Dechert Cyber Bits - Issue 21


[Co-Author: Elena Rivas and Isabella Egetenmeir]

US Federal Appellate Court Issues Opinion on Proof of Injury in Data Breach Cases

On September 2, 2022, the U.S. Court of Appeals for the Third Circuit reinstated a class action lawsuit that had previously been dismissed for lack of standing, holding that the named plaintiff’s risk of injury caused by a data breach was “sufficiently imminent” to confer standing.

The case, Clemens v. ExecuPharm, Inc., is a putative class action lawsuit brought by a former ExecuPharm employee after ExecuPharm suffered a data breach in which a hacking group known as CLOP accessed ExecuPharm’s servers through a phishing attack, stole employee personal information, and posted the information on the Dark Web. After taking several actions to prevent identity theft and fraud, the Plaintiff filed a class action against her former employer, asserting claims for breach of contract, breach of implied contract, negligence, negligence per se, breach of confidence, and breach of fiduciary duty.

In February 2021, the District Court dismissed the Plaintiff’s complaint due to lack of standing. The District Court determined that the Plaintiff’s risk of future harm was “not imminent, but speculative” because the Plaintiff had “not yet experienced actual identity theft or fraud.” In reaching this conclusion, the District Court relied on the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), in which the Appeals Court held that the increased risk of future identity theft or fraud stemming from a data breach by an unknown hacker was not sufficiently imminent to establish standing.

In reversing the District Court’s dismissal, the Third Circuit held that Reilly “did not create a bright line rule precluding standing based on the alleged risk of identity theft or fraud.” The Third Circuit noted that “whereas Reilly involved an unknown hacker who potentially gained access to sensitive information,” the data breach in this case was perpetrated by a known and sophisticated hacker group that had already posted the Plaintiff’s personal information on the Dark Web. As a result, the Third Circuit concluded that “[g]iven that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact.” Based on these facts, the Third Circuit held that the Plaintiff had alleged a “substantial risk that the harm will occur” sufficient to establish an “imminent injury,” thereby conferring standing. The Third Circuit vacated the District Court’s decision and remanded the case to be considered on the merits.

Takeaway: In Clemens, the Third Circuit holds that even if victims of a cyberattack have not experienced actual harm as the result of the breach, the hacker’s public posting of information obtained through the intrusion represents an “imminent” risk of future harm that can establish the requisite injury for Article III standing. The key fact seemed to be that the threat actor and its proclivities were known. Future cases will determine how far the Court will take this “substantial risk” formulation of the injury standard. Plaintiffs will try to stretch the Court’s holding well beyond situations mirroring Clemens’ facts.


FTC Hosts Forum on Commercial Surveillance and Data Security Practices to Inform Data Security Rulemaking

On September 8, 2022, the FTC held a Public Forum on commercial surveillance and lax data security practices, focusing on the potential harms of these practices. The Forum followed the FTC’s Advance Notice on Proposed Rulemaking (“ANPR”) from August 11, 2022, which invited public comment on the FTC’s intention to use its Section 18 rulemaking powers to address data security practices. The public consultation and Forum were intended to assist the FTC in deciding whether and how to proceed with rulemaking.

The Public Forum included opening comments from FTC Chair Lina Khan and observations from FTC Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, followed by two panels discussing industry and consumer advocates’ perspectives on commercial surveillance and data security. The FTC Commissioners focused their comments on expanding the notion of unfair data privacy practices beyond violations of “notice and choice” protections, to imposing limitations on the collection or processing of consumer data. Participants argued that notice and choice-based privacy protections are insufficient to address potential harm from “commercial surveillance.” Consumer advocates argued that automated decision-making based on large-scale data collection may subject certain communities to discrimination.

Other topics from the ANPR were also addressed, including potential discrimination against protected categories of individuals by automated systems, and increased regulatory visibility into online platforms. Several participants also offered their views on data security best practices, including encrypting data in transit, conducting risk assessments, implementing access controls, ensuring data back-ups, and using anti-malware.

Following the FTC’s consideration of comments, a decision on whether to proceed with rulemaking is anticipated by October 21, 2022. If the FTC finds that unfair and/or deceptive data security and surveillance practices are prevalent, it will proceed with rulemaking. It will then issue a Notice of Proposed Rulemaking (“NPR”) with an invitation to stakeholders to comment on the NPR during public hearings.

