Data privacy is a top-of-mind issue in 2022, and biometric privacy and issues relating to artificial intelligence (AI) have been subject to recent scrutiny from state and federal government officials and legislators. These topics also continue to be areas of focus in the realm of putative privacy class action litigations.

Partners Kristin Bryan and Kyle Fath, as well as senior associate David Oberly, will provide an overview of key developments and trends in this developing area of the law. This will include, among other matters:

  • AI and privacy compliance – An overview of restrictions on and obligations with respect to AI, profiling and other automated decision-making processes under forthcoming privacy laws in California, Virginia, Colorado and Utah.
  • AI and biometrics litigation overview – An overview of the current litigation landscape concerning biometric data and AI, as well as related insights.
  • State legislative priorities – Approaches states are taking to the use of facial recognition technology.
  • Anticipated federal developments – Proposed federal legislation concerning biometrics, AI and other anticipated developments in 2022.

CLE is pending in the following jurisdictions: AZ, CA, NJ, NY, OH and TX.  Registration is available here.

The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contract Clauses (“New EU SCCs”) are now in force (as of 21 March 2022), providing much needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.

The IDTA and Addendum replace the old EU Standard Contractual Clauses (“Old EU SCCs”) for use as a UK GDPR-compliant transfer tool for restricted transfers from the UK, which also enables UK data exporters to comply with the European Court of Justice’s ‘Schrems II’ judgement.

For new UK data transfer arrangements, or where UK organisations are in the process of reviewing their existing arrangements, use of the new IDTA or Addendum would be the best option to seek to future-proof against the need to replace them in 2 years’ time.

Where the data flows involve transfers of personal data from both the UK and the EU, the use of the Addendum alongside the New EU SCCs will enable organisations to implement a more harmonised solution. This will be discussed in an upcoming blog post on Consumer Privacy World; subscribe here for further updates.

To view copies of the documents please follow the links below:

To read our previous blog post on this topic, click here.

Our global Data Privacy, Cybersecurity and Digital Assets team is perfectly placed to assist organisations in navigating through this area. For assistance, please reach out to the authors.

On March 21, 2022, President Biden warned U.S. companies, particularly those operating in critical infrastructure sectors, that “[b]ased upon evolving intelligence, Russia may be planning a cyberattack against us.”  See details here.  The evolving intelligence appears to be based upon, among other things, a March 18th advisory from the FBI to U.S. businesses that threat actors associated with Russian internet addresses have been scanning the networks of five U.S. energy companies and at least eighteen U.S. companies in other sectors, such as defense and financial services.

The FBI identified 140 overlapping IP addresses linked to “abnormal scanning” activities. Vulnerability scanning is the process of identifying security weaknesses and flaws in systems and the software running on them. Threat actors often dedicate time to observing and probing target computer networks to find weaknesses in their defenses, in order to further assess and develop a strategy for exploitation. Accordingly, the FBI warns, Russia is exploring its options for potential cyberattacks on U.S. companies in critical infrastructure sectors.

Russia has already used Ukraine as a testing ground for powerful cyber weapons. According to the Ukrainian government, since February 15th it has suffered approximately 3,000 Distributed Denial of Service attacks on government websites, rendering them unusable. As the conflict in Ukraine escalates, President Biden therefore warns that “[t]he magnitude of Russia’s cyber capacity is fairly consequential and it’s coming.” As such, U.S. Intelligence is proactively sharing this information to encourage the private sector to shore up its defenses. To assist, the White House released a fact sheet detailing ways that U.S. companies can defend themselves against cyberattacks.

While every company’s cybersecurity needs are different, organizations should ensure that they have implemented at least the following as part of a comprehensive approach to mitigating the risk of a cybersecurity attack.

