remains responsible for compliance with OFAC’s 50 percent rule.”  This rule extends U.S. sanctions prohibitions to entities owned 50 percent or more by blocked persons, even if those companies are not themselves listed by OFAC.  The opacity of ownership in the Russian economy makes the 50 percent rule very difficult to operationalize.

In addition, OFAC designated 17 senior Russian government officials, a state-owned company and its subsidiary.  The sanctioned individuals and entities, as described by OFAC, are listed below.

Designated Russian Oligarchs

1. Vladimir Bogdanov – Bogdanov is the Director General and Vice Chairman of the Board of Directors of Surgutneftegaz, a vertically integrated oil company operating in Russia. OFAC imposed sectoral sanctions on Surgutneftegaz pursuant to Directive 4 issued under E.O. 13662 in September 2014.

2. Oleg Deripaska – Deripaska has said that he does not separate himself from the Russian state.  He has also acknowledged possessing a Russian diplomatic passport, and claims to have represented the Russian government in other countries.  Deripaska has been investigated for money laundering, and has been accused of threatening the lives of business rivals, illegally wiretapping a government official, and taking part in extortion and racketeering.  There are also allegations that Deripaska bribed a government official, ordered the murder of a businessman, and had links to a Russian organized crime group.

3. Suleiman Kerimov – Kerimov is a member of the Russian Federation Council.  On November 20, 2017, Kerimov was detained in France and held for two days.  He is alleged to have brought hundreds of millions of euros into France – transporting as much as 20 million euros at a time in suitcases, in addition to conducting more conventional funds transfers – without reporting the money to French tax authorities.  Kerimov allegedly launders the funds through the purchase of villas.  Kerimov was also accused of failing to pay 400 million euros in taxes.

4. Kirill Shamalov – Shamalov married Putin’s daughter Katerina Tikhonova in February 2013 and his fortunes drastically improved following the marriage; within 18 months, he acquired a large portion of shares of Sibur, a Russia-based company involved in oil and gas exploration, production, processing, and refining.  A year later, he was able to borrow more than $1 billion through a loan from Gazprombank, a state-owned entity subject to sectoral sanctions pursuant to E.O. 13662.  That same year, long-time Putin associate Gennady Timchenko, who is himself designated pursuant to E.O. 13661, sold an additional 17 percent of Sibur’s shares to Shamalov.  Shortly thereafter, Kirill Shamalov joined the ranks of the billionaire elite around Putin.

5. Andrei Skoch – Skoch is a deputy of the Russian Federation’s State Duma.  Skoch has longstanding ties to Russian organized criminal groups, including time spent leading one such enterprise.

6. Viktor Vekselberg – Vekselberg is the founder and Chairman of the Board of Directors of the Renova Group.  The Renova Group is comprised of asset management companies and investment funds that own and manage assets in several sectors of the Russian economy, including energy.  In 2016, Russian prosecutors raided Renova’s offices and arrested two associates of Vekselberg, including the company’s chief managing director and another top executive, for bribing officials connected to a power generation project in Russia.

Designated Oligarch-Owned Companies

7. B-Finance Ltd. – British Virgin Islands company owned or controlled by, directly or indirectly, Oleg Deripaska.

8. Basic Element Limited – Basic Element Limited is based in Jersey and is the private investment and management company for Deripaska’s various business interests.

9. EN+ Group – Owned or controlled by, directly or indirectly, Oleg Deripaska, B-Finance Ltd., and Basic Element Limited.  EN+ Group is located in Jersey and is a leading international vertically integrated aluminum and power producer.  This is a publicly traded company that has been listed, inter alia, on the London Stock Exchange.

10. EuroSibEnergo – Owned or controlled by, directly or indirectly, Oleg Deripaska and EN+ Group.  EuroSibEnergo is one of the largest independent power companies in Russia, operating power plants across Russia and producing around nine percent of Russia’s total electricity.

11. United Company RUSAL PLC – Owned or controlled by, directly or indirectly, EN+ Group.  United Company RUSAL PLC is based in Jersey and is one of the world’s largest aluminum producers, responsible for seven percent of global aluminum production.  This is a publicly traded company that has been listed, inter alia, on the Hong Kong Stock Exchange.

12. Russian Machines – Owned or controlled by, directly or indirectly, Oleg Deripaska and Basic Element Limited.  Russian Machines was established to manage the machinery assets of Basic Element Limited.

13. GAZ Group – Owned or controlled by, directly or indirectly, Oleg Deripaska and Russian Machines.  GAZ Group is Russia’s leading manufacturer of commercial vehicles.

14. Agroholding Kuban – Owned or controlled by, directly or indirectly, Oleg Deripaska and Basic Element Limited.

15. Gazprom Burenie, OOO – Owned or controlled by Igor Rotenberg.  Gazprom Burenie, OOO provides oil and gas exploration services in Russia.

16. NPV Engineering Open Joint Stock Company – Owned or controlled by Igor Rotenberg.  NPV Engineering Open Joint Stock Company provides management and consulting services in Russia.

17. Ladoga Menedzhment, OOO – Owned or controlled by Kirill Shamalov.  Ladoga Menedzhment, OOO is located in Russia and engaged in deposit banking.

18. Renova Group – Owned or controlled by Viktor Vekselberg.  Renova Group, based in Russia, is comprised of investment funds and management companies operating in the energy sector, among others, in Russia’s economy.

Designated Russian State-Owned Firms

19. Rosoboroneksport – State-owned Russian weapons trading company with longstanding and ongoing ties to the Government of Syria, with billions of dollars’ worth of weapons sales over more than a decade.  Rosoboroneksport is being designated under E.O. 13582 for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, the Government of Syria.

20. Russian Financial Corporation Bank (RFC Bank) – Owned by Rosoboroneksport.  RFC Bank is incorporated in Moscow, Russia and its operations include deposit banking activities.

Designated Russian Government Officials

21. Andrey Akimov – Chairman of the Management Board of state-owned Gazprombank

22. Mikhail Fradkov – President of the Russian Institute for Strategic Studies (RISS), a major research and analytical center established by the President of the Russian Federation, which provides information support to the Presidential Administration, Federation Council, State Duma, and Security Council.

23. Sergey Fursenko – Member of the board of directors of Gazprom Neft, a subsidiary of state-owned Gazprom

24. Oleg Govorun – Head of the Presidential Directorate for Social and Economic Cooperation with the Commonwealth of Independent States Member Countries.  Govorun is being designated pursuant to E.O. 13661 for being an official of the Government of the Russian Federation.

25. Alexey Dyumin – Governor of the Tula region of Russia.  He previously headed the Special Operations Forces, which played a key role in Russia’s purported annexation of Crimea.

26. Vladimir Kolokoltsev – Minister of Internal Affairs and General Police of the Russian Federation

27. Konstantin Kosachev – Chairperson of the Council of the Federation Committee on Foreign Affairs

28. Andrey Kostin – President, Chairman of the Management Board, and Member of the Supervisory Council of state-owned VTB Bank

29. Alexey Miller – Chairman of the Management Committee and Deputy Chairman of the Board of Directors of state-owned company Gazprom

30. Nikolai Patrushev – Secretary of the Russian Federation Security Council

31. Vladislav Reznik – Member of the Russian State Duma

32. Evgeniy Shkolov – Aide to the President of the Russian Federation

33. Alexander Torshin – State Secretary – Deputy Governor of the Central Bank of the Russian Federation

34. Vladimir Ustinov – Plenipotentiary Envoy to Russia’s Southern Federal District

35. Timur Valiulin – Head of the General Administration for Combatting Extremism within Russia’s Ministry of Interior

36. Alexander Zharov – Head of Roskomnadzor (the Federal Service for the Supervision of Communications, Information Technology, and Mass Media)

37. Viktor Zolotov – Director of the Federal Service of National Guard Troops and Commander of the National Guard Troops of the Russian Federation

All assets subject to U.S. jurisdiction of the designated individuals and entities, and of any other entities blocked by operation of law as a result of their ownership by a sanctioned party, are frozen, and U.S. persons are generally prohibited from dealings with them.  OFAC’s Frequently Asked Questions (“FAQs”) make clear that if a blocked person owns less than 50 percent of a U.S. company, the U.S. company will not be blocked.  However, the U.S. company (1) must block all property and interests in property in which the blocked person has an interest and (2) cannot make any payments, dividends, or disbursement of profits to the blocked person and must place them in a blocked account at a U.S. financial institution.[12]

Non-U.S. persons could face secondary sanctions for knowingly facilitating significant transactions for or on behalf of the designated individuals or entities.  CAATSA strengthened the secondary sanctions measures that could be used to target such persons, although such measures typically carry less risk because, as a matter of implementation, OFAC traditionally warns those who may be transacting with parties that could subject them to secondary sanctions and provides them with an opportunity to cure.  While this outreach and deterrence model of imposing secondary sanctions was developed under the Obama administration (and resulted in very few impositions of secondary sanctions), the Trump administration could theoretically change it and impose secondary sanctions without the traditional warning.  However, that appears unlikely, and the Trump administration has indicated that it will continue to provide warnings before imposing secondary sanctions.
Two CAATSA provisions bear particular note as they are implicated by Friday’s actions:  section 226, which authorizes sanctions on foreign financial institutions for facilitating a transaction on behalf of a Russian person on the SDN List, and section 228, which seeks to impose sanctions on a person who “facilitates a significant transaction…for or on behalf of any person subject to sanctions imposed by the United States with respect to the Russian Federation.”[13]  OFAC has clarified that the section 228 provision extends to persons listed on either the SDN or the Sectoral Sanctions Identifications (“SSI”) List, as well as persons they may own or control pursuant to OFAC’s 50 percent rule.[14]  As we noted when CAATSA was passed, despite the mandatory nature of these sections, the President appears to retain the discretion to impose restrictions based upon whether he finds certain transactions significant or for other reasons.  With the increase in the SDN list to include major players in global commodities such as EN+ or RUSAL, more companies around the world that rely on these companies could find themselves at least theoretically at risk of being sanctioned themselves.  Companies should also consider this risk where there is reliance on material produced by any company in the Russian military establishment and sold by a Russian state arms company such as Rosoboronexport, which was also sanctioned.

General Licenses

In an effort to minimize the immediate disruptions to U.S. persons and global markets (especially given the sanctioning of major publicly traded corporations that have thousands of clients and investors throughout the world), OFAC issued General Licenses 12 and 13, permitting companies to undertake certain transactions and activities to “wind down” certain business dealings related to certain, listed designated parties.  These General Licenses only cover U.S. persons, which has led some non-U.S. companies to inquire whether their ability to wind down operations with respect to the SDN companies would place them at risk for secondary sanctions (as they would be engaging with sanctioned parties and perhaps trigger the CAATSA provisions above).  OFAC has noted in its FAQs that the U.S. Government would not find a transaction “significant” if a U.S. person would not need a specific license to undertake it.[15]  That is, it would seem that at least for the duration of the General Licenses a non-U.S. party can engage in similar wind down operations without risking secondary sanctions.

General License 12, which expires June 5, 2018, authorizes U.S. persons to engage in transactions and activities with the 12 oligarch-owned designated entities that are “ordinarily incident and necessary to the maintenance or wind down of operations, contracts, or other agreements” related to these 12 entities (as well as those entities impacted by operation of OFAC’s 50 percent rule).  This is a broader wind down provision than OFAC has issued in the past in that it allows not just “wind down” activities but also non-defined “maintenance” activities.  Despite this breadth, it is already uncertain how this General License will actually work in practice.  Permissible transactions and activities include importation from blocked entities and broader dealings with them.  However, no payments are allowed to be made to blocked entities–rather, such payments can only be made to the blocked entities listed in General License 12 into blocked, interest-bearing accounts and reported to OFAC by June 18, 2018 (10 business days after the expiration of the license).[16]  It is not clear why a sanctioned party would wish to deliver goods and services to parties if the sanctioned party cannot be paid.  In line with the FAQ noted above, for non-U.S. companies it would seem that in order to avoid secondary sanctions implications the same restrictions would apply–that is, continued transactions are permitted on a wind down basis, but transfer of funds to the SDN companies could be viewed as “significant” or otherwise sanctionable.

Recognizing how broad the sanctions are and how far they may implicate subsidiaries of SDN companies inside the United States, OFAC’s FAQs clarify that General License 12 generally permits the blocked entities listed to pay U.S. persons their salaries, pension payments, or other benefits due during the wind down period.  U.S. persons employed by entities that are not explicitly listed in General License 12—principally the designated Russian state-owned entities—do not have the benefit of this wind down period.  OFAC FAQs note that such U.S. persons may seek authorization from OFAC to maintain or wind down their relationships with any such blocked entity, but make clear that continued employment or board membership related to these entities is prohibited.[17]  The implications of these restrictions are significant where, as is the case with the blocked entities listed in General License 12, U.S. subsidiaries exist and U.S. persons are involved throughout company operations.

General License 13, which expires May 7, 2018, similarly allows transactions and activities otherwise prohibited under the April 6 sanctions.  This license allows transactions and activities necessary to “divest or transfer debt, equity, or other holdings” in three designated Russian entities:  EN+ Group PLC, GAZ Group, and United Company RUSAL PLC.  Permitted transactions include facilitating, clearing, and settling transactions.  General License 13, however, does not permit any divestment or transfer to a blocked person, including the three entities listed in General License 13.[18]  As with General License 12, transactions permitted under General License 13 must be reported to OFAC within 10 business days after the expiration of the license.

Once again, it is uncertain how the General License will work in practice.  Given the designations, which have depressed the share prices of the sanctioned parties, it is unknown who might be willing to purchase the shares even if U.S. holders are permitted to sell them.

Other Ramifications for Investors, Supply Chains, and Customers

The April 6 sanctions raise other significant questions and practical challenges for U.S. and non-U.S. companies, with particular risks for investors as well as the manufacturers, suppliers, and customers of the SDN companies.

Investors and fund managers will need to conduct significant diligence into the participants and ownership structures of their funds, including fund limited partners, to determine whether sanctioned persons or entities are involved.  Moreover, those who have seen the value of any assets tied to these companies decline significantly are allowed to continue to try to sell their assets to non-U.S. persons.  However, given the challenge in finding buyers and evidence that certain financial institutions and brokers are already refusing to engage in any trades (even during the wind down period), the investment community needs to potentially prepare for long-term holding of blocked assets (by setting up sequestered accounts).

For those within the supply chains of sanctioned companies, from suppliers of commodities to finished goods, as well as customers of sanctioned companies, the concern will be to potentially replace key commercial relationships which will become increasingly difficult (if not prohibited) to maintain.  For companies that have relied on RUSAL, for example, as a source of aluminum or as a customer for their goods, they will potentially need to find replacements.  While aluminum is not in short supply globally, in certain jurisdictions RUSAL has a commanding position and even a monopoly.  It is unclear how companies that seek to be compliant with OFAC regulations will navigate a world in which RUSAL has been a primary or secondary supplier (and there is no clear way to avoid such engagement so long as the company seeks to be active in that jurisdiction and in need of aluminum).  Moreover, it is not just U.S. person counterparties that are likely to be affected by prohibitions on dealing with sanctioned parties.  In line with the FAQ noted above, if non-U.S. companies were to make payments to the sanctioned companies for deliveries, these could be deemed “significant transactions” and could make the non-U.S. companies, themselves, the target of OFAC designations and/or secondary sanctions.  One option—reportedly pursued by one major trading company—is to declare force majeure on contracts with Rusal.

As noted above, relief contemplated by General Licenses 12 and 13 may be operationally difficult to implement.  The sanctions apply to companies 50 percent or more owned or controlled by blocked parties.  Companies will need to undertake, under a short time line, significant due diligence to determine whether any such companies are involved in their operations.  The wind down process may be further complicated by any Russian response to the U.S. sanctions.

What Happens Next?

The April 6 sanctions are likely not the end of the story.  The next steps to watch include:

1. Potential Russian Retaliation:  During an address to the State Duma on April 11, Prime Minister Dmitry Medvedev said, for example, that Russia should consider targeting U.S. goods or goods produced in Russia by U.S. companies when considering a possible response.[19]  Any such measures could implicate further U.S. business dealings with Russian entities, including the blocked entities.

2. Changing Ownership and Structure of Sanctioned Parties:  Given that the sanctioned companies were listed due to their ownership/control by sanctioned persons (pursuant to the 50 percent rule), there have already been moves to dilute their ownership and thus potentially have the companies de-listed.  While possible, it is important to note that because the companies were explicitly listed by OFAC (and now appear on the SDN list), any reduction in ownership or control will not result in an automatic de-listing.  Rather, OFAC will need to process these changes and formally de-list the entities before they can be treated as non-sanctioned.  OFAC could opt not to de-list, or could decide to list the companies on other bases.  Regardless, the process will undoubtedly take some time.  We note that at least one engineering firm whose stock was held by a designated entity has already obtained a license to complete the transfer of these shares; this is helpful precedent for any company impacted but only tangentially related to the designated entities.  Sanctioned entities have also changed their board membership in response to the U.S. sanctions.  On Monday, April 11, for example, the entire board at Renova Management AG, the Swiss subsidiary of the Renova Group, was dismissed after Renova Group’s designation.[20]

3. European Follow On Restrictions:  The shock of many of Europe’s major powers following the poisoning of Sergei and Yulia Skripal in Salisbury in early March and the resulting mass expulsion of Russian diplomats from European capitals suggests that sanctions may be next.  Core European U.S. allies were likely notified in advance of the April 6 measures.  In the run up to sanctions in 2014, Washington and Brussels worked very closely to institute parallel measures against Moscow.  While that unity has broken down under the Trump administration, especially since CAATSA was passed in August, it would appear as though some European sanctions are likely in the offing.

4. OFAC FAQs/Licenses and Potentially New Measures:  Due to the complexity of the April 6 measures, we expect that OFAC will issue additional FAQs and potentially revisions to General Licenses 12 and 13 (or new General Licenses) in the near term to clear up questions and further calibrate the response.  Depending upon next steps from Russia and Europe, we may see additional sanctions as well.  Secretary of State-designate Mike Pompeo’s statement that the United States’ “soft” policy toward Russia is over suggests as much.[21]

Unfortunately, there is no clear path towards a de-escalation in Washington-Moscow tensions.  When the U.S. first issued sanctions against Russia in response to the Crimea incursion in 2014, the sanctions “off-ramp” was very clearly defined: if Russia altered its behavior in Crimea/Ukraine there was a way that sanctions could be removed.  Since 2014, as Secretary Mnuchin noted, Russia’s activities have expanded in scope and territory to include support for the Bashar regime in Syria, election meddling, cyber-attacks, and the nerve agent attack in the United Kingdom.  The breadth and boldness of this activity makes it even more unlikely that Russia will comply with the West’s wishes and thus even less likely that the sanctions would be removed or even reduced at any point in the near term.  For its part, bipartisan Congressional leadership expressed broad support for the Trump administration’s actions—however, Congress will likely demand more from the President in the near term.  Perhaps eager to placate Congress and dispel any notion that he is “soft” on Russia, and buffeted by external circumstances ranging from any potential attack in Syria to the investigation by Robert Mueller, the President may impose still harsher measures on Moscow.
[1] Press Release, U.S. Department of the Treasury, Treasury Designates Russian Oligarchs, Officials, and Entities in Response to Worldwide Malign Activity (Apr. 6, 2018), available at https://home.treasury.gov/news/featured-stories/treasury-designates-russian-oligarchs-officials-and-entities-in-response-to.
[2] Natasha Turak, US sanctions are finally proving a ‘major game changer’ for Russia, CNBC (Apr. 10, 2018), available at https://www.cnbc.com/2018/04/10/us-moscow-sanctions-finally-proving-a-major-game-changer-for-russia.html.
[3] Press Release, U.S. Dep’t of the Treasury, Treasury Designates Individuals and Entities Involved in the Ongoing Conflict in Ukraine (June 20, 2017), available at https://www.treasury.gov/press-center/press-releases/Pages/sm0114.aspx. Designated persons and entities included separatists and their supporters; entities operating in and connected to the Russian annexation of Crimea; entities owned or controlled by, or which have provided support to, persons operating in the Russian arms or materiel sector; and Russian government officials.
[4] U.S. Department of the Treasury, supra, n. 1.
[5] Id.
[6] CAATSA, Title II, § 231(a). Specifically, CAATSA Section 231(a) specified that the President shall impose five or more of the secondary sanctions described in Section 235 with respect to a person the President determines knowingly “engages in a significant transaction with a person that is part of, or operates for or on behalf of, the defense or intelligence sectors of the Government of the Russian Federation, including the Main Intelligence Agency of the General Staff of the Armed Forces of the Russian Federation or the Federal Security Service of the Russian Federation.” The measures that could be imposed under Section 231 are discretionary in nature. The language of the legislation is somewhat misleading in this regard. Section 231 is written as a mandatory requirement—providing that the President “shall impose” various restrictions. However, the legislation itself—and the October 27, 2017 guidance provided by the State Department—makes clear that secondary sanctions are only imposed after the President makes a determination that a party “knowingly” engaged in “significant” transactions with a listed party. The terms “knowingly” and “significant” have imprecise meanings, even under the State Department guidance. OFAC Ukraine-/Russia-related Sanctions FAQs (“OFAC FAQs”), OFAC FAQ No. 545, available at https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#567.
[7] Press Release, U.S. Dep’t of State, Background Briefing on the Countering America’s Adversaries Through Sanctions Act (CAATSA) Section 231 (Jan. 30, 2018), available at https://www.state.gov/r/pa/prs/ps/2018/01/277775.htm.
[8] CAATSA, Title II, § 241.
[9] See U.S. Dep’t of the Treasury, Report to Congress Pursuant to Section 241 of the Countering America’s Adversaries Through Sanctions Act of 2017 Regarding Senior Foreign Political Figures and Oligarchs in the Russian Federation and Russian Parastatal Entities (Unclassified) (Jan. 29, 2018), available at https://www.scribd.com/document/370313106/2018-01-29-Treasury-Caatsa-241-Final.
[10] See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Releases CAATSA Reports, Including on Senior Foreign Political Figures and Oligarchs in the Russian Federation (Jan. 29, 2018), available at https://home.treasury.gov/news/press-releases/sm0271.
[11] The one exception is Igor Rotenberg. Although Igor Rotenberg did not appear on the Section 241 List, his father and uncle were included. According to the April 6 OFAC announcement, Igor Rotenberg acquired significant assets from his father, Arkady Rotenberg, after OFAC designated the latter in March 2014. Specifically, Arkady Rotenberg sold Igor Rotenberg 79 percent of the Russian oil and gas drilling company Gazprom Burenie. Igor Rotenberg’s uncle, Boris Rotenberg, owns 16 percent of the company. Like his brother Arkady Rotenberg, Boris Rotenberg was designated in March 2014.
[12] OFAC FAQ No. 573.
[13] CAATSA, Title II, § 228.
[14] OFAC FAQ No. 546. In its implementing guidance, OFAC confirmed that Section 228 extends to SDNs and SSI entities but clarified that it would not deem a transaction “significant” if U.S. persons could engage in the transaction without the need for a specific license from OFAC. In other words, only transactions prohibited by OFAC—specifically, transactions with SDNs and/or transactions with SSI entities that are prohibited by the sectoral sanctions—will “count” as significant for purposes of Section 228. OFAC also noted that even a transaction with an SSI that involves prohibited debt or equity would not automatically be deemed “significant”—it would need to also involve “deceptive practices,” and OFAC would assess these criteria on a “totality of the circumstances” basis.
[15] OFAC FAQ No. 574.
[16] General License 12; OFAC FAQ No. 569.
[17] See also OFAC FAQ Nos. 567-568.
[18] See also OFAC FAQ Nos. 570-571.
[19] Russia’s Renova says board at its Swiss subsidiary dismissed due to sanctions, Reuters (Apr. 11, 2018), available at https://uk.reuters.com/article/usa-russia-sanctions-renova/russias-renova-says-board-at-its-swiss-subsidiary-dismissed-due-to-sanctions-idUKR4N1NE02P.
[20] Russia ready to prop Up Deripaska’s Rusal as US sanctions bite, Financial Times (Apr. 11, 2018), available at https://www.ft.com/content/4904f6d4-3d97-11e8-b7e0-52972418fec4.
[21] Patricia Zengerle, Lesley Wroughton, As Pompeo signals hard Russia line, lawmakers want him to stand on his own, Reuters (Apr. 12, 2018), available at https://www.reuters.com/article/us-usa-trump-pompeo/as-pompeo-signals-hard-russia-line-lawmakers-want-him-to-stand-on-his-own-idUSKBN1HJ0HO.

The following Gibson Dunn lawyers assisted in preparing this client update: Adam Smith, Judith Alison Lee, Christopher Timura, Stephanie Connor, and Courtney Brown.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the leaders and members of the firm’s International Trade Group.

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

March 7, 2018 |
The Convergence of Law and Cybersecurity

Washington, D.C. associate Melinda Biancuzzo is the co-author of “The Convergence of Law and Cybersecurity,” [PDF] published by Nuix on March 7, 2018.

January 30, 2018 |
Law360 Names Gibson Dunn Among Its 2017 Privacy Practice Groups of the Year

Law360 named Gibson Dunn one of its five Privacy Practice Groups of the Year [PDF] for 2017. Gibson Dunn was selected for being “a go-to firm for tech giants in behind-the-scenes cybersecurity matters”. The firm’s profile was published on January 30, 2018.

January 29, 2018 |
International Cybersecurity and Data Privacy Outlook and Review – 2018

In honor of Data Privacy Day—an international effort to raise awareness and promote privacy and data protection best practices—we recently offered Gibson Dunn’s sixth annual Cybersecurity and Data Privacy Outlook and Review. This year again, in addition to that U.S.-focused report, we offer this separate International Outlook and Review.

As in many recent years, 2017 saw significant developments in the evolution of the data protection and cybersecurity landscape outside the United States:

- Following the adoption of a General Data Protection Regulation governing the collection, processing and transfer of personal data in 2016 (“GDPR”),[1] several Member States of the European Union started to adapt their national legal frameworks in light of the future entry into application of the GDPR on 25 May 2018, and the Article 29 Working Party (“WP29”) provided details regarding the implementation thereof.
- The first proposals for an upcoming European regulation with respect to private life and the protection of personal data in electronic communications, intended to repeal the currently applicable legal framework, were made public (“ePrivacy Regulation”).
- The Member States of the European Union started working on the transposition into national law of the directive on the security of network and information systems (“NIS Directive”).
- The framework for international data transfers between the U.S. and the European Union—the Privacy Shield—was subjected to various legal challenges.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

Table of Contents

I. European Union
  A. Privacy Shield
    1. Reviews of the European Commission and the WP29
    2. Challenges to Privacy Shield
  B. EU Data Protection Regulation and Reform
    1. GDPR
    2. Principal Elements of the GDPR
    3. National Data Protection Reforms Implementing the GDPR
  C. EU Cyber Security Directive
    1. Digital Service Providers
    2. Member State Obligations
    3. Minimum Harmonization and Coordination Among EU Member States
  D. Other EU Developments
    1. Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation
    2. CJEU Case Law
    3. Article 29 Working Party (WP29) Opinions
II. Asia-Pacific and Other Notable International Developments

I. European Union

A. Privacy Shield

On 12 July 2016, the European Commission formally approved the EU-U.S. Privacy Shield (“Privacy Shield”), a framework for navigating the transatlantic transfer of data from the EU to the United States. The Privacy Shield replaces the EU-U.S. Safe Harbor framework, which was invalidated by the European Court of Justice (“ECJ”) on 6 October 2015 in Maximilian Schrems v. Data Protection Commissioner (the “Schrems” decision).[2] We provided an in-depth discussion of the Schrems decision in a previous Outlook and Review.[3]

1. Reviews of the European Commission and the WP29

Following the adoption of the Privacy Shield, the WP29—an advisory body that includes representatives from the data protection authorities of each EU Member State—stated that “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective” during a joint annual review of the Privacy Shield mechanism.[4]

The first review was conducted in mid-September 2017 by the European Commission and U.S. authorities. The European Commission published its report on 18 October 2017.[5] It concluded that the Privacy Shield continues to ensure an adequate level of protection, noting that various important structures and procedures have been put in place by U.S. authorities—namely, new redress possibilities for EU nationals, a complaint-handling and enforcement procedure, an increased level of cooperation with EU data protection authorities, and necessary safeguards for government access to personal data. Overall, the European Commission determined that the framework, including the self-certification process, is functioning well, and the European Commission continues to support the Privacy Shield. The European Commission did, however, make several recommendations to further improve the Privacy Shield’s functioning:

- More proactive and regular monitoring of companies’ compliance with their obligations under the Privacy Shield by the U.S. Department of Commerce, including the use of review questionnaires or annual compliance reports.
- Increased searches for and enforcement against companies that falsely claim to participate in the Privacy Shield by U.S. authorities.
- Raising awareness of how EU individuals can exercise their rights under the Privacy Shield, particularly how they can submit complaints.
- Closer cooperation between EU and U.S. authorities to achieve a consistent interpretation and to develop guidance for companies and enforcers.
- The appointment of a permanent Privacy Shield Ombudsman and the appointment of additional members to the Privacy and Civil Liberties Oversight Board (“PCLOB”).
- A codification of Presidential Policy Directive 28 (“PPD-28”), as part of the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).

It should be noted on this last point that on 19 January 2018 the United States renewed FISA Section 702 without enshrining the protections set forth in the PPD-28.[6] It remains to be seen how this, and the success of efforts to follow up on the other recommendations, will affect the next annual review of the Privacy Shield in fall 2018.
On 28 November 2017, the WP29 released its own opinion on the first annual joint review of the Privacy Shield mechanism.[7] The WP29’s findings are quite different from the Commission’s, as the WP29 identified “significant concerns” with the Privacy Shield’s mechanisms as currently operated. While the WP29 recognized the Privacy Shield as an improvement compared to the invalidated Safe Harbor mechanism, and welcomed the increased transparency of the U.S. government and legislator regarding the use of their surveillance powers, the WP29 set forth several recommendations, namely:

- U.S. authorities should provide more guidance on the principles of the Privacy Shield, particularly regarding transfers, available rights, and recourses and remedies, to make it easier for companies to interpret their obligations and individuals to exercise their rights.
- More oversight by U.S. authorities concerning compliance with Privacy Shield principles—for instance, compliance with limits on monitoring—and more proactive supervision of the participating organizations.
- Distinguishing the status of processors and controllers established in the U.S., as the opinion notes there is currently no differentiation made during the application process between the two.
- Increasing the level of protection concerning profiling data or automated decision-making by creating specific rules to provide sufficient safeguards.
- Avoiding exceptions for the processing of Human Resources (“HR”) data, as according to the WP29 the U.S. Department of Commerce considers HR data too narrowly, allowing for the transfer of some HR data as commercial data.
- Shoring up safeguards against the access of data by U.S. public authorities.
- Addressing the lack of a permanent and independent Ombudsman and the several vacancies on the PCLOB.

The WP29 warned that should their concerns fail to be addressed, the group would then take appropriate actions, including challenging the Privacy Shield before national courts. The WP29 therefore called on the European Commission and U.S. authorities to resume discussions, and to set up an action plan to demonstrate that these concerns will be addressed.

2. Challenges to Privacy Shield

Advocacy groups have already filed challenges to the Privacy Shield. Specifically, in October 2016 Digital Rights Ireland (“DRI”) filed a challenge with a Luxembourg-based General Court, a lower court of the ECJ, to annul the European Commission’s 12 July 2016 Adequacy Decision, which approved and adopted the Privacy Shield.[8] However, this action was dismissed by the General Court of the European Union on 22 November 2017.[9] The European judges held that DRI neither had an interest in bringing proceedings in its own name nor had standing to act in the name of its members and supporters or on behalf of the general public.

This is not the only challenge to the Privacy Shield, however: In 2016, a French privacy advocacy group also challenged the Adequacy Decision in a legal action to the ECJ, claiming that the U.S. Ombudsman redress mechanism is not sufficiently independent and effective and therefore the Adequacy Decision must be annulled.[10] This case remains ongoing.[11]

B. EU Data Protection Regulation and Reform

1. GDPR

On 15 December 2015, the European Commission, the European Parliament, and the European Council agreed to an EU data protection reform to boost the EU Digital Single Market. The bill was adopted by the European Council and the European Parliament in early April 2016 and came into force on 24 May 2016 as the GDPR. However, the GDPR provides for a two-year “grace period,” such that it will not become fully applicable until 25 May 2018.
The GDPR replaces the EU Data Protection Directive[12] and constitutes a set of data protection rules that are directly applicable to the processing of personal data across EU Member States (for additional details regarding the main requirements of the GDPR, please refer to Section 2 below).

2. Principal Elements of the GDPR

The core substantive elements of the GDPR, which will become fully applicable in May 2018, include the following:

Extraterritorial Scope: The GDPR will cover not only data controllers established in the EU, but will also apply to organizations that offer goods or services to residents in the EU, even if these organizations are not established in the EU and do not process data using servers in the EU.[13]

Transparency Principle: Under the GDPR, transparency is a general requirement applicable to three central areas: (i) the provision of information to data subjects; (ii) the way data controllers communicate with data subjects in relation to their rights under the GDPR; and (iii) how data controllers allow and facilitate the exercise of their rights by data subjects. In late 2017, the WP29 made draft Guidelines on transparency public.[14] Even though the final version of this document is not available yet, the purpose of such Guidelines is to provide practical guidance and interpretative assistance on the new transparency obligations resulting from the GDPR.

Consent of the Data Subjects: The GDPR puts emphasis on the notion of consent of data subjects by providing further clarification and specification of the requirements for obtaining and demonstrating valid consent. In November 2017, the WP29 adopted Guidelines specifically dedicated to the concept of consent and focusing on the changes in this respect resulting from the GDPR.[15]

“Right to Be Forgotten”: The GDPR further develops the “right to be forgotten” (formally called the “right to erasure”) whereby personal data must be deleted when an individual no longer wants his or her data to be processed by a company and there are no legitimate reasons for retaining the data.[16] This right was already introduced in the EU Data Protection Directive, and was the object of the litigation before the CJEU in Google Spain SL and Google Inc. v. AEPD and Mario Costeja González.[17] Among other points, the GDPR clarifies that this right is not absolute and will always be subject to the legitimate interests of the public, including the freedom of expression and historical and scientific research. The GDPR also obliges controllers who have received a request for erasure to inform other controllers of such request in order to achieve the erasure of any links to or copy of the personal data involved. This part of the GDPR may impose significant burdens on affected companies, as the creation of selective data destruction procedures often leads to significant costs.

Data Breach Notification Obligation: The GDPR requires data controllers to provide notice of serious security breaches to the competent Data Protection Authority/ies (“DPA(s)”) without undue delay and, in any event, within 72 hours after having become aware of any such breach. The WP29 has issued Guidelines in order to explain the mandatory breach notification and communication requirements of the GDPR as well as some of the steps data controllers and data processors can take to meet these new obligations.[18]

Profiling Activities: The GDPR specifically addresses the use of profiling and other automated individual decision-making. In 2017, the WP29 made Guidelines public in this respect.[19] These clarify the provisions of the GDPR regarding profiling, in particular by defining in more detail what profiling is.

Data Protection Impact Assessment (“DPIA”): Where processing activities are deemed likely to result in high risk to the rights and freedoms of data subjects, the GDPR requires that data controllers carry out, prior to the contemplated processing, an assessment of the impact thereof on the protection of personal data.[20] However, the GDPR does not specifically detail the criteria to be taken into account for determining whether given processing activities represent “high risk.” Instead, the GDPR provides a non-exhaustive list of examples falling within this scope. Similarly, no process for performing DPIAs is detailed as part of the GDPR. Considering the need for additional information in this respect, the WP29 issued Guidelines in 2017 intended to clarify which processing operations must be subject to DPIAs and how they should be carried out.[21] These Guidelines were subsequently revised throughout the year.[22]

Privacy-Friendly Techniques and Practices: “Privacy by design” is the idea that a product or service should be conceived from the outset to ensure a certain level of privacy for an individual’s data. “Privacy by default” is the idea that a product or service’s default settings should help ensure privacy of individual data. The GDPR establishes privacy by design and privacy by default as essential principles. Accordingly, businesses should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for those purposes. These principles will require data controllers to design data protection safeguards into their products and services from the inception of the product development process.
Data Portability: The GDPR establishes a right to data portability, which is intended to make it easier for individuals to transfer personal data from one service provider to another. According to the WP29, as a matter of good practice, companies should develop the means that will contribute to answering data portability requests, such as download tools and Application Programming Interfaces. Companies should guarantee that personal data is transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request. The WP29 has also called on industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.[23] In 2017, the WP29 issued revised Guidelines on the right to data portability providing guidance on the way to interpret and implement the right to data portability introduced by the GDPR.[24]

Competent Supervisory Authority: To date, in the EU the monitoring of the application of data protection rules has fallen almost exclusively under the jurisdiction of national DPAs. Subject to the EU Data Protection Directive and the case law of the CJEU, DPAs only had jurisdiction to find a violation of their data protection laws and impose fines where, inter alia, their respective national laws were applicable.[25] With the adoption of the GDPR, a complex set of rules has been established to govern the applicability of the rules to data controllers that have cross-border processing practices.

First, where a case relates only to an establishment of a data controller or processor in a Member State or substantially affects residents only in a Member State, the DPA of the Member State will have jurisdiction to deal with the case.[26]

Second, in other cases concerning cross-border data processing, the DPA of the main establishment of the controller or processor within the EU will have jurisdiction to act as lead DPA for the cross-border processing of this controller or processor.[27] Articles 61 and 62 provide for mutual assistance and joint operations mechanisms, respectively, to ensure compliance with the GDPR. Furthermore, the lead DPA will need to follow the cooperation mechanism provided in Article 60 with other DPAs “concerned.” Ultimately, the European Data Protection Board (“EDPB,” where all EU DPAs and the European Commission are represented) will have decision-making powers in case of disagreement among DPAs as to the outcome of specific investigations.[28]

Third, the GDPR establishes an urgency procedure that any DPA can use to adopt time-barred measures regarding data processing in case of urgency. These measures will only be applicable in the DPA’s own territory, pending a final decision by the EDPB.[29]

In 2016, the WP29 issued Guidelines that aim to assist controllers and processors in the identification of their lead DPA.[30] These Guidelines were updated in 2017, in particular for addressing circumstances involving joint data controllers.[31]

Governance: Data controllers and processors may be required to designate a Data Protection Officer (“DPO”) in certain circumstances. Small and medium-sized enterprises will be exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
The WP29 has issued Guidelines that clarify the conditions for the designation, position and tasks of the DPO to ensure compliance with the GDPR; these Guidelines were revised in 2017.[32]

These requirements will be supplemented by a much more rigid regime of fines for violations. DPAs will be able to fine companies that do not comply with EU rules up to 4% of their global annual turnover.

3. National Data Protection Reforms Implementing the GDPR

Because the GDPR is a regulation, there is no need for Member States of the European Union to transpose its provisions in order to render them applicable within their national legal systems. However, some Member States nonetheless have adapted their legal frameworks regarding data protection in light of the GDPR.

The GDPR contains provisions granting flexibility to the Member States to implement such adaptations. For example, Article 8 of the GDPR provides specific rules regarding the processing of personal data of children below the age of 16. Nevertheless, Member States may provide by law for a lower age, provided it is not below 13 years. Another example is to be found under Article 58 of the GDPR, as Member States may provide by law that their supervisory authorities have additional powers beyond those already specified under the GDPR.

Below is an overview of the national data protection reforms implemented throughout the European Union during 2017:

| Member State | Status of National Data Protection Reform |
| --- | --- |
| Austria | The Datenschutz-Anpassungsgesetz 2018 was published in July 2017. This act is expected to support the application of the GDPR and will enter into effect by 25 May 2018. The Datenschutzgesetz 2000 will be replaced accordingly. |
| Belgium | Belgium is currently adapting its national data protection legal framework by: (i) reforming the Belgian Privacy Commission (the draft bill in this respect was adopted by the Parliament on 16 November 2017 and was submitted for the King’s approval); and (ii) preparing a framework law for addressing the national considerations resulting from the GDPR (although no draft has been disclosed yet). |
| Bulgaria | In 2017, Bulgaria did not enact or propose a bill concerning GDPR-related privacy issues. |
| Croatia | In 2017, Croatia did not enact or propose a bill concerning GDPR-related privacy issues. |
| Cyprus | In 2017, Cyprus did not enact or propose a bill concerning GDPR-related privacy issues. |
| Czech Republic | A draft Data Protection Act, intended to adapt the current national legal framework to the GDPR, was discussed by the government. The upcoming Data Protection Act is expected to replace the current act on data protection. |
| Denmark | On 25 October 2017, a proposal for a new Data Protection Act implementing the GDPR was made public. This proposal was discussed by the Danish Parliament in late 2017 and is expected to pass in the first months of 2018. |
| Estonia | The Ministry of Justice rendered public a first draft of the legislation intended to implement the GDPR. However, the draft was not submitted to Parliament for review in 2017. |
| Finland | A working group set up by the Ministry of Justice issued a report in June 2017 proposing to replace the current Finnish Data Protection Act with a new act intended to supplement the GDPR when the GDPR enters into application. |
| France | A draft data law intended to modify the current French Data Protection Act was made public in December 2017. It is likely that this initial draft will go through subsequent modifications before the final law is eventually passed. |
| Germany | In June 2017, Germany adapted its Data Protection Act to the GDPR. The previous version of the German Data Protection Act will remain in force until 25 May 2018. |
| Greece | In 2017, Greece did not enact or propose a bill concerning GDPR-related privacy issues. |
| Hungary | In 2017, Hungary launched a public consultation on a proposal to amend the current Hungarian Data Protection Act. This proposal is expected to become final in early 2018. |
| Ireland | In May 2017, Ireland issued a General Scheme of Data Protection Bill providing a general scheme for the act intended to give effect to and complement the GDPR. |
| Italy | On 6 November 2017, the Italian Parliament passed a law (Law No. 163) adopting specific provisions with respect to the GDPR. The currently applicable Italian Data Protection Code is to be modified within 6 months from the passage of Law No. 163. |
| Latvia | Latvia made public a draft Personal Data Processing Law in October 2017. |
| Lithuania | The law applicable in Lithuania (i.e., the Lithuanian Law on Legal Protection of Personal Data) is currently being amended so as to integrate the requirements of the GDPR. |
| Luxembourg | The government of Luxembourg proposed a bill specifically addressing data protection in order to adapt the local law to the requirements of the GDPR. |
| Malta | In 2017, Malta did not enact or propose a bill concerning GDPR-related privacy issues. |
| Netherlands | The data protection law currently applicable in the Netherlands results from the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens). This Act will no longer be applicable after the GDPR enters into effect in May 2018. |
| Poland | In September 2017, Poland published a draft Personal Data Protection Act, intended to provide a legal framework for the GDPR. This draft was made subject to public consultations and is expected to be enacted in 2018, prior to the entry into application of the GDPR. |
| Portugal | In 2017, Portugal did not enact or propose a bill concerning GDPR-related privacy issues. |
| Romania | Draft legislation for implementing the GDPR was disclosed and submitted for public debate in 2017. |
| Slovakia | On 29 November 2017, the Slovakian Data Protection Act was adopted by the Slovak Parliament with an entry into force on the same date as the GDPR. |
| Slovenia | The currently applicable Slovenian Data Protection Act is expected to be repealed by a new data protection act (“ZVOP-2”) intended to ensure the proper implementation of data protection requirements following the entry into application of the GDPR. ZVOP-2 was subject to the legislative process in 2017 and is likely to be adopted in early 2018. |
| Spain | A bill regarding data protection intended to amend the current legal framework was published and made subject to debate, with an eye toward eventual approval by the Spanish Parliament. |
| Sweden | A report of the Swedish government proposing provisions intended to complement the GDPR was issued in May 2017, but no government bill was passed in this respect during 2017. |
| United Kingdom | On 14 September 2017, the Data Protection Bill was published with the aim to modernize data protection law. Even though the Data Protection Bill has a wider scope than the mere adaptation of national law to the GDPR, one of its core features includes detailing how the UK uses the flexibility granted by the GDPR to Member States with respect to specific data protection issues. |

C. EU Cyber Security Directive

On 6 July 2016, the European Parliament officially adopted the Network and Information Security (“NIS”) Directive,[33] which is expected to be fully applicable (via national regulations) as of May 2018. The NIS Directive is the first set of cybersecurity rules to be adopted on the EU level, adding to an already complex array of laws with which companies must comply when implementing security and breach response plans. It aims to set a minimum level of cybersecurity standards and to streamline cooperation between EU Member States at a time of growing cybersecurity breaches.
In February 2017, the European Agency for Network and Information Security (“ENISA”) issued guidelines on incident notification for digital service providers in the context of the NIS Directive, in order to provide practical information on the cases covered by the NIS Directive and the actions to be taken in such cases.[34]

More details as to how the NIS Directive will be implemented at the local level were also disclosed in 2017, as Member States started to adopt national legislation transposing the NIS Directive. For example, in France, a national bill transposing the NIS Directive was adopted by the French Senate on 19 December 2017. This bill specifies fines of up to EUR 100,000 if officers of essential service providers do not comply with the security requirements specified by the French Prime Minister, and fines of up to EUR 75,000 if such officers do not comply with the obligation to notify data breaches. For legal persons, the fines for non-compliance with the security requirements specified by the French Prime Minister can be up to EUR 500,000, and up to EUR 375,000 where data breaches are not duly notified.

The final text of the NIS Directive sets out separate cybersecurity obligations for essential service providers and digital service providers:

- Essential service providers include actors in the energy, transport, banking and financial markets, health, water and digital infrastructure[35] sectors.

- Digital service providers will include online marketplaces, search engines and cloud services (with an exemption for companies with fewer than 50 employees), but not social networks, app stores or payment service providers.

In terms of geographic scope, the NIS Directive aims to address potential incidents taking place “within the [European] Union”[36] and will apply to all entities providing the above services[37] within the EU territory or to EU residents, regardless of their physical location. In particular, all digital service providers that are not established in the EU, but offer services covered by the NIS Directive within the EU, are required to designate an EU-based representative.[38]

Companies covered by the NIS Directive will have to ensure that their digital infrastructure is robust enough to withstand cyber-attacks and may need to report major security incidents to the national authorities. Businesses will also be required to apply procedures demonstrating effective use of security policies and measures.

1. Digital Service Providers

Digital service providers will be obliged to report all incidents that have a “substantial impact” on their services (in terms of the duration, geographic spread and number of users affected by the incident).[39] It will be up to regulators to decide whether to inform the public about these incidents after consulting the company involved. As a practical matter, the NIS Directive states that jurisdiction over a digital service provider should be attributed to the Member State in which it has its main EU establishment, which in principle corresponds to the place where the provider has its head office in the EU.[40] Digital service providers not established in the EU will be deemed to be under the primary jurisdiction of the Member State where their EU representative has been appointed.[41]

Notably, where an incident involves personal data, there may be an additional requirement to report to DPAs under the GDPR, which will come into effect on 25 May 2018. As indicated above, the GDPR will also have a reporting provision for data breaches, although its notification obligation focuses on the protection of personal information, in contrast to the NIS Directive’s reporting requirement, which is aimed at improving computer and information technology systems overall. Thus, it is possible that a single cybersecurity breach will need to be notified to more than one authority in each EU Member State affected.

2. Member State Obligations

The NIS Directive itself is not directly applicable. It will first have to be transposed and implemented into national law by the Member States by May 2018. Member States will need to, for example, designate the competent national authorities, identify operators of essential services, indicate which types of incidents they must report and establish sanctions for failure to notify.[42] National procedural rules (for both administrative and court proceedings) will govern the application of the NIS Directive and the relevant national laws to affected entities.[43]

In addition, each Member State is to adopt a national strategy to maintain the security of network and information systems and will designate one or more national competent authorities to monitor the application of the NIS Directive. They are also to designate one or more Computer Security Incident Response Teams (“CSIRTs”) responsible for monitoring and responding to incidents and providing early warnings about risks.

3. Minimum Harmonization and Coordination Among EU Member States

The clear aim of the NIS Directive is to harmonize the EU Member State rules applicable to the security levels of network and information systems across the EU. However, given the strategic character of certain services covered by the NIS Directive, it gives some powers and margin of discretion to Member States. For example, the NIS Directive mandates each EU Member State to adopt a national strategy on the security of network and information systems, defining the objectives, policies and measures envisaged with a view to achieving the aims of the NIS Directive.[44] Thus, despite the ability of Member States to seek the assistance of ENISA, the development of a strategy will remain a national competence.

Furthermore, as far as operators of essential services are concerned, EU Member States will identify the relevant operators subject to the NIS Directive and may impose stricter requirements than those laid down in the NIS Directive (in particular with regard to matters affecting national security).[45] In contrast, Member States should not identify digital service providers (as the NIS Directive applies to all digital service providers within its scope) and, in principle, may not impose any further obligations on such entities.[46] The European Commission retains powers to adopt implementing rules regarding the application of the security and notification requirements applicable to digital service providers.[47] It is expected that these rules will be developed in cooperation with ENISA and stakeholders, and will enable uniform treatment of digital service providers across the EU. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a digital service provider is not complying with its obligations under the NIS Directive.

Another tool for coordination among authorities will be the envisaged “Cooperation Group,” similar to the WP29 currently operating under the 1995 Data Privacy Directive. The Cooperation Group will bring together the regulators of all EU Member States, who have different legal cultures and hold different approaches to IT and security matters (e.g., those affecting national security). It is therefore expected that the European Commission will play an active role in building trust and consensus among the Cooperation Group’s members with a view to providing meaningful and clear guidance to businesses.

