CURRENT MONTH (September 2018)
Internet Law
Third Circuit Upholds Life Sentences for Cyberstalking Convictions
By Sara Beth A.R. Kohut, Young Conaway
The U.S. Court of Appeals for the Third Circuit has affirmed the U.S. District Court for the District of Delaware in upholding what is thought to be the first convictions under a federal statute prohibiting cyberstalking. U.S. v. Gonzalez, No. 16-1559 (3d Cir. Sept. 7, 2018).
Siblings David Matusiewicz and Amy Gonzalez appealed their life sentences for cyberstalking, interstate stalking, and related conspiracy claims after their father shot and killed Matusiewicz’s ex-wife, Christine Belford, in the lobby of the New Castle County Courthouse in Delaware, as she arrived for a family court hearing in 2013. Matuseiewicz and Belford had been engaged in a bitter custody battle over their three children, a battle that included an alleged kidnapping of the children by Matusiewicz’s family and termination of his parental rights.
The Court of Appeals found the trial record was sufficient to support the jury verdict with respect to the charges for conspiracy and cyberstalking that ended in death. During the five-week trial, the government presented 65 witnesses and over 760 exhibits that showed Matusiewicz and Gonzalez had coordinated with others to implement a three-year campaign of webpages, YouTube videos, mailings, and other content to falsely depict Belford as an abusive mother, and to harass Belford and the children. The evidence also demonstrated that the goal of the campaign “was to obtain custody of the children by driving Belford out of the picture” and “[k]illing Belford would clearly be in furtherance of this goal.” Evidence also showed that Matusiewicz and his father arrived at the courthouse in vehicles with an arsenal of weapons and other evidence indicating intent to harm Belford and others.
Among other rulings, the Court of Appeals rejected Gonzalez’s challenges to the interstate stalking statute based upon the First Amendment. The Court held that Gonzalez had not engaged in protected speech, but in conduct that was both defamatory and integral to criminal conduct.
Cybersecurity
$148 Million Settlement Reached Over Uber Data Breach
By Sara Beth A.R. Kohut, Young Conaway
The California Attorney General announced that a nationwide settlement had been reached to resolve allegations relating to the Uber Technologies, Inc. data breach in 2016. Uber allegedly violated state laws requiring data breach reporting and reasonable security measures by paying hackers to cover up the breach that exposed the personal data of 57 million drivers and customers. Reportedly, Uber paid the hackers $100,000 to stay silent about the breach. Uber did not notify consumers or law enforcement until an internal probe by its Board of Directors revealed the breach in November 2017.
Under the settlement, Uber will pay $148 million that will benefit all 50 states and the District of Columbia. California, which spearheaded the settlement, will receive $26 million. The company must also improve its data security program to prevent future breaches, comply with data protection and breach reporting laws, implement a corporate integrity program, and implement privacy-by-design into its products, meaning it must take privacy matters into account when designing and developing products.
International Law
Brazil Adopts New Privacy Law
By Sara Beth A.R. Kohut, Young Conaway
Brazil recently adopted a comprehensive data privacy regulation, the General Data Privacy Law or Lei Geral de Protecao de Dados Pessoais (LGPD). The LGPD will apply to companies headquartered in Brazil and that process personal data in Brazil. Similar but not identical to the European Union’s General Data Protection Regulation, the law broadly defines personal data, provides rights to data subjects, requires mandatory breach notification, governs the transfer of personal data across borders, purports to have extraterritorial application, and permits severe fines for violations. The LGPD will take effect in 2020.
E-Commerce
FTC Settles With Four Companies Over False EU-US Privacy-Shield Statements
By Sara Beth A.R. Kohut, Young Conaway
The U.S. Federal Trade Commission has settled with four companies who allegedly made false certifications that they complied with the EU-U.S. Privacy Shield framework, which enables companies to transfer data from countries in the European Union to the United States. The FTC had initiated separate actions against IDmission, LLC (a cloud technology platform), mResource LLC (doing business as Loop Works, LLC, a talent management and recruitment company), SmartStart Employment Screening, Inc. (an employment and background-screening supplier), and VenPath, Inc. (a data analytics firm), all of which posted statements on their websites that the participated in the Privacy Shield. IDmission had started but not completed the Privacy Shield certification program, while the other three companies had allowed their prior certifications to lapse. Additionally, VenPath and Smart Start were faulted for failing to affirm to the Department of Commerce, which implements the Privacy Shield program, upon stopping participation that they would continue to apply required protections to personal information obtained during their participation in Privacy Shield (they must do so under the proposed settlements).
The proposed settlements prohibit the four companies from misrepresenting their participation in a government or other regulatory privacy/data security program. The settlements will be subject to public comment through the end of October, after which the FTC may declare them final.