  1. Conduct a Cybersecurity Risk Assessment (“Assessment”). In general, the purpose of an Assessment is to identify cybersecurity vulnerabilities in an organization’s policies, procedures, and IT environment and to provide remediation strategies as appropriate. An Assessment may identify vulnerabilities, exploit attempts and secondary attackers’ actions. As best practice, Assessments should be conducted by an independent IT security firm, at the direction of counsel, to protect the Assessment’s findings under privilege.
  2. Prepare a Written Cybersecurity Policy. A written cybersecurity policy sets forth an organization’s policies and procedures for the protection of its information systems, particularly its sensitive business information. The cybersecurity policy should address key areas of concern, to the extent applicable, such as data governance and classification, customer data privacy, and vendor and third-party service provider management. To instill a “tone from the top” culture, the cybersecurity policy should be approved by a senior officer or the organization’s board of directors.
  3. Develop or update your Incident Response Plan (IRP). Many industries and jurisdictions require organizations to have a policy addressing how the company will effectively respond to a cybersecurity incident, like a ransomware attack. An IRP sets forth the key steps that organizations need to take immediately during a cyber-incident. For example, an IRP will set forth reporting escalation procedures and alternative communication plans, and will create a response team of stakeholders and outside experts to assist with the response.
  4. Ensure your personnel are adequately trained. Organizations should provide regular training for all personnel based upon the risks identified in the Assessment. Given that a common method of attack is through email phishing or downloads from malicious websites, an effective defense mechanism is to train your personnel on the basics of cyber-hygiene. Likewise, your response team should conduct at least yearly tabletop exercises to practice its response in accordance with the IRP. Having a well-trained Incident Response Team in place prior to an attack positions organizations to act efficiently in a measured, calm, and unified manner.

On March 21, 2022, President Biden publicly recognized that, while his Administration is prioritizing modernizing the federal government’s cybersecurity practices, it is the patriotic obligation of the private sector to invest as much as it can in preparing for cyberattacks.

Over the course of the past month, media images of the war in Ukraine show the kinetic destruction of Russian artillery, missiles, and aerial assaults. Yet, as President Biden warns, it is the unseen Russian cyber capabilities that now present a clear and present danger to U.S. national security. President Biden warned that “[b]ased upon evolving intelligence Russia may be planning a cyberattack against us.” He noted that “[t]he magnitude of Russia’s cyber capacity is fairly consequential and it’s coming.”

Notwithstanding, he notes that while the Federal government is doing its part, the private sector largely decides which protections it will or will not take to mitigate the risk of, and prepare for, the inevitable cybersecurity attack. Understanding this dichotomy, President Biden urges companies, particularly those operating in or supporting critical infrastructure sectors, to take a selfless approach to cybersecurity. He admonishes, “[l]et me be absolutely clear about something, it is not just in your interests that are at stake…it is the national interests at stake and I would respectfully suggest it is a patriotic obligation to invest as much as you can.”

What does this mean for U.S. companies, particularly those operating in or supporting critical infrastructure sectors? It means act now.

In short, it has arguably never been more critical for U.S. companies to assess their preparation to mitigate the risk of and respond to a cybersecurity incident.  This is particularly so, as trends indicate that cybersecurity regulations and respective enforcement will only continue to expand under the Biden Administration.

As a clear demarcation line, on May 12, 2021, President Biden signed the Executive Order (“EO”) “Improving the Nation’s Cybersecurity,” setting forth his priority to protect the United States from malicious cyber actors.  Since then, the federal government has not only taken significant measures to modernize the federal government’s cybersecurity practices, but has begun to further regulate the cybersecurity practices of the private sector. By way of example, this includes:

As the EO makes clear, “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” Whether it is out of a patriotic duty to protect critical infrastructure against malicious cyber actors or to prepare to meet inevitable additional regulations, the time is now to ask yourself: are we ready?

Colin Jennings has been invited to speak at a Lunch and Learn hosted by the FCBA on March 24, 2022.

At the virtual event organized by the FCBA’s New York Chapter and Cybersecurity Committee, Colin will participate in a session titled, “Cybersecurity and Ransomware Payments: The Legal Landscape and Practical Guidelines.”

Colin will be joined by Mitch Wander of the US Department of Treasury and Paul Benda, Sr. Vice President, Operational Risk and Cybersecurity, for the American Bankers Association. The esteemed panelists will review the latest case law developments, highlight emerging issues and offer best practices for preventing and limiting the impact of a ransomware cyberattack.