D. Other EU Developments

1. Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation

2016 saw the initiation of the procedures for reforming the EU’s main set of rules on ePrivacy, the ePrivacy Directive.
In this context, further to a public consultation held by the European Commission, a draft of the future EU ePrivacy Regulation (the “draft ePrivacy Regulation”) was leaked in December 2016.[48] This draft was followed by the release of the European Commission’s final proposal on 10 January 2017,[49] which, despite some changes, is mostly similar to the leaked version. Later in 2017, the European Commission’s proposal was followed by an Opinion of the WP29 released on 4 April 2017.[50] The European Parliament also proposed an amended version on 20 October 2017,[51] and discussions at the Council of the European Union are still ongoing to adopt a final proposal, even though a first redraft has already been published.[52]

a. The European Commission’s ePrivacy Regulation proposal

The Commission’s ePrivacy Regulation proposal released in January 2017 seeks to accommodate the reform of the ePrivacy regime to the feedback received from stakeholders and the WP29. In summary, the draft ePrivacy Regulation prepared by the European Commission constitutes a more comprehensive piece of legislation that aims to fix and close certain open issues identified in the application of the ePrivacy Directive:

Regulation versus Directive: The draft instrument intended to replace the ePrivacy Directive is a Regulation. Under EU law, a Directive is an instrument that only binds EU Member States as to its content and objectives; it cannot be directly applied against individuals, and needs to be transposed into national laws and regulations for its terms to be fully effective. The ePrivacy Directive has been incorporated into numerous different acts and regulations at the national level, which are subject to uneven enforcement by the respective national authorities. The European Commission’s proposal to replace the ePrivacy Directive with a Regulation means that its terms will in principle apply directly across all EU Member States. This decision is consistent with the approach adopted with regard to the GDPR. Although Member States will still be given some freedom to deviate from the ePrivacy Regulation (particularly in the area of national security), the choice to adopt a Regulation will increase the homogeneous application of the ePrivacy Regulation across all EU Member States.

Alignment with the GDPR: A number of provisions in the draft ePrivacy Regulation demonstrate alignment with the GDPR. For example, as with the GDPR, the draft ePrivacy Regulation has a broad territorial scope and applies to the provision of electronic communication services (e.g., voice telephony, SMS services) from outside the EU to residents in the EU. As indicated below, the draft ePrivacy Regulation also aims to close the gap with the GDPR from an enforcement perspective, by empowering DPAs to monitor the application of the privacy-related provisions of the draft ePrivacy Regulation under the conditions established in the GDPR. The regime for sanctions is also aligned with the GDPR, providing for fines of up to EUR 20 million or 4% of worldwide annual turnover to be imposed on organizations for certain infringements (e.g., breaches of secrecy requirements, cookies requirements and the rules on the use of metadata). From a substantive perspective, the definitions of a number of legal concepts used in both the GDPR and the draft ePrivacy Regulation have also been aligned (e.g., the conditions for “consent,” and the “appropriate technical and organizational measures to ensure a level of security appropriate to the risks”).

Inclusion of OTT Service Providers: In response to the feedback of stakeholders, the draft ePrivacy Regulation indicates that the new Regulation will apply to providers of services that run over the Internet (referred to as “over-the-top” or “OTT” service providers), such as instant messaging services, video call service providers and other interpersonal communications services.[53] This expansion in scope is achieved by the draft’s broad definition of “electronic communications services,” and is consistent with the regulatory overhaul currently ongoing in the field of electronic communications.[54]

Cookies and Other Connection Data: Like the ePrivacy Directive, the draft ePrivacy Regulation contains a provision that addresses the circumstances under which the storage and collection of data on users’ devices is lawful. These practices can continue to be based on the prior consent obtained from users. Absent users’ consent, according to the draft ePrivacy Regulation, it will still be possible to carry out these practices provided that:[55]

- they serve the purpose of carrying out (not facilitating) the transmission of a communication over an electronic communications network; or

- they are necessary (albeit not strictly necessary) for providing: (i) a service requested by the end user; or (ii) first-party web audience measuring.

The recitals of the draft ePrivacy Regulation suggest that the circumstances in which consent is not required can be interpreted more broadly than under the current ePrivacy Directive.[56] For example, first-party analytics cookies, cookies used to give effect to users’ website preferences and cookies required to fill out online forms could be understood to be exempt from the consent requirement.[57]

The ePrivacy Regulation contains a new set of seemingly more stringent rules applicable to the “collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment.” Under the current draft, this collection may only occur “if it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection,” and is subject to significant information and consent requirements.[58]

Marketing Communications: The draft ePrivacy Regulation requires all end users (including corporate and individual subscribers) to consent to direct marketing communications undertaken via electronic communications services. While telephone marketing continues to be permitted on an opt-out basis, the draft ePrivacy Regulation requires entities placing marketing calls to use a specific code or prefix identifying the call as a marketing call.[59]

Supervisory Authorities and EDPB: One of the novelties introduced by the draft ePrivacy Regulation is a section devoted to the appointment and powers of national supervisory authorities.[60] The relevant provisions clarify that the DPAs responsible for monitoring the application of the GDPR shall also be responsible for monitoring the application of the provisions of the draft ePrivacy Regulation related to privacy in electronic communications, and that the rules on competence, cooperation and powers of action of DPAs foreseen in the GDPR also apply to the draft ePrivacy Regulation.
Finally, the EDPB is empowered to ensure the consistent application of the relevant provisions of the draft ePrivacy Regulation.

Implementation: The draft provides for the ePrivacy Regulation to enter into force on 25 May 2018, at the same time as the GDPR. However, it is highly unlikely to come into force on that date, or even any time later in 2018.

b. The WP29 Opinion on the European Commission Proposal

Following the release of the European Commission’s proposal, the WP29 released its opinion on the proposed regulation in April 2017.[61] The WP29 stated that it “welcomes the proposal” and “the choice for a regulation as the regulatory instrument.” More broadly, it supported the approach of the regulation and its broad scope, along with its principle of “broad prohibitions and narrow exceptions.” However, it highlighted four points of “grave concern” that would “lower the level of protection enjoyed under the GDPR” if adopted, and made recommendations in this respect concerning:

- The rules concerning the tracking of the location of terminal equipment, for instance WiFi tracking, which are inconsistent with the rules of the GDPR. The WP29 advised the European Commission to “promote a technical standard for mobile devices to automatically signal an objection against such tracking.”

- The conditions under which content and metadata can be analyzed, which should be limited: consent of all end-users (senders and recipients) should be the principle, with limited exceptions for “purely personal purposes.”

- Barriers used by some websites to completely block access to the service unless visitors agree to third-party tracking, known as “tracking walls,” which should be explicitly prohibited to give individuals the choice to refuse such tracking while still being able to access the website.

- Terminal equipment and software, which should offer “privacy protective settings” by default, in addition to allowing the user to adjust these settings. It is interesting to note that this was initially in the Commission’s leaked draft but not in its final proposal.

The WP29 expects that its concerns will be addressed during the ongoing legislative process.

c. The European Parliament’s amended proposal

In October 2017, the European Parliament proposed an amended version of the European Commission’s proposal.[62] It draws on some of the propositions made by the WP29. For example, the Parliament’s version is more stringent on the use of personal data and users’ privacy. Some of the notable changes include:

- The prohibition on blocking access to a service solely because the user has refused the processing of personal data which is not necessary for the functioning of the service.

- The requirement for providers of electronic communications services to ensure the confidentiality of the data, for instance with end-to-end encryption and the prohibition of backdoors.

- The requirement for browsers to block third-party cookies by default until the user has adjusted his/her cookie settings.

- The prohibition of “cookie walls” and cookie banners that prevent the use of the service unless users agree to all cookies.

In addition to the Parliament’s version, the Council of the European Union has also published a working proposal.[63] However, it is merely a draft of the presidency of the Council, which has yet to adopt a final proposal. Bulgaria, which holds the presidency of the Council of the European Union during the first half of 2018, has indicated that it intends to focus on moving negotiations ahead on the ePrivacy Regulation.[64] Tripartite negotiations will then need to begin in order to agree upon a common text to be adopted. In any case, it most likely will not be adopted by May 2018 as initially planned.

2. CJEU Case Law

2017 has also witnessed important cases before the Court of Justice of the European Union (“CJEU”).

a. The Determination of the Data Controller and Applicable Law

Under the EU Data Protection Directive, the applicability of the data protection laws of a Member State depends primarily on the existence of a relevant “establishment” in that Member State. In past years, the concept of “establishment” gave rise to considerable debate. (See, for example, the 2016 ruling in the Verein für Konsumenteninformation v. Amazon EU Sàrl case,[65] repeating the CJEU’s findings in the Weltimmo judgment of 1 October 2015,[66] where it defined broadly the concept of “establishment” contained in Article 4(1)(a) of the EU Data Protection Directive.) While the CJEU has indicated that the absence of “a branch or subsidiary in a Member State does not preclude [the controller] from having an establishment there within the meaning of Article 4(1)(a)” (e.g., through the existence of other stable arrangements, like an office), such an establishment cannot be presumed to exist “merely […] because the undertaking’s website is accessible there.”

Regarding the interpretation of the notion of “establishment,” additional information was brought to light in the course of 2017. Indeed, on 24 October 2017, Advocate General Bot made public his opinion regarding the determination of the applicable law in a case where data processing activities were performed through a social media page.[67] A German company set up a fan page through a U.S.-based social network, which provided statistics based on the personal data of the visitors (such as their preferences and habits) to the company administering the fan page. The data protection authority of Schleswig-Holstein required the German company to shut down its fan page, as neither the social media site nor the company itself allegedly informed visitors that their personal data was used for this particular purpose. The German Federal Administrative Court sought a preliminary ruling from the CJEU, requesting clarification.

In his opinion, Advocate General Bot first determined that the company administering the fan page was a joint controller with the social media company regarding the collection of personal data. Second, Advocate General Bot held that data processing is carried out in the context of the activities of an establishment of the controller on the territory of a Member State when an undertaking operating a social network sets up in that Member State a subsidiary which is intended to promote and sell advertising space offered by that undertaking and which directs its activities toward residents in that Member State.[68] It is worth noting, however, that the opinion of Advocate General Bot in this respect is controversial. A ruling from the CJEU, which could either follow the opinion of Advocate General Bot or depart from it, is expected in 2018.

b. Claims Assignment

On 14 November 2017, Advocate General Bobek delivered his opinion on the Maximilian Schrems v. Facebook Ireland Limited case pending before the CJEU.[69] Mr. Schrems had started legal proceedings against Facebook Ireland Limited before a court in Austria, which raised the question of whether jurisdiction was established in the domicile of a consumer claimant who was assigned claims by other consumers, thus opening up the possibility of collecting consumer claims from around the world. Advocate General Bobek held that a consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers domiciled in other places in the same Member State, in other Member States, or in non-member States.

c. Outlook

On 3 October 2017, the Irish High Court referred the issue of the validity of the standard contractual clauses decisions to the CJEU for a preliminary ruling.[70] If the CJEU were to invalidate the standard contractual clauses, this ruling would in all likelihood have a tremendous impact on businesses around the world, many of which rely on these legal warranties to ensure an adequate level of data protection for data transfers outside the European Union.

3. Article 29 Working Party (WP29) Opinions

As indicated above, during 2017 the WP29 issued several Guidelines concerning the application of the GDPR to the right to data portability, the appointment and duties of DPOs, the identification of lead DPAs, the concepts of consent and transparency, and other issues. In parallel, within the framework of the GDPR, the WP29 also adopted Guidelines intended for use by the supervisory authorities to ensure better application and enforcement of the GDPR regarding the application and setting of administrative fines.[71]

In addition to the abovementioned Guidelines, the WP29 issued various opinions regarding the key issues of the Law Enforcement Directive No. 2016/680,[72] data processing in the context of Cooperative Intelligent Transport Systems (C-ITS),[73] and data processing at work,[74] as well as the draft ePrivacy Regulation proposal.[75] The WP29 also made public some working documents on the adequacy referential within the framework of data transfers to third countries[76] and the elements and principles to be found in Binding Corporate Rules.[77]

II. Asia-Pacific and Other Notable International Developments

In an increasingly connected world, 2017 also saw many other countries try to get ahead of the challenges within the cybersecurity and data protection landscape.
Several international developments bear brief mention here:

- On 1 June 2017, China’s Cybersecurity Law went into effect, becoming the first comprehensive Chinese law to regulate how companies manage and protect digital information. The law also imposes significant restrictions on the transfer of certain data outside of the mainland (data localization), enabling government access to such data before it is exported.[78] Despite protests and petitions by governments and multinational companies, the implementation of the Cybersecurity Law continues to progress with the aim of regulating the behavior of many companies in protecting digital information.[79] While the stated objective is to protect personal information and individual privacy and, according to a government statement in China Daily, a state media outlet, to “effectively safeguard national cyberspace sovereignty and security,” the law in effect gives the Chinese government unprecedented access to network data for essentially all companies in the business of information technology.[80] Notably, key components of the law disproportionately affect multinationals because the data localization requirement obligates international companies to store data domestically and to undergo a security assessment by supervisory authorities for important data that needs to be exported out of China. Though the law imposes more stringent rules on critical information infrastructure operators (whose information could compromise national security or public welfare) than on network operators (a category that could include virtually all businesses using modern technology), the law effectively subjects a majority of companies to government oversight. As a consequence, the reality for many foreign companies is that these requirements are likely to be onerous, to increase the costs of doing business in China, and to heighten the risk of exposure to industrial espionage.[81] Despite the release of additional draft guidelines meant to clarify certain provisions of the law, the general outlook is that the law is still a work in progress, with its scope and definitions still vague and uncertain.[82] Nonetheless, companies should endeavor to assess their data and information management operations to evaluate the risks of the expanding scope of the data protection law, as well as their risk appetite for compliance with the Chinese government’s access to their network data.

- With the growing threat of hacking and identity theft, the Personal Data Protection Commission of Singapore issued proposed advisory guidelines on 7 November 2017 for the collection and use of national registration identification numbers. The guidance, which covers a great deal of personal and biometric data, emphasized the obligations of companies to ensure that policies and practices are in place to meet the data protection obligations under the Personal Data Protection Act of 2012. The Commission is giving businesses and organizations 12 months from publication to review their processes and implement the necessary changes to ensure compliance.[83]

- Several other countries, such as Australia and Turkey, also sought to address privacy issues and published important guidelines regarding procedures for deleting, destroying, and anonymizing personal data. Other countries, like Argentina, forged ahead with an overhaul of the country’s data protection regime by publishing a draft data protection bill that would align the country’s privacy laws with the GDPR requirements of the European Union.[84]

- There has also been civic engagement with the public, as a number of countries solicited public comments on certain proposed regulations. For example, Canada opened up for comments a proposed regulation that would mandate reporting of privacy breaches under its Personal Information Protection and Electronic Documents Act of 2015, while India recently issued a white paper inviting comments that would inform the legal framework for drafting a data protection bill to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”[85]

[1] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1-88, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.

[2] Case C-362/14, Maximillian Schrems v. Data Protection Commissioner (Oct. 6, 2016), European Court of Justice.

[3] For a detailed analysis of the Schrems decision, please see Gibson Dunn Client Alert: Cybersecurity and Data Privacy Outlook and Review: 2016 (Jan. 28, 2016), available at http://www.gibsondunn.com/publications/Pages/Cybersecurity-and-Data-Privacy-Outlook-and-Review–2016.aspx.

[4] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf.

[5] http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619.

[6] https://www.whitehouse.gov/briefings-statements/statement-president-fisa-amendments-reauthorization-act-2017/.

[7] http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48782.

[8] http://curia.europa.eu/juris/document/document.jsf?text=&docid=185146&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=320298.

[9] Order of the General Court of the European Union, Digital Rights Ireland v. Commission, 22 November 2017, T-670/16.

[10] http://curia.europa.eu.

[11] http://curia.europa.eu.
[12] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, pp. 31-50.
[13] See GDPR, at Article 3.
[14] See WP29, Guidelines on Transparency under Regulation 2016/679 (WP260; draft not adopted yet), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[15] See WP29, Guidelines on Consent under Regulation 2016/679 (WP259; 28 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[16] See GDPR, at Article 17.
[17] See EU Data Protection Directive, at Articles 12 and 14; and Case C-131/12 Google Spain SL and Google Inc. v. AEPD and Mario Costeja González ECLI:EU:C:2014:317.
[18] See WP29, Guidelines on Personal Data Breach Notification under Regulation 2016/679 (WP250; 3 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[19] See WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251; 3 October 2017).
[20] See GDPR, at Article 35.
[21] See WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[22] See WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248; 4 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[23] See WP29, Guidelines on the right to data portability (WP 242; 13 December 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf.
[24] See WP29, Guidelines on the right to data portability (WP242 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[25] See EU Data Protection Directive, at Articles 4(1) and 28; and Case C-230/14 Weltimmo s.r.o v. Nemzeti Adatvédelmi és Információszabadság Hatóság ECLI:EU:C:2015:639.
[26] See GDPR, at Article 56(2).
[27] See GDPR, at Article 56(1).
[28] See GDPR, at Article 63.
[29] See GDPR, at Article 66.
[30] See WP29, Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority (WP 244; 13 December 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf.
[31] See WP29, Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority (WP244 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[32] See WP29, Guidelines on Data Protection Officers (‘DPOs’) (WP243 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[33] See Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1-30, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC.
[34] See ENISA, Incident Notification for DSPs in the Context of the NIS Directive: A Comprehensive Guideline on How to Implement Incident Notification for Digital Service Providers, in the Context of the NIS Directive, February 2017, available at https://www.enisa.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive/.
[35] E.g., domain name systems (DNS) providers and top level domain (TLD) registries; see Article 4, NIS Directive.
[36] See NIS Directive, at Article 1(1).
[37] With regard to essential services, the NIS Directive will apply to all entities identified by the respective national authorities as “essential” providers of such services in that Member State, see NIS Directive, at Article 5(2).
[38] See NIS Directive, at Article 18(2).
[39] See NIS Directive, at Article 16(3).
[40] See NIS Directive, at Article 18(1). This criterion will not depend on whether the network and information systems are physically located in a given place. See NIS Directive, at Recital 64.
[41] See NIS Directive, at Article 18(2).
[42] Member States will have an additional six months after the transposition into national law to identify operators of essential services (i.e., a total of 27 months). See NIS Directive, at Article 5(1).
[43] These should respect the fundamental rights of the effective remedy and the right to be heard. See NIS Directive, at Recital 75.
[44] See NIS Directive, at Article 7.
[45] See NIS Directive, at Recital (57) and Article 3.
[46] See NIS Directive, at Article 16(10).
[47] See NIS Directive, at Articles 16(8) and (9).
[48] See Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and personal data in electronic communications and repealing Directive 2002/58/EC (‘Privacy and Electronic Communications Regulation’), available at http://www.politico.eu/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf.
[49] https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation.
[50] http://ec.europa.eu/newsroom/document.cfm?doc_id=44103.
[51] http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN.
[52] https://iapp.org/resources/article/council-of-the-eu-eprivacy-regulation-proposal-december-2017/.
[53] See draft ePrivacy Regulation, at Recital (13). See Explanatory Memorandum, at Section 3.2.
[54] See, e.g., Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast), COM/2016/0590, available at http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=comnat:COM_2016_0590_FIN.
[55] See draft ePrivacy Regulation, at Article 8(1).
[56] However, in practice, the WP29 had already expressed the possibility that operators do not obtain consent for the setting and receipt of cookies in some of the circumstances now covered in the draft ePrivacy Regulation, provided that certain conditions are met. See WP29, Opinion 04/2012 on Cookie Consent Exemption (WP 194; 7 June 2012), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf.
[57] See draft ePrivacy Regulation, at Recital (25).
[58] See draft ePrivacy Regulation, at Article 8(2).
[59] See draft ePrivacy Regulation, at Article 16.
[60] See draft ePrivacy Regulation, at Articles 18 ff.
[61] See WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[62] See European Parliament’s proposal, available at http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN.
[63] See Council of the European Union’s working proposal, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_11995_2017_INIT&from=EN.
[64] https://www.euractiv.com/section/digital/news/bulgaria-makes-telecoms-overhaul-a-focus-during-council-presidency/.
[65] See Case C-191/15 Verein für Konsumenteninformation v. Amazon EU Sàrl, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1126849.
[66] See Case C-230/14 Weltimmo s.r.o v. Nemzeti Adatvédelmi és Információszabadság Hatóság ECLI:EU:C:2015:639.
[67] See Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH.
[68] See Opinion of Advocate General Bot delivered on 24 October 2017, Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH.
[69] See Opinion of Advocate General Bobek on Case C-498/16 Maximilian Schrems v. Facebook Ireland Limited.
[70] See Irish High Court Commercial, The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, 2016 No. 4809 P.
[71] See WP29, Guidelines on the Application and Setting of Administrative Fines for the Purposes of the Regulation 2016/679 (WP253; 3 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[72] See WP29, Opinion on Some Key Issues of the Law Enforcement Directive (EU 2016/680) (WP258; 29 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[73] See WP29, Opinion 03/2017 on Processing Personal Data in the Context of Cooperative Intelligent Transport Systems (C-ITS) (WP252; 4 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[74] See WP29, Opinion 2/2017 on Data Processing at Work (WP249; 8 June 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[75] See WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[76] See WP29, Adequacy Referential (updated) (WP254; 28 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[77] See WP29, Working Document Setting up a Table with the Elements and Principles to be Found in Binding Corporate Rules (WP256 and WP257; 29 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[78] See FT Cyber Security, “China’s cyber security law rattles multinationals,” Financial Times (30 May 2017), available at https://www.ft.com/content/b302269c-44ff-11e7-8519-9f94ee97d996.
[79] Alex Lawson, “US Asks China Not To Implement Cybersecurity Law,” Law360 (Sept. 27, 2017), available at https://www.law360.com/articles/968132/us-asks-china-not-to-implement-cybersecurity-law.
[80] Sophie Yan, “China’s new cybersecurity law takes effect today, and many are confused,” CNBC.com (1 June 2017), available at https://www.cnbc.com/2017/05/31/chinas-new-cybersecurity-law-takes-effect-today.html.
[81] Christina Larson, Keith Zhai, and Lulu Yilun Chen, “Foreign Firms Fret as China Implements New Cybersecurity Law,” Bloomberg News (24 May 2017), available at https://www.bloomberg.com/news/articles/2017-05-24/foreign-firms-fret-as-china-implements-new-cybersecurity-law.
[82] Clarice Yue, Michelle Chan, Sven-Michael Werner and John Shi, “China Cybersecurity Law update: Draft Guidelines on Security Assessment for Data Export Revised!,” Lexology (Sept. 26, 2017), available at https://www.lexology.com/library/detail.aspx?g=94d24110-4487-4b28-bfa5-4fa98d78a105.
[83] Singapore Personal Data Protection Commission, Proposed Advisory Guidelines on the Personal Data Protection Act For NRIC Numbers, published 7 November 2017, available at https://www.pdpc.gov.sg/docs/default-source/public-consultation-6—nric/proposed-nric-advisory-guidelines—071117.pdf?sfvrsn=4.
[84] Office of the Australian Information Commissioner, “De-identification Decision-Making Framework,” Australian Government (Sept. 18, 2017), available at https://www.oaic.gov.au/agencies-and-organisations/guides/de-identification-decision-making-framework; Lyn Nicholson, “Regulator issues new guidance on de-identification and implications for big data usage,” Lexology (Sept. 26, 2017), available at https://www.lexology.com/library/detail.aspx?g=f6c055f4-cc82-462a-9b25-ec7edc947354; “New Regulation on the Deletion, Destruction or Anonymization of Personal Data,” British Chamber of Commerce of Turkey (Sept. 28, 2017), available at https://www.bcct.org.tr/news/new-regulation-deletion-destruction-anonymization-personal-data-2/64027; Jena M. Valdetero and David Chen, “Big Changes May Be Coming to Argentina’s Data Protection Laws,” Lexology (5 June 2017), available at https://www.lexology.com/library/detail.aspx?g=6a4799ec-2f55-4d51-96bd-3d6d8c04abd2.
[85] Naïm Alexandre Antaki and Wendy J. Wagner, “No escaping notification: Government releases proposed regulations for federal data breach reporting & notification,” Lexology (Sept. 6, 2017), available at https://www.lexology.com/library/detail.aspx?g=0a98fd33-1f2c-4a52-98c0-cf1feeaf0b90; Ministry of Electronics & Information Technology, “White Paper of the Committee of Experts on a Data Protection Framework for India,” Government of India (Nov. 27, 2017), available at http://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited.

The following Gibson Dunn lawyers assisted in the preparation of this client alert: Ahmed Baladi, Alexander Southwell, Ryan Bergsieker and Bastien Husson.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Europe
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)207071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)
Emmanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, ebartoli@gibsondunn.com)
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

United States
Alexander H. Southwell – Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com)
M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)

Questions about SEC disclosure issues concerning data privacy and cybersecurity can also be addressed to the following leaders and members of the Securities Regulation and Corporate Disclosure Group:
James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 1, 2018 |
WTR1000 Recognizes Gibson Dunn’s Trademark Work

The 2018 edition of the World Trademark Review 1000 recognized Gibson Dunn’s work in the area of trademarks, noting that the firm “deftly serves global brand leaders and makes light work of even the most complicated suits.”  Washington, D.C. partner Howard Hogan is also recognized as “a leader in helping to shape policy initiatives that benefit trademark practice in the United States and elsewhere.”  The WTR 1000, published January 2018, recommends individual practitioners and their firms exclusively in the trademark field, and identifies the leading players in 70 key jurisdictions globally.

January 24, 2018 |
Kristin Linsley and Eric Vandevelde Named Top Cyber/Artificial Intelligence Lawyers 2018

The Daily Journal named San Francisco partner Kristin Linsley and Los Angeles partner Eric Vandevelde to its 2018 list of the Top 20 Cyber/Artificial Intelligence Lawyers in California. Profiles of Linsley [PDF] and Vandevelde [PDF] were published on January 24, 2018.

January 25, 2018 |
U.S. Cybersecurity and Data Privacy Outlook and Review – 2018

In honor of Data Privacy Day—an international effort to raise awareness and promote privacy and data protection best practices—we offer this sixth edition of Gibson Dunn’s Cybersecurity and Data Privacy Outlook and Review. In 2017, companies were again challenged to navigate a constantly evolving landscape of cybersecurity and privacy issues. Last year revealed some of the largest data breaches in history, saw a new administration’s shift in priorities regarding cybersecurity, and exposed new challenges posed by increasingly “smart” and connected devices.

Among other key regulatory developments this year, the Trump administration issued an executive order addressing the cybersecurity of federal networks and critical infrastructure. The Securities and Exchange Commission (“SEC”) announced a new Cyber Unit focused on targeting cyber-related misconduct and pursued cases involving novel cyber issues, including insider trading in the wake of a data breach. The Federal Trade Commission (“FTC”) remained active in the privacy and cybersecurity space, but indicated a shift of focus to cases involving “substantial consumer injury.” The Department of Health and Human Services (“HHS”) continued enforcement of regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), announcing several notable settlements. The Federal Communications Commission’s (“FCC”) role in privacy enforcement was substantially adjusted following the repeal of privacy rules put in place in 2016. And state attorneys general were at the forefront of concerted efforts to bring enforcement actions and develop privacy and cybersecurity regulations. Indicative of this collaboration, 2017 saw the largest state data breach settlement in history.

Last year also saw frequent data breaches of varying magnitudes. Throughout the year, hackers targeted government agencies and companies in every industry, seeking personally identifiable information (“PII”), customer login information, payment information, and health care information, among other data. As litigation—especially class action litigation—quickly followed many of the announced breaches, courts continued to grapple with standing issues in the wake of Spokeo, Inc. v. Robins. New class actions related to connected devices, such as TVs and cars, were also filed in 2017, and 2018 will likely see developments in this arena as more courts begin assessing standing in the context of the Internet of Things.

Overlapping international privacy frameworks also posed significant challenges for U.S. companies in 2017. With the quickly approaching May 2018 deadline for compliance with Europe’s General Data Protection Regulation (“GDPR”), companies worked to put in place appropriate policies and other safeguards. Last year also saw many other countries impose new or updated cybersecurity and data privacy regulations.

We cover these topics and many more in this year’s Review: (I) U.S. regulation of privacy and data security; (II) civil litigation; (III) international regulation of privacy and data security; and (IV) government data collection and device unlocking. For additional coverage of international developments, please see our separate International Cybersecurity and Data Privacy Outlook and Review.

Table of Contents

I. U.S. Regulation of Privacy and Data Security
   A. Enforcement and Guidance
      1. Federal Trade Commission (“FTC”)
      2. Department of Health and Human Services (“HHS”)
      3. Securities and Exchange Commission (“SEC”)
      4. Federal Communications Commission (“FCC”)
      5. Consumer Financial Protection Bureau (“CFPB”)
      6. State Attorneys General
      7. New York Department of Financial Services (“NYDFS”)
      8. Trump Administration Actions
   B. Legislative Developments
      1. Federal Developments
      2. State Developments
II. Civil Litigation
   A. Standing After Spokeo
      1. Background
      2. Post-Spokeo Standing Decisions in Privacy Cases
      3. Looking Ahead
   B. Data Breach Litigation
      1. Litigation
      2. Settlement Trends
      3. Shareholder Derivative Suits
   C. Interceptions and Eavesdropping
      1. Email Scanning
      2. Call Recording
      3. Other “Interceptions”
   D. Telephone Consumer Protection Act
   E. Video Privacy Protection Act
   F. California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection
   G. Biometric Information Privacy Acts
   H. Internet of Things and Device Hacking
      1. Connected and Autonomous Vehicles
      2. Routers, Cloud Storage, and Connected Cameras
      3. Smart TVs
      4. Smart Toys
      5. Regulatory Guidance
   I. Civil Litigation: Cybersecurity Insurance
      1. State of the Market
      2. State of the Law – Key Cases
   J. Fair Credit Reporting Act
III. Government Data Collection
   A. Challenge to Government “Gag Orders”
   B. Carpenter v. United States and the Collection of Cell Phone Data
   C. Electronic Communications Privacy Act Reform Efforts
   D. Device Unlocking
   E. Extraterritoriality of Subpoenas and Warrants
   F. Collection of Records from Third-Party Cloud Providers
   G. Foreign Intelligence Surveillance Act Section 702
IV. International Regulation of Privacy and Data Security
   A. The European Union
      1. General Data Protection Regulation (“GDPR”)
      2. EU-U.S. Privacy Shield
   B. China and Other International Developments
V. Conclusion

I. U.S. Regulation of Privacy and Data Security

Companies doing business in (and with) the United States continue to face a morass when it comes to government regulation of privacy and data security, owing to the competing and overlapping efforts of myriad federal and state regulators in this space. Nearly every major federal agency has now weighed in on data security issues in one form or another, as have most states. Below, we cover the most notable enforcement efforts, regulatory guidance, and legislative developments from the past year.

A. Enforcement and Guidance

1. Federal Trade Commission (“FTC”)

In 2017, the FTC remained one of the most active and far-reaching government agencies regulating privacy and data security. All told, the FTC announced 12 enforcement actions related to privacy and data security issues, while also making headlines with its related public statements and guidance. We address the most notable enforcement actions and guidance from the FTC below.

a. Data Security and Privacy Enforcement

Equifax. In September 2017, the FTC announced it had begun investigating the massive data breach at Equifax Inc., the Atlanta-based consumer credit bureau.[1] The week before the announcement, Equifax revealed that in May, hackers had exploited a flaw in the company’s website that allowed them to access the account information of up to 143 million customers, including driver’s license numbers, addresses, birthdates, and Social Security numbers. This breach represented one of the largest in recent memory and, given the centrality of credit-reporting agencies to activity throughout the economy and the sensitive nature of the information involved, sparked renewed public scrutiny of data security issues. The FTC did not elaborate on the scope of its investigation, but the announcement itself was significant given that the Commission rarely comments on ongoing investigations.

TaxSlayer. Further underscoring the FTC’s increased attention to companies that store consumer financial data, in August 2017 the Georgia-based online tax preparation service TaxSlayer, LLC, agreed to settle FTC allegations that it allowed hackers to access nearly 9,000 user accounts between October and December 2015.[2] The hackers then used this information to fraudulently obtain tax returns. The FTC alleged that TaxSlayer failed to implement adequate security measures, such as requiring strong passwords, providing a clear and conspicuous privacy notice, or conducting risk assessments. As part of the settlement, TaxSlayer agreed to obtain biennial third-party assessments of its compliance with data privacy regulations, but neither confirmed nor denied liability.

LabMD. As we highlighted in our 2016 Year-End Update, the now-defunct medical testing laboratory LabMD appealed an FTC order finding that the company failed to reasonably protect its customers’ personal information from data breaches and requiring it to establish a comprehensive information security program to safeguard against such breaches in the future.[3] In 2008, billing information for approximately 9,300 consumers became accessible on a peer-to-peer network, and other personal information for at least 500 consumers ended up in the hands of identity thieves.[4] The FTC’s order overturned the initial ruling of its own Administrative Law Judge, which had dismissed the Commission’s charges because they failed to show that the company’s conduct created a probability of harm.[5] In November 2016, the Eleventh Circuit granted the company’s request for a stay pending appeal of the Commission’s decision,[6] and this past June the court heard oral argument in the case. The Eleventh Circuit’s ruling could significantly reshape the FTC’s authority to regulate data privacy harms.
At issue in the oral argument was whether the FTC must show proof of actual consumer harm to bring a data security enforcement action under Section 5 of the FTC Act. LabMD argued that the FTC overstepped its enforcement authority because no consumer suffered an actual injury as a result of the company’s data breach. The FTC countered that it nevertheless could exercise its enforcement authority under Section 5 because the unauthorized exposure of health care information constitutes a substantial injury under traditional principles of privacy tort law. The panel was expected to issue a ruling in the months after the oral argument, but it has not yet done so.

D-Link. In January 2017, the FTC filed suit against the network equipment manufacturer D-Link Corp. over the company’s allegedly inadequate security measures in its routers and internet cameras.[7] In its complaint, the FTC alleged that the company’s failure to properly secure its routers and cameras left consumers vulnerable to hackers, particularly through their live video and audio feeds. Further, the complaint alleged that the company misled consumers by advertising on its website that its products are “Easy to Secure” and contain “Advanced Network Security.” In September, the district court granted in part and denied in part the company’s motion to dismiss the FTC’s complaint.[8] The district court’s ruling may have a dramatic impact on the FTC’s ability to bring claims against companies for putting consumers’ information at risk. The court found that three of the complaint’s six counts were pled inadequately or with insufficient particularity, and gave the FTC until late October to re-plead its claims.
Specifically, the court found that, for the three dismissed claims, the FTC failed to adequately plead harm because it relied “solely on the likelihood that [D-Link] put consumers at ‘risk’ because ‘remote attackers could take simple steps, using widely available tools, to locate and exploit defendants’ devices, which were widely known to be vulnerable,’”[9] and that this amounts to “a mere possibility of injury at best.”[10] D-Link submitted its amended answer in October, and fact discovery is ongoing.

Vizio. In February 2017, TV manufacturer Vizio Inc. entered into a settlement with the FTC and the New Jersey Attorney General over allegations that it secretly gathered users’ viewing data and shared it with third parties.[11] The settlement is significant given the increasing ubiquity of so-called “smart” devices, from televisions to thermostats to electronic assistants. Specifically, the regulators alleged that beginning in February 2014, Vizio collected second-by-second information about the content displayed on its “smart TVs,” including content from cable, broadband, set-top boxes, streaming devices, and DVDs. Vizio allegedly appended this information with its users’ personal information, such as users’ age, sex, income level, marital status, household size, education level, home ownership, and home value. Vizio would then sell this information to third parties. As part of the settlement, Vizio agreed to pay $2.2 million and overhaul its data collection practices, as well as delete data obtained prior to March 1, 2016, and obtain affirmative consent from consumers regarding the company’s data collection practices. Notably, Acting Chairwoman Maureen Ohlhausen issued a concurring statement expressing skepticism that Vizio’s conduct caused, or was likely to cause, a substantial injury to consumers. As part of the settlement, Vizio neither admitted nor denied liability.

Lenovo. In September 2017, the FTC announced that it had entered into a settlement, along with 32 state Attorneys General, with Lenovo Inc. over allegations that the company preloaded some of its computers with invasive software that compromised consumers’ privacy and security.[12] The Commission alleged that, beginning in August 2014, Lenovo sold laptops in the U.S. with a software program called VisualDiscovery, created by a company called Superfish, Inc., that would access consumers’ personal information transmitted via the internet, such as login information for websites, Social Security numbers, medical information, and financial and payment information. The software would then send some of this information to the software company’s servers, where the information was allegedly stored insecurely. This settlement is significant given the high value digital companies place on leveraging data regarding consumers’ preferences to target their advertisements. As part of the settlement, Lenovo must get consumers’ affirmative consent before preinstalling this sort of software; must implement a comprehensive software security program, which is subject to third-party audits for a period of 20 years; and must pay $3.5 million to state regulators. Lenovo neither admitted nor denied liability as part of the settlement.

b. Data Breach Guidance

With the arrival of the Trump administration, and three open seats on the Commission, companies and commentators have been watching carefully for any signal of whether, and how, the FTC’s regulatory focus and enforcement priorities will change in coming years. Several recent statements provide some indication—albeit not definitive answers—about what the future may hold under the Trump administration.
In September, Acting FTC Chairwoman Maureen Ohlhausen said during a speech at the Federal Communications Bar Association that the FTC should focus on “substantial consumer injury” in determining which cases to pursue, rather than “hypothetical” harms.[13] “Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expending resources to prevent hypothetical injuries,” Ohlhausen said. “So understanding consumer injury in the context of privacy and data security is very important for the commission.”[14]

While the FTC thus seems poised to cede some regulatory ground by moving away from regulating speculative harms, Acting Chairwoman Ohlhausen has also signaled that the Commission may adopt a broader definition of what constitutes a “substantial” injury. In a speech at a cybersecurity event at the Georgetown University Law Center in May, Ohlhausen noted that the FTC historically has focused on direct financial harms to consumers, but that this understanding may be too narrow.[15] Health and safety risks, such as those posed by the sharing of real-time and highly accurate location data that may leave consumers vulnerable to stalking, could also constitute a substantial injury, as could the disclosure of sensitive medical information. Whether Joseph J. Simons, whom President Trump announced in October that he intended to nominate to head the FTC, will take positions similar to those of Acting Chairwoman Ohlhausen remains to be seen.

In her September speech, Ohlhausen announced a December workshop at which the FTC would examine the consumer harms that stem from informational injury. Leading up to the workshop, a host of pro-business groups, including the U.S. Chamber of Commerce, the Association of National Advertisers, and the Retail Industry Leaders Association, issued public comments urging the Commission to adopt a regulatory framework designed to regulate actual injuries, rather than conjectural ones.[16] In contrast, several consumer groups, such as the Electronic Privacy Information Center, encouraged the FTC to focus on the rise in data breaches and the concomitant increased risk of identity theft. The workshop took place on December 12, but the FTC has not yet announced any shifts in enforcement priorities as a result.

c. Scope of Authority—Common Carriers

As we mentioned in our last update, in May the Ninth Circuit granted the FTC’s petition to rehear en banc a dispute between the Commission and AT&T over the company’s allegedly deceptive “data throttling.”[17] AT&T argued that it was not subject to the FTC’s authority because it is a common carrier, a category that Section 5 of the FTC Act excludes from the FTC’s jurisdiction. In August 2016, a Ninth Circuit panel agreed with AT&T that, because the company engaged in non-common carrier activities such as providing consumers with mobile data and email services, it fell outside the Commission’s regulatory ambit. The full Ninth Circuit held oral argument in September but has not yet issued a ruling. An affirmance could significantly curtail the FTC’s jurisdiction.

2. Department of Health and Human Services (“HHS”)

The flurry of HHS activity in 2016 related to the protection of patient privacy continued in 2017. As HHS continued the second phase of its audit program to assess compliance with the patient privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”),[18] HHS also announced several multimillion-dollar settlements with health care companies for alleged HIPAA violations.
Matching the largest-ever HIPAA-related settlement, Memorial Healthcare Systems agreed to pay $5.5 million and implement a “robust corrective action plan” to settle claims that its employees had improperly accessed and disclosed information for over 115,000 patients. [19] HHS alleged that Memorial Healthcare Systems failed to implement and manage user access rights and, despite results of previous risk analyses, failed to regularly review information system activity by employees and users at affiliated physician practices on applications that maintain protected information.

HHS also fined Children’s Medical Center of Dallas $3.2 million for alleged HIPAA violations after two data breaches involving lost or stolen devices that contained unencrypted patient medical information. [20] The investigation by the Office for Civil Rights (“OCR”) found that the medical center failed to implement risk management plans and failed to use encryption on its devices despite previous warnings to do so.

In addition, St. Luke’s Roosevelt Hospital Center Inc. agreed to a settlement and corrective action plan following a complaint alleging that the hospital had faxed sensitive information concerning a patient’s HIV status. [21] Although the total settlement amounted only to $387,000, the agreement stemmed from only two disclosures of Protected Health Information (“PHI”), highlighting the potential impact of even seemingly limited events.

HHS also announced several “firsts” in its HIPAA enforcement efforts, including the first enforcement action involving delayed reporting of a patient information breach and the first settlement with a wireless services provider. In the former, Presence Health agreed to pay $475,000 and revise its policies governing the privacy of patient information following allegations that it failed to properly notify more than 800 of its patients within 60 days of discovering that their personal information had been stolen. [22] In the latter, CardioNet, which provides remote mobile monitoring for patients at risk for cardiac arrhythmias, agreed to pay $2.5 million and implement a corrective action plan for the alleged disclosure of unsecured electronic protected health information (“ePHI”) after an employee’s laptop was stolen from a parked vehicle. [23] OCR found that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft, as well as a lack of final policies and procedures implementing ePHI safeguards and the HIPAA Security Rule.

Closing out the year, HHS OCR announced that 21st Century Oncology, Inc. agreed to pay $2.3 million and adopt a comprehensive corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules that were uncovered after a hacker gained access to more than 2.2 million patient records, some of which were later sold to undercover agents from the FBI. [24]

Finally, following Acting HHS Secretary Eric Hargan’s declaration of the opioid crisis as a public health emergency, HHS issued guidance regarding the circumstances in which health care providers may share a patient’s PHI with family members, friends, or legal representatives. [25] Focusing on patients who are in crisis or incapacitated, such as during an opioid overdose, the guidance interprets current HIPAA regulations as allowing health care providers to share information in certain emergency or dangerous situations, including with persons who are in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. The guidance also discusses factors to consider in assessing a patient’s decision-making capacity and provides direction on health care providers’ ability to share PHI in different situations, including when unable to obtain a patient’s consent and after the patient has had an opportunity to object.

3.     Securities and Exchange Commission (“SEC”)

a.      Cybersecurity Focus

In 2017, the SEC maintained the previous year’s focus on cybersecurity incidents with respect to both its external oversight responsibilities and the internal operations of the agency. Since the issuance of its cybersecurity guidance in 2011, the SEC has continued to emphasize proper communications regarding cybersecurity issues within a company’s management as well as proper disclosure of cybersecurity risks by registrants. [26]

The SEC announced in November that it will likely issue new guidance to public companies regarding disclosure and reporting of cybersecurity incidents. [27] Signaling this potential guidance, Acting Enforcement Director Stephanie Avakian stated in April that she could “absolutely” envision circumstances where enforcement would be necessary in light of a company’s failure to report cyber incidents and risks. [28] The new guidance may also include provisions encouraging companies to consider how they handle stock sales by corporate insiders around the time of a cybersecurity breach. [29] In November, the Director of the SEC’s Division of Corporation Finance, William Hinman, stated, “it would be wise for folks to re-examine their insider trading policies.” [30]

Two cybersecurity incidents with potential insider trading consequences that may influence the SEC’s new guidance were disclosed in the fall of 2017. After Equifax discovered its massive breach in July—but before it was publicly reported in September—Equifax executives sold nearly $2 million in company stock. [31] Once the news of the breach broke, stock prices dropped significantly. [32] While the SEC has not confirmed or denied any SEC investigation of the executives for insider trading, Equifax reported in its third quarter 10-Q that the SEC had subpoenaed the company “regarding trading activities by certain employees in relation to the cybersecurity incident.” [33] The second incident occurred this fall when the SEC faced its own cybersecurity threat.
On September 20, 2017, as part of its “Statement on Cybersecurity,” the SEC disclosed that a 2016 intrusion into EDGAR, the Commission’s electronic filing system for public company disclosures, may have allowed hackers to gain access to and trade on the basis of the non-public information exposed. [34] The SEC stated it did not believe the intrusion was the result of a systemic risk or that it led to the exposure of any personally identifiable information. [35] Days after the statement, the SEC announced the establishment of a Cyber Unit to “focus on targeting cyber-related misconduct.” [36]

b.      Cyber Unit’s First Charges

On December 4, 2017, the SEC announced the first charges filed by the newly established Cyber Unit. [37] The SEC’s complaint alleges that Dominic Lacroix and his company, PlexCorp, operated an Initial Coin Offering (“ICO”) fraud that raised over $15 million from investors by selling a security called PlexCoin, a cryptocurrency, and promising a 1,354 percent profit in less than one month. [38] The charges filed against PlexCorp, Lacroix, and his partner Sabrina Paradis-Royer [39] include violations of the anti-fraud provisions contained in Section 10(b) of the Exchange Act and Rule 10b-5, Section 17(a) of the Securities Act, as well as registration provisions in Sections 5(a) and 5(c) of the Securities Act. [40] The district court issued an emergency order freezing the assets of the company and the executives charged, and the SEC is seeking permanent injunctions and disgorgement plus interest and penalties. The SEC is also seeking a Final Judgment prohibiting the two executives from offering digital securities in the future. [41]

4.     Federal Communications Commission (“FCC”)

a.      FCC Rulemaking

i.     FCC Privacy Regulations for Broadband Providers Repealed

On April 3, 2017, President Trump signed a resolution repealing FCC privacy rules adopted in the prior year. [42] In 2016, the FCC adopted sweeping new regulations governing the ways in which providers of broadband Internet access service use and share their customers’ personal information. [43] There were three key components to the regulations for broadband providers: (1) notice to consumers of data collection and use policies; (2) an opt-out provision for “non-sensitive” information used or shared by the providers and a requirement to obtain affirmative opt-in consent before they can use or share “sensitive” customer data; and (3) more stringent and specific requirements for notification of any data breaches. The resolution was passed under the Congressional Review Act, which allows Congress to repeal agency rules through simple majority votes.

ii.     FCC Approves Next-Gen Broadcasting Technology

On November 16, 2017, the FCC voted 3-2 to permit the use of a new broadcast transmission standard, known as ATSC 3.0 or Next Gen TV. This new broadcast standard will allow more precise geolocating of television signals, ultra-high definition picture quality, more interactive programming, and localized safety warnings that have the ability to turn on televisions as necessary to transmit emergency broadcasts. [44] Privacy advocates argue that ATSC 3.0 allows broadcasters to collect data on viewing habits, spurring user-targeted ads similar to those on the Internet. During a House Communications Subcommittee FCC oversight hearing in November, Representative Debbie Dingell requested that the FCC address the types of information broadcasters will be able to collect from consumers and how it will be handled and protected. [45]

b.      Cell Phone Cybersecurity

On August 24, 2017, the FCC’s Public Safety and Homeland Security Bureau released Public Notice DA 17-799.
This Notice was a result of Congress asking the FCC to tackle “fundamental security threats” to cell phones, since Congress felt current oversight by police and private entities “neither adequately addressed these serious cybersecurity vulnerabilities nor warned its customers about the risks they face.” The Notice encourages communications service providers to implement recommended security countermeasures to prevent exploitation of carrier Signaling System 7 (“SS7”) network infrastructure. [46] According to the Notice, security vulnerabilities present within SS7 networks allow attackers to obtain subscriber information, eavesdrop on subscriber traffic, engage in financial theft, and conduct denial-of-service attacks. The March 2017 recommendations for best practices to reduce SS7 security risks include: (1) awareness and protection, which covers the set of industry recommendations that advocate increased awareness of SS7 signaling and protective measures that can be deployed by telecommunication service providers; and (2) security best practices, which covers the set of industry recommendations that deal with security best practices for SS7 communications.

c.       FCC Settlements / Enforcement

i.     $100M Settlement for Squatting on Spectrum Licenses

On January 12, 2017, a wireless spectrum trading company settled a dispute with the FCC over allegations that it lied about its buildout of wireless infrastructure, agreeing to pay $100 million and to possible divestment from its spectrum licenses. [47] Because wireless spectrum is a scarce public resource, the FCC requires companies that license spectrum to put it to good use. In 2013 and 2014, the spectrum company received licenses in the 28GHz and 39GHz bands, which are identified for use in the next generation of cellular network, on the condition that it use them to provide services. [48] A November 2015 anonymous report alleged that the company never built several of the 39GHz systems it had told the FCC were completed. [49] As part of the settlement, the company agreed to pay a $100 million civil penalty, to surrender its licenses in the 39GHz spectrum, and to sell the remainder of its license portfolio.

ii.     Robocall Fines

On June 22, 2017, FCC Chairman Ajit Pai stated that robocalls were the Commission’s top enforcement priority. [50] That same day, the FCC voted to fine a Miami man a record-breaking $120 million for allegedly making 96 million spoofed robocalls to consumers in three months in violation of the Truth in Caller ID Act. [51] Spoofing refers to deliberately falsifying caller ID information to disguise an identity with the intent to harm or defraud consumers, or wrongfully obtain anything of value. The calls—which appeared to come from local numbers—purported to offer vacation deals from major companies like TripAdvisor, Expedia, and others. Consumers who “pressed 1” were transferred to foreign call centers where operators attempted to sell them timeshares. TripAdvisor alerted the FCC to the robocalls after fielding complaints from its customers. In July and August, the FCC levied fines of nearly $3 million and $82 million against other companies for unsolicited robocalls, the magnitude of the latter due in part to the targeting of vulnerable consumers, including the elderly, the infirm, and low-income families. [52]

5.     Consumer Financial Protection Bureau (“CFPB”)

The CFPB was not particularly active in the area of data privacy and security in 2017. However, on October 18, 2017, the CFPB announced a series of non-binding Consumer Protection Principles to address the developing market for financial “aggregation services.” [53] Such companies offer a broad range of products and services that are developed using consumer-provided financial data.
This data is collected and aggregated by financial services companies, “fintech” firms, and other companies. The services offered range from the provision of financial advice to the facilitation of underwriting or fraud-screening. The release of the Principles followed a November 2016 Request for Information to stakeholders in the “aggregation services” market. The Principles, intended to protect consumers who authorize third parties to collect their financial data to provide these services, are not intended to alter or interfere with the scope of existing consumer protections in this market. The CFPB simultaneously released a summary of the stakeholder insights underlying the development of the Principles. [54] The CFPB identified the following nine principles that providers of “aggregation services” should follow, all of which are anchored by the core belief that users should retain control over their information: [55]

Access: Users should be able to request and obtain information about their ownership or use of a financial product or service from the provider.

Data Scope and Usability: The scope of financial data subject to consumer and consumer-authorized access includes, but is not limited to, information about any transaction and the terms of an account. Information should be made available in a usable format for consumers and consumer-authorized third parties.

