Barclay Damon
Barclay Damon

Legal Alert

Cyber Security Update – Recent Developments and Expectations for 2016

Cyber security, data security, and electronic privacy protection are hot topics these days. The law in this area is rapidly developing, and keeping up with the best practices to protect your electronic information and complying with legal requirements can seem daunting. To better assist our clients, Barclay Damon is pleased to announce its multi-disciplinary Cyber Security practice.

With a group of attorneys encompassing nine different practice areas, the goal of our cyber security practice is to provide a comprehensive approach to our clients’ cyber security, privacy, and data protection needs. That means evaluating cyber security and data protection protocols, drafting policies and agreements to ensure best practices for protecting electronically stored data, establishing a response plan in the event of a breach, conducting and advising on investigations into data breach and cyber security matters, interacting with relevant government agencies in relation to such matters, and litigating claims involving electronic data and data privacy matters. We work with general corporate clients as well as in specialized areas such as Energy, Health Care, and Intellectual Property. Our lawyers also have experience in addressing cyber security matters in the context of employment relationships and in relation to professional liability claims. And, our insurance coverage practice group is directly involved in addressing clients’ needs with respect to the relatively new concept of insurance to cover data breach events.

As we kick-off 2016, below are several trending legal developments that have the potential to affect your organization’s approach to data protection and cyber security matters:

Cybersecurity Information Sharing Act (CISA) Becomes Law

The Cybersecurity Information Sharing Act (CISA), which became law in the waning weeks of 2015 as part of $1.15 trillion compromise spending bill, is designed to encourage businesses to voluntarily share information about cyber security threats with each other and the federal government by creating certain antitrust and legal liability protections and other incentives for companies that participate.

The law authorizes private entities to monitor, share, and operate “defensive measures” against cyber threat indicators on their information systems – or information systems of other entities with the second entity’s written consent. While many privacy advocates oppose the new law because it could allow the government to access private information that may have previously required a warrant, the law does impose a requirement that companies sanitize shared information of certain personal information of persons “not directly related to a cybersecurity threat.”

There are sure to be developments regarding this groundbreaking law in the coming year as implementation begins.

The FTC and FCC Emerge as Administrative Enforcers of Data Security

The Federal Trade Commission (FTC), despite a recent setback, appears poised to continue as the lead agency in enforcement of privacy and data security, but the Federal Communications Commission (FCC) is also beginning to take an active role.

FTC v. Wyndham Worldwide Corp. In an August 2015 decision, the Third Circuit held that the FTC had the authority under the “unfairness” prong of Section 5 of the FTC Act to bring a lawsuit against Wyndham Worldwide Corp., a global hotel company, over its data security practices. Such practices allegedly exposed more than 600,000 consumer payment card account numbers and led to more than $10.6 million in fraud loss. The court went further to say the agency does not have a duty to define exactly what reasonable data security standards are expected, holding that the company had sufficient notice that it should perform a standard cost-benefit analysis regarding which cybersecurity protections to invest in given the probability and expected size of reasonably unavoidable harms to consumers.

The FTC and LabMD Inc. A few months after the Wyndham decision, however, an administrative law judge (ALJ) dismissed an FTC data security action against the medical testing company LabMD, Inc., citing no evidence that any consumer whose information was maintained by LabMD suffered any actual harm. The company was accused of leaving customers’ names, Social Security numbers, dates of birth and personal health insurance information exposed on publicly accessible peer-to-peer (P2P) file sharing networks.

The ALJ held that after several years without the occurrence of any identifiable harm traceable to the security incident, the FTC could not sustain its burden to prove “actual” or “likely” harm. If the decision stands after review by FTC commissioners, it may undermine the FTC’s ability to impose liability based solely on the potential for data breach.

The FCC. Last year, the FCC issued its Open Internet Order, in which it asserted its authority to regulate internet service providers (ISPs) as “common carriers” in an effort to enforce so-called net neutrality. This is notable because “common carriers” are exempt from the FTC’s jurisdiction, which places the FCC as the sole federal agency enforcer in the space.

Indeed, the FCC flexed its data security enforcement muscles in 2015, taking on AT&T, Cox Communications Inc., as well as wireless carriers TerraCom Inc. and YourTel America Inc., resulting in settlements ranging from $595,000 to $25 million. The agency’s hiring of prominent cybersecurity expert and consumer advocate Jonathan Mayer in November seems to indicate that it has no intention of scaling back such enforcement efforts.

Consumer-Initiated Data Privacy Actions to Watch

If the threat of administrative enforcement was not enough, several consumer-initiated actions are set make waves in data security law.

Spokeo v. Robins. The U.S. Supreme Court is expected to issue a decision in the first half of 2016 addressing whether consumers can sue companies such as Spokeo Inc., a personal information aggregating website, for violations of the Fair Credit Reporting Act and similar statutes without alleging specific damages.

A consumer named Thomas Robins sued the self-proclaimed “people search engine” for alleged violations of the FCRA because it posted inaccurate information about his financial situation, which he claims harmed his employment prospects. Spokeo argued that the case should be dismissed because Robins did not prove that the publication of inaccurate personal information in violation of the Fair Credit Reporting Act was an injury-in-fact sufficient to confer standing under Article III. The Ninth Circuit sided with Robins and found that Spokeo’s alleged violation of the FCRA amounted to an injury.

Although the case involves primarily the FCRA, it is anticipated that the Supreme Court’s decision could have significant impact on the overall ability of consumers to maintain actions, including class actions, where the plaintiffs have not suffered actual damages.

Campbell-Ewald v. Gomez. The Supreme Court will likely release another highly anticipated decision in early 2016 on the issue of whether companies accused of violating consumer privacy can strategically “pick off” or settle with class representatives in order to avoid or mitigate an impending class action suit.

Gomez accused longtime government contractor Campbell-Ewald Co. of violating the Telephone Consumer Protection Act (TCPA) by sending naval recruitment messages to about 100,000 people in 2006 through a subcontractor. Campbell-Ewald offered Gomez $1,503 for each unsolicited text message he allegedly received – more than three times the statutory amount of $500 per violation. The ability to negotiate with class representatives in this fashion to blunt a class action is an attractive strategy for companies facing significant liability exposure. As with Spokeo, this decision could have a significant impact in the data breach realm, where class actions arising from data breaches continue to become more and more prevalent.


If you have any questions about the firm’s Cyber Security services, please feel free to contact Nicholas J. DiCesare at 716-566-1524 or ndicesare@barclaydamon.com or any of the Barclay Damon attorneys with whom you normally work.