The FCBA is a volunteer organization of attorneys, engineers, consultants, economists, government officials and law students involved in the study, development, interpretation and practice of communications and information technology law and policy.


Advancements in artificial intelligence (AI) have led to a wide range of innovations in many aspects of our society and economy, including in industry verticals such as healthcare, transportation, and cybersecurity. Recognizing that there are limitations and risks that must be addressed, regulators and legislators worldwide have turned their attention to AI.

In 2020, Congress directed the National Institute of Standards and Technology (NIST) to develop an AI Risk Management Framework with the public and private sectors. Last week, pursuant to its mandate, and following initial requests for information and workshops on AI it held in 2021, NIST released two documents relating to its broader efforts on AI. First, it published an initial draft of the AI Risk Management Framework on March 17. Public comments on the framework are open through April 29. In addition, the agency is holding a public workshop March 29-31. Second, it updated a special publication, Towards a Standard for Identifying and Managing Bias in Artificial Intelligence. While it is unclear whether NIST’s efforts will lead to a broader consensus or federal legislation on AI, the Federal Trade Commission (FTC) and state legislatures are already focused on it in the immediate term.

As we have previously reported here on CPW (here), the FTC is focused on AI and has indicated that it is considering promulgating AI-related regulations. Though statements by Commissioner Wilson seem to have cast doubt on the Commission’s likelihood of issuing AI-focused regulations in the first half of this year, its recent settlement in the Weight Watchers case reinforces the agency’s commitment to consumer privacy and related issues and the effects that AI has on them.

AI and State Privacy Laws

AI is also a focus at the state level. Starting in 2023, AI, profiling, and other forms of automated decision-making will become regulated under the broad and sweeping privacy laws in California, Virginia, and Colorado, providing corresponding rights for consumers to opt out of certain processing of their personal information by AI and similar processes. We can expect to see AI and profiling concepts fleshed out substantially in regulations promulgated pursuant to the California Privacy Rights Act (CPRA). As of now, the CPRA is very light on details regarding profiling and AI, but seemingly will require businesses, in response to consumer requests to know/access, “to include meaningful information about the logic involved in such decision-making processes” – in other words, information about the algorithms used in AI and automated decision-making. We can also expect to see regulations issued pursuant to the Colorado Privacy Act (in Virginia, it’s less clear, as the Attorney General was not given rulemaking authority). Organizations should understand the requirements as to AI, profiling, and automated decision-making in these quickly approaching privacy regimes, and continue to pay attention as rulemaking in California and Colorado progresses.


In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

  • SPB Team Defeats $70 Billion Driver Privacy Litigation With Ruling From Fifth Circuit, As Reported in Law360
  • Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context
  • BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up
  • New Law Requires 72-Hour Notice for Cyber Incidents
  • BREAKING: Florida Senate Adjourns, Data Privacy Bill Yet Again Fails to Pass
  • Virginia Work Group Report Leads to Proposed CDPA Amendments
  • CPW on Speaking Circuit in April: Alan Friel and Exterro Discuss Preparing for 2023—Tools and Tips to be Ready for New US Privacy Laws
  • BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies
  • Florida Pursuing Privacy Bill with Private Right of Action (Again)
  • CPW on March Speaking Circuit: Kristin Bryan and Ericka Johnson To Virtually Appear at London Privacy and Security Conference on March 15
  • CPW’s Kristin Bryan and Kyle Fath Discuss Implications of Utah Privacy Bill With Bloomberg Law
  • Federal Court Finds Plaintiff has Article III Standing in FCRA Suit against Employer, In Reminder of Litigation Risk Arising From Background Screening
  • Now Available: A Practical Guide to Cyber Insurance For Businesses With Chapter From CPW’s Kristin Bryan
  • SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies
  • Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today
  • UPDATED: Utah One Step Closer to a Consumer Privacy Bill
  • CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law
  • Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law

As readers of CPW know, the Federal Trade Commission (“FTC”) has made it clear that privacy and security will be top-of-mind issues for the Commission for the foreseeable future. Recently, the FTC announced its settlement with WW International, Inc.—formerly known as Weight Watchers (“Weight Watchers”)—over claims the company violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting children’s personal information without providing notice or obtaining parental consent.