Control and Informed Consent: Consumers should be entitled to a full and effective disclosure of the authorized terms of access, storage, use and disposal of information. Consumers should also be able to readily revoke authorization to access, use or store their data.

Authorizing Payments: A user’s consent to the access of data does not constitute consent for payment authorization. Providers may request both types of authorization from a consumer requesting its services.

Security: Consumer data must be maintained securely. Parties with access to data must have adequate processes in place to protect against and effectively respond to data breaches.

Access Transparency: Users should be able to obtain information regarding the uses to which their information will be put and the parties to which it will be provided.

Accuracy: Consumer data gathered by “aggregation services” must be accurate and up-to-date.

Ability to Dispute and Resolve Unauthorized Access: Users should have the ability to dispute and resolve incidents involving unauthorized access and data sharing.

Efficient and Effective Accountability Mechanisms: Commercial participants should be incentivized to protect consumer-provided data, but also must be held responsible for any risks they introduce to consumers.

The agency emphasized that the Principles do not “establish binding requirements or obligations relevant to the Consumer Bureau’s exercise of its rulemaking, supervisory, or enforcement authority.” [56] Nor are they intended to “provide guidance on existing statutes and regulations that apply in this market.” [57] Nevertheless, the CFPB stated that the Principles “express the Bureau’s vision for realizing a robust, safe, and workable data aggregation market” and suggested that the Bureau “will continue to monitor closely developments in this market.” [58] Thus, it is possible that as “aggregation services” and “fintech” firms become increasingly prevalent, the CFPB will become more involved with the regulation of data privacy-related issues.

6.     State Attorneys General

State attorneys general play a key role in data privacy and security matters. During the past year, state attorneys general were at the forefront of concerted efforts to bring enforcement actions and develop privacy and cybersecurity regulations.

a.      Collaboration Among Attorneys General

During the past year, states increasingly coordinated their enforcement efforts with each other and with other government agencies to settle multi-state litigations involving mega-data breach cases. In May 2017, the Target Corporation (“Target”) reached an $18.5 million settlement—the largest state data breach settlement in history—with 47 states and the District of Columbia. The settlement brought an end to investigations jointly led by state attorneys general into Target’s November 2013 data breach involving unauthorized access to portions of Target’s computer systems that process payment card transactions at Target’s retail stores and to portions that store Target customer contact information. [59] Under the terms of the agreement, Target will be required to develop, implement, and maintain a comprehensive information security program, to hire a third party to conduct a security assessment, and to implement additional administrative safeguards to further strengthen the company’s data security. [60]

In August 2017, 33 state attorneys general reached a $5.5 million multi-state settlement with Nationwide Mutual Insurance Company (“Nationwide”) and its wholly owned subsidiary Allied Property & Casualty Insurance Company (“Allied”) over a 2012 data breach. [61] The personal information of 1.27 million people was stolen when hackers exploited a vulnerability in Nationwide/Allied’s web application hosting software—a vulnerability that allegedly could have been remedied with a previously available software patch that Nationwide/Allied had failed to apply. [62]

As described more fully above, in September 2017 Lenovo reached a $3.5 million multi-state settlement to resolve charges brought by 32 state attorneys general and the FTC. [63] Of the 23 states involved in the settlement, California received the largest share, amounting to $389,204, based largely on its size and leadership role in the investigation. [64]

Following the public announcement of the Equifax breach in September, Massachusetts became the first state to sue Equifax, claiming that Equifax failed to maintain the appropriate safeguards to protect consumer data, despite being aware of the vulnerabilities in its system for months. [65] On November 30, 2017, the Judicial Panel on Multidistrict Litigation held a hearing on the pending motion to consolidate and transfer the numerous cases filed (and cases to be filed in the future) against Equifax to the U.S. District Court for the Northern District of Georgia, near the company’s headquarters in Atlanta. [66]

b.      Developments Within States

The California Attorney General settled a number of data breach and consumer protection cases. On November 22, 2017, the Attorney General settled a case with Cottage Health System (“Cottage Health”) and its affiliated hospitals to resolve allegations resulting from two separate and unrelated data breach incidents in 2013 and 2015. [67] The Attorney General alleged that Cottage Health failed to implement basic, reasonable safeguards to protect personal medical information, in violation of California’s Confidentiality of Medical Information Act, Unfair Competition Law, and HIPAA. [68] Under the terms of the settlement, Cottage Health agreed to update its security measures and pay a $2 million penalty. [69] Cottage Health was also required to hire a data privacy security officer to ensure it develops and follows appropriate procedures, as well as to begin completing annual privacy risk assessments. [70]

The New York Attorney General’s Office remained active in combatting violations of data security. On October 31, 2017, the New York Attorney General, along with the Vermont Attorney General, reached a $700,000 settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”) as a result of two separate data security incidents in 2015 which exposed credit card numbers. [71] The investigation allegedly revealed that Hilton did not adequately protect consumers’ information and failed to provide timely notice of the breach, as New York General Business Law § 899-aa(2) requires notice to customers in the “most expedient time possible and without unreasonable delay.” [72] The settlement, among other things, requires Hilton to maintain a comprehensive information security program designed to protect consumer cardholder data and to conduct annual data security assessments.

As noted earlier, on February 6, 2017, the New Jersey Attorney General reached a settlement agreement with Vizio, Inc., a smart TV maker, for alleged violations of consumer protection laws by collecting and sharing data on the viewing habits of its smart TV users without their consent. [73] Vizio agreed to pay $2.2 million and to change its data collection practices to resolve the allegations, ending parallel investigations conducted by the Attorney General and the FTC. [74] The state obtained $1 million and the FTC obtained $1.5 million in the settlement. [75]

The Washington Attorney General released its second edition of the Annual Data Breach Report, containing a summary of the data collected from the data breach notifications required by Washington’s notification laws. [76] Since the 2015 amendment to Washington’s data breach laws, the Attorney General has actively enforced compliance with the state’s notification regulations.

7.     New York Department of Financial Services (“NYDFS”)

In 2017, New York’s Department of Financial Services (“NYDFS”) adopted groundbreaking regulations that broadly regulate cybersecurity within the financial services industry. NYDFS is the New York state regulator of financial services licensed in the state and thus supervises many large banks and insurance companies.
Effective March 1, 2017, the NYDFS regulations require banks, insurance companies, and other financial services institutions subject to regulation by the NYDFS to establish and maintain a comprehensive cybersecurity program. [77] “Covered Entities” are required, among other things, to perform a risk assessment to assess their cyber risks, implement a written cybersecurity policy, and maintain a comprehensive cybersecurity program. [78] While some security measures were mandated by August 28, 2017, others are mandated by September 3, 2018, with a final compliance date of March 1, 2019. [79]

The final regulations, codified in 23 NYCRR Part 500, are largely the same as the proposed rules discussed in last year’s 2016 Year-End Update, but differ in the following key ways:

Cybersecurity programs must be based on the risk assessment performed by each Covered Entity.

Risk assessments must be performed “periodically” instead of “annually.”

The company’s cybersecurity plan can be reviewed by either a senior officer or the board of directors, but does not need to be reviewed by both.

Covered Entities must hold records, schedules, and data supporting the certificate of compliance for five years, and make this documentation of compliance available to NYDFS upon request. However, the record retention for audit trails designed to detect and respond to cybersecurity events is limited to three years.

There is a limited small business exemption for Covered Entities that have fewer than ten New York employees and less than $5 million in gross annual revenue or under $10 million in year-end total assets.

The Chief Information Security Officer (“CISO”) does not need to be an internal employee, but instead can be employed by the Covered Entity, one of its affiliates or a third-party service provider.

Companies do not need to encrypt nonpublic information in transit over external networks if doing so is “infeasible.” Instead, they may secure the information using “alternative compensating controls reviewed and approved” by the CISO. [80]

This fall, Governor Cuomo directed the NYDFS to extend the regulations to credit bureaus, expanding the reach of both the rules and the NYDFS itself, which had not previously had oversight over credit reporting agencies. Under the proposed regulation, all consumer credit reporting bureaus that operate in New York must register with the NYDFS annually, beginning on or before February 1, 2018. The compliance schedule will begin on April 4, 2018. [81]

8.     Trump Administration Actions

a.      Presidential Executive Order

On May 11, 2017, President Trump issued an executive order entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which lays out the administration’s priorities in three areas of focus: (1) cybersecurity of federal networks, (2) cybersecurity of critical infrastructure, and (3) cybersecurity of the nation. [82] The order directed a thoroughgoing review of existing policies regarding cybersecurity in a variety of different sectors.

For cybersecurity of federal networks, the Executive Order stated that the President would hold agency heads accountable for managing the cybersecurity risks to their agencies, and directed them to use the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology, to manage cybersecurity risk. [83] The Executive Order also directed the agency heads to submit a risk management report to Homeland Security and the Office of Management and Budget (“OMB”) within 90 days, outlining their existing risk mitigation strategies and each agency’s action plan to implement the Framework, and then contemplated that the Director of the OMB would submit its own determination to the President within 60 days. [84]

The Executive Order also articulated the administration’s policy to “build and maintain a modern, secure, and more resilient executive branch IT architecture,” directing the Director of the American Technology Council—created by the President on May 1, 2017—to coordinate a report on the feasibility of transitioning all agencies to “one or more consolidated network architectures” or to “shared IT services.” [85] The American Technology Council issued a detailed report to the President on federal IT modernization in the fall of 2017, and delivered the final Federal IT Modernization report on December 13, 2017. [86]

For cybersecurity of critical infrastructure, the Executive Order stated the administration’s policy to “support the cybersecurity risk management efforts of the owners and operators” of critical infrastructure. [87] First, it directed the Secretary of Homeland Security to coordinate with other senior administration officials to identify the greatest risk of attacks to infrastructure that could result in wide-scale effects on public health, economic security or national security, and to deliver a report setting forth its findings and recommendations within 180 days. [88] Second, it directed the Secretary of Homeland Security to work with the Secretary of Commerce to determine whether existing federal policy sufficiently promotes “market transparency of cybersecurity risk management practices.” [89] Third, it directed the Secretary of Homeland Security and the Secretary of Commerce to work together with “appropriate stakeholders to improve the resilience of the internet and communications ecosystem” to “threats perpetrated by automated and distributed attacks (e.g., botnets).” [90] In response to the Executive Order, on January 5, 2018, both agencies released for public comment a report on enhancing the resilience of the Internet and communications ecosystem against botnets and other automated, distributed threats. [91] Fourth, it directed the Secretary of Energy and the Secretary of Homeland Security to coordinate with state and local governments to prepare an assessment of the Nation’s vulnerability to prolonged power outages resulting from cyber incidents. [92] Fifth, it directed the Secretary of Defense, again in coordination with the Department of Homeland Security, to prepare an assessment of the risks facing the defense industry. [93]

For cybersecurity of the nation, the Order states the administration’s policy to ensure that the internet “remains valuable for future generations.” [94] First, the Order directs various agencies to prepare a report to the President “on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.” [95] Second, the Order directs agency heads to prepare a report on the agencies’ “international cybersecurity priorities” to the Secretary of State, who would then prepare a report “documenting an engagement strategy for international cooperation in cybersecurity.” [96] Finally, the Order solicits three different reports in the area of “workforce development,” focused on the education and development of an American cybersecurity workforce, on the United States’ competitiveness with peer programs in other countries, and on the United States’ national-security-related cyber capabilities. [97]

Although the release of the Executive Order was met with praise across party lines, critics in the months since it was released have noted gaps in its implementation. To date, it is unclear which federal agencies have complied with the review process set forth in the Executive Order, and in September 2017, a commentator observed that “the goal of a speedy review process . . . ha[d] not materialized.” [98] The administration has seen some turnover in cybersecurity-related posts. [99] In December 2017, the administration affirmed that cybersecurity remained a key priority and suggested that it would build on the Executive Order by releasing a new strategy for cybersecurity. [100]

b.      Release of the Vulnerabilities Equities Process (“VEP”)

On November 15, 2017, the Trump administration publicly disclosed the Vulnerabilities Equities Process (“VEP”), a set of guidelines used by government agencies and departments to determine when to inform market actors of security vulnerabilities in their software and hardware. [101] The unclassified document states that the purpose of the VEP is to “balance[] whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge . . . for national security and law enforcement.” [102] The VEP describes an Equities Review Board for interagency deliberation, consisting of representatives from several government agencies, with the National Security Agency (“NSA”) serving as the VEP Executive Secretariat. [103] Generally, an agency that learns of a vulnerability will submit information regarding the vulnerability, together with a recommendation whether to disseminate or restrict the vulnerability, to the VEP Executive Secretariat once the vulnerability reaches a certain threshold. [104] The VEP Executive Secretariat then notifies points of contact at relevant agencies. Interested agencies then state whether they concur with the recommendation to disseminate or restrict the vulnerability. [105] The VEP states that the purpose of distributing information is to obtain a consensus regarding dissemination or restriction, but also provides procedures for resolving contested preliminary determinations. [106] The VEP outlines the considerations that bear on determining whether to disseminate or restrict information regarding a vulnerability. [107]

B.     Legislative Developments

1.     Federal Developments

Last year did not see much congressional legislation in the area of cybersecurity.
The most significant piece of privacy legislation to reach President Trump’s desk was not new legislation, but a repeal of FCC broadband provider privacy rules that were set to take effect at the end of 2017.  In addition to rolling back the FCC broadband rules, Congress also took steps toward addressing foreign surveillance, cybersecurity, and data breach notification, but as of the date of this review, few of those bills have yet to become law. a.      Repeal of Broadband Privacy Rules In March 2017, both the House and Senate passed resolutions under the Congressional Review Act to repeal FCC broadband privacy rules that were set to take effect at the end of 2017.   Entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunication Services,” 81 Fed. Reg. 87274 (December 2, 2016), the rules would have imposed certain privacy regulations on internet service providers (“ISPs”), such as requiring them to provide adequate privacy notices and comply with data breach notification requirements.  The most controversial of these rules was the requirement that ISPs obtain consumers’ opt-in consent before sharing consumer information (such as browsing history) with third parties, as certain commentators argued that the proposed rules placed ISPs at a disadvantage when compared to other online companies such as Google and Facebook. [108]   FCC Chairman Ajit Pai stated his support for the repeal in part on the belief that the rules “were designed to benefit one group of favored companies.” [109]   Chairman Pai’s announcement also indicated that the FCC will “be working with the FTC to restore its authority to police internet service providers’ privacy practices,” and to “end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space.” [110]   On April 3, 2017, President Trump signed the repeal into law. [111] b.      
Foreign Surveillance With Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) [112] initially set to expire at the end of 2017, there has been significant debate over the appropriate scope of the U.S. government’s foreign surveillance powers.  Section 702 allows the U.S. government to gather foreign intelligence information without a warrant, subject to certain restrictions. [113]   Even before legislation on this topic was introduced, government and industry groups began advocating for their respective positions.  For example, on April 18, 2017, the Office of the Director of National Intelligence released a report supporting a reauthorization of Section 702, including controversial aspects such as “upstream” collection whereby the “NSA obtains communications directly from the Internet backbone, with the compelled assistance of companies that maintain those networks.” [114]   With the deadline for reauthorization approaching, the House Judiciary Committee introduced the FISA Amendments Reauthorization Act of 2017 to renew Section 702 for four years while making “key reforms” to the program to “strengthen privacy protections for Americans.” [115]  The Senate Intelligence Committee also advanced a reauthorization bill. [116]  The White House and Congress subsequently pushed the deadline for reauthorization from December 31, 2017 forward to January 19, 2018. [117]   On January 11, 2018, the House of Representatives voted to extend Section 702 for six years with minimal changes, rejecting a push by a bipartisan group of lawmakers to impose privacy limits on the U.S. government’s ability to gather emails and other personal communications. [118]   The Senate approved the FISA reauthorization bill on January 18, 2018, [119] and President Trump signed the bill into law on January 19, 2018. [120]   FISA is now set to expire in December 2023. [121] c.       
Email Collection by Law Enforcement Congress continues to introduce legislation to reform the Electronic Communications Privacy Act (“ECPA”), [122] but has yet to finalize a bill for the President’s signature.  ECPA addresses, among other issues, procedures for law enforcement to obtain stored electronic communications.  For example, ECPA currently requires only a subpoena for the U.S. government to collect emails over 180 days old, while emails under 180 days old require a warrant.  In February 2017, the House unanimously passed a bill called the Email Privacy Act [123] to reform ECPA. [124]   Among other changes, the House bill would require a warrant to obtain emails over 180 days old.  In July 2017, Senators Patrick Leahy and Mike Lee proposed the ECPA Modernization Act, a Senate version of ECPA reform. [125]   The ECPA Modernization Act marks the third time in five years that the bipartisan team has attempted to reform the ECPA.  The bill currently languishes in the Senate. d.      Cybersecurity and Data Breach Notification In 2016 the House and Senate each passed legislation related to cybersecurity without finalizing any bills to be signed into law.  This past year, Congress similarly attempted to address cybersecurity measures with limited success in enacting new law.  For example, on May 16, 2017, the House overwhelmingly passed the Strengthening State and Local Cyber Crime Fighting Act of 2017, which formalizes the Secret Service’s National Computer Forensic Institute as the entity responsible for coordinating investigations into cyberattacks and other computer hacking, as well as providing training to state and local agencies on dealing with cybercrimes. [126]   After the Senate passed a version of the same bill, President Trump signed the bill into law on November 2, 2017. [127] Following the Equifax data breach, the Senate and House have been considering the Consumer Privacy Protection Act of 2017. 
[128]   The bill requires that companies report data breaches “as expediently as possible” or face civil penalties.  Congress has previously considered similar bills, however, without adopting a nationwide data breach notification standard. [129]   Thus data breach notification requirements continue to vary among the 48 states that have adopted laws on the subject. [130] 2.     State Developments In 2017, at least 42 states introduced over 240 bills related to cybersecurity and data privacy. [131]   Key areas of legislative activity include ISP data collection and tracking, data breach notification, cybersecurity committees, computer crimes, employee monitoring notice, and cybersecurity training. a.      ISP Data Collection and Tracking A number of states introduced legislation requiring ISPs to obtain consumer consent before gathering and sharing online data with third parties.  This flurry of legislative activity comes on the heels of Congress’s rollback of FCC regulations that were poised to expand online privacy rules and to require ISPs to notify customers before selling data to a third party. [132]   While only Nevada and Minnesota have actually passed privacy laws protecting consumers’ data privacy in the wake of the now-repealed FCC regulations, nearly 30 other states have introduced similar legislation.  Both Nevada’s and Minnesota’s legislation prohibit disclosure of personal identifying information to third parties.  Beyond personal identifying information, Minnesota’s legislation also requires ISPs to obtain permission before disclosing subscribers’ online usage and browser history.  Common features across other state bills include requiring consent before collecting customers’ personal identifying information, specifying the form of ISP data collection notice, and prohibiting discounts for customers who consent to their personal identifying information being shared with third parties.  
In California, a recent ballot initiative would impose even greater restrictions, by requiring medium and large-sized businesses and ISPs to compile and maintain detailed records of disclosed consumer information and requiring ISPs to maintain the same level of service for all customers—regardless of whether they opt out of information-sharing. [133]   Beyond these common features, all of the proposed legislation in this area varies as to the liability extended beyond ISPs, including website operators, as well as the form of consent that must be given before gathering and sharing consumer data. b.      Data Breach Notification Forty-eight states—and the District of Columbia, Guam, Puerto Rico, and the Virgin Islands—have now passed legislation requiring both private companies and government entities to notify individuals regarding security breaches of personal identifying information.  Alabama and South Dakota are the only two exceptions.  Since our last update, New Mexico passed legislation on April 6, 2017, effective June 16, 2017, requiring notification upon the unauthorized acquisition of personal identifying information. [134]   Delaware took legislative action to expand its definition of “personal identifying information,” to include, in addition to the usual triggers like passport numbers and state identification card numbers, health insurance policy numbers or other health insurance identifiers, medical history or diagnosis information, and DNA profiles. [135] c.       Cybersecurity Committees Another trend in 2017 was the continued establishment of state committees on cybersecurity.  Four states—Georgia, Massachusetts, North Carolina, and Pennsylvania—introduced bills to form cybersecurity committees to study and improve cybersecurity preparedness and enhance state-wide responses to security threats.  
Illinois introduced legislation that would form an International Cybersecurity Task Force to review reports from the Department of Homeland Security and the FBI on “Russian Malicious Cyber Activity” and develop strategies to implement or reject the recommendations espoused by those reports. [136]   Puerto Rico also enacted legislation directing the Senate and House Committees on Public Safety to research computer security with an eye towards understanding how new technologies might help ensure the proper handling of confidential information. [137] d.      Computer Crimes In 2017, states continued to pass legislation to target computer crimes, with increased penalties for such offenses.  For example, Connecticut passed legislation establishing the crime of computer extortion by the use of ransomware as a felony. [138]   This bill was introduced after the WannaCry attack, in which a ransomware worm targeted Microsoft Windows, disrupting the normal functions of numerous organizations, including hospitals, ambulances, health clinics, shipping companies, and schools.  Connecticut’s legislature framed the bill as a preventative measure to protect against and deter similar cyberattacks.  Wyoming passed legislation to create the criminal offense of computer extortion, a felony punishable by a prison term of up to ten years and a fine of $10,000, and to expand the computer crimes to be investigated by Wyoming’s division of criminal investigation. [139]   A number of other states also introduced legislation concerning computer crimes that remains pending.  For example, New Jersey introduced a bill that clarifies the scope of the crime of unlawful access to password-protected communications—limiting it to access that is “knowingly” without authorization—and provides for imprisonment terms of up to 18 months for the most serious version of this offense. 
[140]   New York also introduced bills to provide for the calculation of damages caused by computer tampering, requiring that cyber terrorism be classified as a Class B felony [141] and increasing penalties for crimes involving the use of personal information, fraud, tampering, theft, and use of a computer to commit crimes. [142] e.       Notice of Monitoring Employee Communications and Internet Access In 2017, a handful of states introduced legislation requiring private or government employers to notify employees before monitoring employees’ email communications or Internet access and browsing histories.  Specifically, Colorado and Tennessee passed legislation providing that government entities operating electronic mail communications systems must adopt written policies on monitoring activities that specify when employee correspondence may be considered a public record. [143]   Connecticut and Delaware now require private and public employers to give notice to employees before monitoring employee email communications or Internet usage behavior. [144]   The ramifications of non-compliance for Connecticut employers are civil penalties of $500 for the first offense, $1,000 for the second offense, and $3,000 for each subsequent offense. [145]   The ramifications of non-compliance for Delaware employers are civil penalties of $100 per violation. [146] f.       Cybersecurity Training This year, several states introduced legislation to improve state employee cybersecurity training.  Illinois passed a bill that requires state employees to participate in annual training by the Department of Innovation and Technology to enhance cybersecurity preparedness. [147]   New Jersey and Oregon introduced similar bills. 
[148]   Relatedly, California introduced legislation that would direct the Regents of the University of California and other higher education institutions to evaluate their cybersecurity education and training programs to ensure that “the state is meeting the workforce needs of the cybersecurity industry.” [149] II.     Civil Litigation Privacy-related civil litigation was again prevalent in 2017, which witnessed one of the largest private data breaches in history.  Numerous data breaches announced in 2017 led to civil actions, including actions on behalf of government entities.  Courts grappled with issues related to standing post-Spokeo, approved settlements of numerous class action suits, and presided over shareholder derivative suits alleging that directors and officers breached their fiduciary duties in overseeing corporate cybersecurity. In addition to breach-related litigation, plaintiffs filed multiple class action lawsuits alleging that technology companies violated state and federal laws by scanning user emails for targeted advertising and other business purposes.  Last year also continued the recent trend of civil and criminal cases being brought against both businesses and individuals for recording phone calls without the requisite consent and against companies for violating the Telephone Consumer Protection Act (“TCPA”) and the Video Privacy Protection Act (“VPPA”).  Additionally, there was an increase in regulatory guidance and regulatory and private actions related to the “Internet of Things,” i.e., smart and connected devices. A.     Standing After Spokeo 1.     Background In 2017, litigation over standing often predominated in data privacy actions as a result of the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins. 
[150]   As discussed further in our 2016 Year-End Update , the Supreme Court held in Spokeo that “a bare procedural violation” of a statute without a resulting “concrete” injury does not satisfy the “injury-in-fact” requirement of Article III standing. [151]   The Court emphasized that “Article III standing requires a concrete injury even in the context of a statutory violation.” [152] We thus observed last year that, on its face, Spokeo seemed poised to favor defendants in data privacy litigation, but noted that lower courts’ subsequent interpretation and application of Spokeo had been decidedly mixed.  That trend continued in 2017, as appellate courts continued to split on the question of whether the risk of future identity theft stemming from data breaches that resulted in stolen personal information is enough to confer standing without present injury.  Further, while courts continued to favor plaintiffs in cases brought under the Video Privacy Protection Act (“VPPA”) and the Telephone Consumer Protection Act (“TCPA”) in 2017, they often ruled for defendants on standing challenges in lawsuits concerning unlawful data retention. 2.     Post-Spokeo Standing Decisions in Privacy Cases a.      Data Breach Last year, the circuit courts diverged on the question of whether plaintiffs have standing to sue based on the possibility that they may become victims of identity theft following a data breach. For example, in January 2017, the Third Circuit reversed a district court dismissal, finding that a putative class of customers sufficiently pled standing in a Fair Credit Reporting Act (“FCRA”) case based on allegations that the defendant inadequately protected personal information stolen from that company. 
[153]   The court agreed with the plaintiffs that the purported “violation of their statutory right to have their personal information secured against unauthorized disclosure constitute[d], in and of itself, an injury in fact,” and that establishing standing did not require additional “specific harm,” such as economic damages. [154]   It further emphasized that the wrongful “dissemination of [the plaintiffs’] own private information” was “the very injury that FCRA is intended to prevent,” rather than a de minimis technical infraction that would be insufficient under Spokeo. [155]   Likewise, the D.C. Circuit found standing in a data breach case based on allegations that the plaintiffs “face[d] a substantial risk of identity theft” resulting from their stolen personal information. [156] Conversely, in an unpublished decision, the Second Circuit affirmed dismissal of a suit predicated on alleged theft of credit card information, because the plaintiff failed to plead “a particularized and concrete injury suffered from the attempted fraudulent purchases,” since she was never asked to pay for an unauthorized transaction. [157]   Moreover, the court held that there was no risk of future harm because the “stolen credit card was promptly canceled after the breach and no other personally identifying information . . . [was] alleged to have been stolen.” [158]   The Fourth Circuit reached a similar conclusion in a data breach case concerning personal information obtained from veterans’ medical care facilities after determining that the “threatened injury of future identity theft” was speculative rather than sufficiently imminent. [159]   A number of district courts also dismissed data breach claims for lack of standing where the risk of prospective harm from a data breach was, in their view, hypothetical. 
[160] The Eighth Circuit reached a split decision on the question of standing based on the possibility of identity theft following a data breach in In re SuperValu, Inc., a multi-district litigation involving several putative classes that sued retail grocery stores that had suffered two cyber-attacks. [161]   The plaintiffs alleged theft of their personal information and violations of, among other things, various state data breach notification statutes. [162]   The Eighth Circuit agreed with the district court that the plaintiffs had failed to adequately plead injury based on the risk of future identity theft, and it noted that its sister circuits—as discussed above and in our last review—had reached “differing conclusions on the question of standing” in similar data breach cases. [163]   Observing that “this out-of-circuit precedent . . . ultimately turned on the substance of the allegations before each court,” the Eighth Circuit concluded that the plaintiffs in SuperValu had not plausibly alleged that the “defendants’ data breaches create[d] a substantial risk that [the] plaintiffs [would] suffer credit or debit card fraud.” [164]   However, the court also found that one named plaintiff had sufficiently pled a present injury based on actual misuse of his credit card information, and it accordingly reversed the dismissal of that particular individual’s claims. [165] b.      Unlawful Disclosure Standing decisions in unlawful disclosure cases in 2017 turned on whether dissemination of the information at issue posed a material risk of harm to a plaintiff’s statutory interests.  In keeping with Spokeo, lower courts dismissed lawsuits predicated on de minimis procedural infractions. After the Supreme Court vacated and remanded Spokeo for further consideration of whether the plaintiff had pled a concrete injury under the FCRA, the Ninth Circuit answered in the affirmative. 
[166]   It held that the inaccurate information disclosed in the credit report at issue implicated “material facts” about the plaintiff’s life and “could be deemed a real harm” to, inter alia, his employment prospects. [167]   The Ninth Circuit similarly found standing in Syed v. M-I, LLC, an FCRA case concerning the alleged failure of an employer to inform job applicants that it would check their credit histories as part of the application process, [168] as well as in a VPPA action based on allegations that the defendant disclosed information about the plaintiff’s video-watching habits. [169]   In the latter decision, the court held that, “although the FCRA outlines procedural obligations that  sometimes protect individual interests, the VPPA identifies a substantive right to privacy that suffers  any time a video service provider discloses otherwise private information.” [170]   The Eleventh Circuit issued an identical ruling in another VPPA appeal. [171]   A number of district courts also reached similar decisions in cases concerning failures to comply with the FCRA’s and the Fair Debt Collections Practices Act’s (“FDCPA”) disclosure requirements. [172] However, in contrast to Syed, the Seventh Circuit found in Groshek v. Time Warner Cable, Inc. that a plaintiff did not suffer “a concrete informational injury” under the FCRA based on a prospective employer’s purported failure to properly obtain an applicant’s permission before procuring a credit report. [173]   The court distinguished Syed on the ground that the “Ninth Circuit had factual allegations from which it could infer harm, whereas” the plaintiff in Groshek  “present[ed] no factual allegations plausibly suggesting that he was confused by the disclosure form or the form’s inclusion of a liability release . . . 
.” [174]   Likewise, in an FCRA class action based on a credit reporting agency’s inclusion of a defunct credit card company on its reports, the Fourth Circuit found that the named plaintiff had failed to demonstrate how he had been injured by the erroneous information and therefore had “suffered no real harm, let alone the harm Congress sought to prevent in enacting the FCRA.” [175]   Accordingly, the court vacated the judgment awarding damages to the class. [176]   The Second Circuit similarly affirmed dismissals of two Fair and Accurate Credit Transactions Act (“FACTA”) suits predicated on the disclosure of credit card information on restaurant and retail receipts after finding that the purported injuries did not pose a “material risk of harm” to the plaintiffs’ statutory interests. [177]   District courts have followed course in other FACTA actions. [178] c.       Unlawful Retention Unlawful retention cases have continued to trend in defendants’ favor on the question of standing.  For instance, earlier this year in Gubala v. Time Warner Cable, Inc., the Seventh Circuit determined that there was no standing in a Cable Communications Privacy Act (“CCPA”) action based on allegations that the defendant had retained the plaintiff’s personal information after the plaintiff canceled a cable subscription. [179]   The court determined that there was no cognizable injury because the plaintiff failed to allege that the defendant had “ever given away or leaked or lost any of his personal information or intend[ed] to give it away or [was] at risk of having the information stolen from it.” [180] d.      Unlawful Acquisition/Use The courts have continued to split on the question of standing in unlawful acquisition and use cases.  In Santana v. 
Take-Two Interactive Software, Inc., for example, the Second Circuit affirmed the district court’s dismissal of a Biometric Information Privacy Act (“BIPA”) lawsuit predicated on the defendant’s alleged unlawful collection, dissemination, and retention of biometric data used to create 3D models of players’ faces in basketball video games, for lack of standing. [181]   The court held that the purported BIPA violations were procedural and did not pose a “material risk of harm” to the plaintiffs’ statutory interests sufficient to establish an Article III injury. [182]   Conversely, over the past year, district courts found standing for a Wiretap Act claim predicated on use of a smartphone application to track users’ physical movements, [183] as well as for VPPA, Wiretap Act, and state law claims based on the collection of video-viewing information through smart TVs. [184]   Courts also found standing in the context of Driver’s Privacy Protection Act claims stemming from the sale of vehicle accident reports containing personal information to third parties for solicitation purposes. [185] e.       TCPA Claims In TCPA cases, courts have continued to find that unsolicited electronic communications constitute a concrete injury to statutory privacy rights.  For example, the Ninth Circuit held that spam-like text messages about gym memberships violated “the substantive [TCPA] right to be free from certain types of phone calls and texts absent consumer consent,” [186] and the Second and Third Circuits found that plaintiffs adequately alleged harm in actions based on unwanted, prerecorded telephone calls. [187]   A number of district courts have reached identical conclusions in TCPA cases; [188] however, one court refused to certify a proposed TCPA class after determining that some prospective class members had consented to receive the calls at issue and thus did not suffer a cognizable injury. [189] 3.      
Looking Ahead Spokeo did not provide a bright-line rule squarely prohibiting plaintiffs from suing for intangible injuries.  Accordingly, lower courts have continued to grapple with its application in the data privacy space.  There appears to be an emerging pro-plaintiff consensus in VPPA and TCPA actions, and courts have continued to favor defendants in retention suits.  However, the circuit courts have adopted divergent views on whether data breaches resulting in stolen personal information and the associated risk of future identity theft are, by themselves, enough to confer standing absent allegations of present harm.  On December 6, 2017, Spokeo again petitioned for certiorari and sought review of the Ninth Circuit’s latest standing determination. [190]  However, shortly before publication of this review, the Supreme Court rejected Spokeo’s petition, [191] thereby declining the opportunity to clarify its precedent. B.     Data Breach Litigation 1.     Litigation a.      High-Profile Breaches in 2017 Last year witnessed one of the largest data breaches in history, when it was reported that Equifax, Inc., one of the three major American credit bureaus, had its systems compromised, affecting more than 143 million Americans.  But Equifax was not alone in suffering massive data breaches: for example, a white hat hacker revealed in July that a political data analytics company had left the voting information of nearly 200 million Americans exposed.  Throughout the year hackers targeted government agencies and companies in every industry, seeking out personally identifiable information (“PII”), customer login information, payment information, and health care information, among others.  Litigation quickly followed many of the announced breaches, including civil actions and suits on behalf of government entities. i.     
Credit Bureau Attacks In the Equifax attack, hackers were able to access names, Social Security numbers, addresses, and other PII, making the breach not just one of the largest in terms of the number of individuals affected, but also in terms of the breadth and sensitivity of PII lost.  The hackers gained entry by exploiting a website application vulnerability, and were not discovered until after they had accessed dozens of sensitive databases and created over 30 different entry points into Equifax’s computer systems. [192] To date, over 240 class action lawsuits by consumers have been filed against Equifax in the U.S., including a “50-state” complaint seeking to consolidate dozens of individual suits. [193]   Those suits allege a variety of common law and statutory claims, seeking monetary damages, injunctive relief, and other related relief. [194]   Equifax also faces municipal suits by Chicago and San Francisco generally alleging violations of state laws and local ordinances regarding protection of personal data, consumer fraud, business practices, and breach notice requirements. [195]    Additionally, the Massachusetts Attorney General has filed a suit against the credit reporting agency in relation to the data breach. [196]   Financial institutions including banks and credit unions also filed suit, seeking monetary relief for data breach costs to the financial institutions, such as canceling and reissuing credit cards and absorbing the cost of any fraudulent charges. [197]   Shareholders have also sued Equifax, alleging violations of securities laws and seeking damages against the company and its top officers. [198] Equifax moved to consolidate the lawsuits it faces, which continue to proliferate. [199]   As a result, a Judicial Panel on Multidistrict Litigation ordered centralization of the cases on December 6, 2017. [200]   Going forward, litigation will be heard in the Northern District of Georgia. 
Equifax was not the only bureau to have sensitive information left vulnerable.  On December 20, 2017, security firm UpGuard announced that it had discovered a cache of materials on an unsecured server, this time maintained by Alteryx, a data analytics company that is partnered with the major credit bureau Experian. [201]   Sensitive personal information on 123 million U.S. households was left unsecured, including datasets from Experian and the U.S. Census Bureau. [202]   The exposed data included home addresses, contact information, purchasing behavior, and financial information. [203]   At least two lawsuits have already been filed against Alteryx, in California and Oregon. [204] ii.     Political Breaches The U.S. government continued investigating the July 2016 cyberattack on the Democratic National Committee, with related lawsuits drawing attention throughout 2017.  Such suits included a complaint under the Freedom of Information Act filed by the Electronic Privacy Information Center against the FBI, seeking records relating to its investigation into the attack, [205] and lawsuits brought by Microsoft against command-and-control servers used by KGB hacking group “Fancy Bear” to covertly direct malware onto victims’ computers. [206] Then, on June 19, 2017, UpGuard announced that they had discovered that Deep Root Analytics, LLC, a data analytics company contracted by the Republican National Committee to gather voting data, had stored information on more than 198 million Americans on an unsecured storage server. [207]   This information included names, birth dates, addresses, voter registration details, and social media posts. [208]   While it is unclear whether any nefarious parties accessed the data, the breach did lead to a class action lawsuit against Deep Root. [209]   That lawsuit was dismissed by the plaintiffs with prejudice in November. [210] Additionally, the U.S. 
Department of Homeland Security announced in September 2017 that it appeared Russia had undertaken extensive efforts to hack state election systems in the lead-up to the presidential election. [211] Illinois had its systems breached, while 20 other states were targeted but are not believed to have been breached. [212]

iii. Customer Information

Fast Food Restaurant Chains. 2017 was a particularly notable year for data breaches at American fast food restaurants. In February, Arby’s Restaurant Group Inc. revealed a breach of customer data by malicious software running on point-of-sale systems at its restaurants; suits sprang up almost immediately. [213] In April, Chipotle Mexican Grill, Inc. announced that it had detected a security breach in its processing and transmission of customer and employee data, leading to lawsuits from financial institutions. [214] In September, Sonic Corp. was confronted with multiple suits following a data breach first reported by a security researcher, in which millions of credit and debit card users may have had their card data stolen. [215] Then, in October, Pizza Hut Inc. announced that it had discovered what it deemed a “temporary security intrusion” that compromised the PII of nearly 60,000 customers who completed orders on its website or mobile app between October 1 and 2, 2017. [216] On November 7, 2017, a class action suit was filed against the company in Washington. [217]

Hotel Groups. 2017 was not any kinder to hotel groups. Lawsuits were filed in July against Sabre Hospitality Solutions, a vendor whose electronic reservation system serves thousands of travel agencies and hotels, after it announced that it had suffered a data breach compromising the information of customers who made reservations using the system between August 2016 and March 2017. [218] Credit card information and cardholder names were stolen.
Intercontinental Hotels Group (“IHG”) is facing its own class action lawsuit, after it announced a data breach that affected 12 of its properties. Malware was found on servers that processed payments made at on-site restaurants and bars during the second half of 2016. [219] IHG has moved to dismiss the matter, and that motion is currently being briefed.

Whole Foods. Whole Foods Market Group, Inc. found itself the target of a lawsuit following its September 28, 2017 announcement that its point-of-sale systems at taprooms and full-service restaurants (but not its grocery stores) had been hacked. The suit, a class action filed by a customer, alleges negligence on the part of Whole Foods for failing to protect her information, as well as violations of the Fair Credit Reporting Act and Ohio’s Consumer Sales Practices Act. [220]

iv. Health Information

The number of data breaches affecting health care providers continued to rise in 2017, with over 340 incidents reported to the Department of Health and Human Services. [221] The past year did not, however, witness any massive breaches comparable to the 2015 attack on Anthem, which resulted in the disclosure of more than 78 million patients’ PII. [222] Interestingly, of the five largest health care-related breaches in 2017, only one has resulted in litigation so far.

Commonwealth Health Corporation. In March 2017, Commonwealth Health Corporation’s Kentucky-based Med Center Health announced that up to 697,800 individuals may have had their billing and health information stolen via a breach that occurred in 2014-15. [223] No hacking was involved in the breach; rather, a former employee accessed the information without authorization. This is believed to be the largest breach of a health care provider in 2017, in terms of the number of records compromised. [224] While federal investigators look into the matter, at least one lawsuit has been filed against the company by affected patients. [225]

v. Law Firms and Business Information

Cyberattacks affected two large international law firms, amongst others, in 2017. While DLA Piper suffered a ransomware or wiper attack that disabled the firm’s communications systems for several days, no lawsuits have been filed by its clients as yet. [226] Litigation followed a data breach at the Cayman Islands-based law firm Appleby; however, it was Appleby going on the attack, suing the BBC and The Guardian over their reporting of offshore transactions by the firm’s clients. [227] Millions of documents, dubbed the “Paradise Papers” by the media, were leaked to journalists detailing the arrangements and offshore activities of Appleby’s clients. [228] Appleby sued the two media companies in British court in order to force the disclosure of the documents that formed the basis of their investigation. [229]

b. Update on High-Profile Data Breach Cases from Prior Years

While many prior data breach cases headed for settlement instead of being decided by the courts (as discussed in detail in the Settlements section below), some cases received significant rulings in the past year. Others continue to be litigated.

i. District Court Litigation

Yahoo. On August 30, 2017, a district court in the Northern District of California granted in part and denied in part Yahoo’s motion to dismiss data breach litigation, opening the way for class action lawsuits to proceed against the web portal, now owned by Verizon Communications. [230] The district court ruled that some of the named plaintiffs had alleged Article III standing at the pleading stage, because they had “alleged a risk of future identity theft, in addition to loss of value of their [personal identification information].” [231] The court dismissed certain claims in the consolidated actions, but allowed the actions to continue and the plaintiffs to amend their complaints. [232]

Office of Personnel Management.
The District Court for the District of Columbia dismissed a class action data breach suit stemming from the attack against the Office of Personnel Management, which compromised the personal data of current, former, and prospective U.S. government employees. [233] The court ruled that the theft of data alone was not enough to establish standing for the class, and that plaintiffs must allege unreimbursed out-of-pocket expenses from the alleged identity theft to state an injury in fact. [234] While the court held that two plaintiffs had alleged such expenses, it found that their claims were insufficient to establish standing because they had not sufficiently tied those injuries to the breach. [235] The court also dismissed the case on sovereign immunity and contractor immunity grounds, and found that the complaint failed to state a claim under the Privacy Act, the Little Tucker Act, and the Constitution. [236] Gibson Dunn represented OPM’s co-defendant, contractor KeyPoint Government Solutions, in this litigation.

VTech. The litigation arising from a 2015 cyberattack on the servers of digital learning toy-maker VTech continued to wind its way through the Northern District of Illinois. VTech won its motion to dismiss the cases against it on July 5, 2017, as the court ruled that the plaintiffs had failed to show how the data breach could lead to future harm. [237] Specifically, the court held that plaintiffs did not explain how the stolen data would be used to perpetrate identity theft. [238] However, the court did not dismiss the claims with prejudice; accordingly, plaintiffs’ counsel filed an amended complaint against the company in August. [239] The case settled in early 2018. [240]

Uber. Uber won its motion to dismiss a lawsuit stemming from a 2014 data breach. The court held that the plaintiffs did not “plausibly allege an immediate, credible risk of harm” and thus lacked standing.
[241] In particular, the named plaintiff did not allege that any passwords, PINs, or Social Security numbers were among the data obtained. [242] Gibson Dunn represents Uber in this dispute, which is ongoing following Plaintiffs’ filing of a Third Amended Complaint.

Noodles & Co. Noodles & Co. won its motion to dismiss a proposed class action brought by financial institutions over the data breach it suffered in early 2016. [243] The court found that the chain had no obligation toward the credit unions that had brought the suit, [244] and ruled that the claims were barred under the economic loss rule. [245] Because the duties allegedly breached were contained in a network of interrelated contracts, the rule applied; and because the rule only allows recovery of damages on a breach of contract claim, the negligence claims brought by the credit unions failed.

ii. Appellate Litigation

CareFirst BlueCross BlueShield. The D.C. Circuit revived a class action lawsuit brought by policyholders of CareFirst BlueCross BlueShield health insurance, which suffered a cyberattack in 2014 leading to the theft of 1.1 million members’ personal information, including names, birthdates, addresses, and subscriber ID numbers. [246] The circuit court found that the breach likely exposed Social Security and credit card numbers and other personal data such that fraudulent medical claims could result, a harm concrete enough to establish standing under the Supreme Court’s Spokeo decision. [247] Although the district court had dismissed the complaint, finding that it was based on statutory violations and not concrete harm, the appellate court found that it was plausible to infer that the hackers had the intent and ability to use the stolen data for ill, leading to concrete harm. [248]

Veterans Affairs.
Conversely, the Fourth Circuit affirmed the dismissal of a class action suit arising from the theft, from a Veterans Affairs medical facility, of a laptop containing the unencrypted personal information of patients. [249] The circuit court agreed with the district court’s ruling, finding that the plaintiffs’ fear of harm from future identity theft was too speculative to confer standing, even though the plaintiffs had taken actions to mitigate that speculative future harm. [250] The court reasoned that the allegations of harm rested on an attenuated chain of possibilities, including the assumptions that the laptop thief planned to misuse the personal information on the laptop, and planned to misuse the plaintiffs’ personal information specifically. [251] This chain of logic was not sufficient to establish standing under Spokeo.

c. Trends in Data Breach Cases in 2017

Courts continued to grapple with specific issues in 2017, including issues that some had thought would be settled by Supreme Court precedent from past years, such as the Spokeo decision.

i. Standing Post-Spokeo

As seen in the appellate litigation above, the circuit courts are split when it comes to interpreting the high court’s decisions in Spokeo (and Clapper v. Amnesty International) regarding the tests for sufficient imminence and concrete harm to confer standing. The D.C. Circuit found in Attias that there was concrete harm from the CareFirst data breach, because it was plausible to infer that the hackers had the intent and ability to wrongfully use the stolen data. [252] But the Fourth Circuit found in Beck that there was no concrete harm from a stolen laptop containing patient information, because the harm rested on a logical chain requiring misuse of the plaintiffs’ specific personal information. [253] The Second Circuit used similar reasoning in Whalen v.
Michaels Stores, Inc., finding that a data breach leading to stolen credit card information was not sufficient to allege concrete harm, because the plaintiff had promptly canceled her card and no specifics were alleged regarding any other particularized or concrete injury. [254] Like the D.C. Circuit, the Seventh, Third, and Sixth Circuits have found that the risk of identity theft or credit card fraud was enough to confer constitutional standing on those whose data had been stolen. [255] The Eighth Circuit added a new dimension to the split in September when it revived a class action lawsuit brought against SuperValu Inc., reasoning that while not enough personal information had been lost to allow plaintiffs to rely on a risk of imminent harm from identity theft, there was standing because someone had used a plaintiff’s credit card to make an unauthorized purchase. [256] That allegation was sufficient to meet the concrete injury test, even though SuperValu’s attorneys argued that there was no indication the purchase was a result of the breach. [257]

ii. Companies on the Attack

2017 saw an uptick in firms taking the offensive by wielding litigation as a tool to fight hackers. For instance, Microsoft has focused its attention on the command-and-control servers used by one of the most sophisticated hacking collectives attempting to direct malware onto victims’ computers. To do so, it sued Fancy Bear in the Eastern District of Virginia. [258] Microsoft argued that it had standing to sue because Fancy Bear had been using domain names containing the names of Microsoft’s products to set up websites hosting malware. [259] Thereafter, Microsoft won orders from the court compelling domain name registrars to alter those domains to point to Microsoft instead of to Fancy Bear’s sites. [260] Microsoft is now seeking a permanent injunction giving Microsoft ownership of the domains it has targeted.
[261] In a different vein, as noted above, Appleby has wielded litigation against journalists who reported on the Paradise Papers. [262] Ultimately, these actions point to the possibility that other companies will take the fight to hackers, especially companies in the tech industry whose products are often targeted as a means of carrying out data breaches.

2. Settlement Trends

As in 2016, companies facing major data breach litigation in 2017 continued to choose to settle claims on a class-wide basis. As discussed more fully below, Anthem Inc., one of the nation’s largest health insurance providers, agreed to settle a class action lawsuit brought by consumers stemming from a 2015 data security breach for $115 million. [263] Given the financial, regulatory, and reputational risks attendant to data breach litigation, this trend is understandable. Other trends emerged in 2017 as well. First, defendants in data breach litigation are continuing to settle with financial institution plaintiffs in addition to consumer plaintiffs. Additionally, in the aftermath of data breach settlements, some class members have objected to various elements of the settlements or proceedings. Lastly, as is discussed more fully below, defendants facing data breach enforcement actions have increasingly entered into settlement agreements with state attorneys general.

a. Anthem’s Settlement

In 2015, Anthem, one of the nation’s largest health insurance providers, announced that it had been the victim of a data breach in which hackers gained access to individuals’ personal information. [264] Customer-plaintiffs brought numerous class action lawsuits against Anthem and its affiliates that were ultimately consolidated in the Northern District of California. [265] After the court denied the defendants’ motion to dismiss in part, [266] the parties entered into a settlement on May 31, 2017. [267] The court preliminarily approved the settlement at the end of August.
[268] The broad strokes of the Anthem settlement are familiar. As part of the settlement, the defendants agreed to pay $115 million into a settlement fund. [269] The fund will be used, in part, to cover reimbursement of out-of-pocket costs and credit monitoring services for class members, [270] and to pay up to $37.95 million in attorneys’ fees. [271] In addition, the defendants agreed to implement improved data security practices for at least three years and to engage an independent consultant to ensure that these practices are followed. [272]

b. Home Depot Settles with Financial Institutions

Following a 2014 data breach, in 2016 Home Depot settled a class action lawsuit brought on behalf of over 50 million of its customers for $13 million. [273] However, that settlement did not include coexisting claims brought by a consolidated class of financial institutions, which claimed that they were harmed by Home Depot’s failure to prevent the data breach because they were required to issue consumers new credit cards and to reimburse any fraudulent charges stemming from the breach. [274] In early 2017, Home Depot entered into an additional settlement with the financial institutions and agreed to pay $25 million into a settlement fund intended for distribution among the class members. [275] In September 2017, the Northern District of Georgia approved this settlement. [276]

c. Developments Regarding the Target Settlement

In 2015, Target agreed to settle a consumer class action arising out of a 2013 data breach for $10 million. [277] The ultimate disposition of the case and distribution of the settlement fund, however, have been significantly delayed by various claims from objectors. [278] For instance, in May 2017, the District of Minnesota rejected an objector’s claim that the class representatives in the case had a conflict of interest with other class members such that the settlement was inadequate.
[279] As of this writing, the objector’s appeal is pending before the Eighth Circuit Court of Appeals. [280] In addition, in May 2017 Target agreed to pay $18.5 million to 47 states and the District of Columbia as part of a settlement that arose out of a multi-state investigation into the same breach. [281]

d. Historical Context for Settlements of Data Breach Claims

As the chart below demonstrates, the data breach settlements of 2017 appear to be in line with those of recent years. Each entry lists the defendant, the approval date, the type of data involved, the relief provided to the class, and the service awards, fees, and costs.

