CURRENT MONTH (January 2020)
Cybersecurity
FTC Issues “New and Improved” Data-Security Orders
By Tim Wolfe, University of Washington School of Law
The FTC has made “significant improvements” to its data-security orders, according to a January 2020 blog post. The changes follow FTC Hearing #9: Data Security in December 2018, which addressed possible improvements to the FTC’s data-security orders, and the 11th Circuit’s 2018 decision in LabMD v. Federal Trade Commission, which found an FTC-proposed order was unenforceable for its “indeterminable standard of reasonableness.” The FTC referenced seven orders announced in 2019 that reflect these changes: ClixSense, i-Dressup, DealerBuilt, D-Link, Equifax, Retina-X, and Infotrax.
The orders move away from a reasonableness standard and provide specific procedures the companies must put into place to maintain compliance. They also increase third-party assessor accountability by mandating that assessors identify and disclose to the FTC specific evidence to support their findings. The FTC is granted the authority to approve and re-approve assessors every two years, with the ability to withhold approval and force the companies to hire a different assessor. Finally, the governing body of the companies must be presented with and approve a written information-security program every year. By requiring the approval of senior management under oath, the FTC expects “better year-round governance and controls.”
OCIE Releases Cybersecurity Observations
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission recently published Cybersecurity and Resiliency Observations. The publication notes that the OCIE has seen a variety of practices and approaches for addressing cybersecurity based on its examinations of thousands of different types of SEC registrants. While not an official rule or statement of the SEC, the observations are intended to “assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” The brochure discusses observations concerning topics like governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and security-awareness training.
Maryland Court Requires Insurer to Cover Ransomware Losses
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. District Court for the District of Maryland recently held that an insurance company had to cover losses that an embroidery and screen-printing business suffered from a 2016 ransomware attack. National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Co., No. SAG-18-2138 (D. Md. Jan. 23, 2020).
The attack left National Ink and Stitch, LLC, unable to access certain software, even after paying the demanded ransom. The company had to replace and reinstall its software, and add protective software that caused its system to run slowly.
State Auto Property and Casualty Insurance Company denied coverage for the costs to replace National Ink’s entire computer system, on the grounds that the company suffered loss only to intangible data and not a physical loss of the system. The court disagreed, finding that the policy covered a loss of data and software. Alternatively, the court held that National Stitch could recover for the impaired functionality of its computer system, because nothing in the policy required a complete disability for coverage. Accordingly, the court granted summary judgment on liability in favor of National Stitch and denied the insurer’s competing motion.
Electronic Contracting
Pennsylvania Court Rejects Uber’s Bid to Enforce Arbitration Terms
By John E. Ottaviani, Partridge Snow & Hahn LLP
A Pennsylvania state court recently found that Uber failed to enter into an enforceable agreement with a user, either when she initially signed up for the ride-share service on her mobile phone, or when Uber tried to subsequently update the terms. The case illustrates the dangers in not having a sign-up process that obtains explicit consent, and in trying to modify terms and conditions without obtaining explicit consent.
In Kemenosh v. Uber Technologies, Inc., No. 181102703 (C.P. Phila. Co. Jan. 3, 2020), the plaintiff alleged that she suffered severe personal injuries when her Uber driver ran a red light and crashed into another vehicle. Uber moved to compel arbitration, based on both an arbitration clause in its terms and conditions when the plaintiff created her account and on subsequent modifications to those terms purportedly sent by email several years later.
After reviewing screenshots of the sign-up process when the plaintiff created her account, the court found that the screens did not properly communicate an offer to arbitrate under Pennsylvania law. In doing so, the decision rejected the “conspicuous” standard used by the First Circuit in Cullinane v. Uber Techs., Inc., 893 F.3d 53 (1st Cir. 2018) and by the Second Circuit in Meyer v. Uber Techs., Inc., 868 F.3d 66 (2d Cir. 2017) because that analysis previously had been rejected by the Pennsylvania Supreme Court. The sign-up process used the words “by creating an Uber account you are agreeing to the Terms of Service and Privacy Policy,” where the words “Terms of Service and Privacy Policy” had a hyperlink that would display the terms of service (including an arbitration clause) when clicked. However, Uber’s sign-up process did not contain a “check-box” to confirm that the user had read the terms and conditions, did not require the user to click on the hyperlink to complete the registration process, did not use the typical blue underlined text for the hyperlink, and did not even suggest that the user read the terms. The court felt that the words “by creating an Uber account you are agreeing to the Terms of Service and Privacy Policy” only conveyed the message that by creating an Uber account, one is agreeing to pay money in exchange for transportation, and to the terms of a privacy policy. Under Pennsylvania law, the deficiency in Uber’s registration process was not the inconspicuousness of the arbitration provision, but rather Uber’s failure to adequately communicate an offer to arbitrate in a definite manner, to create a meeting of the minds.
Similarly, the court rejected Uber’s argument that its subsequent attempt to update its terms created a binding agreement to arbitrate. Several years later, Uber sent an email which linked to new “U.S. Terms of Use,” which also contained an arbitration clause. The email stated that Uber had revised its arbitration agreement and advised that “[i]f you use our app or other services … you’re confirming you’ve read and agree to the updated terms.” The court found there was a significant factual dispute about whether the plaintiff received the email, such that Uber had failed to prove that the email constituted an offer to arbitrate.
E-Commerce
E-Commerce Sales Hit Record High, Jump Nearly 19% During 2019 Holiday Season
By John E. Ottaviani, Partridge Snow & Hahn LLP
Despite a shorter holiday season, U.S. shoppers spent 3.4% more this holiday season than in 2018, according to a survey by Mastercard SpendingPulse. But online sales during this period jumped 18.8%, a record high, exceeding the 18.4% increase the year before.
The survey, which measured shopping from November 1 through December 24, 2019, demonstrates the continuing change in how U.S. consumers shop. Online shopping sales made up 14.6% of total retail spending during the 2019 holiday period. In contrast, the SpendingPulse survey found a 1.8% decline in sales at brick-and-mortar department stores. In addition, the online sales of those stores only grew 6.9% over the prior holiday season.
Other facts and figures from the SpendingPulse report show the increasing importance of online sales and omni-channel offerings:
- Two days—Black Friday (15.4%) and Cyber Monday (24.5%)—accounted for nearly 40% of overall retail spending during the holiday season.
- Sales of apparel increased 1% overall, but online sales of apparel increased 17% compared to 2018.
- Similarly, jewelry sales grew 1.8% overall, but online sales grew 8.8% over the prior year.