The settlement requires the company to pay a $1.5 million penalty, delete personal information that was improperly collected from children, and destroy any models or algorithms developed with the use of that data. Importantly, the settlement illustrates the FTC’s increased focus on children’s privacy, as well as the Commission’s increased reliance on the disgorgement remedy in privacy and security enforcement actions—including in the AI context.

I.     Factual Background & FTC Allegations

By way of background, COPPA requires that websites, apps, and online services that are child-oriented or knowingly collect personal information from children notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13. It was passed in 1998 amid rising concerns regarding children’s privacy online. Unlike some other federal regulatory regimes, both the FTC and state attorneys general have concurrent jurisdiction to enforce COPPA (meaning, as a practical matter, that private entities are subject to potential regulator scrutiny at both the state and federal level for alleged COPPA violations).

Weight Watchers marketed a health and wellness app and website to both adults and children that allowed users to track their food intake, activity, and weight. The app also collected personal information, including names, email addresses, and birth dates. Up until late 2019, users could sign up for the app by indicating (1) they were a parent registering their child or (2) a child over the age of 13 signing up for themselves.

The non-neutral age gate that was presented by Weight Watchers at registration indicated to younger users that they could sign up without a parent by falsely claiming they were at least 13. Not only that, hundreds of users who signed up for the app did, in fact, circumvent the age gate by creating an account and later revising their profiles to reflect their true age. Despite this, these users were still permitted to access the app without parental involvement. Further, while the company implemented a new age gate in late 2019 that removed any reference to being “at least 13” and indicated that individuals under the age of 13 needed parental permission to use the app, Weight Watchers’ screening mechanism still failed to ensure that users who selected the parent signup option were truly parents—and not children attempting to bypass the age restriction.

According to the FTC, Weight Watchers violated COPPA as a result of its failure to provide a mechanism to prevent children from using the parent registration option to bypass the age restriction, as well as COPPA’s notice and data retention provisions.

II.     The Settlement Terms and Key Takeaways

The Weight Watchers settlement comprises three primary components, all of which carry significant implications for potential FTC enforcement actions going forward.

  • First, the company must pay a $1.5 million penalty.
  • Second, the company must destroy all personal information that was collected in a manner that failed to comply with COPPA.
  • Finally, the company must destroy all models or algorithms developed in whole or in part using improperly collected personal information.

     A.     FTC’s Continued Focus on Children’s Privacy 

There are three major takeaways from the Weight Watchers settlement. The first pertains to the FTC’s increased activity in the children’s privacy space. The Weight Watchers settlement comes on the heels of several other FTC enforcement actions against companies who ran afoul of COPPA. In December 2021, advertising platform OpenX Technologies agreed to pay a $2 million penalty to resolve similar FTC allegations that it collected children’s personal information without parental consent. And in July of last year, online coloring book app Kuuhuub agreed to a $3 million penalty to settle COPPA allegations as well.

Relatedly, during his State of the Union address President Joe Biden urged Congress to strengthen children’s privacy protections and clamp down on companies that improperly collect children’s personal information.

Taken together, companies that market their online products or services to children—or otherwise collect children’s personal information—are well-advised to review their compliance with COPPA’s requirements to mitigate the heightened legal risk posed by the FTC’s increased emphasis on children’s privacy.

     B.     Utilization of Disgorgement Remedy

The second major takeaway pertains to the requirement that Weight Watchers destroy any models or algorithms developed through the use of personal information that was improperly collected from minors in violation of COPPA.

Importantly, the Weight Watchers matter marks the first time that the FTC has utilized this enforcement tool—known as disgorgement—in a COPPA case. This is part of a larger shift by the FTC to prioritize “meaningful disgorgement” as a remedy in privacy and security enforcement actions. Disgorgement was first used by the FTC in its first enforcement action specifically targeting improper facial recognition practices, with photo developer Everalbum, Inc. As part of the settlement, Everalbum was forced to delete not only all photos and other user data that had been improperly collected and/or retained, but also all facial recognition algorithms that were developed with Everalbum’s ill-gotten data.