Home Depot (Financial Institution Class) [282]
Approval: September 22, 2017
Data type: Card Data
Relief to the class: $25 million for class claims; up to $2.25 million to certain sponsored entities; security practice changes
Service awards, fees, and costs: Up to $2,500 for each class representative; $710,000 in litigation costs; $15.3 million in fees

Anthem [283]
Approval: August 25, 2017 (preliminary approval)
Data type: Personal Information
Relief to the class: $115 million for, among other things, class members’ out-of-pocket expenses and credit monitoring services; security practice changes
Service awards, fees, and costs: Up to $3 million in costs and $37.95 million in fees, to be covered by the $115 million settlement payment

Home Depot (Consumer Class) [284]
Approval: August 23, 2016
Data type: Card Data
Relief to the class: Up to $13 million for class claims; up to $6.5 million for 18 months of credit monitoring services; security practice changes
Service awards, fees, and costs: $1,000 for each representative plaintiff; $166,925 in costs; $7.536 million in fees

Target Corp. (Financial Institution Class) [285]
Approval: May 12, 2016
Data type: Card Data
Relief to the class: Up to $20.25 million for class claims; $19.108 million to MasterCard; reportedly up to $67 million for Visa’s claims against Target [286]
Service awards, fees, and costs: $20,000 for 5 representative plaintiffs; $2.109 million in costs; $17.8 million in fees

Sony Pictures Entertainment, Inc. [287]
Approval: April 6, 2016
Data type: Login and Personal Information
Relief to the class: Up to $2 million for preventative losses; up to $2.5 million for claims for identity theft losses; up to two years of credit monitoring services
Service awards, fees, and costs: $3,000 for each named plaintiff; $1,000 for each plaintiff who initially filed an action; $2.588 million in fees

St. Joseph Health System [288]
Approval: February 3, 2016
Data type: Health Information
Relief to the class: $7.5 million in cash payment; up to $3 million for class claims; one year of credit monitoring services (offered during remediation); security practice changes
Service awards, fees, and costs: $50,000 in incentive payments for class representatives; $7.45 million in fees and costs

Target Corp. (Consumer Class) [289]
Approval: November 17, 2015
Data type: Card Data
Relief to the class: Up to $10 million for claims; security practice changes
Service awards, fees, and costs: $1,000 for three deposed plaintiffs; $500 for other plaintiffs; $6.75 million in fees

LinkedIn [290]
Approval: September 15, 2015
Data type: Login Information
Relief to the class: Up to $1.25 million for claims; security practice changes
Service awards, fees, and costs: $5,000 for the named plaintiff; $26,609 in costs; $312,500 in fees

Adobe Systems, Inc. [291]
Approval: August 13, 2015 (voluntary dismissal)
Data type: Login and Card Data
Relief to the class: Security practice changes and audit
Service awards, fees, and costs: $5,000 to each individual plaintiff; $1.18 million in fees

Sony Gaming Networks [292]
Approval: May 4, 2015
Data type: Card Data and Personal Information
Relief to the class: Up to $1 million for identity theft losses; benefit options including free games and themes or a month’s subscription, unused wallet credits, and virtual currency; some small cash payments
Service awards, fees, and costs: $2.75 million in fees

3. Shareholder Derivative Suits

In recent years, shareholders have occasionally responded to data breaches by filing derivative lawsuits against corporate directors and officers for breach of fiduciary duty in overseeing corporate cybersecurity. From 2014 to 2017, shareholders brought five such high-profile derivative lawsuits on behalf of Wyndham Worldwide, Target, Home Depot, Wendy’s, and Yahoo. However, these suits have generally struggled to move past the motion-to-dismiss stage.
Both the Wyndham and Target lawsuits were dismissed after courts respectively found that the Wyndham board’s actions were protected under the business judgment rule, [293] and that pursuing legal action against Target’s directors and officers was not in the corporation’s best interest. [294] The Home Depot case was similarly dismissed in 2016; however, the parties reached a settlement this year after the plaintiffs appealed the dismissal. The outcomes of the Wendy’s and Yahoo litigations remain to be seen.

The Home Depot. After news broke that hackers had stolen the email addresses and credit card information of more than 50 million Home Depot customers, a number of the company’s shareholders filed a derivative lawsuit in September 2015 in the Northern District of Georgia, alleging that the board of directors breached its fiduciary duty by disbanding Home Depot’s infrastructure committee and moving too slowly in addressing the security breach. On November 30, 2016, the district court dismissed the action on the grounds that the shareholders had failed either to demand that the board take action or to demonstrate with particularized facts that such a demand would have been futile. [295] Plaintiffs subsequently appealed to the Eleventh Circuit. However, on April 28, 2017, the parties reached a settlement pursuant to which Home Depot agreed to adopt certain cybersecurity-related corporate governance reforms and to pay the plaintiffs’ legal fees, totaling around $1.1 million. [296] The promised reforms included maintaining an executive committee on data security, documenting the responsibilities of the company’s corporate information security officer, and requiring regular reports on the company’s IT and cybersecurity budget. [297]

Wendy’s. On December 16, 2016, just two weeks after the district court’s dismissal of the Home Depot suit, plaintiff shareholders filed a derivative action in the Southern District of Ohio against The Wendy’s Co.
(“Wendy’s”) and certain of the company’s directors and officers. The lawsuit stemmed from a data breach that occurred between October 2015 and June 2016, which affected 1,025 Wendy’s franchise locations and spawned a series of consumer protection lawsuits. [298] The complaint asserted claims for breach of fiduciary duty, waste of corporate assets, unjust enrichment, and gross mismanagement. [299] The plaintiffs sought money damages, corporate governance reforms, and restitution of benefits and compensation. In an attempt to avoid the fate of the Home Depot shareholder litigation, the Wendy’s plaintiffs provided detailed allegations to support their claim of demand futility, arguing that the controlling shareholder defendants have familial or past business ties with certain directors, resulting in those directors being “beholden to the controlling shareholder defendants.” [300] On March 10, 2017, the Wendy’s board responded with a motion to dismiss, arguing failure to state a claim and failure to make a demand or adequately plead demand futility. [301] The board members contended that the complaint was nothing more than speculation and failed to include any specific allegations that they had breached any corporate duty with regard to data security protocols. [302] At the time of this writing, the board’s motion to dismiss was still pending.

Yahoo. The Yahoo data breach has given rise to two shareholder derivative suits. On February 16, 2017, a Yahoo shareholder filed a lawsuit on behalf of the company in the Northern District of California. [303] On February 23, 2017, another group of Yahoo Inc. shareholders filed a second derivative lawsuit in Delaware Chancery Court. [304] Both cases have since been stayed, the former pending the entry of final judgments in the securities and consumer class actions also filed against Yahoo in the wake of the breach. [305]

C. Interceptions and Eavesdropping

1. Email Scanning

As in past years, 2017 saw key developments in class action lawsuits alleging that technology companies violated state and federal laws by scanning user emails for targeted advertising and other business purposes. Companies operating electronic communications services should continue to monitor such lawsuits, as they allege privacy violations based on what many consider to be standard industry practices, concern potentially massive proposed classes including all or many users of such services, and analyze which disclosures suffice to establish consent to information collection and use.

Matera v. Google Inc. Plaintiffs in Matera v. Google Inc. filed a class action against Google in September 2015, alleging that Gmail violates CIPA and the ECPA by intercepting the emails of non-Gmail users in order to provide targeted advertising. In 2016, the court denied Google’s motion to dismiss as to the merits of plaintiffs’ claims, [306] and granted in part and denied in part Google’s motion to dismiss for lack of standing. [307] Most significantly, the court concluded that, based on “the historical practice of courts recognizing that the unauthorized interception of communication constitutes cognizable injury” and “the judgment of Congress and the California Legislature [that] alleged violations of . . . the Wiretap Act and CIPA constitute injury in fact,” the plaintiffs’ complaint survived Spokeo. [308] However, the court also held that plaintiffs lacked standing to enjoin Google from engaging in the alleged “intercepting and scanning,” which Google confirmed it had ceased. [309] In November 2016, the parties requested a stay of the proceedings and announced that they had successfully mediated a resolution of the case and finalized a settlement agreement.
[310] At a preliminary approval hearing held on March 9, 2017, the parties explained that, pursuant to the agreement, Google would be enjoined from “scanning in transit email for the sole purpose of collecting advertising data.” [311] However, Google would be allowed to scan incoming in-transit email for “the ‘dual purpose’ of (1) detecting spam and malware and (2) obtaining information that would be ‘later used for advertising.’” [312] Google also agreed to pay $2.2 million in attorneys’ fees, $2,000 for each of the two lead plaintiffs, and $123,500 for the settlement administrator. [313] On March 15, 2017, the court rejected this proposed settlement, stating that the class settlement notice was “inadequate” because it was “difficult to understand.” [314] In particular, the preliminary settlement failed to clearly disclose the “dual purpose” to which Google had agreed or “the fact that Google intercepts, scans, and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles” for targeted advertising. [315] Furthermore, the court found it unclear whether the changes Google planned to make would bring Google into compliance with CIPA and the ECPA. [316] On July 21, 2017, the parties proposed a new settlement, which included a “plain language” summary of the changes Google plans to make. [317] The summary stated that for three years, Google would “cease all automated scanning of emails sent to Google accounts for advertising purposes while the emails are in transmission prior to delivery to the Gmail user’s inbox.” The settlement does not prohibit Google from scanning email for the prevention of spam or malware. In addition, Google stated that it is making “business-related” changes to Gmail, whereby it “will no longer scan the contents of emails sent to Gmail accounts for advertising services,” either during the transmission process or after the emails have been delivered.
These changes are not subject to the three-year time period, and are independent of the settlement. [318] The court preliminarily approved the revised settlement on August 31, 2017. [319] A final fairness hearing is scheduled for February 8, 2018.

Cooper v. Slice Technologies, Inc. & UnrollMe Inc. In Cooper v. Slice, plaintiffs brought a class action for damages and injunctive relief, alleging that UnrollMe and its parent company, Slice Technologies, violated the ECPA and the SCA by failing to adequately disclose UnrollMe’s practice of scanning emails and selling data to third parties. [320] UnrollMe is a web service that unsubscribes users from mailing lists, newsletters, and other unwanted emails. [321] Plaintiffs asserted that UnrollMe intercepted and accessed users’ emails without consent or authorization, or exceeded its authorization by accessing emails for the purpose of extracting and selling consumer data. [322] Defendants moved to dismiss the lawsuit on October 12, 2017. [323] Among other things, defendants argued that plaintiffs failed to allege an injury in fact sufficient to establish Article III standing under Spokeo, since plaintiffs did not allege that their actual emails were sold to other companies, or that anonymized data extracted from plaintiffs’ emails was reidentified after being sold. Defendants also asserted that plaintiffs failed to state a claim under the Wiretap Act because defendants purportedly disclosed the activities at issue in their privacy policy, and because plaintiffs alleged only access to their stored emails, whereas the Wiretap Act applies to the “interception” of communications in transit.

2. Call Recording

In recent years, a number of civil and criminal cases have been brought against both businesses and individuals for recording phone calls without the requisite consent. The recording of telephone conversations is governed by a patchwork of federal and state law.
At the federal level, the Wiretap Act permits the recording of phone calls so long as one party to the call consents to the recording. [324] The vast majority of states have similarly adopted a “one-party” consent requirement. [325] A minority of states have arguably adopted either a “two-party” or “all-party” consent requirement. [326] Most of the call recording cases brought in recent years have been against companies for large-scale recording of commercial calls, rather than individual illicit recordings. Although nearly a dozen states have all-party consent laws, much of the litigation surrounding unauthorized recordings has arisen under California’s Invasion of Privacy Act (“CIPA”), California Penal Code § 630, et seq. [327] Most call recording litigation based on CIPA has focused on §§ 632 and 632.7, which prohibit eavesdropping on calls to landlines and cell phones, respectively. Recently, courts have held that non-California plaintiffs may assert CIPA claims against California defendants where the alleged violations occurred in California. [328] Indicative of this national reach, California business owners brought suit in Illinois against various banks and telemarketers alleging illegal recordings of discussions containing sensitive business information. [329] The various defendants filed motions to dismiss, transfer, and sever the case, but the case is still pending in the Northern District of Illinois. Significantly, some of the defendants have sought to change venue based on forum selection clauses in their customer or user agreements, rather than challenging the ability of plaintiffs to bring CIPA claims outside of California, indicating that few litigants are willing to challenge the national reach of CIPA.
Also in the realm of jurisdictional issues related to CIPA, the Ninth Circuit recently reversed a decision remanding a CIPA class action to state court, concluding that the plaintiff had failed to demonstrate that two-thirds of the class actually resided in California, as required for the home-state exception under the Class Action Fairness Act (“CAFA”). [330] Specifically, CAFA exempts from federal jurisdiction “home-state controversies,” in which at least two-thirds of the proposed class and the primary defendants are all citizens of the State in which the action was originally filed. [331] Plaintiffs’ proof that two-thirds of all class members were Californians was lacking, according to the Ninth Circuit, because, although the class contained an indeterminate number of people who were “located in” California when they received the allegedly improperly recorded phone calls, the allegations never specified how many of them were California citizens or even how large the whole class was. [332] In reaching its decision, the court noted that plaintiffs were aware of the class definition issue and failed to carry their burden of proving the citizenship of a sufficient number of class members. [333]

In the class certification context, in Raffin v. Medicredit, Inc., the Central District of California certified a CIPA class action against Medicredit, a debt collector, for recording cell phone calls without informing plaintiffs of the recording. [334] The action sought certification of a class under § 632.7, which prohibits the recording of cell phone communications without consent. [335] Notably, the court concluded that the class was ascertainable for certification purposes, even though it may be necessary to undertake the challenging process of using cell site location information to verify that putative class members were in California when called.
[336] In analyzing § 632.7 more generally, the court also concluded that a party must be informed “at the outset,” meaning “prior to any recording of the plaintiff’s communication,” that the call is being recorded. [337] Subsequent courts have adopted this interpretation of § 632.7, suggesting a broadening of the law’s scope. [338] If this becomes settled law, it would align § 632.7 with § 632, which already requires notification “at the outset” for any recording of calls over a landline. However, class certification appears to be more difficult under § 632 than under § 632.7, as the more generous test applied in Raffin diverges from the stricter analysis in Saulsberry v. Meridian Financial Services, Inc., decided last year. [339] This may indicate a unique area of divergence in the interpretation of two statutes that are otherwise converging, or it may represent a reversal of the trend of denying class certification. Ultimately, only three class certification decisions under §§ 632 and 632.7 were issued this year, and all three granted class certification. [340]

Adding to the body of law regarding the scope of § 632.7, the court in Ronquillo-Griffin concluded that § 632.7, like § 632, applies to parties to a communication and not just to third parties, adding to the already significant number of district courts that have so interpreted § 632.7. [341] Like the Raffin case discussed above, this indicates an increasing overlap between § 632 and § 632.7, generating a more consistent body of law governing call recordings over landlines and cell phones.

On the criminal side, the California Court of Appeal invalidated part of CIPA. [342] California Penal Code § 632(d) renders inadmissible as evidence recordings obtained without all parties’ consent.
However, California’s constitution contains a “Right to Truth-in-Evidence” provision, which permits all relevant evidence to be admitted unless the legislature provides otherwise by a two-thirds majority vote. [343] The Court of Appeal concluded that this provision abrogated the inadmissibility component of CIPA, rendering admissible recordings that otherwise violate CIPA. [344]

Outside of California, there has also been some litigation regarding the scope of local eavesdropping statutes. The Arizona Court of Appeals confirmed that a voice message may be shared by the recipient of the message, even if the person leaving the message does not consent. [345] In State v. Smith, the defendant had argued that, when leaving a voice message, there is only one “participant” to the call, but the court rejected this logic, concluding that the recipient of the message is also a participant and may consent to sharing the recorded voicemail. [346] In a similar case, also captioned State v. Smith, the Supreme Court of Washington considered whether an inadvertent recording through the voicemail function of a cell phone falls within the purview of Washington’s all-party consent statute. [347] The Court concluded that “the plain language of the act confirms that even an inadvertent recording of a private conversation falls within the purview of the act.” [348]

3. Other “Interceptions”

Emails and telephone calls are not the only communications that can be intercepted, and plaintiffs are increasingly bringing lawsuits based on novel theories of interception and collection of data. This year saw a number of developments in ongoing lawsuits, as well as several new actions alleging new theories of Wiretap Act violations.

Opperman et al v. Kong Technologies, Inc. et al.
In April 2017, several major tech companies, including Twitter, Yelp, Instagram, Foursquare, and Path, agreed to settle a putative class action accusing them of violating the ECPA and the Texas Wiretap Act, as well as common law privacy rights. [349] The putative class action complaint, originally filed in 2012, alleged that the defendants’ applications accessed user contact information without consent. [350] For instance, plaintiffs claimed that Twitter’s “Find Friends” feature violated consumer privacy by scanning users’ address books to see which of their contacts were on Twitter. Twitter, on the other hand, argued that users were informed of the process and gave their permission for the service to scan their address books. Path users alleged that the photo sharing and messaging app was accessing their contacts and calendar information without permission; Path later issued an apology. Defendants agreed to pay a consolidated $5.3 million under the settlement, which covers a proposed class of an estimated 7 million claimants who downloaded the companies’ iOS apps on their Apple devices and activated the “Add Friends,” “Find Friends,” or “Suggested Friends” feature offered by the relevant application. [351] A final approval hearing was held on December 14, 2017.

In re Vizio, Inc., Consumer Privacy Litig.

In this putative class action, plaintiffs alleged that Vizio violated the ECPA and the VPPA, and asserted several state law fraud, negligent misrepresentation, and consumer protection claims, based on Vizio’s use of its smart TVs to secretly collect, and distribute to advertisers, information on customers’ viewing habits so that advertisers could deliver targeted advertising in real time. [352] On March 2, 2017, the court granted Vizio’s motion to dismiss plaintiffs’ Wiretap Act, state law video privacy, negligent misrepresentation, affirmative fraud, and California false advertising claims, with leave to amend.
Vizio’s motion was denied as to plaintiffs’ VPPA, fraudulent omission, state privacy law, and unjust enrichment claims. With respect to the Wiretap Act claims, the court found that plaintiffs failed to adequately plead simultaneous interception (relying instead on vague allegations that Vizio’s data collection occurred in “real time”), but did not reach Vizio’s argument that its collection and disclosure software does not capture the “contents” of electronic communications. [353] On March 23, 2017, plaintiffs filed a second consolidated complaint that dropped all of the dismissed causes of action except the Wiretap Act claims. [354] Addressing the deficiencies in the prior complaint, plaintiffs now alleged that Vizio’s software takes samples of the programming displayed on a TV at any point in time and sends fingerprints of those samples to a centralized fingerprint matching server, which compares them against fingerprints already in its database, a process that operates sufficiently fast to provide “at least some context-sensitive content substantially simultaneously with at least one targeted video.” [355]

On April 13, 2017, Vizio moved to dismiss plaintiffs’ Wiretap Act claims for failure to state a claim, attacking only whether its software captures the “contents” of electronic communications. [356] Denying dismissal on July 25, 2017, the court ruled that because the intended message conveyed by the communication that Vizio’s software captures is the program being watched, the intercepted data extends beyond metadata to samples of the actual content.
[357] The court also rejected Vizio’s assertion that its software does not collect the contents of electronic communications because the samples are “tiny” and “unrecognizable,” noting that the standard for determining whether information qualifies as content does not depend on how much content is collected or whether the intercepted information would be “recognizable.” [358]

In its motion to dismiss, Vizio also argued that plaintiffs’ demand for injunctive relief was moot because a recent agreement with the FTC and the New Jersey Attorney General, in which Vizio was fined $2.2 million and agreed to obtain affirmative express consent before collecting any consumer data, ensured that the offending data collection had stopped. [359] Finding that the agreements were insufficient to ensure that Vizio’s improper data collection would not recur, the court denied Vizio’s motion to dismiss on mootness grounds. [360]

Satchell v. Sonic Notify, Inc.

In a class action filed in August 2016, plaintiff alleged that the Golden State Warriors’ mobile app, developed by YinzCam, uses the phone’s microphone to track users’ locations by picking up sonic beacons built by Signal360, and violates the Wiretap Act by secretly recording users’ conversations in the process. [361] Defendants moved to dismiss on November 1, 2016, and on February 13, 2017, the court granted the motion in part and denied it in part. [362] The court ruled that although plaintiff alleged sufficient facts to demonstrate that she suffered an injury in fact from the purported spying, she did not sufficiently allege a violation of the Wiretap Act because she failed to show how the defendants intercepted and then used those oral communications. [363] Plaintiff filed an amended complaint on March 13, 2017, [364] in which the court determined she cured those defects by alleging sufficient facts to show that defendants intercepted an oral communication.
[365] In a November 20, 2017 decision denying defendants’ motion to dismiss, the court explained, “Plaintiff cites at least four instances where she had her phone with her, the app was running and she had conversations about private matters, including nonpublic information during a business meeting and private financial matters.” [366] However, the court dismissed YinzCam from the lawsuit, ruling that plaintiff failed to demonstrate that the company was more than a conduit for the communications allegedly intercepted by the Warriors and Signal360. [367]

Rackemann v. Lisnr, Inc. et al.

In October 2016, the NFL’s Indianapolis Colts, and the audio software companies involved in creating the Colts’ mobile app, faced similar allegations that beacon technology was used to spy on the conversations of fans using the team’s app. [368] Defendants moved to dismiss, and on September 29, 2017, the court denied defendants’ motion with respect to plaintiff’s interception claims and granted it with respect to his use claims. Regarding interception, the court rejected defendants’ argument that plaintiff must allege specific details of the communications that may have been intercepted, finding it reasonable to infer that plaintiff’s smartphone was activated while he was engaged in a private conversation at some point over a four-year period. [369] The court also found that plaintiff adequately pleaded that his communications were captured and their content acquired, as he asserted that the app recorded portions of audio, including private conversations, captured by the phone’s microphone, and that the audio was analyzed by defendants. [370] Following the Sixth Circuit’s recent decision in Luis v. Zang, the court refused to dismiss Adept Mobile, the audio software company that, among other things, maintained the code for the app and integrated the audio technology into the app.
[371] Citing the Sixth Circuit, the court explained that “allegations of defendants working in concert or participating in the interception of communications can suffice to state a claim.” [372] The court did, however, dismiss plaintiff’s claim that defendants “used” the intercepted data, as plaintiff pled no facts showing that the contents of plaintiff’s communications, as opposed to beacon signals, were used to send targeted advertising. [373]

Zak v. Bose Corp.

In a putative class action, plaintiff accused Bose of violating the Wiretap Act and the Illinois Eavesdropping Statute by secretly collecting, transmitting, and disclosing the private music selections of customers who downloaded Bose’s mobile app. [374] Bose’s app allows users to pair their mobile devices with Bose wireless headphones and access key features, such as controlling the content they play. [375] Plaintiff asserted that when he used the Bose app to view information about, and control, music playing on his Bose headphones, Bose collected and retained the song information displayed in the app. [376] Plaintiff alleged that this collection constitutes an interception of electronic communications between Bose users and streaming music providers such as Spotify. [377]

In a motion to dismiss filed on August 3, 2017, Bose argued that the Wiretap Act does not apply to Bluetooth communications between an app and headphones because such communications operate between devices in close physical proximity and do not affect interstate or foreign commerce. [378] Furthermore, Bose contended that the Wiretap Act and the Eavesdropping Statute do not apply to communications where the interceptor is one of the parties, and the communications at issue occurred between plaintiff’s Bose headphones and Bose’s own app. [379]

Allen v. Quicken Loans Inc. and Navistone, Inc.
In December 2017, Quicken Loans was hit with a proposed class action alleging that it violated the Wiretap Act by installing software on its website that secretly tracks visitors’ keystrokes, mouse clicks, and other electronic communications in order to gather personally identifiable information and de-anonymize visitors by linking that data to their names and addresses. [380] This action, which was filed in the District of New Jersey, follows two nearly identical lawsuits brought by the same plaintiff’s firm against mattress seller Casper and retailer Moosejaw. [381]

D. Telephone Consumer Protection Act

The past year has been eventful for actions under the TCPA. [382] Perhaps the most anticipated TCPA decision of 2017, the D.C. Circuit’s ruling in ACA International v. FCC, remains outstanding. [383] ACA International challenges the FCC’s 2015 omnibus Declaratory Ruling and Order (the “omnibus order”), which, among other things, defined an autodialer to include any equipment with the “potential ability” to store or produce telephone numbers to be called or to call those numbers, as opposed to only equipment with the current capability to do so. [384] The omnibus order also changed the means through which a consumer can revoke consent. Under the omnibus order, not only may “a called party . . . revoke consent at any time and through any reasonable means,” but “[a] caller may not limit the manner in which revocation [of consent] may occur.” [385] Oral argument was held in October 2016 and lasted for over two hours, but the D.C. Circuit has yet to issue a decision.

In Congress, both sides of the aisle appeared interested in amending the TCPA.
In late 2016, the House Energy and Commerce Committee’s Subcommittee on Communications and Technology held a hearing on the TCPA at which a Democratic ranking member applauded a move to modernize the TCPA, [386] and the Republican subcommittee chairman stated that “it is increasingly clear that the law is outdated and in many cases, counterproductive.” [387] Though Congress has not yet acted, possible changes to the TCPA include capping statutory damages at $500,000 (matching the Truth in Lending Act’s cap) [388] and updating the TCPA to reflect the increased use of text messaging and the creation of apps that can turn a smartphone into an autodialer.

Yet Democrats and Republicans have not agreed on every TCPA issue in 2017. For example, in March 2017, the FCC received a petition from All About the Message LLC seeking a declaration that the use of ringless robocalls that go straight to voicemail does not violate the TCPA. [389] After the FCC issued a request for public comment, eleven Democratic Senators sent a letter to the FCC urging it to protect consumers from such calls, while the Republican National Committee voiced support for the petition. [390]

Even though Congress did not pass legislation amending the act, FCC leadership changed in 2017. The FCC, which has interpretive authority over the TCPA, may by statute have no more than three of its five commissioners from the same party, and, for the past several years, was led by three Democrats and two Republicans. [391] Following the inauguration of President Trump, the FCC now has three Republicans and two Democrats. [392] In the upcoming year, it is likely that the Republican commissioners will scale back FCC enforcement of the TCPA. [393] Commissioner Michael O’Rielly, a Republican, vehemently disagreed with the FCC’s 2015 omnibus order, and Chairman Ajit Pai applauded the D.C. Circuit’s March ruling in Yaakov v. FCC, which held that the FCC lacked the authority under the TCPA to require opt-out notices on solicited faxes. [394] Chairman Pai previously has been critical of plaintiffs’ counsel’s choice of litigation targets, noting that these “lawyers have found legitimate, domestic businesses a much more profitable target” for TCPA litigation, rather than “go[ing] after the illegal telemarketers, the over-the-phone scam artists, and the foreign fraudsters.” [395] The sentiment of the current leadership suggests some regulatory restraint in 2018.

The past year also saw the resolution of several closely-watched cases. In Krakauer v. Dish Network LLC, a jury awarded damages to a class of plaintiffs who allegedly received unwanted phone calls. [396] The court ordered treble damages on the basis that Dish allegedly had knowledge that its marketing firm had repeatedly violated the TCPA. [397]

In United States v. Dish Network LLC, the district court found that Dish Network violated the TCPA and state laws through both its direct telephone marketing and its third-party telephone marketing campaigns. [398] The civil penalties ordered in the case included awards to both the federal government and the state participants in the suit: California, Illinois, North Carolina, and Ohio. [399] The matter is currently on appeal. [400]

In Birchmeier v. Caribbean Cruise Line, Inc., the parties agreed to a $76 million settlement of a class action accusing several cruise marketing companies of robocalling. [401] The agreement provides a minimum of $135 per call, and the vast majority of class members claimed three calls, leaving plaintiffs with a much higher payment than is typical in a TCPA class action settlement of this size. [402]

E. Video Privacy Protection Act

In 2017, courts resolved some significant VPPA-related cases that had been filed in previous years. The VPPA, which was enacted in 1988 following a D.C.
newspaper’s disclosure of Supreme Court nominee Judge Robert Bork’s video rental records, [403] prohibits “video tape service providers” from “knowingly” disclosing “personally identifiable information concerning any consumer” to third parties. [404] The VPPA was originally intended as a straightforward rule to prevent video stores from disclosing the video-rental habits of their patrons. Over 20 years later, courts continue to grapple with applying this antiquated law to constantly changing technologies.

This year, courts addressed three main issues under the VPPA: (1) standing, (2) the definition of “personally identifiable information,” and (3) the definition of “consumer” or “subscriber.” While there is an emerging consensus on the procedural issue of standing, courts remain split on how to apply the statute’s more substantive provisions.

Both circuit courts to address the issue of standing this year found that an allegation of mere disclosure in violation of the VPPA is sufficient to meet Article III’s standing requirements. In Eichenberger v. ESPN, Inc., plaintiffs alleged that ESPN had disclosed users’ “personally identifiable information” to Adobe Analytics, a third-party analytics company, in violation of the VPPA. [405] Joining every circuit court [406] and all district courts [407] that have addressed the issue post-Spokeo, the three-judge panel held that the plaintiff did not need to allege any harm beyond the disclosure of “personally identifiable information” to plead Article III standing. [408] As described above, in Spokeo v. Robins the Supreme Court strengthened the requirements for Article III standing, requiring allegations of a concrete injury rather than a mere statutory violation.
[409] In finding that disclosure in and of itself constitutes a concrete harm, the Ninth Circuit in Eichenberger explained that the VPPA confers a substantive right to privacy, meaning that “every disclosure” of an individual’s personally identifiable information and video-viewing history “offends the interests” the VPPA protects. [410] Earlier this year, in Perry v. Cable News Network, the Eleventh Circuit similarly found that a disclosure alone, even without any alleged misuse of the information, satisfied Article III standing requirements. [411] The precedent set by these decisions sets a low barrier to entry for plaintiffs bringing suit under the VPPA, which may yield an increase in VPPA litigation.

Circuit courts have taken different approaches to the scope of “personally identifiable information,” but the significance of any differences between the two tests is yet to be determined. The VPPA defines “personally identifiable information” to “include[] information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” [412] As discussed in our 2016 Year-End Update, the First and Third Circuits articulated two separate tests to determine what information Congress intended the statute to cover. In Yershov v. Gannett, the First Circuit diverged from virtually all district courts in embracing a broader definition of “personally identifiable information,” holding that it extends beyond a person’s name to include “information reasonably and foreseeably likely to reveal which . . . videos [a person] has obtained.” [413] The court concluded that GPS coordinates and a device ID fell within this definition.
[414] In contrast, in In re Nickelodeon Consumer Privacy Litigation, the Third Circuit adopted an “ordinary person” test, finding that “personally identifiable information” includes only information that “would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” [415] In finding that digital identifiers such as MAC addresses and IP addresses did not constitute “personally identifiable information,” it explained that Congress’s purpose in passing the VPPA was narrowly restricted to preventing “disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.” [416] In January 2017, the Supreme Court denied certiorari, [417] declining to address what some have characterized as a split between the two circuits.

In Eichenberger, the Ninth Circuit considered both of these standards, but ultimately adopted the narrower “ordinary person” test promulgated by the Third Circuit. Notably, the court instructed that the statute “looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.” [418] The court held that the information allegedly disclosed to Adobe by ESPN, namely (1) the serial number of the plaintiff’s Roku device and (2) the identity of videos the plaintiff had watched on the WatchESPN Channel application, could not be used by an “ordinary person” to identify an individual. The fact that Adobe might be able to identify the individual using other personal information in its possession, which ESPN never shared or possessed, was irrelevant.
The court reasoned that this test “fits most neatly” with congressional intent, stating that “the advent of the Internet did not change the disclosing-party focus of the statute.” [419] By assessing liability based on the information disclosed, from the disclosing party’s perspective, companies should be better able to assess their compliance with the law. Although these courts have applied different standards, both the Third and Ninth Circuits assert that the practical differences may be minimal. [420]

On the other hand, the Central District of California applied the First Circuit standard in In re Vizio, Inc. Consumer Privacy Litigation. In that case, plaintiffs alleged that Vizio violated the VPPA and the ECPA by using its televisions to secretly collect, and distribute to advertisers, information on customers’ viewing habits. [421] In denying in part defendants’ motion to dismiss, the court held that the disclosure of “consumers’ MAC addresses and information about other devices connected to the same network” could qualify as “personally identifiable information” under the VPPA because MAC addresses are “frequently linked to an individual’s name and can be used to acquire highly specific geolocation data.” [422] This case will be one to watch this year; the district court denied Vizio an immediate appeal of the decision to the Ninth Circuit, [423] and the next filing regarding a motion to compel was due on January 3, 2018.

The final issue considered by courts this year was who is a “subscriber,” and thus a “consumer,” under the statute. In Perry v. Cable News Network, the plaintiff alleged that CNN violated the VPPA by tracking his views of news articles and videos on the CNN app and disclosing this information to third parties.
In affirming the dismissal of the putative class action, the court found that the plaintiff did not qualify as a “subscriber” because he had not established an account with CNN, provided any personal information, made any payments, become a registered user, received a CNN ID, or established a CNN profile. [424] Thus, he had not “demonstrated an ongoing commitment or relationship with CNN.” [425] In In re Vizio, on the other hand, the court held that plaintiffs are “subscribers” based on the allegation that Vizio charges them a premium for its smart TVs because of the video content it provides. [426] Additionally, the court found that plaintiffs plausibly alleged that Vizio is a “video tape service provider” because it is engaged in the business of delivering video content. [427]

In 2017, courts sought to add more clarity to VPPA jurisprudence. With the exception of the First Circuit and the Central District of California, most courts have interpreted the VPPA narrowly and relieved media companies of liability. Nevertheless, plaintiffs who can clear the Spokeo standing bar are likely to continue to bring suit under the VPPA in the hope of winning substantial statutory damages.

F. California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection

There were few cases this year arising under California’s Song-Beverly Credit Card Act, which prohibits merchants from requesting and recording “personal identification information” concerning the cardholder during credit card transactions. [428] The lack of cases is likely due to the impact of the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, [429] which defendants have invoked to defeat class actions brought under Song-Beverly. Indeed, in the one significant case this year, Medellin v. IKEA U.S.A. W., Inc., the representative plaintiff alleged that IKEA had requested and collected her ZIP code as part of her credit card purchases, but conceded that “she alleged only a bare procedural violation of the [Song-Beverly] statute and suffered no other cognizable harm” of the kind required for standing. [430] The Ninth Circuit consequently vacated the district court’s judgment and remanded the case with instructions to dismiss without prejudice for lack of standing, because the plaintiff’s claim did not “satisfy the injury-in-fact requirement of Article III.” [431] IKEA petitioned the U.S. Supreme Court for certiorari, seeking to expand the Spokeo doctrine, but the Supreme Court declined certiorari on October 2, 2017. [432]

The lack of significant Song-Beverly cases in 2017 may be explained in a number of ways. It is likely that some plaintiffs decided to wait for the outcome of the Supreme Court’s certiorari decision in Medellin before moving forward with their cases. It is also likely that potential plaintiffs are exploring how best to argue that the Song-Beverly violations they allege satisfy Article III standing requirements, especially after the Medellin plaintiff conceded that her allegations did not. Regardless, it is likely that after Spokeo and Medellin many plaintiffs were forced to revise their litigation strategy to adapt to these decisions, or to consider whether California state courts may be a preferable venue, given that Spokeo has evidently narrowed federal class action doctrine. As a result, we may see new cases with novel arguments for standing brought in 2018.

G. Biometric Information Privacy Acts

In 2017, companies continued to integrate biometric technology into both their products and their day-to-day operations. In previous years, Texas and Illinois enacted legislation regulating the collection and use of certain biometric data.
In July 2017, Washington became the third state to enact such legislation, requiring in certain circumstances that commercial entities “provid[e] notice, obtain[] consent, or provid[e] a mechanism to prevent the subsequent use” of biometric data before collecting such information. However, like Texas’s law, and unlike the Illinois Biometric Information Privacy Act (“BIPA”), the Washington law does not provide a private right of action.

The private right of action under the Illinois BIPA continues to energize the plaintiffs’ bar, which in 2017 filed dozens of class actions against companies for their allegedly improper collection of alleged biometric information. Plaintiffs in these cases have generally fallen into one of two categories: (1) employees of companies that allegedly use biometric information, such as fingerprints, for timekeeping purposes; and (2) customers of companies (often in the technology industry) that use alleged biometric information to enhance the consumer experience, such as photo sharing and social media services.

The first category of plaintiffs represents a relatively new trend in BIPA litigation, as 2017 witnessed a surge of class actions by employees of companies using alleged biometric timekeeping methods. For example, in October, employees of Illinois trucking company RJW Transport filed suit against the company, alleging that it captured and stored their fingerprints for timekeeping purposes “without obtaining informed written consent or publishing its data retention and deletion policies,” as required by the statute. Similarly, employees of hotel chain Hyatt filed an action against their employer, claiming that they suffered “serious and irreversible privacy risks,” such as the risk of identity theft, as a result of the collection of their fingerprints.
These suits are just two of many class actions filed in relation to alleged biometric timekeeping systems in the past year; however, these cases may come to a quick end in light of a December decision from the Illinois Second District Appellate Court in which the court held that “[i]f a person alleges only a technical violation of the Act without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover under” BIPA. [433]

Consumer class actions were the second primary category of BIPA cases facing courts this year. There have been two major issues arising out of consumer-driven litigation recently: (1) Article III standing; and (2) the photograph exception of BIPA. Several court opinions in 2017 addressed these issues and will likely affect plaintiffs’ litigation strategies moving forward.

First is the matter of Article III standing. Our 2016 Year-End Update described the defendant’s motion to dismiss in In re Facebook Biometric Information Privacy Litigation, a suit in which plaintiffs alleged that Facebook’s facial recognition and photo tagging system violated the Illinois BIPA. Facebook argued that plaintiffs had not suffered a concrete harm sufficient to establish Article III standing. The court stayed Facebook’s motion pending the Ninth Circuit’s decision on remand in Robins v. Spokeo, Inc. The court heard oral argument in November 2017 after that Spokeo decision came down, but has not yet issued a ruling.

Meanwhile, in November, the Second Circuit affirmed dismissal of the complaint in Santana v. Take-Two Interactive Software, Inc. on the ground that plaintiffs, consumers of a video game that used facial recognition technology to create life-like player personas, alleged harms that were merely procedural, and did not show a “risk of real harm” under Spokeo absent allegations that the company was misusing the collected biometric information.
This decision will likely make it difficult, at least in the Second Circuit, for consumer plaintiffs to bring class actions for mere procedural violations of BIPA.

The second key issue impacting consumer class actions this year was whether BIPA covers the practice of scanning facial features from digital photographs; specifically, whether such scanning technologies are excluded from BIPA’s protection of “biometric identifiers” under the statute’s exception for “photographs.” In 2016, in Facebook, the court held that this alleged conduct did not fall under the photographs exception, reasoning that the term “photographs” is listed along with other “low-tech” categories of data in the statute—such as writing samples and physical descriptions—and thus was only intended to refer to “paper prints of photographs, not digitized images.”

In 2017, the Northern District of Illinois reached a similar conclusion about facial scanning technologies, but under a different analysis. In Rivera v. Google, Inc., plaintiffs alleged that Google extracted biometric identifiers from digitized photographs without users’ consent. Google argued in its motion to dismiss that, on a plain reading of the exception, the statute did not regulate biometric data derived from these photographs. The judge rejected Google’s argument, reasoning that although the photographs exception did excuse Google’s storage of the photographs themselves, it did not cover the collection of face geometry data derived from them. Furthermore, the judge wrote, there was nothing in the text of the legislation to suggest that biometric identifiers must be derived from a person in real time. Google has since appealed the district court’s decision.

