CURRENT MONTH (February 2018)
Data Privacy
Ninth Circuit Finds Overly Revealing Receipt Not Enough for Statutory Damages
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Court of Appeals for the Ninth Circuit has joined the Second and Seventh Circuits in applying Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (U.S. 2016), for Article III standing purposes. In Bassett v. ABM Parking Servs., Inc., No. 16-35933 (9th Cir. Feb. 21, 2018), the court of appeals found that more than an increased risk of identity theft was needed to establish a concrete injury sufficient to recover statutory damages under the Fair Credit Reporting Act (FCRA). The court of appeals affirmed the lower court’s dismissal of plaintiff Steven Bassett’s putative class action against a parking service that he claimed violated the FCRA by printing the expiration date of his credit card on a receipt. Bassett did not allege that another copy of the receipt existed, that the receipt was lost or stolen, that anyone other than his lawyers had seen it, or that he had suffered identity theft. Accordingly, the court of appeals analogized the “overly revealing credit card receipt unseen by others and unused by identity thieves” to the proverbial tree falling in the woods with no one around (and declined to answer whether anyone hears it).
Pennsylvania High Court Strikes Down Warrantless Cell-Phone Search
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The Pennsylvania Supreme Court has struck down a murder conviction that rested on a warrantless cell-phone search. Pennsylvania v. Fulton, No. 3EAP2017 (Pa. Feb. 21, 2018). While investigating a 2010 shooting death, the Philadelphia police obtained several flip-type cell phones, powered them up to determine the numbers they were connected to, reviewed the call logs, and monitored the incoming calls and text messages. The police then used that information to locate other evidence and witnesses for the prosecution to obtain a conviction against I. Dean Fulton. On appeal, the supreme court strictly applied Riley v. California, 134 S. Ct. 2473 (U.S. 2014), which analogized the breadth and sensitivity of information available on a cell phone to that of one’s home. Holding that Riley required a warrant to search the phones, the court found that all evidence obtained pursuant to the warrantless search was acquired in violation of the Fourth Amendment and the Pennsylvania Constitution, and thus had to be suppressed.
Second Circuit Finds Right to Privacy in Medical Records
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Court of Appeals for the Second Circuit has concluded that individuals have a right to privacy in their medical records even if there are no stigmatizing details in those records. Hancock v. County of Rensselaer, No. 16-2888 (2d Cir. Feb. 9, 2018). After being notified that their medical records may have been compromised, several county jail employees sued their employer. Allegedly, a jail supervisor had inspected the employees’ medical records to verify that employees were not abusing the county’s sick-leave policy. The supervisor reportedly obtained access by using a password belonging to a jail-employed nurse who had access to the medical records of the local hospital, which was the primary health-care provider to the community, including the jail and its employees. The U.S. District Court for the Northern District of New York had concluded the jail employees failed to establish a constitutionally protected right to privacy because their records contained no medical condition that could be used to discriminate against them. In reversing, the court of appeals held that an individual has a Fourteenth Amendment right to privacy in personal information about one’s body regardless of whether the information indicates any serious medical conditions; to hold otherwise would provide no protection from arbitrary government intrusions.
E-Commerce
Montana and New York Fight Back Against Net Neutrality Repeal
By Sherri Marie Carr, The S. M. Carr Law Firm, Ltd. Co.
In January 2018, the governors of Montana and New York each signed executive orders to fight back against the Federal Communications Commission (FCC) vote on December 14, 2017, to repeal Net Neutrality. Montana Executive Order 3-2018, which became effective immediately, provides that after July 1, 2018, service providers seeking a contract with the State of Montana must not engage in paid prioritization, block lawful content, unreasonably interfere with an end user’s internet experience, or impair lawful internet use, among other things. New York Executive Order 175 provides that “Affected State Entities [will] only enter into contracts with ISPs that adhere to net neutrality principles and [the purpose of the Executive Order is] to ensure that internet services provided to Affected State Entities include net neutrality protections, and specifically state that ISPs may not block lawful content, applications, services, non-harmful devices, or applications that compete with other services provided by the ISP.” The New York order applies to any contract or renewal dated March 1, 2018, or thereafter.
International Law
Australian Notifiable Data Breaches Scheme Takes Effect
By Heidi A. Kuffel, Skarzynski Black LLC
As of February 22, 2018, the Notifiable Data Breaches Scheme, which was established through the Privacy Amendment Act 2017, is applicable to organizations and agencies that have obligations relating to the security of personal information under the Australian Privacy Act of 1988. The Scheme mandates notification to the Australian Information Commissioner, as well as to individuals who may be seriously harmed by their involvement in a personal information data breach. It also imposes an obligation of notification detail, including a description of the breach, the types of information involved, and recommended responsive actions. In order to comply with the notification requirements, agencies and organizations will need to quickly assess if a data breach will result in serious harm.