Shortly after the Everalbum settlement—during remarks at the 2021 Future of Privacy Forum—the FTC’s then-Acting Chairwoman, Rebecca Kelly Slaughter, noted that where companies unlawfully collect and/or use consumers’ personal information, the FTC would seek disgorgement of both the improperly collected data, as well as any benefits from that data—pointing to Everalbum as an example of how the FTC could leverage disgorgement in privacy and security matters.

     C.     Algorithmic Disgorgement As New Normal In Near Future?

Third, the Weight Watchers settlement not only represents a continuation of the disgorgement remedy trend in FTC enforcement actions, but also indicates that algorithmic disgorgement may soon become a standard component in future FTC settlements. This may have a particularly outsized impact on developers of artificial intelligence and related technologies which rely heavily on the development of advanced algorithms.

This settlement is yet another example of the FTC’s focus on the impact AI can have in relation to consumer privacy and related issues.  In December the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

There are a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate as previewed by its Notice, should internal disagreement at the agency not stall this effort in 2022. For instance, as seen in an April 2021 release, the FTC has increasingly cautioned that AI may be utilized and “inadvertently introduc[e] bias or other unfair outcomes” in medicine, finance, business operations, media, and other sectors. In addition, the FTC declared algorithmic and biometric bias a focus of enforcement in resolutions passed in Fall 2021.

For more on this, stay tuned.  CPW will be there to keep you in the loop.

Background

President Biden has recently delivered on a long-stated priority of his presidency: requiring the disclosure of cyber security incidents by companies that operate critical infrastructure. After an executive order in May 2021 aimed at modernizing the federal government’s cybersecurity practices, similarly sweeping changes will now affect private companies that operate critical infrastructure. At the time of the executive order, some noted that the recent string of high-profile ransomware attacks was leading to a bipartisan effort to require disclosures of such incidents by those affected in the private sector. Indeed, Congress has acted quickly in codifying disclosure requirements for those that operate critical infrastructure.

Incorporated into the Consolidated Appropriations Act of 2022, the Cyber Incident Reporting for Critical Infrastructure Act (the “Act”) will require that covered entities that reasonably believe that they have experienced a “covered cyber incident” file a report with the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours. Further, in the event that a covered entity makes a ransomware payment as a result of a ransomware attack, they must report the payment to CISA within 24 hours. Supplemental reports to CISA are also required in the event that the covered entity becomes aware of substantial new or different information.

Who is Covered

As previously noted, the Act will require covered entities to alert CISA when they suspect that they have been the victim of a covered cyber incident. The Act defines a covered entity as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21.” Presidential Policy Directive 21 (the “Directive”) refers to a directive from 2013 pertaining to the security and resilience of critical infrastructure. The Directive defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This broad definition can affect large swaths of the private sector, from energy production to banking.

Further, the Act requires the disclosure of covered cyber incidents, which are defined as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2242(b)”. While the Act punts to the Director of CISA to determine what types of incidents will require notification, it provides some general guidance. At a minimum, the final rule will require the disclosure of a cyber incident that:

  1. leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
  2. disrupts the business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against (1) an information system or network; or (2) an operational technology system or process; or
  3. results in the unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

Following the enactment of the Act, the Director of CISA will issue a notice of proposed rulemaking within 24 months. A final rule will then be adopted within 18 months following the notice of proposed rulemaking. Ultimately, these rules will outline in greater detail both what qualifies as a covered entity and a covered cyber incident.

Complying with the Act

The main purpose of the Act is to collect data on cyber security incidents. To that end, the only major change from the present status quo as a result of this Act is that reports regarding incidents and ransomware payments must be made to CISA. In the event that the Director suspects that a covered entity has been the victim of a cyber security incident, she may request that a report be filed by that entity within 72 hours. Similarly, in the event that the Director becomes aware that a ransomware payment has been made by a covered entity without filing a report, she may request one be filed within 24 hours. Failure to respond to the Director’s requests for either report could result in referrals to the Attorney General for civil penalties.

However, because the Act is merely a means to track and document cyber security incidents, the responses by the covered entities can largely remain the same. Thus, while the Act requires disclosures, it permits covered entities to engage in investigations with third parties. This includes engaging with a third party to conduct ransomware negotiations.