H. Internet of Things and Device Hacking

The Internet of Things (“IoT”) is continuously expanding as traditional devices become increasingly “smart” and connected.
Throughout 2017, corresponding with an increase in the IoT, there was an increase in regulatory guidance and regulatory and private actions related to smart and connected devices. 1.      Connected and Autonomous Vehicles Concerns about security breaches and privacy violations related to self-driving and other automobile software have played an important role during recent legislative developments in this area.  The House passed the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution, or SELF DRIVE, Act on September 6, 2017. [434]  The bill largely allows automakers to set their own cybersecurity standards, including a plan to deal with “reasonably foreseeable vulnerabilities” in their systems. [435]  On October 4, 2017, the Senate approved its own version of the bill, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (“AV START”) Act. [436]  A recent amendment requires that manufacturers develop, maintain, and execute a written plan for identifying and reducing cybersecurity risks to the motor vehicle safety of automated vehicles.  The Senate Commerce Committee plans to hold a hearing on self-driving and other auto technologies on January 24, 2018. [437]  For further detail, please see our 2017 client alert Accelerating Progress Toward a Long-Awaited Federal Regulatory Framework for Autonomous Vehicles in the United States . On June 28, 2017, the FTC and the National Highway Traffic Safety Administration (“NHTSA”) hosted a workshop to examine the consumer privacy and security issues posed by automated and connected cars among industry representatives, consumer advocates, academics, and government officials. 
[438]  In her opening remarks, Acting FTC Chairman Maureen Ohlhausen emphasized the potential benefits of connected cars and stressed that while the FTC would use its enforcement powers under the FTC Act, its approach would be one of “regulatory humility”—aiming to “avoid unnecessary or duplicative regulation that could slow or stop innovation.”  She urged Congress to consider data security and data breach notification legislation to “strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.” [439]  Highlighting the importance of collaboration between industry and regulators, stakeholders also pointed to self-regulatory efforts such as the Alliance of Automobile Manufacturers’ Privacy Principles for Vehicle Technologies and Services voluntary industry standards, which went into effect in January 2016. [440] Developments continued on the litigation front as well.  In July 2015, Chrysler and Harmon International Industries voluntarily recalled their vehicles because the vehicle computer system (“uConnect”) had design vulnerabilities that could allow hackers to take remote control of the vehicle’s functions. [441]  In Flynn v. FCA US LLC, plaintiffs alleged that these vulnerabilities violated the Magnuson-Moss Warranty Act and Michigan, Illinois, and Missouri state laws. [442]  In August 2017, the court dismissed all claims that possible future car-hacking could cause injury or death, but allowed plaintiffs to pursue claims that they overpaid for the vehicles in light of the alleged system vulnerabilities. [443]  On October 13, 2017, plaintiffs asked the court to certify a class of 1.4 million car owners. [444]  Automaker FCA US LLC moved for summary judgment on all plaintiffs’ claims on October 5 and subsequently filed alternative motions for summary judgment against particular plaintiffs. [445]  On November 6, 2017, plaintiffs opposed these motions. 
[446] In November 2015, in Cahen v. Toyota Motor Corp., the court granted Toyota, Ford, and General Motors’ motions to dismiss a class action complaint alleging, among other claims, that the vehicles’ computers were vulnerable to hacking and privacy violations related to their computer software. [447]  In September 2016, plaintiffs appealed to the Ninth Circuit, arguing that the district court erred in holding that plaintiffs failed to establish standing to assert their claims. [448]  On December 21, 2017, the Ninth Circuit affirmed the district court’s dismissal, noting that the alleged risks and defects were speculative and that plaintiffs had not pleaded sufficient facts demonstrating how the aggregate collection and storage of non-individually identifiable driving history and vehicle performance data caused an actual injury. [449] 2.      Routers, Cloud Storage, and Connected Cameras On January 5, 2017, the FTC sued D-Link, a provider of wireless routers and IP-connected cameras, in the Northern District of California for alleged violations of the FTC Act. [450]  As outlined in our 2016 Year-End Update , the FTC alleged that D-Link engaged in unfair and deceptive practices by advertising its routers and cameras as containing “Advanced Network Security,” while flaws in D-Link’s security allow hackers to easily access consumers’ information and cameras. [451]   The complaint against D-Link alleges one count of unfairness relating to D-Link’s failure to secure consumer’s information and five counts of misrepresentation relating to D-Link’s advertising and statements that its routers and internet cameras are secure. [452]  On September 19, 2017, the court dismissed the FTC’s unfairness claim and two of the misrepresentation claims under Section 5 of the FTC Act.  
The district court ruled that, in the absence of a breach, the FTC had failed to allege that device security flaws caused or were likely to cause substantial consumer harm, and that two misrepresentation claims, which centered on alleged misrepresentations in promotional materials for IP cameras and graphic user interfaces (“GUI”s) for routers, lacked specificity as to the deceptive conduct alleged. [453]  The district court allowed the remaining three misrepresentation claims to continue. [454] 3.      Smart TVs Private actions against smart television manufacturers have continued apace along with the rapid growth of consumer demand for the devices.  In the most prominent case, plaintiffs alleged that Vizio violated the VPPA and the ECPA by using their televisions to secretly collect, and distribute to advertisers, information on customer viewing habits. [455]   In July 2017, the court denied Vizio’s motion to dismiss, finding that the agreement the company struck with the Federal Trade Commission and New Jersey’s Attorney General  was insufficient to ensure that Vizio’s improper data collection would not recur. [456]   Similarly, in March 2017, a proposed class action was filed against Samsung Electronics America Inc. and its parent company Samsung Electronics Co. Ltd., claiming that smart TV devices with the capability to respond to human voices through a built-in “always on” recording device were being used by the company to intercept and record consumers’ private communications inside their homes for profit, violating the New Jersey Consumer Fraud Act. [457]   The case was dismissed without prejudice on September 27, 2017. [458] Sling Media Inc. fared better in the Second Circuit, which in November 2017 affirmed the dismissal of a class action complaint against Sling Media that alleged deceptive business practices in connection with Sling’s introduction of unwanted advertisements into its television streaming service. 
[459]   In a summary order, the panel affirmed the district court’s holding that the complaint and proposed amendments to the complaint failed to plausibly allege a violation of New York General Business Law Section 349, because plaintiffs failed to point to any affirmative statement or omission made by Sling Media that would have misled a reasonable consumer into believing that the service would never include advertisements. [460] 4.      Smart Toys On August 8, 2017, a proposed class action was brought against Viacom by parents of children who, while playing online games via smart phone apps, allegedly had their personal information collected and sold to advertisers. [461]   Plaintiffs allege that Viacom makes and markets to children games that collect user data which is then cross-referenced with the child’s activity across other apps and platforms and used for targeted advertising. [462]   Plaintiffs assert violations of the federal Children’s Online Privacy Protection Act and, on behalf of a California subclass, violations of the California constitutional right to privacy. [463] 5.      Regulatory Guidance On June 21, 2017, the FTC released an updated guidance document for complying with the Children’s Online Privacy Protection Act (“COPPA”), which explicitly identifies connected toys and other IoT devices as being covered under COPPA. [464]   The FTC then issued a clarification on October 23, 2017 that it would not take enforcement action against an operator who—without first obtaining verifiable parental consent—collected an audio file containing a child’s voice solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request (provided the audio that was sought did not contain personal information), and only maintained the file for the brief time necessary for that purpose. 
[465]   The privacy and data security risks for emerging and novel connected devices were further emphasized when, in July 2017, the FBI warned consumers that internet-connected toys present privacy and safety risks for children. [466] The FTC has identified IoT as a privacy enforcement priority and has taken several actions against IoT manufacturers. [467]   In addition to the private actions against Vizio described above, the FTC also brought an enforcement action against Vizio, asserting that the company had violated the unfairness and deception prongs of Section 5 of the FTC Act and that Vizio’s actions caused or were likely to cause “substantial injury” to consumers. [468]   In February 2017, Vizio agreed to pay a $2.2 million fine to resolve allegations by the FTC and the New Jersey Attorney General. [469]  In addition to the fine, the agreement also required Vizio to obtain affirmative express consent prior to collecting any consumer data. [470] The rapid adoption of internet-connected devices has spurred action on international as well as state level.  The European Union Agency for Network and Information Security has joined several semiconductor makers in calling for baseline privacy and cybersecurity requirements for connected devices. [471]   The proposed requirements include certification and labeling of trusted devices. [472]   States also continue to explore new legislation to address this issue.  One of a number of bills pending in state legislatures is California’s SB-327. [473]  If passed, it would require disclosure to consumers of the extent to which “connected devices” are capable of collecting biometric data. [474] I.      Civil Litigation: Cybersecurity Insurance 1.      State of the Market Although still a nascent industry, the cybersecurity insurance market is expected to experience massive growth throughout 2018. 
[475]   This anticipated market expansion is based on persistent cyber threats and new state, federal, and international regulatory schemes. [476] This cybersecurity regulatory fabric includes the already complex web of individual state regulations, as well as a new federal regulatory agency and the European Union’s General Data Protection Regulation (“GDPR”).  Several states—including New York, [477] California, Illinois, Colorado, and Maryland—already contribute to the vast web of regulatory requirements. [478]   For example, as discussed above, a series of class action lawsuits have arisen from Illinois’ Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1, et seq., presenting new questions for insurers on how cyber liability insurance policies relate to these actions. [479] The regulation expansion will not only yield industry growth, but will also present significant challenges for insurance companies catering to this complex regulatory landscape. [480]   Ultimately, recent figures estimate that “total annual cyber premiums are expected to rise from $2.5 billion in 2017 to $10 billion by 2020.” [481] 2.      State of the Law – Key Cases a.      Computer Fraud Insurance Provisions One frequently recurring debate in this year’s cases was whether computer fraud insurance provisions covered variations in hacking, intrusions, or cyber-fraud schemes.  The Ninth, Sixth, and Second Circuits all heard arguments or decided cases on these issues. Although each decision depended heavily on the precise wording of an individual insurance policy, several courts held that computer fraud coverage did not apply to email spoofing schemes where the policy holder voluntarily wired money.  For example, in Taylor Lieberman v. Federal Insurance Co., the Ninth Circuit held that a policy’s coverage for computer fraud did not apply when wire transfers were made in response to a hacker who was masquerading as a client. 
[482]   The court rejected the plaintiff’s claims that the fraudulent email constituted an unauthorized entry or trespass into the plaintiff’s computer system. [483]   The Sixth Circuit recently heard arguments on the scope of a computer fraud policy as well in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America . [484]   The litigation was triggered after plaintiff, a tool manufacturer, received an email from a cyber-attacker posing as a vendor and requesting payment. [485]   The plaintiff wired the cyber fraudsters $800,000 as a result of the sham. [486]   When the insurance company denied coverage, the tooling manufacturer sued.  The district court granted summary judgment for the insurance company, reasoning that, “[a]lthough fraudulent emails were used to impersonate a vendor and dupe [the plaintiff] into making a transfer of funds, such emails do not constitute the ‘use of any computer to fraudulently cause a transfer.'” [487]   Relying on the Ninth Circuit’s reasoning, the district court adopted the interpretation that the phrase “fraudulently cause a transfer” required the “unauthorized transfer of funds.” [488]   The district court therefore concluded that plaintiff did not “suffer a ‘direct loss’ that was ‘directly caused by computer fraud.'” [489]   On appeal, petitioner contended that such intervening steps should not be dispositive of the analysis when use of a computer is at the heart of the fraud. [490] The Second Circuit heard arguments in November 2017 in a very similar case, Medidata Solutions, Inc. v. Federal Insurance Co. [491]   Cybercriminals spoofed the email account of the company’s president, resulting in the wiring of $4.7 million from the plaintiff to the cybercriminals. [492]   The insurance company, as in the Sixth Circuit case, disputed whether the insurance agreement’s computer fraud provision covered the incident. 
[493]   Here, however, the district court determined that the policy provided coverage for the losses. [494]   The court considered that “the fraud on Medidata was achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity.” [495]   And the losses were a direct cause of a computer violation. [496]   The Medidata court distinguished the Ninth Circuit’s decision in Taylor & Lieberman, reasoning that, in Medidata, “Medidata did not suffer a loss from spoofed emails sent from one of its clients,” but rather “[a] thief spoofed emails armed with a computer code into the email system that Medidata used,” and that “the fraud caused transfers out of Medidata’s own bank account.” [497]   The district court therefore held that the policy did in fact cover the fraud, reasoning that the fraudster’s approach in Medidata’s case is the type of unauthorized, “deceitful and dishonest access” contemplated by the ruling in Universal American Corp. v. National Union Fire Insurance Co. [498]   In its amicus brief on appeal, the Surety & Fidelity Association of America contended that “‘[o]utwitting of the computer system is a very different risk than misleading the insured’s human employees — who have the ability to take reasonable steps to confirm the legitimacy of a wire transfer request or direction received by email — and who then make an authorized transfer based upon such request or direction.'” [499] In a separate type of scheme, a debit card processor’s system flaw allowed pre-paid debit card holders to reuse card balances multiple times. [500]   The district court considered whether this scheme constituted a “computer fraud” within the meaning of the policy and under Georgia law. [501]   The court held that, because the “cardholders ‘used’ telephones to provide responses to prompts from a computer that [plaintiff] owned and operated,” a computer did not perpetrate the scheme. 
[502]   The computer fraud provision therefore did not cover any losses from the scheme. [503] b.      Litigation Costs Another significant area of contention was the coverage for data breach litigation costs.  For example, the Fifth Circuit recently heard arguments in Spec’s Family Partners, Ltd. v. The Hanover Insurance Co. where the plaintiff’s card payment system experienced two data breaches, prompting litigation between the plaintiff and its third-party transaction service provider. [504]   The plaintiff submitted claims to the defendant, its insurance company, to pay for litigation expenses. [505]   Defendant refused to pay. [506]   In the ensuing case, the district court considered the meaning of the “duty to defend,” where plaintiff received demand letters and also instituted its own litigation vis-à-vis the third-party provider. [507]   The court looked to the eight corners rule in ascertaining whether the insurer had a duty to defend. [508]   That is, the court compared the words of the insurance policy with the allegations of plaintiff’s complaint “to determine whether any claim asserted in the pleading is potentially within the policy’s coverage.” [509]   Here, the policy provided that the insurer had “the right and duty to defend ‘Claim,’ even if the allegations in such ‘Claims’ are groundless[.]” [510]   The definition of a “Claim” included a written demand for damages or non-monetary relief, or “[a]ny complaint or similar pleading initiating a judicial, civil, administrative, regulatory, alternative dispute, or arbitration proceeding[.]” [511]   Because the demand letters were not separate claims against plaintiff Spec’s specifically, they did not meet the definition of a “claim” under the policy. 
[512]   Moreover, the court agreed with defendant insurer that “the only claim Spec’s asserted is [the third-party’s] demand for indemnification based on the Merchant Agreement – which is expressly excluded from policy coverage.” [513] The court therefore granted the defendant’s motion for judgment on the pleadings on all grounds. [514] In a similar matter, a hospital inadvertently sent out the private information of 20,000 patients to job applicants, triggering a lawsuit. [515]   The hospital’s insurer then declined to provide a defense in the underlying action because it considered its policy only excess coverage. [516]   Upon removal to federal court, the hospital contended that the denial of coverage to cover its defense in the ensuing litigation constituted a breach of contract and a breach of the covenant of good faith. [517]   Finally, in Innovak International, Inc. v. The Hanover Insurance Co., the district court held that an insurance company was not responsible for the defense of a database software company where the claims in the underlying action—failure to implement proper security measures—were not the type of claims covered by the insurance policy, which only covered claims for “personal and advertising injury.” [518] J.      Fair Credit Reporting Act Credit agencies and employers continued to face Fair Credit Reporting Act class action claims in 2017, which were on the rise from last year [519] despite continued uncertainty resulting from inconsistent lower-court applications of the Supreme Court’s decision in Spokeo, Inc. v. Robins. [520]  Enacted in 1970, the Fair Credit Reporting Act (“FCRA”) promotes the accuracy, fairness, and privacy of consumer information in the files of consumer reporting agencies and protects consumers from the willful and/or negligent inclusion of inaccurate information in their background check reports. 
[521]   The FCRA provides for penalties of up to $1000 per “willful” violation, actual damages for negligent violations, punitive damages, and attorney’s fees. [522] A substantial verdict against TransUnion awarded this year may spur further litigation regarding the accuracy of credit agency reporting. [523]   In June 2017, a California jury awarded $60 million in statutory and punitive damages to a class of more than 8,000 members claiming TransUnion hindered their ability to obtain credit and adversely affected other eligibility decisions by unreasonably linking them with similarly named terrorists and criminals from a government watch list and failing to properly notify them of their rights once discovered. [524]   TransUnion has since filed a notice of appeal to the Ninth Circuit. [525] Meanwhile, courts remain split on how to interpret the FCRA’s requirement of “maximum possible accuracy” in credit reports. [526]   In an August 2017 ruling, the Eleventh Circuit, in dicta, agreed with the Fourth, Fifth, and D.C. Circuit Courts that the standard requires “information that is both technically accurate and not misleading or incomplete,” whereas some courts, including District Courts in Maryland, Connecticut and the Northern District of Alabama, have ruled that the standard requires only that credit reporting agencies report information that is “technically accurate.” [527]   The Eleventh Circuit explained that the difference between the two standards is like “the difference between report[ing] that a person was ‘involved’ in a credit card scam and report[ing] that he was in fact one of the victims of the scam.” [528] Also increasing in frequency are class action suits alleging that employers ran background checks on prospective hires without prior expressed, written consent in “a document that consists solely of the disclosure,” as required by the FCRA. 
[529]   With mixed success so far, plaintiffs have pursued litigation against, among others, Amazon, [530] Wells Fargo, [531] Michaels Stores, [532] and Home Depot [533] this year.  Many of these cases involve online employment applications that include pages containing FCRA disclosures, putting at issue how to interpret the statute’s definition of “a document that consists solely of the disclosure” in a world where more companies are turning to web-based forms.  However, while some cases are proceeding, other courts, in light of Spokeo, have been dismissing similar suits for the lack of an injury sufficient to confer Article III standing. III.     Government Data Collection Unsurprisingly, this past year has witnessed continued friction between tech companies and privacy advocates, on the one hand, and law-enforcement and national security entities on the other.  Two major decisions are expected from the Supreme Court in the coming months, both addressing the scope of the government’s powers under the Stored Communications Act.  These cases are described in greater detail below.  One major debate in 2017, over the future of the Foreign Intelligence Surveillance Act (FISA), ended with a whimper.  Although FISA was set to expire at the end of last year, it is now clear that the status quo will remain in place, if only because lawmakers could not agree about how to amend the law. A.    Challenge to Government “Gag Orders” As we reported in our 2017 Data Privacy Outlook and Review, Microsoft Corporation sued the U.S. Department of Justice in April 2016 alleging the unconstitutionality of 18 U.S.C. §§ 2703 and 2705(b)—which permit the federal government to issue “[p]reclusion of notice” or “gag” orders preventing cloud storage companies from disclosing government warrants for seizure of user data. 
[534]   These orders, which may last “for such period as the court deems appropriate,” must be issued upon application by a government agency if a court finds “reason to believe” that disclosure of the warrant at issue will endanger public safety, jeopardize an ongoing investigation, or unduly delay trial. [535]   Microsoft stated that it had received over 3,250 such orders in the 20 months ending in May 2016. [536] A number of organizations filed amicus briefs in support of Microsoft, including a group of law professors represented in part by Gibson Dunn; [537] civil liberties organizations such as the Electronic Frontier Foundation; [538] news organizations, including the Associated Press and Fox News; [539] and technology companies, including Apple and Mozilla. [540] In February 2017, the District Court for the Western District of Washington partially denied the government’s motion to dismiss Microsoft’s claims, finding that the gag orders’ indefinite limitation on Microsoft’s ability to speak about warrants issued under § 2703 was a First Amendment injury sufficient to support standing. [541]   The court also found that Microsoft had sufficiently stated a claim that indefinite § 2705(b) gag orders were unconstitutional prior restraints and content-based restrictions on speech, whether subject to a strict scrutiny analysis or a lesser standard of review. [542]   However, the court rejected Microsoft’s effort to assert its customers’ Fourth Amendment right against unreasonable search and seizure, finding third-party standing disfavored by the Supreme Court and the Ninth Circuit in a wide range of contexts, despite acknowledging that “some of Microsoft’s customers will be practically unable to vindicate their own Fourth Amendment rights.” [543] Following the lawsuit, the Office of the Deputy Attorney General issued new guidance to federal prosecutors last October that substantially tightens requirements for obtaining protective orders under § 2705(b). 
[544]   Most notably, the new policy bars Department of Justice attorneys from seeking protective orders that delay notice for more than one year “[b]arring exceptional circumstances.” [545]  It also requires that prosecutors explain which of the five conditions set forth in subsection (b) apply to the case at hand and seek protective orders under § 2705(b) only “when circumstances require.” In response to the policy, Microsoft promptly filed an unopposed motion to voluntarily dismiss its lawsuit, in which it acknowledged that “the new Policy significantly improves DOJ practices under Section 2705(b),” and the motion was granted. [546] B.     Carpenter v. United States and the Collection of Cell Phone Data On November 29, 2017, the Supreme Court heard oral argument in Carpenter v. United States, a case addressing another aspect of the Stored Communications Act.  Specifically, the Court is considering whether the government violates the Fourth Amendment by obtaining historical cell tower location data pursuant to a court order issued under 18 U.S.C. § 2703(d) rather than a probable cause warrant.  Carpenter is expected to test the limits of the so-called “third-party doctrine,” which holds that government acquisition of information voluntarily provided to a third party—such as call records—is not a search for Fourth Amendment purposes and thus does not require a warrant. The Carpenter petitioner was convicted of robbing several stores in 2010 and 2011. [547]   During its investigation, the government obtained court orders pursuant to § 2703(d) to obtain “cell site information for [petitioner’s] telephone,” which identified the cell towers to which petitioner’s phone connected when making and receiving calls during a 127-day period encompassing the robberies. 
[548]   This data permitted only a rough estimation of petitioner’s location at the times of the calls, but nonetheless allowed the government to place petitioner’s phone in the vicinities of the robberies when they occurred. [549]   Petitioner moved to suppress the cell-site records, arguing that their acquisition without a probable cause warrant violated the Fourth Amendment, and the district court denied his motion. [550]   On appeal, the Sixth Circuit affirmed, analogizing cell tower information to “mailing addresses, phone numbers, and IP addresses”—non-content information used to “facilitate personal communications” in which a person has no reasonable expectation of privacy. [551]   In reaching its decision, the Sixth Circuit relied on two landmark third-party doctrine precedents:  Smith v. Maryland, which held that use of a “pen register” to capture dialed telephone numbers did not implicate a reasonable expectation of privacy, [552] and United States v. Miller, which held that a customer had no reasonable expectation of privacy in account statements, deposit slips, and cancelled checks held by a bank. [553] On appeal to the Supreme Court, the government also cites Smith and Miller in arguing that the third-party doctrine encompasses cell site data, and that its acquisition was not a Fourth Amendment search of petitioner. [554]   In the alternative, the government argues that if that acquisition did constitute a search, it was reasonable in light of the 18 U.S.C. § 2703(d) requirement that the government show “specific articulable facts” to support a court order and the importance of cell site records to law enforcement investigations. 
[555] Petitioner argues that the retrospective acquisition of long-term cell site data is a Fourth Amendment search, analogizing it to “longer term GPS monitoring.”[556] Petitioner also urges the Court to look to the future, asserting that “the rule [the Court] adopt[s] must take account of more sophisticated systems that are already in use or development,” and noting that cell site data is becoming both more precise and more voluminous.[557]

The case has garnered significant public attention, with a variety of amici filing briefs in support of petitioner (including, among others, the Center for Democracy and Technology,[558] the Competitive Enterprise Institute,[559] the Electronic Privacy Information Center,[560] the Reporters Committee for Freedom of the Press and a group of nineteen media organizations,[561] a group of 42 privacy and criminal procedure scholars,[562] and a group of 19 technology experts[563]), the government (including, among others, the National District Attorneys Association,[564] a group of 19 state Attorneys General,[565] and Professor Orin Kerr[566]), and of neither party (a group of 15 technology companies including Apple, Google, Facebook, Microsoft, Twitter, Verizon, and others[567]).

C. Electronic Communications Privacy Act Reform Efforts

There are currently two bills pending before Congress to reform the ECPA in ways that would address the issues raised by both the Microsoft gag order litigation and the warrantless collection of geolocation data in Carpenter v. United States. The Email Privacy Act,[568] introduced by Senators Patrick Leahy (D-Vermont), Mike Lee (R-Utah), and others on July 27, 2017, is a companion bill to the Email Privacy Act passed by the House of Representatives by voice vote in February.[569] Most significantly, the Email Privacy Act would require law enforcement to obtain a probable cause warrant to acquire the content of all emails or other electronic communications (under 18 U.S.C. § 2703 the government can currently obtain the contents of electronic communications that are more than 180 days old via a court order).[570]

Also on July 27, Senators Leahy and Lee introduced the ECPA Modernization Act of 2017.[571] Like the Email Privacy Act, this bill would require a warrant for acquisition of electronic communication content,[572] but would also add a variety of additional reforms. First, it would substantially amend 18 U.S.C. § 2705(b) by adding a requirement that a court issuing a § 2705(b) nondisclosure order find “specific articulable facts” supporting its issuance, and by limiting § 2705(b) nondisclosure orders to 90 days (extendable by one or more periods of not more than 90 days).[573] This change would eliminate the government’s ability to obtain nondisclosure orders of indefinite duration—one of the central issues identified by Microsoft in challenging § 2705(d) and addressed in the Deputy Attorney General’s subsequent guidance document that generally bars “gag” orders lasting more than one year.[574]

Second, the ECPA Modernization Act would amend 18 U.S.C. § 2703 to permit government officials to obtain “stored geolocation information”[575] only pursuant to a warrant supported by probable cause, and would require notice to the subscriber whose geolocation information was accessed within ten days.[576] Under current law, acquisition of stored geolocation information does not require a warrant, but rather only a court order supported by “specific articulable facts” showing that the information is “relevant and material to an ongoing criminal investigation.”[577] The constitutionality of warrantless acquisition of this kind of information is the question currently before the Supreme Court in Carpenter v. United States.
Other significant changes proposed in the ECPA Modernization Act include requiring the government to notify a subscriber within 10 days of obtaining the contents of the subscriber’s wire or electronic communications or geolocation information from a third-party cloud storage provider,[578] and explicitly providing a suppression remedy for cloud content or stored or real-time geolocation information obtained without a warrant or otherwise in violation of the law.[579]

A variety of research, advocacy, and technology industry groups and companies have publicly expressed support for the ECPA Modernization Act of 2017, including the Electronic Frontier Foundation,[580] the American Civil Liberties Union,[581] FreedomWorks,[582] Citizens Against Government Waste,[583] the Consumer Technology Association,[584] the Center for Democracy and Technology,[585] the National Association of Criminal Defense Lawyers,[586] and Microsoft.[587]

D. Device Unlocking

The use of biometric security systems—such as facial recognition, fingerprint unlocking, and iris scanning—in mobile devices has become increasingly prevalent in recent years, and has received even greater attention with the introduction of Apple’s Face ID technology in September 2017. While there remains some division among courts about whether police violate the Fifth Amendment by compelling a suspect to unlock an electronic device using a traditional passcode,[588] courts have recently held—although not without exception—that unlocking a device using a thumbprint is not “testimonial” and thus does not implicate a suspect’s Fifth Amendment right against self-incrimination.[589] There is currently no case law addressing whether the government may compel a suspect to unlock a device using facial features as opposed to a thumbprint, but the same reasoning is likely to apply. Thus, while biometric security may offer sufficient protection from intrusion by hackers, it may offer less protection against government access than traditional security measures such as passcodes or PINs. A new feature in Apple’s most recent operating system, iOS 11, would provide one means of addressing this concern. Pressing the power button on an iOS 11-equipped device five times in rapid succession disables biometric unlocking and thus requires a PIN or passcode to unlock it.[590]

E. Extraterritoriality of Subpoenas and Warrants

Before the end of the 2017-18 term, the Supreme Court will determine the scope of the government’s power to obtain information stored overseas under the Stored Communications Act (“SCA”). This case, now styled United States v. Microsoft, Inc., arose in December 2013, when the Southern District of New York issued a warrant under Section 2703 of the SCA requiring Microsoft to produce the contents of an email account.[591] Microsoft filed a motion to quash, arguing that the data was stored in a server in Ireland and the warrant was an inappropriate extraterritorial application of the SCA.[592] On April 25, 2014, the district court denied Microsoft’s motion to quash, holding that a warrant under Section 2703 requires the recipient to produce all information in its possession, custody, or control, even if the information is stored abroad.[593] On July 14, 2016, the Second Circuit reversed and remanded on appeal.[594] The court concluded that SCA warrants are not equivalent to subpoenas, which may require the production of communications stored overseas, and further held that the case involved an extraterritorial application of the statute because the focus of the SCA is on privacy and a privacy invasion occurs where a customer’s content is accessed.[595]

The government requested rehearing en banc. On January 24, 2017, the Second Circuit denied the motion in a split four-to-four decision.
[596] The concurring opinion reiterated the view that the SCA’s focus is on privacy and that the statute protects privacy at the place that data is stored.[597] Four judges, however, authored dissents, each taking issue with a distinct aspect of Microsoft’s argument.[598] In particular, Judge Jacobs rejected Microsoft’s analogy to paper documents and reasoned that it is irrelevant where the contents are stored if they are accessible in the US;[599] Judge Cabranes found the conduct at issue to be disclosure, not access, and cautioned that the panel’s decision burdened legitimate law enforcement efforts;[600] and Judge Droney opined that there are no extraterritoriality concerns because the service provider is located domestically.[601]

Since the Second Circuit’s decision, district courts in other circuits have taken the opposing approach. The District of the District of Columbia, the Northern District of California, and the Eastern District of Pennsylvania each ordered Google to comply with SCA warrants that were directed to the contents of email accounts stored overseas.[602] The courts found that the focus of the SCA is disclosure and that a service provider must produce records over which it has sufficient control, regardless of where the records are located.[603]

On October 16, 2017, the Supreme Court granted certiorari.[604]

In its brief filed on December 6, 2017, the government first argues that the focus of Section 2703 is on the disclosure of information, not storage.[605] Even if privacy is the focus of the provision, no search or seizure would occur in Ireland because Microsoft does not interfere with a customer’s possessory interests or reasonable expectation of privacy when it gathers or moves materials in its control.[606] Rather, any invasion of privacy would occur domestically, when Microsoft discloses information to a third party.[607] Next, the government asserts that an SCA warrant resembles a subpoena because it is directed at a person rather than a place, and Microsoft thus must produce all documents under its control.[608] Lastly, the government contends that its ability to collect information for legitimate law enforcement purposes should not be subject to a company’s business decision of where to store its data.[609]

On January 11, 2018, Microsoft filed its brief, in which it argues that the SCA’s focus is where electronic communications are stored and that a search and seizure occurs in the jurisdiction of the storage.[610] Thus, according to Microsoft, the disclosure of communications stored abroad is an impermissible extraterritorial application of the SCA.[611] Oral argument is scheduled for February 27, 2018, and a decision will likely follow this summer.

F. Collection of Records from Third-Party Cloud Providers

On December 13, 2017, the Computer Crime and Intellectual Property Section of the Department of Justice issued internal guidance that instructs prosecutors to request electronic records directly from companies and not third-party cloud service providers.[612] Compelling information from cloud computing services may raise several complications, such as delays and the inability of the cloud provider to preserve, access, extract, and decrypt the data.[613] The guidance permits exceptions if law enforcement believes the company is unwilling to comply, is engaged in criminal conduct, or is unable to disclose the necessary information.[614] In response to the memorandum, Microsoft praised the policy as “a win” for cloud and enterprise customers.[615]

G. Foreign Intelligence Surveillance Act Section 702

The Foreign Intelligence Surveillance Act (FISA)[616] was passed in 1978 and amended in 2008.
FISA was enacted in order to allow the United States government to conduct electronic surveillance “to acquire foreign intelligence information.”[617] Foreign intelligence information is defined in the act as information that relates to terrorism, an attack by a foreign power, or national defense generally.[618] The Act established a tribunal – the Foreign Intelligence Surveillance Court[619] – to decide based on classified ex parte proceedings whether to approve government requests to collect data through FISA. The FISA Court famously approved the National Security Agency’s PRISM Program, which allowed the agency to clandestinely collect certain data on American citizens from American internet companies, such as Google.[620]

FISA Section 702 specifically allows the U.S. government to target the electronic communications of persons reasonably believed to be outside the United States for intelligence collection without a warrant. The data collected often includes the communications of American citizens who interact with targeted foreigners, so-called “incidental collection.”[621] Some believe FISA, including Section 702, is constitutionally sufficient in light of the need to protect U.S. national security,[622] while others believe that the Act violates the First and Fourth Amendments to the Constitution.[623] This controversial law was set to expire in January 2018 unless reauthorized by Congress. Both the Senate and House reauthorized Section 702 for an additional six years without any changes, and President Trump signed the bill into law on January 19.[624]

The past year had seen numerous attempts in the House and Senate to reauthorize or overhaul FISA Section 702. Last October, the Senate Intelligence Committee voted in favor of sending the FISA Amendments Reauthorization Act of 2017 – which was said by its drafters to contain greater protections to civil liberties while maintaining FISA as a powerful tool for national security – to the full Senate.[625] The proposed bill would have required law enforcement to obtain court approval before using information gathered about U.S. citizens in the course of conducting surveillance on foreign nationals, among other changes.[626] Another FISA reauthorization bill, which passed through the House Intelligence Committee in December 2017 and similarly contained additional restrictions on the use of data collected about U.S. citizens, would have renewed Section 702 for four more years, to the end of 2021.[627] However, the January 2018 reauthorization of FISA closed the book on the attempts to amend the law to include greater constitutional protections.

Congress’ eleventh-hour reauthorization of FISA after months of debate generated uncertainty around the role of the Act in national defense. The debate over the constitutionality of FISA is sure to continue and may even impact the 2020 presidential election.

IV. International Regulation of Privacy and Data Security

We address international developments in more detail in our separate International Cybersecurity and Data Privacy Outlook and Review, but below we highlight several international developments that are likely to have important implications for U.S. companies.

A. The European Union

1. General Data Protection Regulation (“GDPR”)

One of the most important and pressing issues for U.S.-based companies over the coming year is the upcoming implementation and enforcement of the GDPR.[628] For a more complete overview, please see our recently published primer specifically on the GDPR, accessible here.
But as an introduction, here is a quick run-down of some of the most salient facets of the GDPR that are relevant to U.S.-based companies.

The GDPR requires compliance by all companies that process personal data of data subjects within the EU, regardless of whether the company is located in the EU.[629] It also requires compliance by companies that process data related to monitoring behavior within the EU.[630] Most international companies will therefore be subject to the GDPR.

The GDPR establishes a high bar for ensuring that a data subject has consented voluntarily to a company’s processing of the subject’s personal data. A request for consent cannot be obtained through pressure and must be “clearly distinguishable” from other matters in a written agreement.[631] The data subject has the right to withdraw consent at any time and must be informed of this right when initially granting consent.[632] These standards are more stringent than the U.S. standards.

If a company subject to the GDPR performs data processing that will likely entail a high risk to individual privacy rights, the company must conduct a data protection impact assessment (“DPIA”).[633] The GDPR recommends a DPIA, in particular, when a company is using new technologies.[634] The DPIA must include a detailed description of the processing operations, an assessment of the necessity and proportionality of the operations relative to their purpose, an assessment of the rights of the subjects, and the measures that will be implemented to protect those rights.[635]

The GDPR ensures that its protections will not be undermined by the transfer of data outside the EU or to international organizations that lack the protections of the GDPR. Data transfers can only take place under the GDPR’s guidelines.[636] Data transfers to the U.S. from the EU are currently permissible under the EU-U.S. Privacy Shield, discussed below, as well as under Binding Corporate Rules (“BCRs”) and the use of model contractual clauses.

It remains unclear exactly how substantial penalties under the GDPR will be after enforcement begins on May 25, 2018. Individual countries will be responsible for enforcing the GDPR within their borders, so enforcement likely will vary. Notably, the GDPR authorizes substantial penalties for non-compliance—up to 4% of a company’s annual global turnover or €20 million, whichever is greater.[637]

2. EU-U.S. Privacy Shield

As noted above, one way that a company may comply with the EU’s requirements for secure data transfers is through the EU-U.S. Privacy Shield Framework. Administered in the U.S. by the Department of Commerce, the Privacy Shield allows companies to participate voluntarily by establishing a commitment to privacy compliance and self-certifying annually.

The EU-U.S. Privacy Shield has been challenged by groups in Europe that claim its protections are inadequate. But on October 18, 2017, the EU Commission published a report that established that the Privacy Shield, unlike the Safe Harbor framework that preceded it, “ensures an adequate level of protection for personal data that has been transferred from the European Union to organi[z]ations in the U.S.”[638] Thus, as of this publication, the Privacy Shield stands as a valid option for companies to comply with the GDPR.

However, the Commission also noted that “the practical implementation of the Privacy Shield framework can be further improved in order to ensure that the guarantees and safeguards provided therein continue to function as intended.”[639] The Commission will continue to review the adequacy of the Privacy Shield annually and has provided some recommendations for the U.S. in maintaining the Privacy Shield’s adequacy.[640] For now, participation in the Privacy Shield can protect companies that perform data transfers between the EU and the U.S.
But companies must be sure they actually are adhering to the Privacy Shield, and not merely paying lip service to it. Indeed, U.S. regulators at the FTC have already taken action against several companies that allegedly deceived consumers by falsely claiming participation in the Privacy Shield framework.[641]

B. China and Other International Developments

In an increasingly connected world, 2017 also saw many countries outside of the United States try to get ahead of the challenges within the cybersecurity and data protection landscape. Several international developments bear brief mention here:

On June 1, 2017, China’s Cybersecurity Law went into effect, becoming the first comprehensive Chinese law to regulate how companies manage and protect digital information. The law also imposes significant restrictions on the transfer of certain data outside of the mainland (data localization), enabling government access to such data before it is exported.[642] Despite protests and petitions by governments and multinational companies, the implementation of the Cybersecurity Law continues to progress with the aim of regulating the behavior of many companies in protecting digital information.[643] While the stated objective is to protect personal information and individual privacy, and according to a government statement in China Daily, a state media outlet, to “effectively safeguard national cyberspace sovereignty and security,” the law in effect gives the Chinese government unprecedented access to network data for essentially all companies in the business of information technology.[644] Notably, key components of the law disproportionately affect multinationals because the data localization requirement obligates international companies to store data domestically and undergo a security assessment by supervisory authorities for important data that needs to be exported out of China. Though the law imposes more stringent rules on critical information infrastructure operators (whose information could compromise national security or public welfare) in contrast to network operators (whose information capabilities could include virtually all businesses using modern technology), the law effectively subjects a majority of companies to government oversight. As a consequence, the reality for many foreign companies is that these requirements would likely be onerous, will increase the costs of doing business in China, and will heighten the risk of exposure to industrial espionage.[645] Despite the release of additional draft guidelines meant to clarify certain provisions of the law, there is a general outlook that the law is still a work in progress, with the scope and definition still vague and uncertain.[646] Nonetheless, companies should endeavor to assess their data and information management operations to evaluate the risks of the expanding scope of the data protection law as well as their risk appetite for compliance with the Chinese government’s access to their network data.

With the growing threat of hacking and identity theft, the Personal Data Protection Commission of Singapore issued proposed advisory guidelines on November 7, 2017 for the collection and use of national registration identification numbers. The guidance, which covers a great deal of personal and biometric data, emphasized the obligations of companies to ensure policies and practices are in place to meet the obligations for data protection under the Personal Data Protection Act of 2012. The Commission is giving businesses and organizations twelve months from publication to review their processes and implement necessary changes to ensure compliance.[647]

Several other countries, such as Australia and Turkey, also sought to address privacy issues and published important guidelines regarding procedures for deleting, destroying, and anonymizing personal data.
Other countries like Argentina forged ahead with an overhaul of the country’s data protection regime by publishing a draft data protection bill that would align the country’s privacy laws with the GDPR requirements of the European Union.[648]

There has also been civic engagement with the public as a number of countries solicited public comments to certain proposed regulations. For example, Canada opened up for comments a proposed regulation that would mandate reporting of privacy breaches under its Personal Information Protection and Electronic Documents Act of 2015, while India recently issued a white paper inviting comments that would inform the legal framework for drafting a data protection bill to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”[649]

V. Conclusion

We expect 2018 to be another significant year in the development and application of data privacy and cybersecurity law. As technology and data collection become more sophisticated, companies and governments will continue to explore the potential permissible uses of personal information. At the same time, the public will continue to debate the ideal balance between the benefits of big data and concerns for privacy and security. We will be tracking these important issues in the year ahead.

