CURRENT MONTH (March 2019)
Colorado Case Shows Challenges in Establishing Jurisdiction over a Digital Currency Exchange
By William R. Denny, Potter Anderson & Corroon LLP
The recent case of Shaw v. Vircurex, Civ. No. 18-cv-00067-PAB-SKC (D. Col., Feb. 20, 2019), underscores the difficulty of pursuing claims against decentralized exchanges that operate based on algorithmic programming, do not engage in traditional marketing activities and have no traditional physical presence. Shaw arose from the collapse of an online digital currency exchange. Participants used the exchange to buy, sell and trade digital currencies. One participant, Timothy Shaw, lost his money when the exchange shut down, and filed a class action lawsuit in Colorado against the exchange and its operators. Neither the exchange nor any of the other named defendants responded to Shaw’s complaint, so the clerk entered a default against the defendants and Shaw moved the court to enforce the default judgment.
The court, on its own initiative, considered whether the exercise of personal jurisdiction over the defendants offended fundamental due process. Because there was no general jurisdiction over the defendants, the court examined whether there was special jurisdiction, meaning that the lawsuit arose out of the defendants’ contacts with the forum. It held that specific jurisdiction only existed if (1) the defendant purposefully directed its activities giving rise to the claim at residents of the forum, and (2) exercise of personal jurisdiction did not offend traditional notions of fair play and substantial justice.
The three different ways to show that the defendant purposefully directed its activities at residents of the forum were (a) whether the defendants established a continuing relationship with the forum state plaintiff, (b) whether the defendant engaged in a continuous and deliberate exploitation of the forum state market, or (c) whether the defendants’ intentional conduct targeted and had harmful effect in the forum state. The court held that the plaintiff’s creation of an online account with the exchange was insufficient, standing alone, to establish any of the three purposeful direction frameworks, and so dismissed the case for lack of personal jurisdiction.
FTC Shares Report Of Privacy and Data Security Activity in 2018
By Antonia Dumas, XPAN Law Group, LLC
In March 2019, the Federal Trade Commission (“FTC”) released its 2018 Privacy and Data Security Update, an annual report summarizing its role and activity as the nation’s primary privacy and data security enforcer. The Update highlights seven focus areas: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance and international engagement.
In 2018, the FTC exercised enforcement actions on key issues including misleading and inadequate privacy and security safeguards (Venmo and VTech Electronics Limited), unauthorized disclosure to third parties (BLU Products, Inc., copycat military sites, and Facebook), and other areas including identity theft, credit reporting and financial privacy, children’s privacy and do not call. Settlements with VTech Electronics Limited and BLU Products, Inc. required the entities to implement comprehensive security programs and undergo biennial auditing of their programs by a third party for 20 years.
The FTC’s advocacy activities included comments issued on the risks of poor security in Internet of Things devices and the importance of companies making accurate privacy disclosures, as well as testimony given to committees of the Senate and House regarding potential federal data privacy legislation.
FTC Proposes New Cybersecurity Requirements for Financial Institutions Over Two Commissioners’ Objection
Eric Mogilnicki and Sam Adriance, Covington & Burling LLP
On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”). Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data. In addition, the FTC is proposing technical and clarifying amendments to the GLBA Privacy Rule.
The proposed revisions to the Safeguards Rule, which include mandating encryption and two-factor authentication, represent a substantial change in the cybersecurity regime applicable to financial institutions subject to FTC jurisdiction. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposal is “to better protect consumers and provide more certainty for business.” However, this view has proven controversial, with two Republican commissioners issuing a dissenting statement arguing that the proposed approach “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”