Conclusion

This shift in legal requirements for critical infrastructure represents a concerted effort by numerous actors in government to provide systems that can be used to track cyber security incidents. While this does not affect all private sector entities, all businesses should be aware of this trend. What started as an executive order less than a year ago has evolved into mandatory reporting for companies that engage in critical infrastructure. Since threat actors do not limit their attacks solely to critical infrastructure, it is entirely plausible that future legislation could be enacted to touch other areas in the private sector.

Because of this, all businesses, whether or not involved in critical infrastructure, should take note of these trends. Ensuring that data is properly protected and that proper IT controls are established, such as two-factor authentication, can significantly reduce the possibility of cyber security incidents occurring. Further, establishing strong response plans that are regularly reviewed and updated can help prevent the fallout associated with such incidents. A full list of recommended courses of action was previously explored in this article.

As reported in Law360, last week the Fifth Circuit Court of Appeals in a published decision affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022.  In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq, refusing to revive a putative class action where Plaintiffs demanded $69.9 billion USD in liquidated damages.

CPW is proud to highlight Squire Patton Boggs (US) LLP’s representation of defendant Vertafore in this high-stakes data privacy case, including in particular the leadership of Partners (and regular CPW contributors) Kristin Bryan and Rafael Langer-Osuna.

Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the unsecured online storage of Texas drivers’ license data for over 27.7 million individuals.  The first three cases were filed in the District of Colorado, Northern District of Texas and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than US$69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.

Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted.  On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.

Plaintiffs then filed an appeal to the Fifth Circuit. The Fifth Circuit, however, affirmed the district court’s dismissal.

In its ruling, the Fifth Circuit commented that “[t]he [DPPA] ‘regulates the disclosure of personal information contained in the records of state motor vehicle departments.’”  (quotation omitted).  The statute “was enacted in 1994 to respond to at least two concerns: ‘The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs.  The second concern related to the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.’”  To put it otherwise, the DPPA predated modern developments concerning data events and cyberattacks—notwithstanding its frequent use by plaintiffs in data breach-type litigations.

The Fifth Circuit affirmed dismissal of the Complaint for Plaintiffs’ failure to allege a “disclosure” of their information as required to state a cognizable DPPA claim.  As the Court reasoned:

[T]he only facts alleged in Plaintiffs’ complaint are that Vertafore stored personal information on “unsecured external servers” and that unauthorized users accessed that information.  Without more, these facts do not plausibly state a “disclosure” consistent with the plain meaning of that word.  Nothing about the words “unsecured” or “external” implies exposure to public view, and the mere fact that unauthorized users managed to access the information does not imply that Vertafore granted or facilitated that access.  After all, we would hardly say that personal information was “disclosed” if it was kept in hard copy and the papers were stolen out of an unlocked, but private, storage facility.

Though at this stage of the proceedings we draw all reasonable inferences in Plaintiffs’ favor, the inference Plaintiffs ask us to draw—from “stored on unsecured external servers” to “disclosed”—is not reasonable. Because Plaintiffs have not alleged a disclosure within the meaning of the DPPA, their complaint fails to state a plausible claim for relief.

(citations omitted). Additionally, the Fifth Circuit noted in a footnote that “Plaintiffs cite no case in which insufficiently secure data storage constituted a ‘disclosure’ within the meaning of the DPPA.”

Moving forward, the Fifth Circuit’s ruling will have a significant impact on cases brought under the DPPA and similar statutes.  Simply put, such statutes, with their large statutory damages provisions, are not meant to support claims for data breaches.  The Court’s definition of “disclosure”—that it requires that the defendant take action to expose the data to the public—will materially undermine future data breach-based DPPA claims.  This is a significant win for defendants as the DPPA claims carry a minimum of $2,500 in statutory liquidated damages per plaintiff and therefore have become attractive claims for plaintiffs’ attorneys bringing putative class actions in data privacy litigations.

The SPB Vertafore team consists of partners Damond Mace, Rafael Langer-Osuna, Kristin Bryan, and Brent Owen, of-counsel Bobby Hawkins, principal Amanda Dodds Price, and associate Marissa Black.