[1] Susan Heavey and Dustin Volz, FTC Probes Equifax, Top Democrat Likens It To Enron, Reuters (Sept. 14, 2017), available at https://www.reuters.com/article/us-equifax-cyber-ftc/ftc-probes-equifax-top-democrat-likens-it-to-enron-idUSKCN1BP1VX.
[2] Press Release, Federal Trade Commission, Operator of Online Tax Preparation Service Agrees to Settle FTC Charges That it Violated Financial Privacy and Security Rules (Aug. 29, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/08/operator-online-tax-preparation-service-agrees-settle-ftc-charges.
[3] Final Order at 1, In the Matter of LabMD, Inc., No. 9357 (F.T.C. July 28, 2016).
[4] Press Release, Federal Trade Commission, FTC Files Complaint Against LabMD for Failing to Protect Consumers’ Privacy (Aug. 29, 2013), available at https://www.ftc.gov/news-events/press-releases/2013/08/ftc-files-complaint-against-labmd-failing-protect-consumers. [5] Initial Decision at 13–14, In the Matter of LabMD, Inc., No. 9357 (F.T.C. Nov. 13, 2015). [6] LabMD, Inc. v. Fed. Trade Comm’n , 678 F. App’x 816, 817 (11th Cir. 2016). [7] Press Release, Federal Trade Commission, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (Jan. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate. [8] Fed. Trade Comm’n v. D-Link Sys., Inc. , No. 3:17-CV-00039-JD, 2017 WL 4150873, at *1 (N.D. Cal. Sept. 19, 2017). [9] Id . at *5. [10] Id . [11] Press Release, Federal Trade Commission, VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent (Feb. 6, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it. [12] Press Release, Federal Trade Commission, Lenovo Settles FTC Charges it Harmed Consumers with Preinstalled Software on its Laptops that Compromised Online Security (Sept. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled. [13] Press Release, Federal Trade Commission, Painting the Privacy Landscape: Informational Injury in FTC Privacy and Data Security Cases (Sept. 19, 2017), available at https://www.ftc.gov/public-statements/2017/09/painting-privacy-landscape-informational-injury-ftc-privacy-data-security. [14] Id. 
[15] Bryan Koenig, FTC’s Definition Of Cyber Injury Getting Broader, Chief Says , Law360 (May 17, 2017), available at https://www.law360.com/articles/925071/ftc-s-definition-of-cyber-injury-getting-broader-chief-says. [16] Allison Grande, Biz Groups Push FTC To Avoid ‘Theoretical’ Privacy Harms, Law360 (Nov. 1, 2017), available at https://www.law360.com/articles/980724/biz-groups-push-ftc-to-avoid-theoretical-privacy-harms . [17] Fed. Trade Comm’n v. AT&T Mobility LLC , 864 F.3d 995 (9th Cir. 2017). [18] Press Release, Department of Health and Human Services,OCR Launches Phase 2 of HIPAA Audit Program, (no date), available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/ . [19] Press Release, Department of Health and Human Services, $5.5 million HIPAA settlement shines light on the importance of audit controls (Feb. 16, 2017), available at https://www.hhs.gov/about/news/2017/02/16/hipaa-settlement-shines-light-on-the-importance-of-audit-controls.html . [20] Press Release, Department of Health and Human Services, Lack of timely action risks security and costs money (Feb. 1, 2017), available at https://www.hhs.gov/about/news/2017/02/01/lack-timely-action-risks-security-and-costs-money.html . [21] Press Release, Department of Health and Human Services, Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k (May 23, 2017), available at https://www.hhs.gov/about/news/2017/05/23/careless-handling-hiv-information-costs-entity.html . [22] Press Release, Department of Health and Human Services, First HIPAA enforcement action for lack of timely breach notification settles for $475,000 (Jan. 
9, 2017), available at http://wayback.archive-it.org/3926/20170127111957/https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html.
[23] Press Release, Department of Health and Human Services, $2.5 million settlement shows that not understanding HIPAA requirements creates risk (Apr. 24, 2017), available at https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html.
[24] Press Release, Department of Health and Human Services, Failure to protect the health records of millions of persons costs entity millions of dollars (Dec. 28, 2017), available at https://www.hhs.gov/about/news/2017/12/28/failure-to-protect-the-health-records-of-millions-of-persons-costs-entity-millions-of-dollars.html.
[25] Department of Health and Human Services, How HIPAA Allows Doctors to Respond to the Opioid Crisis (no date), available at https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf.
[26] SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[27] Ed Beeson, SEC Likely To Revisit Cybersecurity Guidance, Official Says, Law360 (Nov. 9, 2017, 8:48 PM), https://www.law360.com/cybersecurity-privacy/articles/983742/sec-likely-to-revisit-cybersecurity-guidance-official-says.
[28] Jimmy Hoover, SEC Suits Over Cyber Reporting Could Be On Horizon, Law360 (Apr. 20, 2017, 1:25 PM), https://www.law360.com/privacy/articles/915377/sec-suits-over-cyber-reporting-could-be-on-horizon.
[29] Beeson, supra note 27.
[30] Id.
[31] Chris Isidore, Equifax is investigating executive stock sales, CNN Money (Sept. 29, 2017, 3:19 PM), http://money.cnn.com/2017/09/29/news/companies/equifax-investigation/index.html.
[32] Tom Schoenberg, Anders Melin, and Matt Robinson, Equifax Stock Sales Are the Focus of U.S. Criminal Probe, Bloomberg (Sept. 18, 2017, 12:20 PM), https://www.bloomberg.com/news/articles/2017-09-18/equifax-stock-sales-said-to-be-focus-of-u-s-criminal-probe.
[33] Equifax Inc., Quarterly Report (Form 10-Q) at 40 (Nov. 9, 2017), available at https://otp.tools.investis.com/clients/us/equifax/SEC/sec-show.aspx?Type=html&FilingId=12372346&CIK=0000033185&Index=10000; see also Hayley Tsukayama, Equifax faces hundreds of class-action lawsuits and an SEC subpoena over the way it handled its data breach, Washington Post (Nov. 9, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/11/09/equifax-faces-hundreds-of-class-action-lawsuits-and-an-sec-subpoena-over-the-way-it-handled-its-data-breach/?utm_term=.ceebfb8dc054.
[34] Public Statement, SEC Chairman Jay Clayton, Statement on Cybersecurity, SEC (Sept. 20, 2017), available at https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20#_ftnref10.
[35] Id.
[36] Press Release, SEC, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, SEC (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.
[37] Press Release, SEC, SEC Emergency Action Halts ICO Scam, SEC (Dec. 4, 2017), available at https://www.sec.gov/news/press-release/2017-219.
[38] Id.
[39] The SEC alleges that Paradis-Royer, believed to be Lacroix’s romantic partner, helped to cover up the scheme when she, amongst other conduct, registered payments in her name, and attempted to resist Quebec authorities when they arrived at Lacroix and Paradis-Royer’s residence and to warn Lacroix of the search. See Compl., ECF No. 1, SEC v. PlexCorps et al., 1:17-CV-07007, at ¶¶ 24, 63, 92 (E.D.N.Y. Dec. 1, 2017), available at https://www.sec.gov/litigation/complants/2017/comp-pr2017-219.pdf.
[40] See Compl., ECF No. 1, SEC v. PlexCorps et al., 1:17-CV-07007 (E.D.N.Y. Dec. 1, 2017), available at https://www.sec.gov/litigation/complants/2017/comp-pr2017-219.pdf; see also Press Release, SEC, supra note 37.
[41] Press Release, SEC, supra note 37.
[42] David Shepardson, Trump Signs Repeal of U.S. Broadband Privacy Rules, Reuters (Apr. 3, 2017, 7:50 PM), available at https://www.reuters.com/article/us-usa-internet-trump/trump-signs-repeal-of-u-s-broadband-privacy-rules-idUSKBN1752PR.
[43] See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report & Order (“Commission Order”), FCC Dkt. No. 16-148 (Nov. 2, 2016), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1103/FCC-16-148A1.pdf.
[44] David Shepardson, FCC Approves TV Technology that Gives Better Pictures but Less Privacy, Reuters (Nov. 16, 2017, 3:25 PM), available at https://www.reuters.com/article/us-usa-television-technology/fcc-approves-tv-technology-that-gives-better-pictures-but-less-privacy-idUSKBN1DG2XF.
[45] See John Eggerton, Dingell has Privacy Concerns over ATSC 3.0, Broadcasting Cable (Nov. 8, 2017, 4:52 PM), http://www.broadcastingcable.com/news/washington/dingell-has-privacy-concerns-over-atsc-30/169962.
[46] SS7 is a signaling protocol that supports call setup, routing, exchange, and billing functions in communications networks by transmitting messages between fixed and mobile service providers. See FCC’s Public Safety & Homeland Security Bureau Encourages Implementation of CSRIC Signaling System 7 Security Best Practices, DA-17-799 (Aug. 24, 2017), https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwi8_tXflYrYAhXC5CYKHTC4BroQFggwMAE&url=https%3A%2F%2Fapps.fcc.gov%2Fedocs_public%2Fattachmatch%2FDA-17-799A1.docx&usg=AOvVaw3NB4Lc5YhzWjjTAxZv9Hss; see also Jenna Ebersole, Dem Lawmakers Urge FCC Action On Cellphone Cybersecurity, Law360 (Mar. 28, 2017, 8:05 PM), https://www.law360.com/articles/906956/dem-lawmakers-urge-fcc-action-on-cellphone-cybersecurity.
[47] FCC, Order, Straight Path Communications Inc., Ultimate Parent Company of Straight Path Spectrum, LLC, Straight Path Spectrum LLC, File No. EC-SED-16-00022575, Acct. No. 201732100003, FRN: 0022779334 (Jan. 12, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DA-17-40A1.pdf.
[48] Stephen Lawson, FCC looks to higher frequencies for 5G mobile (Oct. 22, 2015, 1:44 PM), https://www.computerworld.com/article/2996149/mobile-wireless/fcc-looks-to-higher-frequencies-for-5g-mobile.html.
[49] FCC, Order, Straight Path Communications Inc., Ultimate Parent Company of Straight Path Spectrum, LLC, Straight Path Spectrum LLC, File No. EC-SED-16-00022575, Acct. No. 201732100003, FRN: 0022779334 (Jan. 12, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DA-17-40A1.pdf.
[50] Blog of FCC Chairman Ajit Pai, Consumer Protection Month at the FCC (June 22, 2017, 2:20 PM), https://www.fcc.gov/news-events/blog/2017/06/22/consumer-protection-month-fcc.
[51] Press Release, Federal Communications Commission, Robocall Scammer Faces $120 Million Proposed Fine for Massive Caller ID Spoofing Operation (June 22, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-345470A1.pdf.
[52] Kelcee Griffis, FCC Fines Co. $2.8M For Powering Robocalls To Cellphones, Law360 (July 13, 2017, 4:27 PM), https://www.law360.com/articles/944001/fcc-fines-co-2-8m-for-powering-robocalls-to-cellphones; Press Release, Federal Communications Commission, FCC Proposes $82 Million Fine for Spoofed Telemarketing Robocalls (Aug. 3, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-346059A1.pdf.
[53] Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation, Consumer Financial Protection Bureau (Oct. 18, 2017), available at http://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf.
[54] Stakeholder Insights that Inform the Consumer Protection Principles, Consumer Financial Protection Bureau (Oct. 18, 2017), available at http://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation_stakeholder-insights.pdf.
[55] See supra note 54.
[56] Press Release, Bureau Seeks to Ensure a Workable Data Aggregation Market that Gives Consumers Protection and Value (Oct. 18, 2017), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-outlines-principles-consumer-authorized-financial-data-sharing-and-aggregation/.
[57] Id.
[58] See supra note 54.
[59] Assurance of Voluntary Compliance, In the Matter of Investigation by Eric T. Schneiderman, Attorney General of the State of New York, of Target Corporation, No. 17-094 (May 15, 2017), available at https://ag.ny.gov/sites/default/files/nyag_target_settlement.pdf.
[60] Id.; see also Press Release, A.G. Schneiderman Announces $18.5 Million Multi-State Settlement With Target Corporation over 2013 Data Breach (May 23, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-185-million-multi-state-settlement-target-corporation-over.
[61] Assurance of Voluntary Compliance, In Re Nationwide Mutual Ins. Co. and Allied Prop. & Casualty Ins. Co. (Aug. 3, 2017), available at https://ag.ny.gov/sites/default/files/nationwide-aod.pdf; see also Press Release, A.G. Schneiderman Announces $5.5 Million Multi-State Settlement With Nationwide Mutual Insurance Company Over 2012 Data Breach (Aug. 9, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-55-million-multi-state-settlement-nationwide-mutual.
[62] Id.
[63] Press Release, Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that Compromised Online Security (Sept. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled.
[64] Press Release, Attorney General Becerra Announces $3.5M Settlement with Lenovo for Preinstalling Software that Compromised Security of its Computers (Sept. 5, 2017), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-35m-settlement-lenovo-preinstalling-software.
[65] Press Release, AG’s Office Alleges Company Failed to Protect Personal Information of Nearly Three Million Massachusetts Residents, Despite Knowing its System was Vulnerable to Hackers (Sept. 19, 2017), available at http://www.mass.gov/ago/news-and-updates/press-releases/2017/2017-09-19-equifax-lawsuit.html; see also Complaint, Commonwealth of Massachusetts v. Equifax, Inc. (Suffolk Sup. Ct. Sept. 19, 2017).
[66] Memorandum In Support of Plaintiffs’ Motion For Transfer of Actions to the Northern District of Georgia And For Consolidation Pursuant to 28 U.S.C. 1407, In Re: Equifax Inc., Consumer Data Security Breach Litigation, MDL Dkt. No. 2800 (Judicial Panel on Multidistrict Litigation, Sept. 11, 2017), available at http://www.almcms.com/contrib/content/uploads/sites/292/2017/09/Equifax-MDL-motion.pdf.
[67] Press Release, Attorney General Becerra Announces $2 Million Settlement Involving Santa Barbara-based Cottage Health System Over Failure to Protect Patient Medical Records (Nov. 22, 2017), available at https://www.oag.ca.gov/news/press-releases/attorney-general-becerra-announces-2-million-settlement-involving-santa-barbara.
[68] Id.; see also Complaint for Injunction, Civil Penalties, and Other Equitable Relief, California v. Cottage Health et al., No. 17CV05269 (Sup. Ct. County of Santa Barbara, Nov. 15, 2017), available at https://www.oag.ca.gov/system/files/attachments/press_releases/Conformed%20Cottage%20Complaint%20SIGNED.PDF.
[69] Stipulation for Entry of Final Judgment and Permanent Injunction, California v. Cottage Health, et al., No. 17CV05269 (Sup. Ct. County of Santa Barbara, Nov. 15, 2017).
[70] Id.
[71] Press Release, A.G. Schneiderman Announces $700,000 Joint Settlement With Hilton After Data Breach Exposed Hundreds of Thousands of Credit Card Numbers (Oct. 31, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed.
[72] Id.; N.Y. Gen. Bus. Law § 899-aa(2) (McKinney 2017).
[73] Press Release, New Jersey Division of Consumer Affairs, Federal Trade Commission Reach $2.5 Million Settlement with Smart TV Manufacturer to Settle Allegations of Invasive Data Collection (Feb. 6, 2017), available at http://nj.gov/oag/newsreleases17/pr20170206a.html.
[74] Id.; see also Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission, et al. v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), available at http://nj.gov/oag/newsreleases17/Vizio-Order.pdf.
[75] Id.
[76] Washington State Attorney General’s Office, 2017 Data Breach Report, available at http://agportal-s3bucket.s3.amazonaws.com/uploadedfiles/Home/Safeguarding_Consumers/Data_Breach/2017%20Data%20Breach%20Report%20Final.pdf.
[77] 23 NYCRR 500, available at http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
[78] Id.
[79] Id.; see also Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500), N.Y. Dep’t of Fin. Servs., http://www.dfs.ny.gov/about/cybersecurity.htm (last visited Jan. 23, 2018).
[80] Id.
[81] Proposed Financial Services Regulations, N.Y. Dep’t of Fin. Servs., http://www.dfs.ny.gov/legal/regulations/proposed/propdfs.htm (last visited Jan. 23, 2018).
[82] Executive Order 13,800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017).
[83] Id. at 1.
[84] Id. at 1-2.
[85] Id. at 4.
[86] See Press Release, Final IT Modernization Report (Dec. 13, 2017), available at https://www.whitehouse.gov/articles/final-modernization-report/; Report to the President on Federal IT Modernization, available at https://itmodernization.cio.gov/.
[87] Executive Order, at 5.
[88] Id. at 5-6.
[89] Id. at 6.
[90] Id.
[91] A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, National Telecommunications and Information Administration, U.S. Dep’t of Commerce (Jan. 5, 2018), available at https://www.ntia.doc.gov/report/2018/report-president-enhancing-resilience-internet-and-communications-ecosystem-against.
[92] Id. at 6-7.
[93] Id. at 7.
[94] Id.
[95] Id.
[96] Id. at 7-8.
[97] Id. at 8-9.
[98] Lily Hay Newman, Taking Stock of Trump’s Cybersecurity Executive Order so Far, WIRED (Sept. 3, 2017), available at https://www.wired.com/story/trump-cybersecurity-executive-order/.
[99] See, e.g., Sonam Sheth, Over a Quarter of the Members on Trump’s Cybersecurity Advisory Council Have Resigned En Masse, Business Insider (Aug. 28, 2017), available at http://www.businessinsider.com/members-of-trump-cybersecurity-council-resign-2017-8.
[100] Joseph Marks, Trump Administration Plans a New Cybersecurity Strategy, Defense One (Oct. 25, 2017), available at http://www.defenseone.com/technology/2017/10/trump-administration-plans-new-cybersecurity-strategy/142042/.
[101] Vulnerabilities Equities Policy and Process for the United States Government (Nov. 15, 2017), available at https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF.
[102] Id. at 1.
[103] Id. at 3-4.
[104] Id. at 6-7.
[105] Id.
[106] Id. at 7-8.
[107] Id. at 13-14.
[108] David Shepardson, Trump Signs Repeal of U.S. Broadband Privacy Rules, Reuters (Apr. 3, 2017), https://www.reuters.com/article/us-usa-internet-trump/trump-signs-repeal-of-u-s-broadband-privacy-rules-idUSKBN1752PR.
[109] Richard Lawler, Trump Signs Bill Rolling Back FCC Privacy Rules for ISPs, Engadget (Apr. 3, 2017), https://www.engadget.com/2017/04/03/trump-signs-bill-rolling-back-fcc-privacy-rules-for-isps/.
[110] Id.
[111] Shepardson, supra note 109.
[112] See generally 50 U.S.C. § 1881 (2012).
[113] See, e.g., 50 U.S.C. § 1881a.
[114] The FISA Amendments Act: Q&A, Office of the Director of National Intelligence, https://www.dni.gov/files/icotr/FISA%20Amendments%20Act%20QA%20for%20Publication.pdf.
[115] H.R. 139, 115th Cong. (2017).
[116] S. 2010, 115th Cong. (2017); see also David Shortell, Senate Intel Advances Bill to Reauthorize Spying Program with Minimal Reform, CNN (Oct. 27, 2017), http://www.cnn.com/2017/10/26/politics/fisa-702-reauthorization-bill-advanced/index.html.
[117] Pub. L. 115-96 (2017); see also Matthew Kahn, Congress Buys Itself Another Three Weeks on Section 702, Lawfare (Dec. 22, 2017), https://www.lawfareblog.com/year-review-fisa-section-702.
[118] H. 137, 115th Cong. (2017); see also Charlie Savage, Eileen Sullivan & Nicholas Fandos, House Extends Surveillance Law, Rejecting New Privacy Safeguards, N.Y. Times (Jan. 11, 2018), https://www.nytimes.com/2018/01/11/us/politics/fisa-surveillance-congress-trump.html.
[119] See Ted Barrett and Ashley Killough, Senate Passes FISA Section 702 Reauthorization, CNN Politics (Jan. 18, 2018), http://www.cnn.com/2018/01/18/politics/fisa-reauthorization-senate-vote/index.html.
[120] See Gregory Korte and Erin Kelly, Trump signs bill extending surveillance law – the same law he says was used to spy on him, USA Today (Jan. 19, 2018), https://www.usatoday.com/story/news/politics/onpolitics/2018/01/19/trump-signs-bill-extending-surveillance-law-same-law-he-says-used-spy-him/1049663001/.
[121] See Andrew Liptak, President Donald Trump Has Signed the FISA Reauthorization Bill, The Verge (Jan. 20, 2018), https://www.theverge.com/2018/1/20/16913534/president-donald-trump-signed-fisa-amendments-reauthorization-act-of-2017-section-702.
[122] See 18 U.S.C. § 2510 (2012).
[123] H.R. 387, 115th Cong. (2015).
[124] Mario Trujillo, House Unanimously Passes Email Privacy Bill, The Hill (Apr. 27, 2016), http://thehill.com/policy/technology/277897-house-unanimously-passes-bill-to-protect-email-privacy.
[125] S. 1654, 115th Cong. (2017).
[126] H.R. 1616, 115th Cong. (2017); see also Michael Macagnone, House Authorizes National Cyber Security Center, Law360 (May 16, 2017), https://www.law360.com/privacy/articles/924495.
[127] Pub. L. No. 115-76 (2017).
[128] H.R. 4081, 115th Cong. (2017); S. 2124, 115th Cong. (2017).
[129] Mike Lennon, U.S. Senators Introduce SEC Cybersecurity Disclosure Legislation, Security Week (Dec. 18, 2015), http://www.securityweek.com/us-senators-introduce-sec-cybersecurity-disclosure-legislation.
[130] See Security Breach Notification Laws, National Conference of State Legislatures (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (listing the 47 states, along with the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, that have passed data breach notification laws).
[131] See Nat’l Conference of State Legislatures, Cybersecurity Legislation 2017, http://ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx (last visited Jan. 22, 2018).
[132] See Act of Apr. 3, 2017, Pub. L. No. 115-22, 131 Stat. 88 (2017) (disapproving Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report and Order, 81 Fed. Reg. 87,274 (Dec. 2, 2016)).
[133] See California Consumer Privacy Act of 2018, Initiative No. 17-0027 (Cal. 2018), available at https://oag.ca.gov/system/files/initiatives/pdfs/17-0027%20%28Consumer%20Privacy%29_1.pdf.
[134] Data Breach Notification Act, H.B. 15 (N.M. 2017), available at https://legiscan.com/NM/text/HB15/2017 (defining “personal identifying information” as an “[i]ndividual’s first name or last initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: social security number; driver’s license number; government issued identification number; account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or biometric data”).
[135] Act to Amend Title 6 of the Delaware Code Relating to Breaches of Security Involving Personal Information, H.B. 180 (Del. 2017), available at https://legis.delaware.gov/BillDetail/26009.
[136] H.J.R. 59, 100th Gen. Assemb., 1st Sess. (Ill. 2017), available at http://ilga.gov/legislation/fulltext.asp?DocName=10000HJ0059eng&GA=100&SessionId=91&DocTypeId=HJR&LegID=107003&DocNum=59&GAID=14&Session=&print=true.
[137] See Nat’l Conference of State Legislatures, Cybersecurity Legislation 2017, http://ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx (last visited Jan. 22, 2018) (discussing H.R. 353 (P.R. 2017)); see also H.R. 353 (P.R. 2017), available at http://www.oslpr.org/2017-2020/%7B89C0F2C716C0425EA321DE9FC40CC10A%7D.docx (Spanish-language version).
[138] H.B. 7304 (Conn. 2017), available at https://www.cga.ct.gov/2017/act/pa/pdf/2017PA-00223-R00HB-07304-PA.pdf.
[139] S.B. 33, 64th Legis. Sess. (Wy. 2017), available at https://legiscan.com/WY/text/SF0033/2017.
[140] S.B. 1028, 217th Leg. (N.J. 2017), available at https://legiscan.com/NJ/text/S1028/2016.
[141] Assemb. B. 2765 (N.Y. 2017), available at http://assembly.state.ny.us/leg/?default_fld=&bn=A02765&term=2017&Summary=Y&Actions=Y&Text=Y&Committee%26nbspVotes=Y&Floor%26nbspVotes=Y.
[142] S.B. 2406-A (N.Y. 2017), available at http://legislation.nysenate.gov/pdf/bills/2017/S2406A.
[143] Colo. Rev. Stat. Ann. § 24-72-204.5 (West 2017); Tenn. Code Ann. § 10-7-512 (West 2017).
[144] Conn. Gen. Stat. Ann. § 31-48d (West 2017); Del. Code Ann. tit. 19, § 705 (West 2017).
[145] Conn. Gen. Stat. Ann. § 31-48d(c).
[146] Del. Code Ann. tit. 19, § 705(c).
[147] H.B. 2371, 100th Gen. Assemb., 1st Sess. (Ill. 2017), available at http://www.ilga.gov/legislation/fulltext.asp?DocName=&SessionId=91&GA=100&DocTypeId=HB&DocNum=2371&GAID=14&LegID=103007&SpecSess=&Session=.
[148] Assemb. B. 4936, 217th Leg. (N.J. 2017), available at https://legiscan.com/NJ/text/A4936/2016; H.B. 3221, 79th Legis. Sess. (Or. 2017), available at https://olis.leg.state.or.us/liz/2017R1/Downloads/MeasureDocument/HB3221.
[149] Assemb. B. 276 (Cal. 2017), available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB276.
[150] Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
[151] Id. at 1545.
[152] Id.
[153] In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 634–35 (3d Cir. 2017).
[154] Id. at 634–35.
[155] Id. at 640 (footnotes omitted); see also id. (“There is thus a de facto injury that satisfies the concreteness requirement for Article III standing.”) (footnote omitted).
[156] Attias v. Carefirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017).
[157] Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90 (2d Cir. 2017).
[158] Id.
[159] Beck v. McDonald, 848 F.3d 262, 274–75 (4th Cir.), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017).
[160] See, e.g., In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., No. MC 15-1394 (ABJ), 2017 WL 4129193, at *34–35 (D.D.C. Sept. 19, 2017) (“Neither complaint directly alleges, or marshals any facts that would support an inference, that those behind this attack are likely to use the information for credit card fraud or identity theft purposes, that they are likely to make it available to other criminals for that purpose, or that the breach has enabled other bad actors to have greater access to the information than they did before.”), appeals docketed, No. 17-5217 (D.C. Cir. Sept. 27, 2017), No. 17-5232 (D.C. Cir. Oct. 12, 2017), No. 18-1182 (Fed. Cir. Nov. 15, 2017); In re VTech Data Breach Litig., No. 15 CV 10889, 2017 WL 2880102, at *4 (N.D. Ill. July 5, 2017) (“Plaintiffs here fail to make the connection between the data breach they allege and the identity theft they fear. Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identity theft.”); Nayab v. Capital One Bank, N.A., No. 3:16-CV-3111-CAB-MDD, 2017 WL 2721982, at *2–3 (S.D. Cal. June 23, 2017) (finding that allegations of “increased risk” of identity theft were “speculative and conjectural”), appeal docketed, No. 17-55944 (9th Cir. July 5, 2017).
[161] In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017).
[162] Id. at 765–67.
[163] Id. at 769 (citing Attias, 865 F.3d at 625–29; Whalen, 689 F. App’x at 89–91; Beck, 848 F.3d at 273–76; Galaria v. Nationwide Mut. Ins., 663 F. App’x 384, 387–90 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 966–69 (7th Cir. 2016); and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692–93 (7th Cir. 2015)).
[164] Id. at 769, 771 (citation omitted).
[165] Id. at 772–74.
[166] See Robins v. Spokeo, Inc., 867 F.3d 1108, 1117 (9th Cir. 2017), petition for cert. filed, No. 17-806 (U.S. Dec. 6, 2017).
[167] Id.
[168] Syed v. M-I, LLC, 853 F.3d 492, 499–500 (9th Cir. 2017), cert. denied, No. 16-1524, 2017 WL 2671483 (U.S. Nov. 13, 2017).
[169] Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017).
[170] Id.
[171] See Perry v. Cable News Network, Inc., 854 F.3d 1336, 1340–41 (11th Cir. 2017) (“We conclude that violation of the VPPA constitutes a concrete harm. . . . The structure and purpose of the VPPA supports the conclusion that it provides actionable rights.”) (citations omitted).
[172] See, e.g., Aguirre v. Absolute Resolutions Corp., No. 15 C 11111, 2017 WL 4280957, at *5 (N.D. Ill. Sept. 27, 2017) (FDCPA case); Hargrett v. Amazon.com DEDC LLC, 235 F. Supp. 3d 1320, 1326 (M.D. Fla. 2017) (FCRA case); Bock v. Pressler & Pressler, LLP, 254 F. Supp. 3d 724, 734–37 (D.N.J. 2017) (FDCPA case).
[173] See Groshek v. Time Warner, Inc., 865 F.3d 884, 887 (7th Cir. 2017).
[174] Id. at 889.
[175] Dreher v. Experian Info. Sols., Inc., 856 F.3d 337, 346–47 (4th Cir. 2017).
[176] See id. at 347.
[177] See Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76, 81–82 (2d Cir. 2017); Katz v. Donna Karan Co., L.L.C., 872 F.3d 114, 121 (2d Cir. 2017) (“FACTA does not prohibit printing the [credit card] issuer identity on a receipt . . . .”).
[178] See, e.g., Fullwood v. Wolfgang’s Steakhouse, Inc., No. 13 CIV. 7174 (KPF), 2017 WL 5157466, at *5–6 (S.D.N.Y. Nov. 3, 2017); Kamal v. J. Crew Grp., Inc., No. CV 2:15-0190 (WJM), 2017 WL 2443062, at *4–5 (D.N.J. June 6, 2017).
[179] See Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 913 (7th Cir. 2017).
[180] Id. at 910.
[181] See Santana v. Take-Two Interactive Software, Inc., — F. App’x —, 2017 WL 5592589, at *5 (2d Cir. Nov. 21, 2017).
[182] Id. at *2–3.
[183] See Satchell v. Sonic Notify, Inc., 234 F. Supp. 3d 996, 1005 (N.D. Cal. 2017) (holding that the plaintiff alleged an adequate injury based on allegation that the “[d]efendants captured and listened to private conversations without her knowledge or consent”).
[184] See In re Vizio, Inc., Consumer Privacy Litig., 238 F. Supp. 3d 1204, 1215–17 (C.D. Cal. 2017).
[185] E.g., Whitaker v. Appriss, Inc., 229 F. Supp. 3d 809, 812–17 (N.D. Ind. 2017); Hatch v. Demayo, No. 1:16CV925, 2017 WL 4357447, at *3–6 (M.D.N.C. Sept. 29, 2017).
[186] Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037, 1043 (9th Cir. 2017).
[187] See Leyse v. Lifetime Entm’t Servs., LLC, 679 F. App’x 44, 46 (2d Cir. 2017); Susinno v. Work Out World Inc., 862 F.3d 346, 352 (3d Cir. 2017).
[188] See, e.g., Melito v. Am. Eagle Outfitters, Inc., No. 14-CV-2440 (VEC), 2017 WL 3995619, at *7 (S.D.N.Y. Sept. 11, 2017) (certifying class and approving class settlement over objections, and holding that the “receipt of an unconsented to voicemail message was sufficient to establish a concrete injury”), appeal docketed, No. 17-3277 (2d Cir. Oct. 10, 2017); Heather McCombs, D.P.M., L.L.C. v. Cayan LLC, No. 15 C 10843, 2017 WL 1022013, at *4 (N.D. Ill. Mar. 16, 2017) (holding “that in pleading the receipt of an unsolicited fax advertisement in violation of the TCPA, Plaintiff has alleged a particularized and concrete injury sufficient to satisfy Article III”), appeal dismissed, No. 17-1946, 2017 WL 5185363 (7th Cir. July 7, 2017).
[189] Legg v. PTZ Ins. Agency, Ltd., 321 F.R.D. 572, 577–78 (N.D. Ill. 2017), appeal docketed, No. 17-8018 (7th Cir. Aug. 31, 2017).
[190] Allison Grande, Spokeo Wants Justices To Revisit Last Year’s Standing Ruling, Law360 (Dec. 13, 2017, 10:50 PM), https://www.law360.com/cybersecurity-privacy/articles/994507/spokeo-wants-justices-to-revisit-last-year-s-standing-ruling.
[191] Allison Grande, Spokeo Standing Fight Won’t Go Another Round At High Court, Law360 (Jan. 22, 2018, 4:15 PM), https://www.law360.com/cybersecurity-privacy/articles/1004192/spokeo-standing-fight-won-t-go-another-round-at-high-court.
[192] Michael Riley, Jordan Robertson, and Anita Sharpe, The Equifax data breach has the hallmarks of state-sponsored pros, Bloomberg Businessweek (Sept. 29, 2017), https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.
[193] See, e.g., Compl., Allen et al. v. Equifax, Inc., No. 1:17-cv-04544 (N.D. Ga. Nov. 10, 2017); see also Wolf Richter, Equifax’s data breach will cost it for months to come, Business Insider (Nov. 11, 2017), http://www.businessinsider.com/equifax-data-breach-will-keep-costing-it-for-months-to-come-2017-11.
[194] Id.
[195] See Compl., People of the State of California v. Equifax, Inc., No. CGC-17-561529 (Sept. 26, 2017); Compl., City of Chicago v. Equifax, Inc., 2017-CH-13047 (Sept. 28, 2017).
[196] Compl., Commonwealth of Massachusetts v. Equifax, Inc., No. 1784CV03009 (Sept. 19, 2017).
[197] Renae Merle, After the breach, Equifax now faces the lawsuits, Washington Post (Sept. 22, 2017), https://www.washingtonpost.com/news/business/wp/2017/09/22/after-the-breach-equifax-now-faces-the-lawsuits/?utm_term=.185a237742fb.
[198] Compl., Kuhns et al. v. Equifax, Inc., No. 1:17-cv-03463 (N.D. Ga. Sept. 8, 2017).
[199] See, e.g., Knepper v. Equifax Information Servs., LLC, No. 2:17-CV-02368 (D. Nev. Oct. 2, 2017) (order granting motion to stay pending consolidation).
[200] In re Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (J.P.M.L. Dec. 6, 2017).
[201] Teri Robinson, Open AWS S3 bucket exposes sensitive Experian and census info on 123 million U.S. households, SC Magazine (Dec. 20, 2017), https://www.scmagazine.com/open-aws-s3-bucket-exposes-sensitive-experian-and-census-info-on-123-million-us-households/article/720067/.
[202] Id.
[203] Id.
[204] Ray Schultz, Alteryx Slammed with Two Data Breach Suits, Email Marketing Daily (Dec. 22, 2017), https://www.mediapost.com/publications/article/312126/alteryx-slammed-with-two-data-breach-suits.html.
[205] Elec. Privacy Info. Ctr. v. FBI, No. 1:17-cv-00121 (D.D.C. Jan. 18, 2017).
[206] Compl., Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. filed Aug. 3, 2016), ECF No. 1; see also Kevin Poulsen, Putin’s Hackers Now Under Attack – From Microsoft, Daily Beast (July 20, 2017), https://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network.
[207] Selena Larson, Data of almost 200 million voters leaked online by GOP analytics firm, CNN (June 19, 2017), http://money.cnn.com/2017/06/19/technology/voter-data-leaked-online-gop/index.html?iid=EL.
[208] Id.
[209] Compl., McAleer et al. v. Deep Root Analytics, LLC, No. 6:17-cv-01142 (M.D. Fla. June 21, 2017).
[210] Order, McAleer et al. v. Deep Root Analytics, LLC, No. 6:17-cv-01142 (M.D. Fla. Nov. 7, 2017).
[211] Callum Borchers, What we know about the 21 states targeted by Russian hackers, Washington Post (Sept. 23, 2017), https://www.washingtonpost.com/news/the-fix/wp/2017/09/23/what-we-know-about-the-21-states-targeted-by-russian-hackers/?utm_term=.28d2dcb475c7.
[212] Id.
[213] See, e.g., Compl., Weiss et al. v. Arby’s Restaurant Group, Inc., No. 1:17-cv-01035 (N.D. Ga. Mar. 22, 2017).
[214] See, e.g., Compl., Bellwether Comm. Credit Union v. Chipotle Mexican Grill, Inc., No. 1:17-cv-01102 (D. Colo. May 4, 2017).
[215] See, e.g., Order, In re Sonic Corp. Customer Data Security Breach Litig., No. 2807 (J.P.M.L. Dec. 15, 2017); David P. Willis, Sonic Drive-In hit by security breach, Asbury Park Press (Sept. 27, 2017), https://www.usatoday.com/story/tech/2017/09/27/sonic-drive-hit-security-breach/708850001/.
[216] Josh Magness & Donovan Harrell, Pizza Hut was hacked, company says, Miami Herald (Oct. 14, 2017, updated Oct. 18, 2017), https://www.usatoday.com/story/tech/2017/09/27/sonic-drive-hit-security-breach/708850001/.
[217] Compl., Yoachim et al. v. Pizza Hut Inc., No. 17-cv-1675 (W.D. Wash. Nov. 7, 2017).
[218] Jamie Biesiada, Sabre sued for data breach of hotel res system, Travel Weekly (July 14, 2017), http://www.travelweekly.com/Travel-News/Travel-Technology/Sabre-sued-for-data-breach-of-hotel-res-system.
[219] Compl., Orr v. InterContinental Hotels Group, PLC, No. 1:17-cv-01622 (N.D. Ga. May 5, 2017).
[220] Compl., Banus v. Whole Foods Market Group, Inc., No. 1:17-cv-02132 (N.D. Ohio Oct. 10, 2017).
[221] Largest Healthcare Data Breaches of 2017, HIPAA J. (Jan. 4, 2018), https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/.
[222] Id.
[223] Marianne Kolbasuk McGee, Breach involving encrypted devices raises questions, Health Care Info Security (Mar. 23, 2017), https://www.healthcareinfosecurity.com/breach-involving-encrypted-devices-raises-questions-a-9789.
[224] Largest Healthcare Data Breaches of 2017, HIPAA J. (Jan. 4, 2018), https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/.
[225] Compl., Palmer v. Bowling Green-Warren Cnty. Comm. Hosp. Corp., No. 17-CI-00579 (Cir. Ct. Warren Cnty. May 12, 2017).
[226] Jeff John Roberts, Law firm DLA Piper reels under cyber attack, fate of files unclear, Fortune (June 29, 2017), https://www.healthcareinfosecurity.com/breach-involving-encrypted-devices-raises-questions-a-9789.
[227] Guardian to fight legal action over Paradise Papers, The Guardian (Dec. 18, 2017), https://www.theguardian.com/uk-news/2017/dec/18/guardian-bbc-legal-action-paradise-papers?CMP=Share_iOSApp_Other.
[228] Id.
[229] Id.
[230] See Order, In re: Yahoo! Inc. Customer Data Sec. Breach Litigation, No. 16-MD-02752-LHK, 2017 WL 3727318 (N.D. Cal. Aug. 30, 2017).
[231] Id. at *17.
[232] Id. at *53.
[233] In re: U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 266 F. Supp. 3d 1 (D.D.C. 2017).
[234] Id. at 20, 28.
[235] Id. at 36-38.
[236] Id. at 39-47, 49-50.
[237] In re VTech Data Breach Litig., No. 1:15-cv-10889, -10891, -11620, -11885, 2017 WL 2880102, at *4 (N.D. Ill. July 5, 2017).
[238] Id.
[239] Amended Complaint, In re VTech Data Breach Litig., No. 1:15-cv-10889, -10891, -11620, -11885 (N.D. Ill. Aug. 17, 2017).
[240] Electronic Toy Maker VTech Settles FTC Allegations That It Violated Children’s Privacy Law and the FTC Act, Fed. Trade Comm’n (Jan. 8, 2018), https://www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated.
[241] Id. at 14.
[242] Id. at 12.
[243] SELCO Comm. Credit Union v. Noodles & Co., 267 F. Supp. 3d 1292 (D. Colo. 2017).
[244] Id.
[245] Id.
[246] Attias v. CareFirst, Inc., 865 F.3d 620, 622-23 (D.C. Cir. 2017).
[247] Id. at 628.
[248] Id.
[249] Beck v. McDonald, 848 F.3d 262, 267 (4th Cir. Feb. 6, 2017).
[250] Id. at 274, 276-77.
[251] Id. at 275.
[252] Attias, 865 F.3d at 628.
[253] Beck, 848 F.3d at 275.
[254] Whalen v. Michaels Stores, Inc., 689 Fed. App’x 89, 90-91 (2d Cir. 2017).
[255] See Alison Frankel, 8th Circuit Adds to Data Breach Litigation Uncertainty, Ahead of SCOTUS Petition, Reuters (Sept. 1, 2017), https://www.reuters.com/article/us-otc-databreach/8th-circuit-adds-to-data-breach-litigation-uncertainty-ahead-of-scotus-petition-idUSKCN1BC5OJ.
[256] In re SuperValu, Inc., Customer Data Sec. Breach Litig., 870 F.3d 763, 770-72 (8th Cir. 2017).
[257] Id. at 772.
[258] Complaint, Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. Aug. 3, 2016), ECF No. 1; see also Kevin Poulsen, Putin’s Hackers Now Under Attack – From Microsoft, Daily Beast (July 20, 2017), https://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network.
[259] Id.
[260] Preliminary Injunction Order, Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. Aug. 12, 2016), ECF No. 33.
[261] Motion for Default Judgment and Permanent Injunction, Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. June 29, 2017), ECF No. 55.
[262] Guardian to Fight Legal Action over Paradise Papers, The Guardian (Dec. 18, 2017), https://www.theguardian.com/uk-news/2017/dec/18/guardian-bbc-legal-action-paradise-papers.
[263] Settlement Agreement and Release at 11, In re Anthem, Inc. Data Breach Litig. (“In re Anthem”), No. 5:15-md-02617-LHK (N.D. Cal. June 23, 2017).
[264] See In re Anthem, 162 F. Supp. 3d 953, 967 (N.D. Cal. 2016).
[265] See id. at 968.
[266] Id. at 1016.
[267] Settlement Agreement and Release at 4, In re Anthem, No. 5:15-md-02617-LHK (N.D. Cal. June 23, 2017).
[268] See generally Order Granting Motion for Preliminary Approval of Class Action Settlement, In re Anthem, No. 5:15-md-02617-LHK (N.D. Cal. Aug. 25, 2017).
[269] Settlement Agreement and Release at 11, In re Anthem, No. 5:15-md-02617-LHK (N.D. Cal. May 31, 2017).
[270] Id.
[271] Id. at 11, 23.
[272] Id. at 10.
[273] See Memorandum of Law in Support of Consumer Plaintiffs’ Motion for Preliminary Approval of Class Settlement, In re: The Home Depot, Inc., Customer Data Sec. Breach Litig. (“In re Home Depot”), No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016).
[274] See Final Order and Judgment at 1–2, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017).
[275] Id. at 3.
[276] Id. at 13.
[277] See Memorandum and Order at 3, In re: Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 (PAM) (D. Minn. May 17, 2017).
[278] See id.
[279] See id. at 19-21.
[280] See generally Objector Olson’s Amended Notice of Appeal, In re: Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 (PAM) (D. Minn. June 2, 2017).
[281] Press Release, N.Y. State Office of the Attorney Gen., A.G. Schneiderman Announces $18.5 Million Multi-State Settlement with Target Corporation over 2013 Data Breach (May 23, 2017), https://ag.ny.gov/press-release/ag-schneiderman-announces-185-million-multi-state-settlement-target-corporation-over.
[282] See Final Order and Judgment at 3–6, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017), ECF No. 343 (adopting Settlement Agreement, ECF No. 327-3).
[283] See Settlement Agreement and Release at 10–18, 23, In re Anthem, No. 5:15-md-02617-LHK (N.D. Cal. June 23, 2017), ECF No. 869-8.
[284] Order Granting Final Approval of Class Action Settlement and Final Judgment, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260 (adopting Settlement Agreement, ECF No. 181-2); Order Granting Consumer Plaintiffs’ Motion For Service Awards, Attorneys’ Fees and Litigation Expense Reimbursement, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 261 (adopting Settlement Agreement, ECF No. 181-2). [285] Mem. and Order Granting Mot. for Final Approval of Financial Institutions’ Class Action Settlement and Mot. for Att’y Fees and Expenses and Service Payments, In re Target, No. 0:14-md-02522-PAM (D. Minn. May 12, 2016), ECF No. 758 (adopting Settlement Agreement, ECF No. 653-1). [286]   Robin Sidel, Target to Settle Claims Over Data Breach, Wall St. J. (Aug. 18, 2015, 5:10 PM ET), http://www.wsj.com/articles/target-reaches-settlement-with-visa-over-2013-data-breach-1439912013. [287] Final Approval of Class Settlement, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 6, 2016), ECF No. 165 (approving Settlement Agreement, ECF No. 146-1); Order on Mot. for Att’y Fees, Costs, and Service Awards at 3, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 12, 2016), ECF No. 166. [288] St. Joseph Health System Med. Info. Cases , JCCP No. 4716 (Cal. Sup. Ct.). [289] Mem. and Order Granting Mot. for Final Approval of Consumer Settlement and Mot for Payment of Service Awards and Fees and Expenses, In re Target, No. 0:14-md-02522-PAM (D. Minn. Nov. 16, 2016), ECF No. 645 (approving Settlement Agreement, ECF No. 358-1). [290] Order Granting Final Approval of Class Action Settlement, In re LinkedIn User Privacy Litig., No. 12-CV-03088-EJD (N.D. Cal. Sept. 15, 2015), ECF No. 147 (approving Settlement Agreement, ECF No. 145-1). [291] Mot. for Approval of Voluntary Dismissal, In re Adobe Systems Inc. Privacy Litig., No. 5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87; Settlement Agreement, In re Adobe Systems Inc. Privacy Litig., No. 
5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87-2. [292] Min. Order Granting Motion for Settlement, In re Sony Gaming Networks & Customer Data Sec. Breach Litig ., No. 3:11-md-02258 (S.D. Cal. May 4, 2015), ECF No. 210; Settlement Agreement, In re Sony Gaming Networks, No. 3:11-md-02258 (S.D. Cal. June 13, 2014), ECF No. 190-2. [293] Opinion at 3, 9–11, Palkon et al. v. Holmes et al., No. 2:14-cv-01234 (SRC) (D.N.J. Oct. 20, 2014), ECF No. 49. [294] Order Granting Motion to Dismiss, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (D. Minn. July 7, 2016), ECF No. 19; Target Corporation Report of the Special Litigation Committee at 2, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (Mar. 30, 2016), ECF No. 62-2; see also Memorandum of Law of the Special Litigation Committee of the Board of Directors of Target Corporation in Support of its Motion for Approval and Dismissal, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (D. Minn. May 6, 2016), ECF No. 59. [295] Opinion and Order at 11, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 62. [296] Unopposed Motion for Order for Preliminary Approval of Shareholder Derivative Settlement with Brief In Support, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 73; Notice of Proposed Settlement at 5, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 74-4. [297] Notice of Proposed Settlement at 4-5, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 74-4. [298]   See Updates Related to Investigation of Unusual Payment Card Activity at Wendy’s, WENDYS.COM, (last visited Jan. 21, 2018), https://www.wendys.com/en-us/about-wendys/the-wendys-company-updates. 
[299] Verified Shareholder Derivative Complaint at 71-74, Graham v. Peltz et al, No. 1:16-cv-01153-TSB (S.D. Ohio Dec. 16, 2016), ECF No. 1. [300] Id. at 4. [301] Memorandum in Support of Defendants’ Motion to Dismiss Verified Shareholder Derivative Complaint, Graham v. Peltz et al, No. 1:16-cv-01153-TSB (S.D. Ohio Mar. 10, 2017), ECF No. 9-1. [302] Id. at 15. [303] Complaint, In re: Yahoo! Inc. Shareholder Derivative Litigation, No. 5:17-cv-00787-LHK (N.D. Cal. Feb. 16, 2017), ECF No. 1. [304] Complaint, Okla. Firefighters Pension And Ret. Sys. v. Brandt, et al. , No. 2017-0133-SG, 2017 WL 771182 (Del. Ch. Feb. 23, 2017). [305] Order Staying Case Pending Entry of Final Judgments in Securities and Customer Class Actions, In re: Yahoo! Inc. Shareholder Derivative Litigation, No. 5:17-cv-00787-LHK (N.D. Cal. Sep. 25, 2017), ECF No. 40. [306]   Order Denying Motion to Dismiss, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Aug. 12, 2016), ECF No. 49. [307]   Matera v. Google Inc., No. 15-CV-04062, 2016 WL 5339806, at *14 (N.D. Cal. Sept. 23, 2016). [308]   Id. [309]   Id. at *16 (“[I]t appears that there is no ‘real and immediate threat of repeated injury in the future.'”). [310]   Stipulation Staying Proceedings, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Nov. 28, 2016), ECF No. 60. [311]   Matera v. Google Inc., 2017 WL 1365021, at *2 (N.D. Cal. 2017). [312]   Id. [313]   Motion for Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Dec. 13, 2016), ECF No. 62. [314]   Id. [315]   Id. [316]   Id. [317]   Motion for Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., 5:15-cv-04062-LHK (N.D. Cal. July 21, 2017), ECF No. 79. [318]   Id. [319]   Order Granting Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., 5:15-cv-04062-LHK (N.D. Cal. Aug. 31, 2017), ECF No. 89. [320]   Amended Complaint, Cooper & Parikh v. 
Slice Technologies, Inc., & UnrollMe Inc. , No. 1:17-cv-07102-JPO (N.D. Cal. July 10, 2017), ECF No. 29. [321]   Id. [322]   Id. [323]   Motion to Dismiss, Cooper & Parikh v. Slice Technologies, Inc., & UnrollMe Inc. , No. 1:17-cv-07102-JPO (N.D. Cal. Oct. 12, 2017), ECF No. 54. [324] 18 U.S.C. § 2511(2)(d). [325] See Ala. Code §§ 13A-11-30(1), 31; Alaska Stat. Ann. §§ 42.20.300(a), 310(a)(1); Ariz. Rev. Stat. Ann. §§ 13-3012(5(c)), (9); Ark. Code Ann. § 5-60-120; Colo. Rev. Stat. Ann. § 18-9-303(1); Conn. Gen. Stat. Ann. §§ 53a-187, -189 but see § 52-570d; D.C. Code Ann. § 23-542(b)(3); Ga. Code Ann. §§ 16-11-62, 66(a); Haw. Rev. Stat. Ann. § 803-42(3)(A); Idaho Code Ann. § 18-6702(2)(d); Ind. Code Ann. § 35-31.5-2-176; Iowa Code Ann. §§ 727.8, 808B.2 (2)(c); Kan. Stat. Ann. § 21-6101; Ky. Rev. Stat. Ann. §§ 526.010, 526.020; La. Stat. Ann. § 15:1303(c)(4); Me. Stat. tit. 15, § 710; Mich. Comp. Laws § 750.539(c) but see Sullivan v. Gray, 324 N.W.2d 58 (Mich. Ct. Ap.. 1982); Minn. Stat. Ann. § 626A.02(d); Miss. Code. Ann. § 41-29-531(e); Mo. Ann. Stat. § 542.402(2)(3); Neb. Rev. Stat. Ann. §§ 86-276, -290(2)(c); N.J. Stat. Ann. §§ 2A:156A-2, -4(d); N.M. Stat. Ann. § 30-12-1(C); N.Y. Penal Law §§ 250.00(1), 250.05; N.C. Gen. Stat. Ann. § 15A-287(a); N.D. Cent. Code Ann. § 12.1-15-02; Ohio Rev. Code Ann. §§ 2933.51, 2933.52(B)(4); Okla. Stat. tit. 13, §§ 176.2, 176.4; Or. Rev. Stat. Ann. §§ 165.535, 165.540; R.I. Gen. Laws Ann. §§ 11-35-21, 12-5.1-1; S.C. Code Ann. §§ 17-30-15, -30; S.D. Codified Laws §§  23A-35A-1, -20; Tenn. Code Ann. §§ 39-13-601, -604, 40-6-303; Tex. Penal Code Ann. § 16.02; Tex. Code Crim. Proc. Ann. art. 18.20; Utah Code Ann. § 77-23a-3, -4; Va. Code Ann. § 19.2-62; W. Va. Code Ann. § 62-1D-3; Wis. Stat. Ann. §§ 968.27, 968.31 but see Wis. Stat. Ann. § 885.365(1) (rendering inadmissible as evidence in civil cases recordings obtained without the consent of all parties); Wyo. Stat. Ann. § 7-3-702. 
Vermont has no applicable statute or definitive cases on consent to record a phone conversation. [326] Cal. Penal Code § 632; Del. Code Ann. tit. 11, § 1335(a)(4) but see § 2402(c)(4); Fla. Stat. § 934.03(3)(d); 720 Ill .Comp. Stat. 5/14-2(a); Md. Code Ann., Cts. & Jud. Proc. § 10-402(c)(3); Mass. Gen. Laws Ann. ch. 272, § 99; Mont. Code Ann. § 45-8-213; Nev. Rev. Stat. Ann. §§ 200.620, 200.650 but see Lane v. Allstate Ins. Co., 969 P.2d 938 (Nev. 1998); N.H. Rev. Stat. Ann. § 570-A:2(I-a); 18 Pa. Stat. and Cons. Stat. Ann. §§ 5702, 5704; Wash. Rev. Code Ann. § 9.73.030. [327] Cal. Penal Code § 630, et seq. [328] See Bona Fide Conglomerate, Inc. v. SourceAmerica , No. 3:14-CV-00751-GPC, 2016 WL 3543699, at *6 (S.D. Cal. June 29, 2016) (citing Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022, 1028 (N.D. Cal. 2011); see also Carrese v. Yes Online Inc., No. 16-CV-05301-SJO, 2016 WL 6069198, at *4 (C.D. Cal. Oct. 13, 2016). [329] Complaint, Wang, et al. v. Wells Fargo Bank, N.A., et al., 1:16-CV-11223 (N.D. Ill. Dec. 9, 2017), ECF No. 1. [330] Brinkley v. Monterey Fin. Servs., Inc. , 873 F.3d 1118, 1122-23 (9th Cir. 2017). [331] 28 U.S.C. § 1332(d)(4)(B). [332] Brinkley , 873 F.3d at 1121-23. [333] Id. [334] Raffin v. Medicredit, Inc. , No. 15-CV-4912, 2017 WL 131745 (C.D. Cal. Jan. 3, 2017). [335] Id. at *1.  § 632 prohibits recordings over landlines. [336] Id. at *3. [337] Id. at *8. [338] See, e.g. , Zaklit v. Nationstar Mortg. LLC, 5:15-CV-2190-CAs, 2017 WL 3174901 (C.D. Cal. July 24, 2017); Ronquillo-Griffin v. Telus Commc’ns, Inc., No. 17-CV-129-JM, 2017 WL 2779329 (S.D. Cal. June 27, 2017). [339]   Compare Raffin, 2017 WL 131745, at *3 with Saulsberry v. Meridian Fin. Servs., Inc., No. 14-CV-6256, 2016 WL 3456939, at *15-16 (C.D. Cal. Apr. 14, 2016). [340]   See Raffin, 2017 WL 131745; Zaklit, 2017 WL 3174901; Reyes v. Educational Credit Mgmt. Corp., No. 15-CV-00628, 2017 WL 4169720 (S.D. Cal. Sept. 20, 2017). 
[341] See Ronquillo Griffin , 2017 WL 2779329, at *3-4; Carrese, 2016 WL 6069198, at *8 n.8 (collecting cases); but see Granina v. Eddie Bauer LLC, No. BC569111, 2015 WL 9855304 (L.A. Cty. Super. Ct. Dec. 2, 2015). [342] People v. Guzman , 217 Cal. Rptr. 3d 509 (Cal. Ct. App. 2017). [343] Cal. Const., art. I, § 28, subd. (f), ¶ (2). [344] Guzman , 217 Cal. Rptr. 3d at 514-19. [345] State v. Smith , No. 1 CA-CR 16-0259 PRPC, 2017 WL 3481244 (Ariz. Ct. App. Aug. 15, 2017). [346] Id. at *4. [347] State v. Smith , 405 P.3d 997 (Wash. 2017). [348] Id. at 1001. [349]   Class Action Settlement Agreement, Opperman et al v. Kong Technologies, Inc. et al., No. 3:13-cv-00453-JST (N.D. Cal, April 3, 2017), ECF No. 884. [350]   Complaint, Opperman et al v. Kong Technologies, Inc. et al., No. 3:13-cv-00453-JST (W.D. Texas Mar. 12, 2012), ECF No. 1. [351]   Class Action Settlement Agreement, supra note 246. [352]   Complaint, In re Vizio, Inc., Consumer Privacy Litig., No. 8:16-ml-02693-JLS-KES (C.D. Cal. Mar. 23, 2017), ECF No. 1. [353]   In re Vizio, Inc., Consumer Privacy Litigation, 238 F.Supp.3d 1204, 1228 (C.D. Cal. 2017). [354]   Second Consolidated Complaint, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal March 23, 2017), ECF No. 136. [355]   Id. [356]   Motion to Dismiss Second Consolidated Complaint and Motion to Strike Class Allegations, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal April 13, 2017), ECF No. 145. [357]   Order Denying Defendants’ Motion to Dismiss and Strike, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal July 25, 2017), ECF No. 199. [358]   Id. [359]   Id. [360]   Id. [361]   Complaint, Satchell v. Signal360, Inc. et al, No. 4:16-cv-04961-JSW (N.D. Cal Aug. 29, 2017), ECF No. 1. [362]   Satchell v. Sonic Notify, Inc., 234 F.Supp.3d 996 (N.D.Cal. 2017). [363]   Id. at 1005-1009. [364]   Amended Complaint, Satchell v. Signal360, Inc. et al, No. 
4:16-cv-04961-JSW (N.D. Cal Mar. 13, 2017), ECF No. 58. [365]   Order Granting In Part and Denying In Part Motions to Dismiss, Satchell v. Sonic Notify, Inc., et al., No. 4:16-cv-04961-JSW (N.D. Cal Nov. 20, 2017), ECF No. 89. [366]   Id. at 10. [367]   Id. at 10-12. [368]   Complaint, Rackemann v. Lisnr, Inc. et al., No. 2:16-cv-01573-AJS (W.D. Penn. Oct. 16, 2016), ECF No. 1. [369]   Rackemann v. LISNR, Inc., 2017 WL 4340349, at *5 (S.D. Ind. 2017). [370]   Id. at *5-8. [371]   Id. at *8. [372]   Id. at *8 (citing Luis v. Zang, 833 F.3d 619, 633 (6th Cir. 2016)). [373]   Id. at *9. [374]   Amended Complaint, Zak v. Bose Corp., No. 1:17-cv-02928 (N.D. Ill. July 10, 2017), ECF No. 24. [375]   Id. [376]   Id. [377]   Id. [378]   Motion to Dismiss Plaintiffs’ Second Amended Complaint, Zak v. Bose Corp., No. 1:17-cv-02928 (N.D. Ill. Aug. 3, 2017), ECF No. 28. [379]   Id. [380]   Complaint, Allen v. Quicken Loans Inc. & Navistone, Inc., No. 2:17-cv-12352-ES-MAH (D. N.J. Dec. 1, 2017), ECF No. 1. [381]   Complaint, Cohen v. Casper Sleep Inc. & Navistone, No. 1:17-cv-09325 (S.D.N.Y. Nov. 28, 2017), ECF No. 1; Complaint, Cohen v. New Moosejaw, LLC & Navistone, No. 1:17-cv-09391 (S.D.N.Y. Nov. 30, 2017), ECF No. 1. [382] 47 U.S.C. §§ 227 et seq. [383] ACA International v. FCC, et al , No. 15-1211 (D.C. Cir. filed July 10, 2015). [384] Rules & Regs. Implementing the Tel. Consumer Prot. Act of 1991, 30 FCC Rcd. 7961, 7975–76 ¶ 19 (2015). [385] Id. at 7989–90 ¶ 47. [386]   Modernizing the Telephone Consumer Protection Act: Hearing Before the Subcomm. on Communications and Technology of the H. Comm. on Energy and Commerce, 114th Cong. 8-9 (2016) (statement of Representative Anna Eshoo). [387] Id. at 3-41 (statement of Subcommittee Chairman Greg Walden). [388]         12 C.F.R. § 1002.16(b). [389] Pet. for Declaratory Ruling of All About The Message, LLC, In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991 , CG Docket No. 20-278 (FCC Mar. 
31, 2017). [390] Eric Zorn, Hang Up Now On The Idea Of ‘Ringless Voicemail’ , Chi. Trib., June 2, 2017, http://www.chicagotribune.com/news/opinion/zorn/ct-ringless-voicemail-20170602-column.html ; Letter from Edward J. Markey et al., U.S. Senate, to Ajit Pai, Chairman of the FCC (June 14, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-345975A4.pdf. [391] What We Do , About the FCC, https://www.fcc.gov/about-fcc/what-we-do (last visited Jan. 22, 2018). [392] Organizational Charts of the Federal Communications Commission, Federal Communications Commission, https://www.fcc.gov/sites/default/files/fccorg-08112017.pdf ; Jim Puzzanghera, Here Are The Five Officials Who Will Decide The Controversial Changes to Net Neutrality Rules , L.A. Times (Nov. 22, 2017), http://www.latimes.com/business/la-fi-net-neutrality-fcc-20171122-htmlstory.html. [393] See, e.g. , Ajit Pai, The FCC Shouldn’t Enable More TCPA Lawsuits, The Daily Caller (June 16, 2015), http://dailycaller.com/2015/06/16/the-fcc-shouldnt-enable-more-tcpa-lawsuits/2/. [394] Yaakov v. FCC , No. 14-1234 (D.C. Cir. Mar. 31, 2017); Statement of FCC Chairman Ajit Pai, FCC News (Mar. 31, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-344186A1.pdf . [395]   Dissenting Statement of Commissioner Pai, Re: In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991 , CG Docket No. 02-278, WC Docket No. 07-135 (FCC July 10, 2015). [396] Krakauer v. Dish Network LLC , No. 1:14-333, 2017 WL 2242952 (M.D.N.C. Oct. 3, 2017). [397] Id. at *12. [398] United States v. Dish Network LLC , 256 F. Supp. 3d 810 (C.D. Ill. June 5, 2017). [399] Id. at 991. [400]   United States v. Dish Network LLC, No. 09-3073-SEM-RSH (C.D. Ill. notice of appeal filed June 16, 2017). [401] Birchmeier v. Caribbean Cruise Line, Inc. , No. 1:12-cv-04069 (N.D. Ill. Mar. 2, 2017). [402] Id. 
[403] See Andrea Peterson, How a Failed Supreme Court Bid Is Still Causing Headaches For Hulu and Netflix, Washington Post (Dec. 27, 2013), available at https://www.washingtonpost.com/news/the-switch/wp/2013/12/27/how-a-failed-supreme-court-bid-is-still-causing-headaches-for-hulu-and-netflix/. [404] 18 U.S. § 2710(b)(1). [405] Eichenberger v. ESPN, Inc. , 876 F.3d 979, 982(9th Cir. 2017). [406] In re Nickelodeon Consumer Privacy Litig. , 827 F.3d 262, 272–75 (3d Cir. 2016);  Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014). [407] See, e.g. , Yershov v. Gannet Satellite Info. Network, Inc., 204 F. Supp. 3d 353, 358-61 (D. Mass. 2016); Boelter v. Advance Magazine Publishers Inc., 210 F. Supp. 3d 579, 590 (S.D.N.Y. 2016); Austin-Spearman v. AMC Network Entm’t LLC, 98 F. Supp. 3d 662, 666 (S.D.N.Y. 2015); In re Hulu Privacy Litig., No. C 11-03764 LB, 2013 WL 6773794, at *5 (N.D. Cal. Dec. 20, 2013); Ellis v. Cartoon Network, Inc., No. 1:14-CV-484-TWT, 2014 WL 5023535, at *2 (N.D. Ga. Oct. 8, 2014), aff’d on other grounds, 803 F.3d 1251 (11th Cir. 2015). [408] Eichenberger , 876 F.3d at 984. [409] Spokeo, Inc. v. Robins , 136 S. Ct. 1540 (2016). [410] Eichenberger , 876 F.3d at 983. [411] Perry v. Cable News , 854 F.3d 1336, 1340-41 (11th Cir. 2017). [412] 18 U.S.C. § 2710(a)(3). [413] Yershov v. Gannett Satellite Information Network Inc. , 820 F.3d 482, 486 (1st Cir. 2016) (emphasis added). [414] Id. [415] In re Nickelodeon Consumer Privacy Litig. , 827 F.3d 262, 290 (3d Cir. 2016) (emphasis added). [416] Id. at 284. [417] C.A.F. v. Viacom, Inc. , 137 S.Ct. 624 (2017). [418] Eichenberger , 876 F.3d at 985. [419] Id . [420] Id . at 986 (quoting Yershov, 820 F.3d at 486); Nickelodeon Consumer Privacy Litig., 827 F.3d at 290. [421] In re Vizio, Inc. Consumer Privacy Litig. , 238 F. Supp. 3d 1204, 1225 (C.D. Cal. 2017). [422] Id . at 1224-25. [423] In re Vizio, Inc. Consumer Privacy Litig. , Case No. 8:16-ml-02693-JLS-KES (C.D. Cal. 
October 13, 2017), Dkt no. 224. [424] Perry , 854 F.3d at 1342. [425] Id. [426] Vizio , 238 F. Supp. 3d at 1223. [427] Id. at 1221-22. [428]   Cal. Civ. Code § 1747.08. [429]   Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). [430]   Medellin v. IKEA U.S.A. W., Inc., 672 F. App’x 782, 783 (9th Cir. 2017), cert. denied, 138 S. Ct. 220 (2017). [431]   Id. (citing Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016)). [432]   IKEA U.S.A. W., Inc. v. Medellin, 138 S. Ct. 220 (2017). [433]   Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317 (Ill. Ct. App. Dec. 21, 2017). [434] H.R. 3388, 115th Cong. (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/3388/text [435] Id ., at § 30130(a)(1)(A). [436] Press Release, U.S. Senate Committee on Commerce, Science and Transportation (Oct. 24, 2017), available at https://www.commerce.senate.gov/public/index.cfm/pressreleases?ID=BA5E2D29-2BF3-4FC7-A79D-58B9E186412C [437] U.S. Senate Committee on Commerce, Science and Transportation, Notice of Hearing ” Driving Automotive Innovation and Federal Policies” on Jan. 24, 2018, available at https://www.commerce.senate.gov/public/index.cfm/hearings?ID=68CDF867-FFB6-425B-BD24-9542E35AC767 [438] Press Release, Federal Trade Commission (Jun. 28, 2017), available at https://www.ftc.gov/news-events/events-calendar/2017/06/connected-cars-privacy-security-issues-related-connected [439] Federal Trade Commission, Acting Chairman’s Opening Remarks, Connected Car Workshop, Jun. 28, 2017, at 5, available at https://www.ftc.gov/system/files/documents/public_statements/1227733/ohlhausen_-_connected_cars_workshop_opening_remarks_6-28-17.pdf [440] Jimmy H. Koo, Regulators, Carmakers Plot Road to Connected Car Privacy, Security , Bloomberg News, Jun. 29, 2017, available at https://www.bna.com/regulators-carmakers-plot-n73014460960/ [441] Flynn v. FCA US LLC , No. 15-cv-00855-MJR-DGW, 2016 WL 5341749, at *1 (S.D. Ill. Sept. 23, 2016). [442] Id . at *2–4. 
[443] Flynn v. FCA US LLC , No. 15-cv-00855-MJR-DGW, 2017 WL 3592040, at *5 (S.D. Ill. Aug. 21, 2017). [444] Plaintiffs’ Motion for Class Certification at 1, Flynn v. FCA US LLC, No. 15-cv-00855-MJR-DGW (S.D. Ill. Oct. 13, 2017), ECF No. 266. [445] See FCA US LLC’s Motion for Summary Judgment and Brief in Support at 1, Flynn v. FCA US LLC, No. 15-cv-00855-MJR-DGW (S.D. Ill. Oct. 5, 2017), ECF No. 256. [446] See Plaintiffs’ Memorandum in Opposition to FCA US LLC’s Motion for Summary Judgment (Filed Under Seal and Redacted in Its Entirety), Flynn v. FCA US LLC, No. 15-cv-008855-MJR-DGW (S.D. Ill. Nov. 6, 2017), ECF No. 278. [447] Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955, 974 (N.D. Cal. 2015). [448] See Cahen v. Toyota Motor Corp. , No. 16-15496, 2017 WL 6525501, at *1 (9th Cir. Dec. 21, 2017).    [449]           Id. [450]   Complaint, Fed. Trade Comm’n v. D-Link Sys., Inc., No. 17-CV-00039-JD (N.D. Cal. Jan. 5, 2017), ECF No. 1. [451] Id . at 5–6, 8, 11–13. [452] Id . at 10–13. [453]   See Fed. Trade Comm’n v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, 2017 WL 4150873, at *1–2 (N.D. Cal. Sept. 19, 2017). [454]   See id. at 6. [455] In re Vizio, Inc., Consumer Privacy Litig. , No. 8:16-ml-02693 (C.D. Cal. Apr. 11, 2016). [456]   Order Denying Defendants’ Motion to Dismiss and Strike, In re: Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal July 25, 2017), ECF No. 199; s ee supra pp. 2, 35-36, 41 and infra p. 46. [457] Siegel v. Samsung Electronics America, Inc. et al ., No. 2:17-cv-01687 (D.N.J. Mar. 10. 2017), ECF. No. 1. [458]   Id., ECF No. 18. [459] In re Sling Media Slingbox , No. 17-1094 (2d. Cir. Apr. 18, 2017). [460] Id. [461] Rushing v. Viacom Inc., No. 3:17-CV-4492 (N.D. Cal. Aug. 7, 2017). [462]   Id., at 20-21. [463]   Id., at 22. 
[464] Press Release, Federal Trade Commission (June 21, 2017), available at https://www.ftc.gov/news-events/blogs/business-blog/2017/06/ftc-updates-coppa-compliance-plan-business [465] Press Release, Federal Trade Commission (Oct. 23, 2017), available at https://www.ftc.gov/system/files/documents/public_statements/1266473/coppa_policy_statement_audiorecordings.pdf [466] Federal Bureau of Investigation, Consumer Notice: Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children (July 17, 2017), available at https://www.ic3.gov/media/2017/170717.aspx . [467]           Internet of Things: Privacy & Security in a Connected World, FTC Staff Report (January 2015), available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf . [468]   Federal Trade Commission, Attorney General of the State of New Jersey v. Vizio Inc. et al, 2:17-cv-00758 (Feb. 6, 2017) [469] The FTC asserted that Vizio violated the unfairness and deception prongs of Section 5 of the FTC Act and that Vizio’s actions caused or were likely to cause “substantial injury” to consumers—a conclusion about which Acting Chair Maureen Ohlhausen expressed skepticism in a concurring statement.  Concurring Statement of Acting Chairman Maureen K. Ohlhausen, In the Matter of Vizio, Inc., Matter No. 1623024 (Feb. 6, 2017) . [470]   Federal Trade Commission, Attorney General of the State of New Jersey v. Vizio Inc. et al , 2:17-cv-00758, at 3 (Feb. 6, 2017). [471] Press Release: ENISA works together with European semiconductor industry on key cybersecurity areas, European Union Agency for Network and Information Security (May 22, 2017), available at https://www.enisa.europa.eu/news/enisa-news/enisa-works-together-with-european-semiconductor-industry-on-key-cybersecurity-areas. [472] Id. 
[473] California Legislative Information, SB-327 Information Privacy: connected devices, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327 . [474] Text of proposed bill available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327 . [475]   Najiyya Budaly, Data Rules to Bring Cyber Insurance Surge, Report Says, Law360 (Dec. 13, 2017), https://www.law360.com/articles/994267/data-rules-to-bring-cyber-insurance-surge-report-says. [476]   Id.; William Shaw, Insurers Urge Leniency On Profiling Under EU Data Laws, Law360 (Dec. 5, 2017), https://www.law360.com/cybersecurity-privacy/articles/991522/insurers-urge-leniency-on-profiling-under-eu-data-laws. [477]   Evan Weinberger, Banks, Insurers Get More Time for NY Cybersecurity Rule, Law360 (Dec. 21, 2016), https://www.law360.com/articles/875764/banks-insurers-get-more-time-for-ny-cybersecurity-rule. [478]   Cybersecurity Legislation 2017, National Conference of State Legislatures (Oct. 30, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx. [479]   Jeff Sistrunk, A Guide to Insurance Coverage for Biometric Privacy Suits, Law360 (Nov. 6, 2017), https://www.law360.com/cybersecurity-privacy/articles/981980/a-guide-to-insurance-coverage-for-biometric-privacy-suits. [480]   See Jeff Sistrunk, Small Cos. Slow To Pick Up Cyberinsurance, Lawmakers Hear, Law360 (July 26, 2017), https://www.law360.com/articles/947964/small-cos-slow-to-pick-up-cyberinsurance-lawmakers-hear. [481]   Budaly, supra note 477. [482]   Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 629 (9th Cir. 2017). [483]   Id. [484]   American Tooling Ctr., Inc. v. Travelers Cas. and Sur. Co. of Am. , No. 16-12108, 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017); Jeff Sistrunk, Travelers Tells 6th Circ. To Uphold Email Scam Coverage Win , Law360 (Dec. 
13, 2017), https://www.law360.com/articles/994258/travelers-tells-6th-circ-to-uphold-email-scam-coverage-win. [485]   American Tooling Ctr., 2017 WL 3263356 at *1. [486]   Sistrunk, supra note 486. [487]   American Tooling Ctr., Inc., 2017 WL 3263356 at *3. [488]   Id. [489]   Id. [490]   Sistrunk, supra note 486. [491]   Medidata Sols., Inc. v. Fed. Ins. Co., No. 15-CV-907 (ALC), 2017 WL 3268529, at *1 (S.D.N.Y. July 21, 2017). [492]   Id. at * 1–2. [493]   Id. at *4. [494]   Id. at *4. [495]   Id. at *6. [496]   Id. at *7. [497]   Id. at *6. [498]   Id. at *5; Universal American Corp. v. National Union Fire Insurance Co ., 37 N.E.3d 78 (N.Y. 2015). [499]   Jeff Sistrunk, Email Scam Not a Covered Fraud, Insurer Org. Tells 2nd Circ. , Law360 (Nov. 29, 2017), https://www.law360.com/articles/989344/email-scam-not-a-covered-fraud-insurer-org-tells-2nd-circ-; See also Posco Daewoo Am. Corp. v. Allinex USA, Inc., No. 17-483, 2017 WL 4922014, at *5–6 (D. N.J. Oct. 31, 2017) (granting defendant’s motion to dismiss on the grounds that an email spoofing scheme and plaintiff’s voluntary wire transfer did not meet the definition of computer fraud). [500]   InComm Holdings, Inc. v. Great Am. Ins. Co., 1:15-cv-2671-WSD, 2017 WL 1021749, at * 1–2 (N.D. Ga. Mar. 16, 2017). [501]   Id. at *6–7. [502]   Id. at *8–9. [503]   Id. at *11. [504]   Spec’s Family Partners, Ltd. v. The Hanover Ins. Co., No. H-16-438, 2017 WL 3278060, at *1 (S.D. Tex. Mar. 15, 2017). [505]   Id. [506]   Id. [507]   Id. at * 4–9. [508]   Id. at *3. [509]   Id. (internal quotation marks omitted). [510]   Id. [511]   Id. [512]   Id.at *4. [513]   Id. at *5. [514]   Id. at *8. [515]   Dave Simpson, Children’s Hospital Sues Insurer for Data Breach Coverage, Law360 (Nov. 20, 2017), https://www.law360.com/cybersecurity-privacy/articles/987237/children-s-hospital-sues-insurer-for-data-breach-coverage. [516]   Id. [517]   Id. [518]   Innovak Int’l, Inc. v. Hanover Ins. Co., No. 
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Alexander Southwell, Joshua Jessen, Caroline Krass, Eric Vandevelde, Ryan Bergsieker, Abbey Barrera, Kamola Kobildjanova, Lindsey Young, Amy Chmielewski, Melissa Goldstein, Alex Murchison, Reid Rector and Ilissa Samplin, with contributions from Angelica Agishi, Jacob Arber, Stephanie Balitzer, Melinda Biancuzzo, Sheli Chabon, Alli Chapin, Soolean Choy, Josiah Clarke, Tim Deal, Amanda George, Zoey Goldnick, Christian Hudson, Jordan Jacobsen, Miranda Lievsay, Ian Long, Cary McClelland, Jon Newmark, Sheri Pan, Nathan Powell, Jacob Rierson, Alon Sachar, Nick Scheiner, Sydney Sherman, Frances Smithson, Sam Spears, Marc Takagaki, Kayla Wieche and Alex Zbrozek.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues.  For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group: United States Alexander H. Southwell – Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com) Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com) M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com) Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com) Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com) Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com) Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com) Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com) Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com) Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com) Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com) Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com) Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com) Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com) Europe Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com) James A. 
Cox – London (+44 (0)207071 4250, jacox@gibsondunn.com) Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com) Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com) Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com) Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com) Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com) Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com) Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com) Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com) Emmanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, ebartoli@gibsondunn.com) Alejandro Guerrero Perez – Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com) Asia Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com) Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com) Questions about SEC disclosure issues concerning data privacy and cybersecurity can also be addressed to the following leaders and members of the Securities Regulation and Corporate Disclosure Group: James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com) Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com) Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 19, 2018 |
2017 Trade Secrets Litigation Round-Up

