CURRENT MONTH (January 2019)
Data Privacy
Magistrate Rejects Warrant Compelling Fingerprint Swiping to Unlock Device
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
A California magistrate recently held that the government cannot compel a person to unlock a digital device using a finger swipe or other biometric features without violating the Fifth Amendment to the U.S. Constitution. In In re Search of a Residence in Oakland, CA, No. 4-19-70053 (N.D. Cal. Jan. 10, 2019), Magistrate Judge Kandis A. Westmore denied a search warrant application that targeted two individuals believed to be involved in extortion using Facebook Messenger. The warrant sought authority to search various items, including mobile telephones, and to compel any person present to press a finger or use other biometric features to unlock digital devices and permit a search of their contents. The court held that the latter request was overbroad and violated the Fifth Amendment’s privilege against self-incrimination, noting that technology outpaces the law and digital devices provide access to a trove of records. Case law has established that one cannot be compelled to provide a passcode because it is a testimonial communication. Likewise, the court found that because biometric features are the functional equivalent of a passcode, a person cannot be compelled to provide biometric features to unlock a device.
GDPR Article 32 Obligations and the UK Information Commissioners Guidance on Encryption
By Valerie Surgenor, MacRoberts LLP
The UK Information Commissioners (UK ICO), which is the Data Protection supervisory authority in the UK, has recently updated its GDPR Guidance to give advice on compliance and use of encryption to protect personal data from unauthorised or unlawful processing.
The UK ICO highlights some important considerations. Whilst the UK ICO believes that encryption is a beneficial safeguard in the majority of cases, the UK ICO emphasises that it is not the only technical and organisational security measure, highlighting that whilst encryption covers the transmission of the data, there needs to be more consideration of control of it, following receipt. The ICO recommends, that in seeking to answer the question as to whether the use of encryption is “an appropriate and effective response” to the risk posed to the particular organisation, a first step in determining this is by carrying out a Data Protection Impact Assessment (DPIA).A DPIA is a process to help organisations identify and minimise the data protection risks of a project.
By carrying out a DPIA, organisations can better identify what data they do and do not need to process for each particular project and its purpose. The UK ICO believes that this will provide a trail which documents the decisions and reasoning behind, “processing certain data, the reasons for processing and can ensure that you are only using the minimum personal data necessary for the purpose.”
Illinois Supreme Court Upholds Biometric Privacy Information Act
By Alan S. Wernick, Esq., Wernick & Associates, Ltd., Contributing Editor, Internet Law and Cybersecurity
The Illinois Supreme Court recently ruled that a failure to follow the requirements of the Illinois Biometric Privacy Information Act (740 ILCS 14/1 et seq.) (“BIPA”) is sufficient to find liability without needing a separate finding of actual injury. BIPA imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information. In Rosenbach v Six Flags Entertainment Corporation, 2019 IL 123186 (January 25, 2019) the defendant collected fingerprint scans from people purchasing annual park passes. The Illinois Supreme Court held “…an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the [Biometric Privacy Information] Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” The Supreme court reversed the Appellate court and remanded the case for further proceedings.
Wendy’s Data Breach Shareholders Derivative Action Moves Forward
By Alan S. Wernick, Esq., Wernick & Associates, Ltd., Contributing Editor, Internet Law and Cybersecurity
From October 2015 through June 2016 The Wendy’s Company (“Wendy’s”) experienced a data breach that allegedly compromised customers’ personal and financial information during the period that resulted in, among other things, the In Re Wendy’s Company Shareholder Derivative Action. Recently, the U.S. District Court in Ohio was asked (1) to select a Lead Counsel to represent the plaintiffs in the consolidated action from two consolidated cases involving two separate shareholder derivative lawsuits against Wendy’s, and (2) consider a motion for a preliminary settlement approval. On December 17, 2018, (2018 WL 6605394) the Court selected a Lead Counsel from the cases’ counsels ordering that they file a consolidated complaint or designate one of the competing complaints as the operative pleading, and denied the motion for settlement approval as premature since the Court was seeking additional information in order to determine whether the proposed settlement merits preliminary and/or final approval.
Digital Currency
DC Gets Council to Study Feasibility of a Regulatory Sandbox
By Stephen T. Middlebrook, Womble Bond Dickinson
On January 23, 2019, the Mayor of DC created a 21-member District of Columbia Financial Services Regulatory Sandbox and Innovation Council to study the feasibility of developing a “regulatory sandbox” that would enable businesses to test innovative products for financial services without incurring all the normal regulatory consequences of engaging in the proposed activity. Regulatory sandboxes are a becoming a popular way for state and local legislatures to show they are supportive of new businesses in blockchain, digital currency and other spaces.
PA Says Virtual Currency Exchanges Do Not Need Money Transmission Licenses
By Stephen T. Middlebrook, Womble Bond Dickinson
The Pennsylvania Department of Banking and Securities issued guidance that virtual currency exchanges operating in the state do not need money transmitter licenses because virtual currency isn’t money and the exchanges don’t handle fiat currency. Similarly, virtual currency ATMs which exchange fiat for virtual currency or virtual currency for fiat also do not need licenses because there is not transmission to a third party. The guidance is a little over a page long and provides very little analysis or explanation.
Report Concludes Central Banks Are Intrigued by but Wary of Digital Currency
By Stephen T. Middlebrook, Womble Bond Dickinson
The Bank of Internal Settlements issued a report on a survey of 63 central banks serving 80% of the world’s population to find out what they think about issuing digital currencies. While a majority of banks were investigating digital currencies, most were proceeding cautiously. Only a limited number were engaging in pilot projects.
Money Laundering in Popular Online Game
By Stephen T. Middlebrook, Womble Bond Dickinson
Fortnite, the massively popular online video game introduced by Epic Games in 2017, reportedly had 200 million players worldwide in 2018. One news outlet reports that some of those players are apparently using the in-game virtual currency to launder money. Starting with stolen credit cards, these bad guys buy the in-game currency and then sell it at a discount on the black market or use it buy in-game weapons and other items which are then resold on eBay and other marketplaces.
