CURRENT MONTH (January 2021)
FTC Announces Proposed Settlement with Everalbum for Deceptive Facial Recognition Policies
Patrick McKnight, Klehr Harrison Harvey Branzburg LLP
On January 11, 2021, the Federal Trade Commission (“FTC”) announced a proposed settlement with Everalbum, Inc. Everalbum is accused of using facial recognition technology without the consent of consumers and failing to delete consumers’ photos and videos as promised. The proposed terms are noteworthy because, unlike similar FTC settlements in the past, they would require Everalbum to delete certain photos, videos, and algorithms.
The FTC’s complaint against Everalbum claims the California-based company used its “Ever” app to mislead consumers. The complaint alleges Everalbum represented consumers’ content would only be subject to facial recognition if consumers opted into the feature. It also states Everalbum promised to delete photos and videos of consumers who chose to delete the Ever app.
According to the FTC complaint, Everalbum’s claims were deceptive. In particular, the complaint alleges that until April 2019, the facial recognition feature was automatically active and could not be turned off for most users. The complaint also alleges the company failed to delete photos and videos of Ever users who deleted their accounts, as it had promised.
The FTC voted unanimously 5-0 to issue the proposed administrative complaint and accept the consent agreement. The proposed settlement is subject to public comment through February 24, 2021, when the FTC will decide whether to make the consent agreement final.
Law Firm Compelled to Produce Cyber-Forensics Report
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. District Court for the District of Columbia recently required a law firm to produce a forensics report prepared after the firm was hit with a cyberattack that compromised confidential data about a Chinese dissident client. Wengui v. Clark Hill, PLC, No. 19-3195 (JEB) (D.D.C. Jan. 12, 2021).
Clark Hill withheld the forensics report under both the attorney-client privilege and work-product protection, on the grounds that its outside counsel had retained the forensics consultants and the report was prepared for litigation relating to the cyberattack. The court disagreed, concluding that, as a business that routinely handles sensitive materials, the law firm likely would have conducted an investigation into the cyberattack even in the absence of prospective litigation and the report itself would have been the same if prepared in the ordinary course of business. While the firm argued it had conducted a two-track investigation, one to restore business continuity and one in anticipation of litigation, the court rejected that argument as unsupported by the record, which showed only the latter track produced a report, and that report was shared with firm leadership and others for purposes other than litigation. Likewise, the court found that the forensics consultant had been retained for its cybersecurity expertise, rather than to obtain legal advice from its outside counsel, and the report itself focused on remediation of the breach.
Concluding that the forensics report and related information were not protected as privileged, the court ordered the firm to produce the materials. Additionally, the court rejected the law firm’s blanket refusal to respond to interrogatories about the cyberattack on the grounds of privilege, finding that appropriate redactions could be used to safeguard confidential information.