2017 saw a number of interesting developments in trade secrets law, including the emergence of several trends under the Defend Trade Secrets Act, as courts grappled with the federal civil trade secrets statute enacted just over a year and a half ago.  On the criminal side, we saw the Trump administration aggressively prosecute individuals for trade secret theft and cyberespionage, including an engineer who allegedly sold military trade secrets to an undercover FBI agent whom he believed to be a Russian spy.  We also saw the U.S. Supreme Court deny certiorari in two closely watched trade secrets cases under the Computer Fraud and Abuse Act. Jason Schwartz, Greta Williams, Mia Donnelly and Brittany Raia discuss these and other significant 2017 developments in trade secrets law in their article “2017 Trade Secrets Litigation Round-Up” published in BNA’s Patent, Trademark & Copyright Journal in January 2018. Reprinted with permission from BNA’s Patent, Trademark & Copyright Journal, January 19, 2018.  © 2018, The Bureau of National Affairs, Inc.

January 18, 2018 |
2017 Year-End E-Discovery Update

E-discovery in 2017 featured increasing stability and maturity, due in large part to the continuing impact of the 2015 federal rule amendments addressing sanctions and proportionality. Yet, many challenges remain. Here are some of the highlights from the past year:

Most courts are faithfully applying the requirements of amended Rule 37(e) to sanctions motions, only awarding the most serious sanctions where the responding party destroyed evidence with the intent to deprive, tailoring sanctions to be proportionate to actual prejudice, and denying sanctions where there was no prejudice. Nevertheless, some courts have based their findings of an intent to deprive on inferences drawn from conduct that might reasonably have been interpreted as negligent.

A surprising number of courts continued to analyze spoliation sanctions issues on common law pre-dating the 2015 rule amendments, apparently unaware of amended Rule 37(e) and its requirements. Reliance on courts’ inherent powers to sanction persists—and may even have increased in 2017—despite the statement in the Committee Note that the amendment to Rule 37(e) was intended to foreclose such reliance.

Proportionality continues to gain traction in limiting the scope of discovery.

With respect to possession, custody and control, there continues to be a split in authority between courts applying the legal right test and those applying the practical ability test. Courts in jurisdictions applying the practical ability test are increasingly finding litigants to have control—and therefore preservation obligations—over discoverable information in the possession of non-parties.

Discovery of social media is becoming increasingly commonplace.
Decisions in 2017 reflected that early notions of social media having a “special status” because of privacy concerns (leading to, for example, a requirement of a threshold showing before discovery could be propounded) are giving way to social media being treated no differently from other forms of evidence.

The use of technology assisted review (“TAR”)—also known as predictive coding—to search and review large document populations appears more widespread than in past years, particularly for requesting parties’ review of substantial incoming productions and in symmetrical litigation involving large document volumes, where both sides may want to use TAR.

The consolidation among medium-sized and large e-discovery service providers only seemed to accelerate in 2017. It is not apparent whether this consolidation is fundamentally altering the market for e-discovery services, other than to possibly result in greater stability in the space once all of the M&A dust settles. Local and regional vendors seem to be increasingly squeezed, being acquired or facing stiff competition from large commodity vendors on the one hand, and potentially losing smaller customers to vendors of do-it-yourself online e-discovery software services, on the other hand. Other noteworthy developments in the vendor space have been the challenges posed by mobile devices, social media and ESI stored in the cloud—often requiring advanced tools and significant expertise to collect, process and search—and the more widespread availability of analytics applications that vendors can license and provide to their clients rather than having to develop in-house.

As always, the year was an interesting one for e-discovery. We invite you to read our more detailed analysis and observations below.

Spoliation Sanctions: Rule 37(e) Continues to Have a Substantial Impact

Amended Federal Rule of Civil Procedure 37(e) continues to have a substantial impact on sanctions for failure to preserve ESI.
Most courts are faithfully applying the requirements of amended Rule 37(e) to sanctions motions, only awarding the most serious sanctions where the responding party destroyed evidence with intent to deprive, tailoring sanctions to be proportionate to actual prejudice, and denying sanctions where there was no prejudice. Nevertheless, a surprising number of courts still relied on common law pre-dating the 2015 rule amendments, apparently unaware of amended Rule 37(e) and its requirements.

Intent to Deprive Leads to Most Serious Sanctions

Under amended Rule 37(e), courts can only issue the most serious sanctions—e.g., case terminating sanctions or an adverse inference jury instruction—where a party acted with the intent to deprive another party from using the ESI in the litigation.

In Organik Kimya, San ve Tic. A.S. v. Int’l Trade Comm’n, 848 F.3d 994, 103 (Fed. Cir. 2017), the defendant presented evidence that, days before an investigation was to take place, the plaintiffs intentionally began overwriting their laptops to delete what the court estimated to be hundreds of thousands of relevant files. Applying Rule 37(e), the court found that the plaintiffs acted with intent to deprive and held that a default judgment was appropriate “not merely to penalize those whose conduct may be deemed to warrant such a sanction, but [also] to deter those who might be tempted to such conduct in the absence of such a deterrent.”

In Basra v. Ecklund Logistics, Inc., No. 8:16-cv-832017, WL 1207482, at *1, *4 (D. Neb. Mar. 31, 2017), which arose out of an accident involving two trailer-tractors, the plaintiffs alleged the defendant had intentionally destroyed relevant ESI, including accident logs and reports. The plaintiffs requested an adverse jury instruction and attorneys’ fees. The court found that, “although [the] defendant’s record-keeping [was] less than meticulous,” the plaintiffs did not establish that the defendant had destroyed evidence with an intent to suppress the truth.
The court therefore held that the defendant did “not engage in conduct that would warrant the sanction of an adverse jury instruction for spoliation of evidence,” and did not issue any sanctions. The court did not explicitly reference Rule 37(e), but appeared to apply its requirements.

In Jackson v. Haynes & Haynes, No. 2:16-cv-01297-AKK, 2017 WL 3173302, at *3–4 (N.D. Ala. Jul. 26, 2017), the court found that the plaintiff failed to take reasonable steps to preserve relevant ESI on her smartphone when she relinquished it to her provider after having retained counsel to pursue the litigation. The court denied the defendants’ request for default judgment or an adverse inference jury instruction, however, because the plaintiff had not acted with intent to deprive the defendants of the evidence. The court reasoned that being “negligent and irresponsible in maintaining the information” and “knowing of her obligation to preserve the integrity of the information” are “not sufficient to show an intent to deprive[.]”

Some courts have found an intent to deprive based on inferences drawn from conduct that might reasonably have been interpreted as negligent, at worst. For example, in Moody v. CSX Transp., — F. Supp. 3d —, No. 07-CV-6398 P, 2017 WL 4173358, at *15 (W.D.N.Y. Sept. 21, 2017), a case arising out of a railway accident, the court granted the plaintiff’s motion for an adverse inference instruction where the defendant transferred information from an event data recorder saved on a laptop computer to a central repository, permitted the data on the recorder to be overwritten and recycled the laptop, only to later discover that the data in the repository was unreadable. The court found that the defendant’s conduct supported an inference that it acted with the intent to deprive the plaintiff of the event recorder data.
Actual Prejudice Required

Absent evidence of actual prejudice, courts continued to deny sanctions under amended Rule 37(e)—even in the face of an intentional failure to preserve evidence. For example, in HCC Ins. Holdings, Inc. v. Flowers, No. 1:15-cv-3262-WSD, 2017 WL 393732, at *2-*4 (N.D. Ga. Jan. 30, 2017), the defendant and her husband ran several computer cleaning programs on her personal laptop after a court ordered her to produce her computer. The court concluded that, although the couple’s actions were “troubling, and in breach of [their] duty to preserve,” spoliation sanctions were “not warranted” because the presence of any trade secrets or other information that was relevant to the case was merely “speculati[ve].”

Similarly, in Simon v. City of New York, No. 14-CV-8391-JMF, 2017 WL 57860, at *7 (S.D.N.Y. Jan. 5, 2017), the court refused to impose sanctions against the plaintiff for failing to retain a cell phone video of the events giving rise to an alleged false arrest. The court held there was no prejudice under amended Rule 37(e) because there was no evidence that the video would help the defendants and arguments regarding the contents of the video amounted to “pure speculation.”

In Eshelman v. Puma Biotechnology, Inc., No. 7:16-cv-18-D, 2017 WL 2483800, at *5 (E.D. N.C. June 7, 2017), the plaintiffs sought an adverse inference jury instruction due to the defendant’s failure to preserve internet web browser and search histories relating to an alleged defamatory investor presentation. In refusing to sanction the defendant, the court first noted that, despite the loss of the internet browser history, “other avenues of discovery [were] likely to reveal information about the searches performed.” For example, the defendant could seek such information from people who previously had worked with the plaintiff and assisted her in preparing the investor presentation.
The court also found that the defendant had failed to present any evidence “regarding the particular nature of the missing ESI in order to evaluate the prejudice it [was] being requested to mitigate.” In Crow v. Cosmo Specialty Fibers, Inc., No. 3:15-cv-05665-RJB, 2017 WL 1128505, at *1, *5 (W.D. Wa. Mar. 24, 2017), a court refused to sanction a party under amended Rule 37(e) for its failure to produce an email, where the email was later produced after a more careful search, finding only “meager prejudice.” The moving party was able to conduct several depositions in which it explored topics in the email, and there was no showing that delayed receipt of the email had affected any aspects of the case. In Edelson v. Cheung, No. 2:13-cv-5870 (JLL) (JAD), 2017 WL 150241, at *2-*4 (D. N.J. Jan. 12, 2017), the court awarded an adverse inference jury instruction sanction against the defendant for deleting emails from his personal computer. The plaintiff presented evidence that the defendant had opened a second email account, which he did not disclose even to his own counsel, for the purpose of evading discovery, and then deleted key emails when it was discovered. The plaintiff pointed to an email from the undisclosed account obtained from a third party that stated, “don’t forget to use only gmail account . . . Do not use frontier email. They read everything.” The defendant, for his part, testified that it “didn’t occur” to him to disclose the email account and that he deleted the e-mails because his computer “was running very sluggish” and someone recommended that he delete “certain items” from his computer in order to increase its speed. The court did not find the defendant’s explanation credible.

Remedy Should be No Greater than Necessary to Cure the Prejudice

Pursuant to amended Rule 37(e), courts have continued to order remedies no greater than necessary to cure the prejudice that the moving party suffered.
For example, in Edelson, supra, 2017 WL 150241 at *1, *4, the plaintiff sought a default judgment, or, in the alternative, an adverse inference jury instruction, where the defendant deleted key emails from his personal computer. The court found that the defendant had intentionally deleted the emails in an attempt to deprive the plaintiff of relevant information. Nevertheless, the court held that the plaintiff had “failed to demonstrate that he ha[d] suffered a degree of prejudice that merit[ed] the imposition of a default judgment against [the] defendant.” Other evidence besides the emails at issue was available for use at trial to support the plaintiff’s allegations. Thus, the court adopted the “more appropriate sanction [and] instruct[ed] the jury that it [could] presume the information was unfavorable to [the] defendant.”

Some Courts Still Fail to Apply Amended Rule 37(e)

Despite fairly broad application of amended Rule 37(e) in 2017, a surprising number of courts failed to apply it in spoliation sanctions motions. In many, but not all, of the cases, it nevertheless appears that the sanctions decision would have been the same under Rule 37(e). For example, in Dallas Buyers Club, LLC v. Huszar, No. 3:15–cv–907–AC, 2017 WL 481469 (D. Or. Feb. 6, 2017), the plaintiff claimed that the defendant illegally downloaded its eponymous movie. The defendant denied doing so, and subsequently destroyed his computer’s hard drive. He claimed the computer began exhibiting signs of failure, at which point he took it to a technician and the content was lost. Id. The court found the defendant credible but still issued an adverse inference jury instruction, finding that “although an adverse inference instruction is not as drastic a remedy as a default order, it is still a harsh remedy and will sufficiently compensate for the potential prejudice suffered by [the plaintiff].” Id. The Court did not consider amended Rule 37(e).
Had it done so, the court’s finding that the defendant’s explanation was credible may have precluded a finding of intent to deprive, which would have been necessary to award an adverse inference instruction, and its finding of “potential prejudice” rather than actual prejudice would have been insufficient for any sanction under Rule 37(e). In Redzepagic v. Hammer, No. 14-civ-9808-ER, 2017 WL 780809, at *4, n. 9 (S.D.N.Y. Feb. 27, 2017), the court refused to issue spoliation sanctions for the plaintiff’s deletion of text messages following commencement of the lawsuit, despite the defendant’s argument that a “very strong inference” could be drawn “that the information [the] plaintiff had would support [the] defendant’s position.” Without reference to amended Rule 37(e), the court found that an employee of the defendant had separately preserved the relevant text messages, and the employee voluntarily turned over those texts to the court. The court reasoned that “because these documents were preserved by an employee . . . and were available to both parties in the action, there [was] no reason to infer that the text messages [the plaintiff] deleted would support [the defendant’s] position.” Thus, the court “decline[d] to impose sanctions or grant an adverse inference,” a result that would likely have been the same under Rule 37(e). Brown v. Certain Underwriters at Lloyds, London, No. 16-cv-02737, 2017 WL 2536419, at *2–6 (E.D. Pa. Jun. 12, 2017), arose out of a fire that occurred at plaintiffs’ property. The defendants suspected that the plaintiff was involved in setting the fire. They were interested in examining his cell phone to determine whether it contained any evidence that would tend to corroborate their suspicion. 
A day before the plaintiff was scheduled to produce the contents of his cell phone, he claimed for the first time that he had lost it “months ago.” He provided no details, however, regarding how he lost the phone or his attempts to preserve or recover its contents. The court failed to reference Rule 37(e) and instead relied on common law superseded by the rule. Finding that the defendant’s explanation lacked credibility, the court awarded an adverse inference jury instruction and attorneys’ fees. Finally, in Charles v. City of New York, No. 12-cv-6180 (SLT) (SMG), 2017 WL 530460, at *25-26 (E.D.N.Y. Feb. 8, 2017), a wrongful arrest case, the court declined to apply Rule 37(e) to a video recording on a smart phone. The defendant sought case terminating sanctions because the plaintiff had lost the smart phone on which she recorded video of her interaction with the police. Noting that the smart phone was not the only evidence in the case, and that there was no evidence of intentional destruction, the court refused to issue sanctions, finding that the plaintiff’s actions at most amounted to “mere negligence, not gross negligence.” The court did not apply amended Rule 37(e), reasoning that amended Rule 37(e) only applies to ESI and that neither the phone nor the video constituted ESI.

Inherent Authority: Still Alive

Many had expected that the December 2015 amendment to Rule 37(e) would eliminate courts’ inherent authority to impose sanctions for preservation failures, particularly in light of the statement in the Committee Notes that the amended rule “forecloses reliance on inherent authority or state law to determine when certain measures should be used.” Yet, the language of the amended rule itself did not address the issue. And, barely a month after the amendment’s effective date, Magistrate Judge James C. Francis IV held in Cat 3 LLC v. Black Lineage Inc., 164 F. Supp. 3d 488 (S.D.N.Y. 2016), that if a party’s apparent alteration of e-mails was not sanctionable under amended Rule 37(e), then the court could still impose sanctions pursuant to its inherent authority. Judge Francis subsequently co-authored an article laying out his case for the survival of inherent authority. See Hon. James C. Francis IV & Eric P. Mandel, Limits on Limiting Inherent Authority: Rule 37(e) and the Power to Sanction, The Sedona Conference Journal (Vol. 17, No. 2, p. 613) (2016). Following Judge Francis’ opinion in Cat 3, Judge Paul Grimm, who was a member of the Civil Rules Advisory Committee, stated that “[w]hen the drafters were crafting Rule 37(e), we did so with a desire to occupy the field.” To obtain spoliation sanctions under inherent authority, according to Judge Grimm, you would “have to argue that in some way, the existing Rule is insufficient and you also have to be faithful to the law of inherent authority,” meaning “you would need to show bad faith.” Tera Brostoff, Reports of Death of Inherent Judicial Authority Exaggerated?, Bloomberg BNA Electronic Discovery and E-Evidence (Nov. 15, 2016). Judge Grimm’s statement is reminiscent of the Supreme Court’s statement in Chambers v. NASCO, a key case regarding inherent authority, that courts ordinarily should rely on the Rules in imposing sanctions, but “if in the informed discretion of the court, neither the statute nor the Rules are up to the task,” the court may rely on inherent authority. Similarly, Judge Francis has stated that “[t]he point is, if there is a gap in the rule, then the exercise of inherent power is appropriate[.]” Views from the Bench: Leading Federal Judges in Conversation on EDiscovery and More, 34 (R. Hilson & C. Sullivan eds., 2017). Nevertheless, it appears to be Judge Francis’ view that inherent authority exists even if a matter is covered by Rule 37(e). See id. at 34-35. That view is not shared by all others. See, e.g., id. at 35 (Hon. Frank Maas, ret., quoted as stating “I’m far less sure than Judge Francis is that inherent authority lives on in cases that fall within the four corners of Rule 37(e).”) See also Gareth Evans and Phillip Favro, Unfinished Business: A Holiday Wish List For New E-Discovery Centered FRCP Amendments, LegalTech News (Dec. 15, 2017) (calling for moving to the text of the rule the language in the Rule 37(e) Committee Note foreclosing reliance on inherent authority). In 2017, the Supreme Court addressed courts’ inherent authority to impose discovery-related sanctions in Goodyear Tire & Rubber Co. v. Haeger, __ U.S. __, 137 S.Ct. 1178 (2017). The Court held that sanctions imposed under inherent authority must be compensatory rather than punitive and must have been “causally related to the sanctioned party’s misconduct.” The case did not involve spoliation, however, and the Court did not address whether amended Rule 37(e) forecloses reliance on inherent authority. Thus, it appears unlikely that Goodyear has resolved the issue whether courts may rely on inherent powers in awarding sanctions for a failure to preserve ESI. Meanwhile, some courts continued to rely upon inherent powers in issuing sanctions for preservation failures. In Hsueh v. New York State Dept. of Financial Servs., 15-civ.-3401-PAC, 2017 WL 1194706, at *4, *6 (S.D.N.Y. Mar. 31, 2017), for example, the court found that amended Rule 37(e) did not apply to the destruction of ESI where the party had “intentionally deleted” the information (despite the fact that Rule 37(e) expressly applies where a party acted with intent to deprive). The court stated that “[b]ecause Rule 37(e) does not apply, the Court may rely on its inherent power to control litigation in imposing spoliation sanctions” in granting an adverse inference sanction for spoliation.
The court in Hsueh observed that amended Rule 37(e) is aimed at “serious problems resulting from the continued exponential growth in the volume of ESI as well as excessive effort and money that litigants have had to expend to avoid potential sanctions for failure to preserve ESI.” In this case, the court reasoned, the ESI was not lost on account of “improper systems in place to prevent the loss of the recording” but rather “because she took specific action to delete it.” The court concluded, however, that under either amended Rule 37(e) or the court’s inherent authority an adverse inference and attorneys’ fees were appropriate because (i) the plaintiff was under an obligation to preserve the recording, (ii) there was no doubt the destroyed evidence was relevant to the claims in the case, and (iii) the plaintiff acted in bad faith and with an intent to destroy the ESI. Accordingly, the debate continues over whether inherent authority survives as a basis for spoliation sanctions. At least some of the discussion, however, has shifted to limits on the circumstances under which inherent authority may be invoked (assuming that it can be invoked at all)—for example, that Rule 37(e) must not provide an adequate remedy and bad faith conduct must have been involved. In any event, we doubt that we have heard the last of this issue from courts, commentators and possibly even drafters of future rule amendments.

Proportionality: Alive, and Well

Proportionality as a limit on the scope of discovery continues to gain traction following its incorporation into Rule 26(b)(1)’s definition of the scope of discovery in the 2015 rule amendments. Of particular note in 2017, the Sedona Conference released its Commentary on Proportionality in Electronic Discovery, 18 Sedona Conf. J. 141 (2017), which sets forth six “Principles of Proportionality” pertaining to the amended rule’s proportionality factors and courts’ application of them since the 2015 rule amendments.
These principles consist of the following: (1) “[t]he burdens and costs of preserving relevant electronically stored information should be weighed against the potential value and uniqueness of the information when determining the appropriate scope of preservation;” (2) “[d]iscovery should focus on the needs of the case and generally be obtained from the most convenient, least burdensome, and least expensive sources;” (3) “[u]ndue burden, expense, or delay resulting from a party’s action or inaction should be weighed against that party;” (4) “[t]he application of proportionality should be based on information rather than speculation;” (5) “[n]onmonetary factors should be considered in the proportionality analysis;” and (6) “[t]echnologies to reduce cost and burden should be considered in the proportionality analysis.” The discussion in the Commentary on Proportionality reflects that the evaluation of whether discovery is “proportional to the needs of the case” is highly dependent on the specific facts of any given case, and it is the parties’ burden to provide evidence and educate the court on their specific situation. Additionally, proportionality does not merely involve an analysis of the cost of collection and production compared to the need for the documents—it extends beyond this, taking into account the good faith of the parties, the parties’ comparative access to information, and the importance of the issues. Further, the Commentary advocates that parties work together and utilize appropriate technologies in the discovery process. Judicial decisions in 2017 continued to reflect that proportionality in discovery has gained traction since the 2015 federal rule amendments. In Solo v. United Parcel Service Co., No. 14-12719, 2017 WL 85832 (E.D. Mich., Jan. 10, 2017), for example, the court considered whether UPS should be compelled to produce information stored on backup tapes because its billing system only maintained live data for a short period of time. Id. at *2. UPS submitted a declaration attesting that it would take six months and $120,000 to recover the data from the back-up tapes. The court held that restoring back-up tapes was not proportional to the needs of the case not only because of the expense, but also because the data would only be relevant if the plaintiffs prevailed on certain issues on the merits. In Scott v. Eglin Fed. Credit Union, No. 3:16-CV-719-RV-GRJ2017, 2017 WL 1364600, at *3 (N.D. Fla. Apr. 13, 2017), an employment discrimination case, the defendant (the plaintiff’s former employer) moved to compel the plaintiff’s current employer (a third party) to produce emails and text messages with the plaintiff. Noting that “emails and text messages may be fair game for discovery in most cases,” the court nonetheless denied the motion to compel, explaining “[b]alancing the marginal relevance of information in emails and text messages against the time and expense that would be involved for a small business … in searching cellular telephones, servers and other electronic storage facilities makes little sense and would cause Plaintiff’s current employer to incur an expense that ultimately will have little or no impact on the outcome of this case.” Id. at *3. In Simon v. Northwestern Univ., No. 1:150-CV-01433, 2017 WL 467677 (N.D. Ill. Feb. 3, 2017), the court engaged in a substantial proportionality analysis, including analyzing the importance of the issues (“The court finds the importance of the issues at stake in this action extremely high”); the amount in controversy (“the Court finds this amount to be high as well”); the relative burden on the defendants (the court determined it was high as to the individuals but “relatively low” as to the university); and the parties’ access to relevant information (determining that the university had the greatest access). In Crabtree v. Angie’s List, Inc., No. 1:16-CV-0087-SEP-MJD, 2017 WL 413242, at *3 (S.D. Ind. Jan. 31, 2017), a wages and hours action, the defendant requested a forensic examination of the plaintiffs’ electronic devices to determine how many hours the plaintiffs were working offsite. The court denied the request as not proportional to the needs of the case. Notably, as part of its proportionality analysis, the court considered the plaintiffs’ privacy and security interests. In Gordon v. T.G.R. Logistics, Inc., 321 F.R.D. 401 (D. Wyo. 2017), the defendant moved to compel production of an electronic copy of the “entire Facebook account history” from the plaintiff’s two Facebook accounts on the ground that the information would be relevant to her claims of physical and emotional injury resulting from a motor vehicle accident. The court engaged in a proportionality analysis, stating that “[s]ocial media presents some unique challenges to courts in their efforts to determine the proper scope of discovery of relevant information and maintaining proportionality.” While it is conceivable that almost any post to social media will provide some relevant information concerning a person’s physical and/or emotional health, it also has the potential to disclose more information than has historically occurred in civil litigation.

Possession, Custody or Control: Split in Authority Persists

Whether a party has “possession, custody or control” over relevant and responsive documents—and therefore an obligation to preserve and produce them—continued to be an important issue in 2017. A split in authority has persisted between courts applying the “legal right” test (i.e., finding that a party has control over documents in the possession of others only when it has the legal right to the documents) and those applying the “practical ability” test (i.e., finding that a party has control when it has the practical ability to obtain the documents, even if it does not have a legal right to them). In Parris v. Pappas, No. 3:10-cv-1128 WWE, 2017 WL 3314001, at *2 (D. Conn. Aug. 3, 2017), the court applied the practical ability test in denying a motion to compel the defendant to produce documents in the possession of his girlfriend. The court held that the plaintiff had failed to sustain her burden of establishing that the documents were in the defendant’s possession, custody or control because the defendant attested that he had asked his girlfriend for the documents, but she had refused to provide them. The court noted, however, that the plaintiff could subpoena the documents from the girlfriend pursuant to Rule 45. By contrast, the court in Ronnie Van Zant, Inc. v. Pyle, No. 17 Civ. 3360-RWS, 2017 WL 3721777, at *8-*9 (S.D.N.Y. Aug. 28, 2017), also applying the practical ability test, imposed sanctions on a defendant for its failure to prevent a third-party independent contractor from destroying relevant text messages on his smart phone. The lawsuit arose out of a “blood oath” among the surviving members of the band Lynyrd Skynyrd and the family members of band members who had been killed in a 1977 plane crash that none would seek to profit from the band’s name or story. Despite the oath, which was later reflected in a consent order, the band’s drummer—Artemis Pyle—worked with the defendant film company to produce a film about the band. In the ensuing lawsuit for breach of the consent order, the court awarded an adverse inference jury instruction holding the defendant film company responsible for the failure of the film’s director—an independent contractor—to preserve relevant text messages that were lost when he turned in and upgraded his personal smart phone. The court reasoned not only that the film company had the ability to ensure that the director preserved relevant data on his smart phone, but also that its failure to do so coupled with the director’s actions “evince the kind of deliberate behavior that sanctions are intended to prevent and weigh in favor of an adverse inference.” In Williams v. Angie’s List, No. 1:16-00878-WTL-MJD, 2017 WL 1318419, at *2-*3 (S.D. Ind. April 10, 2017), a wage and hours action, the court applied the legal right test. The plaintiffs—who often worked from home and, accordingly, their hours were not reflected in badge-swipe data—sought from the defendant background data automatically recorded while they were working on Salesforce, a sales platform utilized by the defendant. The court rejected the defendant’s argument that it did not have possession, custody or control of the Salesforce data, citing the defendant’s contractual relationship with Salesforce giving the defendant the right to the data.

Discovery of Social Media Grows Increasingly Commonplace

It is not an overstatement to say that social media has become an integral part of modern life. Social media has played an important role for a number of years in keeping us in touch with friends and family. In recent years, social media applications have also played a prominent role in professional networking and, increasingly, in workplace communications and collaboration. Not surprisingly, therefore, the discovery of social media is also becoming increasingly commonplace. As social media has expanded into many different areas, conceptions of what it exactly is are becoming somewhat blurred. No longer just Facebook, but numerous other social and professional networking and communication applications may be considered social media. The Oxford English Dictionary defines “social media” as “websites and applications used for social networking” and “social network,” in turn, as “the use of dedicated websites and applications to communicate with each other by posting information, comments, messages, images, etc.” See Concise Oxford English Dictionary (12th ed. 2011). Many social media applications have their own direct and group messaging functions, and many instant messaging applications have features that are common to social media.
As social media is becoming ubiquitous, early notions that social media might have a special status because of privacy concerns (leading to, for example, a requirement of a threshold showing before discovery could be propounded) are giving way to social media being treated no differently from other forms of evidence. See, e.g., United States ex rel Reaster v. Dopps Chiropractic Clinic, LLC, No.13-1453-EFM-KGG, 2017 WL 957436, at *1-*2 (D. Kan. Mar. 13, 2017) (“while information on social networking sites is not entitled to special protection, discovery requests seeking this information should be tailored so as not to constitute the proverbial fishing expedition in the hope that there might be something of relevance in the respondent’s social media presence”) (internal quotations and citation omitted). Proportionality and relevance requirements can play a particularly important role in discovery of social media. Because social media accounts usually contain a substantial amount of irrelevant and personal information, courts must balance legitimate rights to discovery against overly broad and intrusive inquiries. See, e.g., Brown v. Ferguson, No. 4:15-cv-0083-ERW, 2017 WL 386544, at *1-*2 (E.D. Mo. Jan. 27, 2017) (rejecting disclosure of social media passwords as constituting unfettered access, but also rejecting a distinction between private messages and public content on Facebook). Gordon v. T.G.R. Logistics, Inc., 321 F.R.D. 401 (D. Wyo. 2017), illustrates the challenge facing courts in determining the appropriate scope of social media discovery. In Gordon, the defendant brought a motion to compel the production of the “entire Facebook account history” of the plaintiff’s two Facebook accounts on the ground that the information would be relevant to her claims of physical and emotional injury resulting from a motor vehicle accident. 
The court engaged in a proportionality analysis, observing that “[s]ocial media presents some unique challenges to courts in their efforts to determine the proper scope of discovery of relevant information and maintaining proportionality.” The court continued that “[w]hile it is conceivable that almost any post to social media will provide some relevant information concerning a person’s physical and/or emotional health, it also has the potential to disclose more information than has historically occurred in civil litigation. While we can debate the wisdom of individuals posting information which has historically been considered private, we must recognize people are providing a great deal of personal information publicly to a very loosely defined group of ‘friends,’ or even the entire public internet.” The court explained that the relative ease and low cost of downloading a user’s Facebook history would not itself resolve the issue. The court observed that, in the past, “[n]o court would have allowed unlimited depositions of every friend, social acquaintance, co-employee or relative of a plaintiff to inquire as to all disclosures, conversations or observations. Now, far more reliable disclosures can be obtained with a simple download of a social media history.” The court reasoned, on the one hand, that even though producing the plaintiff’s Facebook history would involve very little time or expense, it could nevertheless have a very significant impact in generating additional discovery and in lengthening testimony. 
“It’s not difficult to imagine a plaintiff being required to explain every statement contained within a lengthy Facebook history in which he or she expressed some degree of angst or emotional distress or discussing life events which could be conceived to cause emotion upset, but which is extremely personal and embarrassing.” On the other hand, the court recognized that “Defendant has a legitimate interest in discovery which is important to the claims and damages it is being asked to pay. Information in social media which reveals that the plaintiff is lying or exaggerating his or her injuries should not be protected from disclosure. Courts must balance these realities regarding discovery of social media and that is what most of the courts which have addressed this issue have done.” In the end, the court denied the defendant’s request for the entirety of the plaintiff’s Facebook history and instead limited the scope of the discovery to Facebook posts after the accident that relate to the accident and her resulting physical and emotional injuries and any posts relating to other events that could reasonably be expected to result in emotional distress.

Technology Assisted Review: Gaining Strength?

A noticeable practice trend in 2017 has been that the use of technology assisted review (“TAR”)—also known as predictive coding—to search and review large document populations appears to be more widespread than in past years. We are seeing requesting parties more frequently using TAR in their review of substantial incoming productions, where the TAR protocol and training of the TAR tool will not be subject to challenge from the opposing party. We are also seeing TAR used more often in symmetrical litigation, where both sides have large production obligations and both use TAR—or want to have the option to use TAR—in their document search and review process. That is not to say that the use of TAR is commonplace, as many had anticipated would be the case by now.
Rather, within a relatively small slice of litigation matters—those that involve particularly massive amounts of ESI to search and review—it appears that TAR is being used more than in the past. A substantial body of case law has developed regarding issues relating to the use of TAR. See The Sedona Conference TAR Case Law Primer, 18 Sedona Conf. J. 1 (2017). Yet, many issues remain unresolved—except that TAR is generally accepted by the courts as a legitimate search and review methodology. There was a dearth of case law in 2017 involving disputes over TAR, perhaps reflecting that TAR is mostly being used on incoming productions and pursuant to stipulated protocols in symmetrical litigation. The two decisions in 2017 regarding TAR disputes dealt with the extent of transparency required regarding the TAR process and the use of search terms to cull a document population before the use of TAR. In Winfield v. City of New York, No. 15-cv-05236 (S.D.N.Y. Nov. 27, 2017), the plaintiffs argued that the defendant’s TAR model was improperly trained because its reviewers had over-designated documents in the seed and training sets as non-responsive. The plaintiffs argued—and the court agreed—that several inadvertently produced documents designated as non-responsive used to train the TAR model were actually responsive. The plaintiffs sought both to bar the defendant from continuing to use TAR and to require disclosure of information about the TAR process—including the defendant’s coding of seed and training documents, how the defendant trained its document reviewers, and detailed information about the ranking system used in the TAR process (i.e., what relevance score cut-off was used, and how many documents were deemed responsive and unresponsive at each ranking level).
The court referenced Sedona Principle 6, which provides that the producing party is in the best position to “evaluate the procedures, methodologies, and technologies appropriate for preserving and producing their own electronically stored information.” Id., slip op. at 20; see also The Sedona Conference Principles, Third Edition, 19 Sedona Conf. J. 1, 118 et. seq. (forthcoming 2018) (available at www.thesedonaconference.org). The court stated that, “[t]raditionally, courts have not micro-managed parties’ internal review processes for a number of reasons.” Those reasons include that “attorneys, as officers of the court, are expected to comply with Rules 26 and 34 in connection with their search, collection, review and production of documents, including ESI.” Additionally, the court stated that “internal attorney ESI work processes may reveal work product” and noted that “perfection in ESI discovery is not required[.]” Nevertheless, the court asserted, “parties cannot be permitted to jeopardize the integrity of the discovery process by engaging in halfhearted and ineffective efforts to identify and produce relevant documents.” Id., slip op. at 20-21. The court reviewed information about the defendant’s TAR process in camera—including information about the seed and training sets, its training of reviewers, and the validation process the defendant used. The court concluded that “the City’s training and review processes and protocols present no basis for finding that the City engaged in gross negligence in connection with its ESI discovery—far from it.” Id., slip op. at 23. Additionally, with respect to detailed information about the defendant’s TAR process—such as the cut-off used and the number of responsive and unresponsive documents at each ranking level—the court stated that it “views this information as protected by the work product privilege and, accordingly, [it] is not subject to disclosure.” Id., slip op. at 27; see also John M. Facciola and Philip J. 
Favro, Safeguarding the Seed Set: Why Seed Set Documents May Be Entitled to Work Product Protection, 8 Fed. Cts. L. Rev. 1 (Feb. 2015). Nevertheless, because there was some evidence of “human error” in the training process, the court ordered the defendant to provide the plaintiffs, on an attorneys’ eyes only basis, with a random sample of 300 non-privileged documents from the population of documents the TAR process determined to be non-responsive. Id., slip op. at 25-26. The only other reported or widely publicized TAR decision in 2017, FCA US LLC v. Cummins, Inc., No. 16-12883, 2017 WL 2806896, at *1 (E.D. Mich. Mar. 28, 2017), involved a dispute over “whether the universe of electronic material subject to TAR review should first be culled by the use of search terms.” Without any substantive discussion, other than to cite materials that it reviewed, the court stated that “[a]pplying TAR to the universe of electronic material before any keyword search reduces the universe of electronic material is the preferred method.”

E-Discovery Vendor Developments

The consolidation among medium-sized and large e-discovery service providers, usually financed by private equity funding, that has been going on for several years now only seemed to accelerate further in 2017. It is not apparent whether this consolidation is fundamentally altering the market for e-discovery services, other than to possibly result in greater stability in the space once all of the M&A dust settles.
Generally, the market appears to be settling into several different segments: (1) large vendors with a national and often international footprint providing basic, commodity services using mostly standard technologies; (2) medium-sized vendors—also with a national and global footprint—focused on providing both expert e-discovery consulting and professional services as well as standard and more advanced technologies; (3) vendors of “do it yourself” online e-discovery software services (i.e., “SAAS,” aka software as a service), usually targeted at small and medium-sized law firms that now, increasingly, must deal with e-discovery; and (4) traditional local and regional vendors providing basic services, much as they have in the past. The local and regional vendors seem to be increasingly squeezed in this market, either being acquired by or not able to compete with the large vendors providing commodity services. Notably, it appears that there are far fewer new entrants in the e-discovery services market—which used to have relatively low barriers to entry—than in the past. Also, there appears to have been significant maturation of some of the SAAS providers, which appear to be finding a solid niche in a potentially large market segment—small and medium-sized law practices—often not previously serviced by e-discovery providers. Other noteworthy developments in the vendor space have been the challenges posed by mobile devices, social media and ESI stored in the cloud—often requiring advanced tools and significant expertise to collect, process and search—and the more widespread availability of analytics applications that vendors can license and provide to their clients rather than having to develop in-house.

Conclusion

The past year showed once again that e-discovery continues to progress, but also continues to face new and pre-existing challenges. We hope that you found our 2017 Year-End E-Discovery Update informative.
We invite you to review further the many articles, client alerts and updates that our attorneys have published by going to the Gibson Dunn Electronic Discovery Practice Group’s page on the Firm’s website. The following Gibson Dunn lawyers assisted in the preparation of this client update: Gareth Evans, Jennifer Rearden, Heather Richardson, Chelsea Mae Thomas and Natalie Dygert. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. The Electronic Discovery and Information Law practice group brings together lawyers with extensive knowledge of electronic discovery and information law. The group is comprised of seasoned litigators with a breadth of experience who have assisted clients in various industries and in jurisdictions around the world. The group’s lawyers work closely with the firm’s technical specialists to provide cutting-edge legal advice and guidance in this complex and evolving area of law. For further information, please contact the Gibson Dunn lawyer with whom you usually work or the following leaders of the Electronic Discovery and Information Law practice group:
Gareth T. Evans – Orange County (+1 949-451-4330, gevans@gibsondunn.com)
Jennifer H. Rearden – New York (+1 212-351-4057, jrearden@gibsondunn.com)
© 2018 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 7, 2018 |
2017 Year-End German Law Update

Click for PDF “May you live in interesting times” goes the old Chinese proverb, which is not meant for a friend but for an enemy. Whoever expressed such a wish, interesting times have certainly come to pass for the German economy. Germany is an economic giant focused on the export of its sophisticated manufactured goods to the world’s leading markets, but it is also, in some ways, a military dwarf in a third-tier role in the re-sketching of the new world order. Germany’s globally admired engineering know-how and reputation has been severely damaged by the Volkswagen scandal and is structurally challenged by disruptive technologies and regulatory changes that may be calling for the end of the era of internal combustion engines. The top item on Germany’s foreign policy agenda, the further integration of the EU member states into a powerful economic and political union, has for some years now given rise to daily crisis management, first caused by the financial crisis and, since last year, by the uncertainties of BREXIT. As if this was not enough, internal politics is still handling the social integration of more than a million refugees that entered the country in 2015, who rightly expect fair and just treatment, education, medical care and a future. It has been best practice to address such manifold issues with a strong and hands-on government, but – unfortunately – this is also currently missing. While the acting government is doing its best to handle the day-to-day tasks, one should not expect any bold move or strategic initiative before a stable, yet to be negotiated parliamentary coalition majority has installed new leadership, likely again under Angela Merkel. All that will drag well into 2018 and will not make life any easier.
In stark contrast to the difficult situation the EU is facing in light of BREXIT, the single most impactful piece of regulation that will come into effect in May 2018 will be a European Regulation, the General Data Protection Regulation, which will harmonize data protection law across the EU and start a new era of data protection. Because of its broad scope and its extensive extraterritorial reach, combined with onerous penalties for non-compliance, it will open a new chapter in the way companies world-wide have to treat and process personal data. In all other areas of the law, we observe the continuation of a drive towards ever more transparency, whether through the introduction of new transparency registers disclosing relevant ultimate beneficial owner information or misconduct, through obligatory disclosure regimes (in the field of tax law), or through the automatic exchange under the OECD’s Common Reporting Standard of information that hitherto fell under the protection of bank secrecy laws. While all these initiatives are well intentioned, they present formidable challenges for companies to comply with the increased complexity and adequately respond to the increased availability and flow of sensitive information. Even more powerful than the regulatory push is the combination of cyber-attacks, investigative journalism, and social media: within a heartbeat, companies or individuals may find themselves exposed on a global scale to severe allegations or fundamental challenges to the way they did or do business. While this trend is not of a legal nature, but a consequence of how we now communicate and whom we trust (or distrust), for those affected it may have immediate legal implications that are often highly complex and difficult to control and deal with. Interesting times usually are good times for lawyers who are determined to solve problems and tackle issues. This is what we love doing and what Gibson Dunn has done best time and again in the last 125 years.
We therefore remain optimistic, even in view of the rough waters ahead which we and our clients will have to navigate. We want to thank you for your trust in our services in Germany and your business that we enjoy here and world-wide. We do hope that you will gain valuable insights from our Year-End Alert of legal developments in Germany that will help you to successfully focus and resource your projects and investments in Germany in 2018 and beyond; and we promise to be at your side if you need a partner to help you with sound and hands-on legal advice for your business in and with Germany or to help manage challenging or forward-looking issues in the upcoming exciting times.
________________________________
Table of Contents
1. Corporate, M&A
2. Tax
3. Financing and Restructuring
4. Labor and Employment
5. Real Estate
6. Data Protection
7. Compliance
8. Antitrust and Merger Control
________________________________
1. Corporate, M&A
1.1 Corporate, M&A – Transparency Register – New Transparency Obligations on Beneficial Ownership
As part of the implementation of the 4th European Money Laundering Directive into German law, Germany has created a new central electronic register for information about the beneficial owners of legal persons organized under German private law as well as registered partnerships incorporated within Germany. Under the restated German Money Laundering Act (Geldwäschegesetz – GWG) which took effect on June 26, 2017, legal persons of German private law (e.g. capital corporations like stock corporations (AG) or limited liability companies (GmbH), registered associations (eingetragener Verein – e.V.), incorporated foundations (rechtsfähige Stiftungen)) and all registered partnerships (e.g. offene Handelsgesellschaft (OHG), Kommanditgesellschaft (KG) and GmbH & Co.
KG) are now obliged to “obtain, keep on record and keep up to date” certain information about their “beneficial owners” (namely: first and last name, date of birth, place of residence and details of the beneficial interest) and to file the respective information with the transparency register without undue delay (section 20 (1) GWG). A “beneficial owner” in this sense is a natural person who directly or indirectly holds or controls more than 25% of the capital or voting rights, or exercises control in a similar way (section 3 (2) GWG). Special rules apply for registered associations, trusts, non-charitable unregulated associations and similar legal arrangements. “Obtaining” the information does not require the entities to carry out extensive investigations, potentially through multi-national and multi-level chains of companies. It suffices to diligently review the information on record and to have in place appropriate internal structures to enable the entity to make a required filing without undue delay. The duty to keep the information up to date generally requires that the company checks at least on an annual basis whether there have been any changes in its beneficial owners and files an update, if necessary. A filing to the transparency register, however, is not required if the relevant information on the beneficial owner(s) is already contained in certain electronic registers (e.g. the commercial register or the so-called “Unternehmensregister”). This exemption only applies if all relevant data about the beneficial owners is included in the respective documents and the respective registers are still up to date. This essentially requires the obliged entities to diligently review the information available in the respective electronic registers. Furthermore, as a matter of principle, companies listed on a regulated market in the European Union (“EU”) or the European Economic Area (“EEA”) (excluding listings on unregulated markets such as e.g.
the Entry Standard of the Frankfurt Stock Exchange) or on a stock exchange with equivalent transparency obligations with respect to voting rights are never required to make any filings to the transparency register. In order to enable the relevant entity to comply with its obligations, shareholders who qualify as beneficial owners or who are directly controlled by a beneficial owner, irrespective of their place of residence, must provide the relevant entity with the relevant information. If a direct shareholder is only indirectly controlled by a beneficial owner, the beneficial owner himself (and not the direct shareholder) must inform the company and provide it with the necessary information (section 20 (3) sentence 4 GWG). Non-compliance with these filing and information obligations may result in administrative fines of up to EUR 100,000. Serious, repeated or systematic breaches may even trigger sanctions up to the higher fine threshold of EUR 1 million or twice the economic benefit of the breach. The information submitted to the transparency register is not generally freely accessible. There are staggered access rights with only certain public authorities, including the Financial Intelligence Unit, law enforcement and tax authorities, having full access rights. Persons subject to know-your-customer (“KYC”) obligations under the Money Laundering Act such as e.g. financial institutions are only given access to the extent the information is required for them to fulfil their own KYC obligations. Other persons or the general public may only gain access if they can demonstrate a legitimate interest in such information. Going forward, every entity subject to the Money Laundering Act should verify whether it is beneficially owned within the aforementioned sense, and, if so, make the respective filing to the transparency register unless the relevant information is already contained in a public electronic register.
Furthermore, relevant entities should check (at least) annually whether the information on their beneficial owner(s) as filed with the transparency or other public register is still correct. Also, appropriate internal procedures need to be set up to ensure that any relevant information is received by a person in charge of making filings to the registers.
1.2 Corporate, M&A – New CSR Disclosure Obligations for German Public Interest Companies
Effective for fiscal years commencing on or after January 1, 2017, large companies with more than 500 employees are required to include certain non-financial information regarding their management of social and environmental challenges in their annual reporting (“CSR Information”). The new corporate social responsibility reporting rules (“CSR Reporting Rules”) implement the European CSR Directive into German law and are intended to help investors, consumers, policy makers and other stakeholders to evaluate the non-financial performance of large companies and encourage companies to develop a responsible and sustainable approach to business. The CSR Reporting Rules apply to companies with a balance sheet total in excess of EUR 20 million and an annual turnover in excess of EUR 40 million, whose securities (stock or bonds etc.) are listed on a regulated market in the EU or the EEA as well as large banks and large insurance companies. It is estimated that approximately 550 companies in Germany are covered. Exemptions apply to consolidated subsidiaries if the parent company publishes the CSR Information in the group reporting. The CSR Reporting Rules require the relevant companies to report on the policies they implemented, the results of such policies and the business risks in relation to (i) environmental protection, (ii) treatment of employees, (iii) social responsibility, (iv) respect for human rights and (v) anti-corruption and bribery.
In addition, listed stock corporations are also obliged to report with regard to diversity on their company boards. If a company has not implemented any such policy, an explicit and justified disclosure is required (“comply or explain”). Companies must further include significant non-financial performance indicators and must also include information on the amounts reported in this respect in their financial statements. The CSR Information can either be included in the annual report or by way of a separate CSR report, to be published on the company’s website or together with its regular annual report with the German Federal Gazette (Bundesanzeiger). The CSR Reporting Rules will certainly increase the administrative burden placed on companies when preparing their annual reporting documentation. It remains to be seen if the new rules will actually meet the expectations of the European legislator and foster and create a more sustainable approach of large companies to doing business in the future.
1.3 Corporate, M&A – Corporate Governance Code Refines Standards for Compliance, Transparency and Supervisory Board Composition
Since its first publication in 2002, the German Corporate Governance Code (Deutscher Corporate Governance Kodex – DCGK), which contains standards for good and responsible governance for German listed companies, has been revised nearly annually. Even though the DCGK contains only soft law (“comply or explain”) framed in the form of recommendations and suggestions, its regular updates can serve as a barometer for trends in the public discussion and sometimes are also a forerunner for more binding legislative measures in the near future. The main changes in the most recent revision of the DCGK in February 2017 deal with aspects of compliance, transparency and supervisory board composition.
Compliance
The general concept of “compliance” was introduced by the DCGK in 2007.
In this respect, the recent revision of the DCGK brought along two noteworthy new aspects. On the one hand, the DCGK now stresses in its preamble that good governance and management does not only require compliance with the law and internal policies but also ethically sound and responsive behavior (the “reputable businessperson concept”). On the other hand, the DCGK now recommends the introduction of a compliance management system (“CMS”). In keeping with the common principle of individually tailored compliance management systems that take into account the company’s specific risk situation, the DCGK now recommends appropriate measures reflecting the company’s risk situation and disclosing the main features of the CMS publicly, thus enabling investors to make an informed decision on whether the CMS meets their expectations. It is further expressly recommended to provide employees with the opportunity to blow the whistle and also suggested to open up such whistle-blowing programs to third parties.
Supervisory Board
In line with the ongoing international trend of focusing on supervisory board composition, the DCGK now also recommends that the supervisory board not only should determine concrete objectives for its composition, but also develop a tailored skills and expertise profile for the entire board and disclose in the corporate governance report the extent to which such benchmarks and targets have been implemented in practice. In addition, the significance of having sufficient independent members on the supervisory board is emphasized by a new recommendation pursuant to which the supervisory board should disclose the appropriate number of independent supervisory board members as well as the members which meet the “independence” criteria in the corporate governance report.
In accordance with international best practice, it is now also recommended to provide CVs for candidates for the supervisory board including inter alia relevant knowledge, skills and experience and to publish this information on the company’s website. With regard to supervisory board transparency, the DCGK now also recommends that the chairman of the supervisory board should be prepared, within an appropriate framework, to discuss topics relevant to the supervisory board with investors (please see in this regard our 2016 Year-End Alert, section 1.2). These new 2017 recommendations further highlight the significance of compliance and the role of the supervisory board not only for legislators but also for investors and other stakeholders. As soon as the annual declarations of non-conformity (“comply or explain”) are published over the coming weeks and months, it will be possible to assess how well these new recommendations will be received as well as what responses there will be to the planned additional supervisory board transparency (including, in particular, by family-controlled companies with employee co-determination on the supervisory board).
1.4 Corporate, M&A – Employee Co-Determination: No European Extension
As set out in greater detail in past alerts (please see in this regard our 2016 Year-End Alert, section 1.3 with further references), the scope and geographic reach of the German co-determination rules (as set out in the German Co-Determination Act; Mitbestimmungsgesetz – MitbestG and in the One-Third-Participation Act; Drittelbeteiligungsgesetz – DrittelbG) were the subject of several ongoing court cases.
This discussion has been put to rest in 2017 by a decision of the European Court of Justice (ECJ, C-566/15 – July 18, 2017) that held that German co-determination rules and their restriction to German-based employees as the numeric basis for the relevant employee thresholds and as the populace entitled to vote for such co-determined supervisory boards do not infringe the EU law principles of anti-discrimination and freedom of movement. The judgment has been received positively by both German trade unions and corporate players because it preserves the existing German co-determination regime and its traditional, local values against what many commentators would have perceived to be an undue pan-Europeanization of the thresholds and the right to vote for such bodies. In particular, the judgment averts the risk that many supervisory boards would have had to be re-elected based on a pan-European rather than solely German employee base.
1.5 Corporate, M&A – Germany Tightens Rules on Foreign Takeovers
On July 18, 2017, the amended provisions on foreign direct investments under the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung – AWV) came into force, expanding and specifying the right of the Federal Ministry for Economic Affairs and Energy (“Ministry”) to review whether the takeover of domestic companies by investors outside the EU or the European Free Trade Area poses a danger to the public order or security of the Federal Republic of Germany.
The amendment has the following five main effects which will have a considerable impact on the M&A practice: (i) (non-exclusive) standard categories of companies and industries which are relevant to the public order or security for cross-sector review are introduced, (ii) the stricter sector-specific rules for industries of essential security interest (such as defense and IT-security) are expanded and specified, (iii) there is a reporting requirement for all takeovers within the relevant categories, (iv) the time periods for the review process are extended, and (v) there are stricter and more specific restrictions to prevent possible circumventions. Under the new rules, a special review by the German government is possible in cases of foreign takeovers of domestic companies which operate particularly in the following sectors: (i) critical infrastructure amenities, such as the energy, IT and telecommunications, transport, health, water, food and finance/insurance sectors (to the extent they are very important for the functioning of the community), (ii) sector-specific software for the operation of these critical infrastructure amenities, (iii) telecom carriers and surveillance technology and equipment, (iv) cloud computing services and (v) telematics services and components. The stricter sector-specific rules for foreign takeovers within the defense and IT-security industry are also expanded and now also apply to the manufacturers of defense equipment for reconnaissance and support. Furthermore, the reporting requirement no longer applies only to transactions within the defense and IT-security sectors, but also to all foreign takeovers that fall within the newly introduced cross-sector standard categories described above. The time periods allowed for the Ministry to intervene have been extended throughout. 
In particular, if an application for a clearance certificate is filed, the clearance certificate will be deemed granted in the absence of a formal review two months following receipt of the application rather than one month as in the past, and the review periods are suspended if the Ministry conducts negotiations with the parties involved. Further, a review may be commenced until five years after the signing of the purchase agreement, which in practice will likely result in an increase of applications for a clearance certificate in order to obtain more transaction certainty. Finally, the new rules provide for stricter and more specific restrictions on possible circumventions by, for example, the use of so-called “front companies” domiciled in the EU or the European Free Trade Area, and will trigger the Ministry’s right to review if there are indications that an improper structuring or evasive transaction was at least partly chosen to circumvent the review by the Ministry. Although the scope of the German government’s ability to intervene in M&A processes has been expanded where critical industries are concerned, it is not clear yet to what extent stronger interference or more prohibitions or restrictions will actually occur in practice. And even though the new law provides further guidance, there are still areas of legal uncertainty which can have an impact on valuations and third party financing unless a clearance certificate is obtained. Due to the suspension of the review period in the case of negotiations with the Ministry, the review procedure has, at least in theory, no firm time limit. As a result, the M&A advisory practice has to be prepared for a more time-consuming and onerous process for transactions in the critical industries and may thus be forced to allow for more time between signing and closing.
In addition, appropriate termination clauses (and possibly break fees) must be considered for purposes of the share purchase agreement in case a prohibition or restriction of the transaction on the basis of the amended AWV cannot be excluded.
2. Tax
2.1 Tax – Unconstitutionality of German Change-of-Control Rules
Tax loss carry forwards are an important asset in every M&A transaction. Over the past ten years the German change-of-control rules, which limit the use of losses and loss carry forwards (“Losses”) of a German target company, have undergone fundamental legislative changes. The current change-of-control rules may now face another significant revision as – according to the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG) and the Lower Tax Court of Hamburg – the current tax regime of the change-of-control rules violates the constitution. Under the current change-of-control rules, Losses of a German corporation will be forfeited on a pro rata basis if within a period of five years more than 25% but not more than 50% of the shares in the German loss-making corporation are transferred (directly or indirectly) to a new shareholder or group of shareholders with aligned interests. If more than 50% are transferred, Losses will be forfeited in total. There are exceptions to this rule for certain intragroup restructurings, built-in gains and – since 2016 – for business continuations, especially in the venture capital industry. On March 29, 2017, the German Federal Constitutional Court ruled that the pro rata forfeiture of Losses (share transfer of more than 25% but not more than 50%) is not in line with the constitution. The BVerfG held that the provision leads to unequal treatment of companies. The aim of avoiding legal but undesired tax optimizations does not justify the broad and general scope of the provision.
The BVerfG has asked the German legislator to amend the change-of-control rules retroactively for the period from January 1, 2008 until December 31, 2015 and bring them in line with the constitution. The legislative changes need to be finalized by December 31, 2018. Furthermore, in another case on August 29, 2017, the Lower Tax Court of Hamburg held that the change-of-control rules, which result in a full forfeiture of Losses after a transfer of more than 50% of the shares in a German corporation, are also incompatible with the constitution. The ruling is based on the 2008 wording of the change-of-control rules but the wording of these rules is similar to that of the current forfeiture rules. In view of the March 2017 ruling of the Federal Constitutional Court on the pro-rata forfeiture, the Lower Tax Court referred this case also to the Federal Constitutional Court to rule on this issue as well. If the Federal Constitutional Court decides in favor of the taxpayer, the German tax legislator may completely revise the current tax loss limitation regime and limit its scope to, for example, abusive cases. A decision by the Federal Constitutional Court is expected in the course of 2018. Affected market participants are therefore well advised to closely monitor further developments and consider the impact of potential changes on past and future M&A deals with German entities. Appeals against tax assessments should be filed and stays of proceedings applied for by reference to the case before the Federal Constitutional Court in order to benefit from a potential retroactive amendment of the change-of-control rules.
2.2 Tax – New German Tax Disclosure Rules for Tax Planning Schemes
In light of the Panama and Paradise leaks, the respective Finance Ministers of the German federal states (Bundesländer) created a working group in November 2017 to establish how the new EU Disclosure Rules for advisers and taxpayers as published by the European Commission (“Commission”) on July 25, 2017 can be implemented into German law. Within the member states of the EU, mandatory tax disclosure rules for tax planning schemes already exist in the UK, Ireland and Portugal. Under the new EU disclosure rules certain tax planners and advisers (intermediaries) or certain taxpayers themselves must disclose potentially aggressive cross-border tax planning arrangements to the tax authorities in their jurisdiction. This new requirement is a result of the disclosure rules as proposed by the OECD in its Base Erosion and Profit Shifting (BEPS) Action 12 report, among others. The proposal requires tax authorities in the EU to automatically exchange reported information with other tax authorities in the EU. Pursuant to the Commission’s proposal, an “intermediary” is the party responsible for designing, marketing, organizing or managing the implementation of a taxpayer’s reportable cross-border arrangement, while also providing that taxpayer with tax-related services. If there is no intermediary, the proposal requires the taxpayer to report the arrangement directly. This is, for example, the case if the taxpayer designs and implements an arrangement in-house, if the intermediary in question does not have a presence within the EU or in case the intermediary cannot disclose the information because of legal professional privilege. The proposal does not define what “arrangement” or “aggressive” tax planning means but lists characteristics (so-called “hallmarks”) of cross-border tax planning schemes that would strongly indicate whether tax avoidance or abuse occurred.
These hallmarks are either generic or specific. Generic hallmarks include arrangements in which the taxpayer has agreed to a confidentiality provision not to disclose how the arrangement secures a tax advantage, or in which the intermediary is entitled to a fee calculated by reference to the amount of the tax advantage derived from the arrangement. Specific hallmarks include arrangements that create hybrid mismatches or that involve deductible cross-border payments between related parties where the recipient’s jurisdiction of tax residence offers a preferential tax regime. The information to be exchanged includes the identities of the taxpayer and the intermediary, details of the hallmarks, the date of the arrangement, the value of the transactions and the EU member states involved. The implementation of such mandatory disclosure rules for tax planning schemes is heavily debated in Germany, especially among the bar associations. Elements of the Commission’s proposal are regarded as a disproportionate burden on intermediaries and taxpayers in relation to its objective. Further clarity is needed to align the proposal with the general principle of legal certainty. Certain elements of the proposal may contravene EU law or even the German constitution, and the interaction with the duty of professional secrecy of lawyers and tax advisors is also still unclear. Major efforts will therefore be needed by the German legislator to make such a disclosure regime workable for taxpayers and intermediaries as well as for the tax administrations. It remains to be seen how the Commission proposal will be implemented into German law in 2018 and how tax structuring will be affected.

2.3       Tax – Voluntary Self-Disclosure to German Tax Authorities Becomes More Challenging

German tax law allows voluntary self-disclosure to correct or supplement an incorrect or incomplete tax return. A valid self-disclosure precludes criminal liability for tax evasion.
Such exemption from criminal prosecution does not apply, however, if the tax evasion had already been “detected” at the time of the self-disclosure and this was at least foreseeable for the taxpayer. On May 9, 2017, the German Federal Supreme Court (Bundesgerichtshof – BGH) further specified the criteria a voluntary self-disclosure must meet to secure an exemption from criminal prosecution (BGH, 1 StR 265/16 – May 9, 2017). The BGH ruled that the exemption from criminal liability may not apply if a foreign authority had already discovered the non-reported or under-reported amounts prior to the self-disclosure. The case underlying the decision concerned a German employee of a German defense company who had received payments from a Greek business partner but declared neither the payments nor the resulting income in his tax return. The payment was a reward for his contribution to selling weapons to the Greek government. The Greek authorities learned of the payment to the German employee early in 2004 in the course of an anti-bribery investigation and obtained account statements proving the payment through intermediary companies and foreign banks. On January 6, 2014, the German employee filed a voluntary self-disclosure with the German tax authorities declaring the previously omitted payments. The competent German tax authority found that this self-disclosure had not been submitted in time to exempt the employee from criminal liability. The issue in the case was by whom, and at what point in time, the tax evasion needed to have been detected in order to render the self-disclosure invalid. The BGH ruled that the voluntary self-disclosure by the German employee was ineffective because the payment at issue had already been detected by the Greek authorities at the time of the self-disclosure.
In this context, the BGH emphasized that it was not necessary for the competent tax authorities to have detected the tax evasion; it was sufficient that any other authority was aware of it, and the BGH made clear that this includes foreign authorities. A prior detection is relevant if, on the basis of a preliminary assessment of the facts, a conviction is ultimately likely to occur. This requirement is met, for example, if it can be expected that the foreign authority which detected the incorrect, incomplete or omitted fact will forward this information to the German tax authorities, as was the situation in the case before the BGH. In particular, an international assistance procedure was in place between the German and Greek tax authorities, and the way the payments had been made, through intermediaries and foreign banks, made it obvious to the Greek authorities that the relevant amounts had not been declared in Germany. Given the media coverage of the case, this was also at least foreseeable for the German employee. The case is yet another cautionary tale for taxpayers not to underestimate the effects of the increased international cooperation of tax authorities.

3. Financing and Restructuring

3.1       Financing and Restructuring – Upfront Banking Fees Held Void by German Federal Supreme Court

On July 4, 2017, the German Federal Supreme Court (Bundesgerichtshof – BGH) handed down two important rulings on the permissibility of upfront banking fees in loan agreements governed by German law. According to the BGH, boilerplate clauses imposing handling, processing or arrangement fees on borrowers are void if they are included in standard terms and conditions (Allgemeine Geschäftsbedingungen). With these rulings, the court extended its prior case law on consumer loans to commercial loans. The BGH reasoned that clauses imposing a bank’s upfront fee on a borrower fundamentally contradict the concept under German statutory law that the consideration for granting a loan is the payment of interest.
If ancillary pricing arrangements (Preisnebenabreden) pass further costs and expenses on to the borrower, the borrower is unreasonably disadvantaged by the user (Verwender) of the standard business terms, unless the additional consideration is agreed for specific services that go beyond the mere granting of the loan and its handling, processing or arrangement. In the cases at hand, the borrowers were accordingly awarded repayment of the relevant fees. The implications of these rulings for the German loan market are far-reaching. The rulings affect all types of upfront fees for a lender’s services that are routinely passed on to borrowers even though they would otherwise be owed by the lender pursuant to statutory law, a regulatory regime or a contract, or that are performed in the lender’s own interest. Consequently, this covers fees imposed on the borrower for the risk assessment (Bonitätsprüfung), the valuation of collateral, expenses for gathering information to assess a borrower’s financing requirements, and the like. At this stage, it is not yet certain whether, for example, agency fees or syndication fees are also covered by the decision. There are, however, good arguments that services rendered in connection with a syndication are not otherwise legally or contractually owed by a lender. Upfront fees paid in 2015 or later can be reclaimed by borrowers. The BGH applied the general statutory three-year limitation period and held that the limitation period commenced at the end of 2011, after Higher District Courts (Oberlandesgerichte) had held upfront banking fees void in deviation from previous rulings. From that time onward, borrowers should have been aware that a repayment claim for such fees was possible and could have filed a court action, even though the enforcement of the repayment was not risk-free.
Going forward, it can be expected that lenders will need to modify their approach as a result of the rulings. Choosing a foreign (i.e. non-German) law for a separate fee agreement could be an option for lenders, at least if either the lender or the borrower is domiciled in the relevant jurisdiction or if there is some other connection to the jurisdiction of the chosen law. If the loan is granted by a German lender to a German borrower, the choice of foreign law would generally also be recognized, but under EU conflict-of-law provisions mandatory domestic law (such as the German law on standard terms) would likely continue to apply. In response to the rulings, lenders are also considering alternative fee structures. Firstly, the relevant costs and expenses underlying such fees can be factored into the calculation of the interest, with the borrower then given the option to choose between an upfront fee and a (higher) margin. This may not always be practical, however, in particular because a loan may be refinanced before it generates the equivalent interest income. Secondly, a fee could be agreed in a separate fee letter which specifically sets out services that go beyond the typical services a bank renders in its own interest. It may, however, be difficult to identify services which actually justify a fee. Finally, a lender might charge typical upfront fees following genuine individual negotiations. This requires the lender to show not only that it was willing to negotiate the amount of the relevant fee, but also that it was generally willing to forego the typical upfront fee entirely. If the borrower rejects the upfront fee, the lender will still need to rely on alternative fee arrangements. Further guidance from the courts and the development of market practice should be closely monitored by lenders and borrowers alike.
3.2       Financing and Restructuring – Lingering Uncertainty about Tax Relief for Restructuring Profits

Ever since the German Federal Ministry of Finance issued an administrative order in 2003 (“Restructuring Order”), the restructuring of distressed companies has benefited from relief from income tax on “restructuring profits”. In Germany, restructuring profits arise as a consequence of debt-to-equity swaps or debt waivers with regard to the portion of the debt that is unsustainable. Debtors and creditors typically ensured the application of the Restructuring Order by way of a binding advance tax ruling from the tax authorities, thus providing legal certainty for the parties involved in distressed debt scenarios. In November 2016, however, the German Federal Tax Court (Bundesfinanzhof – BFH) put an end to this preferential treatment of restructuring profits. The BFH held the Restructuring Order to be void, reasoning that the Federal Ministry of Finance lacked the authority to issue it and that such a measure would need to be adopted by the German legislator instead. The Ministry of Finance and the German restructuring market reacted with concern. As an immediate response to the ruling, the Ministry of Finance issued a further order on April 27, 2017 (“Continuation Order”) to the effect that the Restructuring Order continued to apply in all cases in which creditors had finally and with binding effect waived claims on or before February 8, 2017 (the date on which the ruling of the Federal Tax Court was published). But the battle continued: in August 2017, the Federal Tax Court also set aside this order for lack of authority on the part of the Federal Ministry of Finance.
In the meantime, the German Bundestag and the Bundesrat have passed legislation on tax relief for restructuring profits, but this legislation will only enter into force once the European Commission issues a certificate of non-objection confirming that the new German statutory tax relief complies with EU restrictions on state aid. This leaves uncertainty as to whether, and when, the new law will enter into force in its current wording. In addition, the new legislation only covers debt waivers and restructuring profits arising after February 8, 2017 and, at this stage, does not provide for the treatment of earlier cases. In the absence of the 2003 Restructuring Order and the 2017 Continuation Order, tax relief would only be possible on the basis of equitable relief in exceptional circumstances. It is obvious that no reliable restructuring concept can be based on potential equitable relief. It is therefore advisable to consider alternative structuring options in the interim:

Subordination of debt: while this may eliminate the insolvency filing requirement for illiquidity or over-indebtedness, the debt continues to exist. This may make it difficult for the debtor to obtain financing in the future. In certain circumstances, a carve-out of the assets together with a sustainable portion of the debt into a new vehicle, while leaving behind and subordinating the remaining unsustainable portion of the debt, could be a feasible option. As the debt subsists, a silent liquidation of the debtor may not be possible in view of the lingering tax burden on restructuring profits. In addition, any such carve-out by which the debtor is stripped of assets may be challenged in a later insolvency of the debtor.

Debt hive-up: a debt hive-up without recourse may be a possible option, but a shareholder or its affiliates are not always willing to assume the debt.
Furthermore, as the tax authorities have not issued any guidance on the tax treatment of debt hive-ups, a binding advance tax ruling should be obtained before a debt hive-up is executed. Still, a debt hive-up could be an option if the replacement debtor is domiciled in a jurisdiction which does not impose detrimental tax consequences on the waiver of unsustainable debt.

Hybrid instruments: converting the debt into a hybrid instrument which constitutes debt for German tax purposes and equity from a German GAAP perspective is no longer feasible. Pursuant to a tax decree of May 2016, the tax authorities take the position that the creation of such a hybrid instrument amounts to a taxable waiver of debt, on the basis that tax accounting follows commercial accounting.

It follows that, irrespective of potential alternative structures which may suit a specific set of facts and circumstances, restructuring transactions in Germany remain challenging pending the entry into force of the new tax relief legislation.

4. Labor and Employment

4.1       Labor and Employment – Defined Contribution Schemes Now Allowed

In an effort to promote company pension schemes and to allow more flexible investments, the German Company Pension Act (Betriebsrentengesetz – BetrAVG) was amended considerably with effect from January 1, 2018. The most salient novelty is the introduction of a purely defined contribution pension scheme, which had not been permitted in the past. Until now, the employer was always ultimately liable for any company pension scheme, irrespective of the vehicle through which it was administered. This is no longer the case with the newly introduced defined contribution scheme. The defined contribution scheme also brings considerable other relief for employers: for example, pension adjustment obligations and the requirement of insolvency insurance no longer apply.
As a consequence, a company offering a defined contribution pension scheme does not have to deal with the intricacies of providing a suitable investment to fulfil its pension promise, but will have met its pension obligation simply by paying the promised contribution (“pay and forget”). However, the introduction of such a defined contribution scheme requires a legal basis either in a collective bargaining agreement (with a trade union) or, if the union agreement so allows, in a works council agreement. Where these requirements are met, the new legal situation brings relief not only for employers offering company pension schemes but also for potential investors in German businesses, for whom the German-specific defined benefit schemes have always been a considerable burden.

4.2       Labor and Employment – Federal Labor Court Facilitates Compliance Investigations

In a decision much acclaimed by the business community, the German Federal Labor Court (Bundesarbeitsgericht – BAG) held that intrusive investigative measures by companies against their employees do not necessarily require a suspicion that an employee has committed a criminal act; less severe forms of misconduct can also trigger compliance investigations against employees (BAG, 2 AZR 597/16 – June 29, 2017). In the case at hand, an employee had taken sick leave but, during his sick leave, worked for the company owned by his sons, which happened to compete with his employer. After customers had dropped corresponding hints, the employer engaged a detective to ascertain the employee’s violation of his contractual duties and subsequently dismissed the employee on the basis of the detective’s findings. In the dismissal protection proceedings, the employee argued that German law only permitted such intrusive investigative measures if criminal acts were suspected. The BAG rejected this restriction.
This judgment ends a heated debate about the permissibility of internal investigation measures in the case of compliance violations. However, employers should always adhere to a last-resort principle when investigating possible violations. For instance, employees must not be seamlessly monitored at their workplace by way of a so-called keylogger, as the Federal Labor Court held in a different decision (BAG, 2 AZR 681/16 – July 27, 2017). Employers should also keep in mind a recent ruling of the European Court of Human Rights of September 5, 2017 (ECHR, 61496/08): the workforce should be informed in advance whether, and how, their email correspondence at the workplace may be monitored.

5. Real Estate

Real Estate – Invalidity of Written Form Remediation Clauses for Long-term Lease Agreements

On September 27, 2017, the German Federal Supreme Court (Bundesgerichtshof – BGH) ruled that so-called written form remediation clauses (Schriftformheilungsklauseln) in lease agreements are invalid because they are incompatible with the mandatory provisions of section 550 of the German Civil Code (Bürgerliches Gesetzbuch – BGB; BGH, XII ZR 114/16 – September 27, 2017). The written form requirement for lease agreements means that all material agreements concerning the lease, in particular the lease term, the identification of the leased premises and the rent amount, must be made in writing. If a lease agreement entered into for a period of more than one year does not comply with this written form requirement, mandatory German law allows either party to terminate the lease agreement with the statutory notice period, irrespective of whether a fixed lease term was agreed. The statutory notice period for commercial lease agreements is six months (less three business days) to the end of a calendar quarter.
To avoid the risk of termination for non-compliance with the written form requirement, German commercial lease agreements regularly contain a general written form remediation clause, under which the parties undertake to remediate any defect in the written form upon request of either party. While such general written form remediation clauses were upheld in several decisions of various Higher District Courts (Oberlandesgerichte) in the past, the BGH had already rejected the validity of such clauses vis-à-vis purchasers of real property in 2014. With this new decision, the BGH has gone one step further and denied the validity of general written form remediation clauses altogether. Only in exceptional circumstances are the lease parties barred, under the principle of good faith, from invoking non-compliance with the written form requirement. Such exceptional circumstances may exist, for example, if the other party would face insolvency were the lease terminated early as a result of the non-compliance, or if the lease parties had agreed in the lease agreement to remediate that specific written form defect. This new decision forces the parties to long-term commercial lease agreements to put even greater emphasis on ensuring that their lease agreements comply with the written form requirement at all times, because remediation clauses no longer serve as a second line of defense. Likewise, the due diligence process in German real estate transactions will have to focus even more on the compliance of lease agreements with the written form requirement.

6.  Data Protection

Data Protection – Employee Data Protection Under New EU Regulation

After a two-year transition period, the EU General Data Protection Regulation (“GDPR”) will apply from May 25, 2018.
The GDPR has several implications for the data protection law covering German employees, which is already very strictly regulated. For example, under the GDPR any handling of personnel data by the employer requires a legal basis. In addition to statutory law or collective agreements, a possible legal basis is the employee’s explicit written consent. Transfers of personnel data to a country outside the European Union (“EU”) will have to comply with the requirements prescribed by the GDPR. If the EU Commission has not recognized the target country as providing an adequate level of data protection, additional safeguards will be required to protect the personnel data upon transfer outside the EU; otherwise, a data transfer is generally not permitted. The most threatening consequence of the GDPR is the introduction of a new sanctions regime, which allows fines against companies of up to EUR 20 million or 4% of the entire group’s worldwide annual turnover, whichever is higher. Consequently, these new features, and especially the drastic new sanctions regime, call for an assessment of, and adequate changes to, existing compliance management systems with regard to data protection.

7. Compliance

7.1       Compliance – Misalignment of International Sanction Regimes Requires Enhanced Attention to the EU Blocking Regulation and the German Anti-Boycott Provisions

The Trump administration has been very active in broadening the scope and reach of the U.S. sanctions regime, most recently with the enactment of the Countering America’s Adversaries Through Sanctions Act (H.R. 3364) (“CAATSA”) on August 2, 2017 and the guidance documents that followed. CAATSA includes significant new law codifying and expanding U.S. sanctions on Russia, North Korea and Iran. The European Union (“EU”) has not followed suit. On the contrary, the EU and European leaders have openly stated their frustration both about a perceived lack of consultation during the process and about the substance of the new U.S. sanctions.
Specifically, the EU and European leaders are concerned that CAATSA authorizes secondary sanctions on any person supporting a range of activities, among them the development of Russian energy export pipeline projects, certain transactions with the Russian intelligence or defense sectors, and investing in or otherwise facilitating privatizations of Russian state-owned assets that unjustly benefit Russian officials or their close associates or family members. The U.S. sanctions regime differentiates between primary sanctions, which apply to U.S. persons (U.S. citizens, permanent U.S. residents and companies under U.S. jurisdiction) and U.S.-origin goods, and secondary sanctions, which expand the reach of U.S. sanctions by penalizing non-U.S. persons for their involvement in certain targeted activities. Secondary sanctions can take many forms but generally operate by restricting, or threatening to restrict, a non-U.S. person’s access to the U.S. market, including its global financial institutions. European, and especially export-heavy and internationally operating German, companies are thus facing a dilemma. While they have to fear possible U.S. secondary sanctions for not complying with U.S. regulations, potential penalties from European member state authorities loom if they do comply. These problems are rooted in European and German legislation aimed at protecting against, and counteracting, financial and economic sanctions issued by countries outside the EU and Germany, unless such sanctions are themselves authorized under the relevant UN, European and German sanctions legislation. At the European level, Council Regulation (EC) No 2271/96 of 22 November 1996, as amended (“EU Blocking Regulation”), is aimed at protecting European persons against the effects of the extra-territorial application of laws such as certain U.S. sanctions directed at Cuba, Iran and Libya.
Furthermore, it aims to counteract the effects of the extra-territorial application of such sanctions by prohibiting European persons from complying with any requirement or prohibition, including requests of foreign courts, based on or resulting, directly or indirectly, from such U.S. sanctions. For companies subject to German jurisdiction, section 7 of the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung – AWV) states that “[t]he issuing of a declaration in foreign trade and payments transactions whereby a resident participates in a boycott against another country (boycott declaration) shall be prohibited”, to the extent that such a declaration would contradict UN, EU and German policy. With the U.S. sanctions regime on the one hand and the blocking legislation at EU and German level on the other, committing to full compliance with U.S. sanctions while falling within German jurisdiction could be deemed a violation of the AWV. Violating the AWV can lead to fines imposed by the German authorities and, under German civil law, might render the relevant contractual provision invalid. For companies conducting business transactions on a global scale, the developing non-alignment of U.S. and European/German sanctions requires special attention. Specifically, covenants concerning compliance with U.S. or other non-EU sanctions should be reviewed and carefully drafted in light of the diverging developments of U.S. and other non-EU sanctions on the one hand and European/German sanctions on the other.

7.2       Compliance – Restated (Anti-) Money Laundering Act – Significant New Requirements for the Non-Financial Sector and Goods Traders

On June 26, 2017, the restated German Money Laundering Act (Geldwäschegesetz – GWG), which transposes the 4th European Anti-Money Laundering Directive (Directive (EU) 2015/849 of the European Parliament and of the Council) into German law, became effective.
While the scope of businesses that are required to conduct anti-money laundering procedures remains generally unchanged, the GWG introduces a number of new requirements, in particular for non-financial businesses, and significantly increases the sanctions for non-compliance with these obligations. The GWG now extends anti-money laundering (“AML”) risk management concepts previously known from the financial sector to non-financial businesses, including goods traders. As a matter of principle, all obliged businesses are now required to prepare a written risk analysis for their business and to have in place internal risk management procedures, proportionate to the type and scope of the business and the risks involved, in order to effectively mitigate and manage the risks of money laundering and terrorist financing. If the obliged business is the parent company of a group, a group-wide risk analysis and group-wide risk management procedures are required, covering subsidiaries worldwide that also engage in relevant businesses. The risk analysis must be reviewed regularly, updated where required and submitted to the supervisory authority upon request. Internal risk management procedures include, in particular, client due diligence (“know-your-customer”), which requires the identification and verification of customers, of persons acting on behalf of customers and of the beneficial owners of the customer (see also section 1.1 above on the Transparency Register). In addition, staff must be vetted for their reliability and trained regularly on the methods and types of money laundering and terrorist financing, on the applicable legal obligations under the GWG and on data protection law, and whistle-blowing systems must be implemented.
Furthermore, businesses in the financial and insurance sectors as well as providers of gambling services must appoint a money laundering officer (“MLO”) at senior management level, together with a deputy, who are responsible for ensuring compliance with the AML rules. Other businesses may also be ordered by their supervisory authority to appoint an MLO and a deputy. Goods traders, including conventional industrial companies, are subject to the AML requirements under the GWG irrespective of the type of goods they trade in. However, some of the requirements either do not apply to them or are significantly eased. Goods traders must only conduct a risk analysis and have internal AML risk management procedures in place if they accept or, notably, also make cash payments of EUR 10,000 or more. Furthermore, client due diligence is only required for transactions in which they make or accept cash payments of EUR 10,000 or more, or where there is a suspicion of money laundering or terrorist financing. Suspicious transactions must be reported to the Financial Intelligence Unit (“FIU”) without undue delay. As a result, even low-cash or cash-free goods traders are well advised to train their staff to detect suspicious transactions, and to have appropriate documentation and reporting lines in place, so that suspicious transactions are actually reported to the FIU. Non-compliance with the GWG obligations can be punished with administrative fines of up to EUR 100,000. Serious, repeated or systematic breaches may trigger fines of up to the higher of EUR 1 million or twice the economic benefit derived from the breach. For the financial sector, even higher fines of up to the higher of EUR 5 million or 10% of total annual turnover are possible. Furthermore, the relevant supervisory authorities will publish the names of offenders (“naming and shaming”).
Relevant non-financial businesses are thus well advised to review their existing AML compliance systems to ensure that the new requirements are covered. For goods traders, prohibiting cash transactions of EUR 10,000 or more, and implementing appropriate safeguards to ensure that the threshold is not circumvented by splitting a transaction into several smaller sums, is a first and vital step. Furthermore, holding companies, i.e. businesses that mainly acquire and hold participations (e.g. certain private equity companies), must keep in mind that enterprises qualifying as a “finance enterprise” within the meaning of section 1 (3) of the German Banking Act (Kreditwesengesetz – KWG) are subject to the GWG without any exemptions.

7.3       Compliance – Protection of the Attorney Client Privilege in Germany Remains Unusual

The constitutional complaint (Verfassungsbeschwerde) brought by Volkswagen AG’s external legal counsel, requesting the return of work product prepared during the internal investigation for Volkswagen AG, remains pending before the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG). The Munich public prosecutors had seized these documents in a dawn raid of the law firm’s offices. While the BVerfG has granted injunctive relief (BVerfG, 2 BvR 1287/17, 2 BvR 1583/17 – July 25, 2017) and ordered the authorities to refrain from reviewing the seized material pending a decision on the merits, the case is a timely reminder that the concept of attorney client privilege in Germany is very different from that in common law jurisdictions. In a nutshell: in-house lawyers do not enjoy legal privilege, and material that would otherwise be privileged can be seized on the client’s premises, with the exception of correspondence with, and work product from or for, criminal defense counsel.
The German courts are divided on whether corporate clients can appoint criminal defense counsel as soon as they are concerned that they may become the target of a future criminal investigation, or only once they have formally been made the subject of such an investigation. Searches and seizures at a law firm, however, are a different matter. A couple of years ago, the German legislator amended the German Code of Criminal Procedure (Strafprozessordnung – StPO) to give attorneys in general, not only criminal defense counsel, more protection against investigative measures (section 160a StPO). Despite this legislation, the first and second instance judges involved in the matter decided in favor of the prosecutors. As noted above, the German Federal Constitutional Court has put an end to this, at least for now. According to the court, the complaints of the external legal counsel and its clients were not “obviously without any merit” and therefore had to be considered in proceedings on the merits. In order not to moot these proceedings, the court ordered the prosecutors to desist from reviewing the seized material and placed it under seal until a full decision on the merits is available. In the interim, the interest of the external legal counsel and its clients in protecting the privilege outweighed the public interest in a speedy criminal investigation. At this stage, it is unclear when and how the court will decide on the merits.

7.4 Compliance – The European Public Prosecutor’s Office Will Be Established – Eventually

After approximately four years of discussions, 20 of the 28 EU member states agreed in June 2017 on the creation of a European Public Prosecutor’s Office (“EPPO”). In October 2017, the participating member states adopted the corresponding regulation (Regulation (EU) 2017/1939 – “Regulation”).
The EPPO will be in charge of investigating, prosecuting and bringing to justice the perpetrators of offences against the EU’s financial interests. The EPPO is intended to be a decentralized authority which operates via, and on the basis of, European Delegated Prosecutors located in each participating member state. The central office in Luxembourg will have a European Chief Prosecutor supported by 20 European Prosecutors, as well as technical and investigatory staff.

While EU officials praise the Regulation as an “important step in European justice cooperation”, it remains to be seen whether it really is a measure which ensures that “criminals [who] act across borders […] are brought to justice and […] taxpayers’ money is recovered” (U. Reinsalu, Estonian Minister of Justice). It will take until at least 2020 before the EPPO is established, and criminals will certainly not restrict their activities to the territories of the 20 countries which will cooperate under the new authority (being: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Germany, Greece, Finland, France, Italy, Latvia, Lithuania, Luxembourg, Portugal, Romania, Slovenia, Slovakia and Spain). In addition, as the national sovereignty of the EU member states in judicial matters remains completely intact, the EPPO will not truly investigate “on the ground”, but will mainly assume a coordinating role. Last but not least, its jurisdiction will be limited to “offences against the EU’s financial interests”, in particular criminal VAT evasion, subsidy fraud and corruption involving EU officials. Strong enforcement, at least prima facie, looks different. To end on a positive note, however: the new body is certainly an improvement on the status quo, in which the local prosecutors of 28 member states often lack coordination and team spirit.
7.5 Compliance – Court Allows for Reduced Fines in Compliance Defense Case

The German Federal Supreme Court (Bundesgerichtshof – BGH) handed down a decision recognizing for the first time that a company’s implementation of a compliance management system (“CMS”) constitutes a mitigating factor in the assessment of fines imposed on the company where violations committed by its employees are imputed to it (BGH 1 StR 265/16 – May 9, 2017). According to the BGH, not only the compliance management system in place at the time the offense was detected should be considered; the court may also take into account a company’s subsequent efforts to enhance the internal processes that were found to be deficient. The BGH held that such remediation measures can be considered as a mitigating factor when assessing the amount of fines if they are suitable to “substantially prevent an equivalent violation in the future.”

The BGH’s ruling has finally clarified the highest German criminal court’s view on a long-standing discussion about whether establishing and maintaining a CMS may limit a company’s liability for legal infringements. The recognition of a company’s efforts to establish, maintain and improve an effective CMS should encourage companies to continue working on their compliance culture, processes and systems. Similarly, management’s efforts to establish, maintain and enhance a CMS, and to conduct timely remediation upon becoming aware of deficiencies in the CMS, may become relevant factors when assessing the potential civil liability exposure of corporate executives pursuant to section 43 of the German Limited Liability Companies Act (Gesetz betreffend die Gesellschaften mit beschränkter Haftung – GmbHG) and section 93 of the German Stock Corporation Act (Aktiengesetz – AktG). Consequently, the implications of this landmark decision are important both for corporations and for their senior executives.

8. Antitrust and Merger Control

In 2017, the German Federal Cartel Office (Bundeskartellamt – BKartA) examined about 1,300 merger filings, imposed fines of approximately EUR 60 million on companies for cartel agreements and conducted several infringement proceedings. On June 9, 2017, the ninth amendment to the German Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen – GWB) came into force. The most important changes concern the implementation of the European Damages Directive (Directive 2014/104/EU of the European Parliament and of the Council of November 26, 2014), but a new merger control threshold was also introduced.

Implementation of the European Damages Directive

The amendment introduced various procedural facilitations for claimants in civil cartel damage proceedings. There is now a rebuttable presumption in favor of cartel victims that a cartel caused damage. However, the claimant still bears the burden of proof as to whether it was actually affected by the cartel and as to the amount of damages attributable to the infringement, both of which are often difficult to establish. The passing-on defense as implemented allows indirect customers to claim that they suffered damage from the cartel, even though they were not direct customers of the cartel members, because the intermediary was presumably able to pass on the cartel overcharge to its own customers (the claimants). The underlying rebuttable presumption that overcharges were passed on is not available in the relationship between the cartel member and its direct customer, because the passing-on defense must not benefit the cartel members. In deviation from the general principles of German civil procedure, under which each party has to produce the evidence for the facts it relies on, the GWB amendment has significantly broadened the scope for requesting disclosure of documents.
The right to request disclosure from the opposing party now to a certain degree resembles discovery proceedings in Anglo-American jurisdictions and has therefore been referred to as “discovery light”. However, the documents still need to be identified as precisely as possible, and the request must be reasonable, i.e., it must not place an undue burden on the opposing party. Documents can also be requested from third parties. Leniency applications and settlement documents are not captured by the disclosure provisions. Furthermore, certain exceptions to the principle of joint and several liability of cartelists for damage claims were implemented in relation to (i) internal recourse against small and medium-sized enterprises, (ii) leniency applicants, and (iii) settlements between cartelists and claimants. In the latter case, non-settling cartelists may not recover contribution for the remaining claim from settling cartelists. Finally, the regular limitation period for antitrust damages claims has been extended from three to five years.

Cartel Enforcement and Corporate Liability

Parent companies can now also be held liable under the GWB for their subsidiaries’ anti-competitive conduct even if they were not party to the infringement themselves. The crucial factor, comparable to existing European practice, is the exercise of decisive influence. Furthermore, universal legal successors and economic successors of the infringer can also be held liable for cartel fines. This prevents companies from escaping cartel fines by restructuring their business.

Publicity

The Bundeskartellamt has further been assigned the duty to inform the public about decisions on cartel fines by publishing details of such decisions on its website.
Taking into account recent efforts to establish a competition register for public procurement procedures, companies will face increased public attention for competition law infringements, which may result in infringers being barred from public or private contracting.

Whistleblower Hotline

Following the example of the Bundeskartellamt and other antitrust authorities, the European Commission (“Commission”) has implemented a whistleblowing mailbox. The IT-based system, operated by an external service provider, allows anonymous tips to, or bilateral exchanges with, the Commission, in particular to strengthen its cartel enforcement activities. The hope is that the whistleblower hotline will add to the Commission’s enforcement strength and balance out a potential decrease in leniency applications, as companies applying for leniency increasingly face the risk of private cartel damage litigation once the cartel has been disclosed.

Merger Control Thresholds

To provide for control over transactions that do not meet the existing turnover thresholds but may nevertheless have a significant impact on the domestic market (in particular in the digital economy), a “size of transaction test” was implemented: mergers with a purchase price or other consideration in excess of EUR 400 million now require approval by the Bundeskartellamt if the parties’ combined worldwide turnover exceeds EUR 500 million, one party achieves domestic turnover of more than EUR 25 million, and neither the target nor any other party achieves domestic turnover of more than EUR 5 million (otherwise the regular turnover thresholds apply). Austria has established a similar threshold (EUR 200 million consideration plus domestic turnover of at least EUR 15 million). The concept of ministerial approval (Ministererlaubnis), i.e., an extra-judicial instrument allowing the Federal Minister of Economic Affairs to exceptionally approve mergers prohibited by the Bundeskartellamt, has been reformed to accelerate the process and put it on a firmer footing.
In May 2017, the Bundeskartellamt published guidance on remedies in merger control, making the assessment of commitments more transparent. Remedies such as conditions (Bedingungen) and obligations (Auflagen) can facilitate clearance of a merger even where the merger would otherwise fulfil the requirements for a prohibition. The English version of the guidance is available at: http://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Leitlinien/Guidance%20on%20Remedies%20in%20Merger%20Control.html

Case Law

Finally, on January 26, 2017, the Higher Regional Court of Düsseldorf handed down a noteworthy decision (OLG Düsseldorf, V-4 Kart 4/15 OWi – January 26, 2017; not yet final): the court confirmed a decision of the Bundeskartellamt that had imposed fines on several sweets manufacturers for exchanging competitively sensitive information, and even increased the fines. The case demonstrates the different approach taken by the courts in calculating cartel fines, which is based on group turnover rather than on revenues achieved in the German market.

The following Gibson Dunn lawyers assisted in preparing this client update: Birgit Friedl, Marcus Geiss, Jutta Otto, Silke Beiter, Peter Decker, Ferdinand Fromholzer, Daniel Gebauer, Kai Gesing, Franziska Gruber, Johanna Hauser, Maximilian Hoffmann, Markus Nauheim, Richard Roeder, Katharina Saulich, Martin Schmid, Sebastian Schoon, Benno Schwarz, Michael Walther, Finn Zeidler, Mark Zimmer and Caroline Ziser Smith.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. The two German offices of Gibson Dunn in Munich and Frankfurt bring together lawyers with extensive knowledge of corporate / M&A, financing, restructuring and bankruptcy, tax, labor, real estate, antitrust and intellectual property law, as well as extensive compliance / white collar crime experience.
The German offices are comprised of seasoned lawyers with a breadth of experience who have assisted clients in various industries and in jurisdictions around the world. Our German lawyers work closely with the firm’s practice groups in other jurisdictions to provide cutting-edge legal advice and guidance in the most complex transactions and legal matters. For further information, please contact the Gibson Dunn lawyer with whom you work or any of the following members of the German offices:

General Corporate, Corporate Transactions and Capital Markets
Lutz Englisch (+49 89 189 33 150, lenglisch@gibsondunn.com)
Markus Nauheim (+49 89 189 33 122, mnauheim@gibsondunn.com)
Ferdinand Fromholzer (+49 89 189 33 170, ffromholzer@gibsondunn.com)
Dirk Oberbracht (+49 69 247 411 510, doberbracht@gibsondunn.com)
Wilhelm Reinhardt (+49 69 247 411 520, wreinhardt@gibsondunn.com)
Birgit Friedl (+49 89 189 33 180, bfriedl@gibsondunn.com)
Silke Beiter (+49 89 189 33 170, sbeiter@gibsondunn.com)
Marcus Geiss (+49 89 189 33 122, mgeiss@gibsondunn.com)
Annekatrin Pelster (+49 69 247 411 521, apelster@gibsondunn.com)

Finance, Restructuring and Insolvency
Sebastian Schoon (+49 89 189 33 160, sschoon@gibsondunn.com)
Birgit Friedl (+49 89 189 33 180, bfriedl@gibsondunn.com)
Marcus Geiss (+49 89 189 33 122, mgeiss@gibsondunn.com)

Tax
Hans Martin Schmid (+49 89 189 33 110, mschmid@gibsondunn.com)

Labor Law
Mark Zimmer (+49 89 189 33 130, mzimmer@gibsondunn.com)

Real Estate
Peter Decker (+49 89 189 33 115, pdecker@gibsondunn.com)
Daniel Gebauer (+49 89 189 33 115, dgebauer@gibsondunn.com)

Technology Transactions / Intellectual Property / Data Privacy
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Kai Gesing (+49 89 189 33 180, kgesing@gibsondunn.com)

Corporate Compliance / White Collar Matters
Benno Schwarz (+49 89 189 33 110, bschwarz@gibsondunn.com)
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Mark Zimmer (+49 89 189 33 130, mzimmer@gibsondunn.com)
Finn Zeidler (+49 69 247 411 530, fzeidler@gibsondunn.com)

Antitrust and Merger Control
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Kai Gesing (+49 89 189 33 180, kgesing@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP, 333 South Grand Avenue, Los Angeles, CA 90071

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.