Takeaway: The FTC’s commitment to establishing strong privacy regulations was unambiguous at the Forum. The Agency appears poised to move beyond the procedural protections that have generally sufficed under U.S. law to date (i.e., notice and choice). The outcome of the FTC proceeding is likely to be concrete limits on the collection and processing of certain consumer data, including the kind of limits on indirect data collection reflected in the EU GDPR, California’s CCPA/CPRA, and, more recently, in other state consumer privacy laws.


FTC Issues Staff Report on Dark Patterns

Following a public workshop hosted by the Federal Trade Commission (“FTC”) that explored “whether user interfaces can have the effect of obscuring, subverting, or impairing consumer autonomy and decision-making,” the FTC issued, on September 15, 2022, a new Staff Report that addresses the rise of sophisticated “dark patterns” in the digital marketplace. The Staff Report discusses key topics from the workshop, outlines common types of dark patterns, and makes recommendations for companies.

The FTC defines “dark patterns” as “design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm.” In the Staff Report, the FTC identified four practices that it believes pose harm to consumers: (i) design elements that induce false beliefs; (ii) design elements that hide or delay disclosure of material information; (iii) design elements that lead to unauthorized changes; and (iv) design elements that obscure or subvert privacy choices.

Design elements that induce false beliefs may include, for example: “advertisements deceptively formatted to look like independent, editorial content and purportedly neutral comparison-shopping sites that actually rank companies based on compensation.” Similarly, design elements that hide or delay disclosure of material information from consumers include “burying key limitations of the product or service in dense Terms of Service documents that consumers don’t see before purchase,” or tricking consumers into paying hidden fees that are not appropriately disclosed.

According to the Staff Report, another common dark pattern involves design elements that can trick consumers “into paying for goods or services that they did not want or intend to buy.” For example, the FTC has brought enforcement actions against companies (see here and here) in which gaming apps designed for children were advertised as “free” while burying in fine print that users could make in-app purchases. The FTC also has brought enforcement actions against companies that offer a “free trial period” without prominently disclosing that the trial period is followed by a recurring subscription charge, as well as against companies that intentionally made it difficult for consumers to cancel subscription services.

Lastly, the Staff Report identified what it viewed as a fourth common dark pattern practice – design elements that obscure or subvert the user’s privacy choices. The report specifically recommends that companies “avoid default settings that lead to the collection, use, or disclosure of consumers’ information in a way that they did not expect.” Companies also should “make consumer choices easy to access and understand.” With respect to sensitive personal information, the FTC advised that consumer choices should “be presented so that it is clear to the consumer what they are consenting to – as opposed to a blanket consent – and should be presented along with information that they need to make an informed decision.”

Takeaway: Organizations that employ dark pattern architecture or techniques that manipulate consumers are squarely on the FTC’s radar: “Take notice: where these practices violate the FTC Act, ROSCA, the TSR, TILA, CAN-SPAM, COPPA, ECOA, or other statutes and regulations enforced by the FTC, we will continue to take action.” Increased FTC scrutiny may result in increased risk for non-compliance. Therefore, organizations should carefully review the Staff Report and consider whether any online design choices or data collection practices could potentially qualify as dark patterns that might fall under the scrutiny of the FTC.


UK Government Calls for Information on Increasing the Duty of Online Providers to Secure Online Accounts and Data

The previous UK government issued a call for information on measures to enhance the security of online accounts. This is part of the UK government’s National Cyber Strategy, which seeks to reduce the burden of cybersecurity on citizens and reduce the harms caused by unauthorized access. The strategy forms part of the broader government policy effort to tackle the various threats posed by online crime.

The UK Government’s call for information expresses the view that online account providers have a greater responsibility to protect users. Online account login processes for UK citizens should be secure by default and not over-reliant on customers taking protective actions. Therefore, the UK government is considering requiring a more widespread implementation of secure-by-default principles, a so-called “Cyber Duty to Protect.”

With the call for information, the UK government seeks feedback on three issues: (1) the risks associated with unauthorized access to online accounts and personal data; (2) actions that companies currently take to address the problem; and (3) actions that should be taken to address the problem and who should be responsible.

The call for information is open until October 27, 2022. The UK government then anticipates developing proposals for: (1) appropriate security measures which account providers and organizations processing personal data could implement to ensure users’ accounts and their personal data are better protected against attack; and (2) compliance with those measures. The government will consult the tech industry, victim support groups, the cyber security industry, the business sector and service providers, and consumer organizations before putting forward any proposals. Any proposal will also be subject to a public consultation.

Takeaway: The call for information is an example of the UK government’s mission to enhance the protection of online consumer accounts and data in order to reduce cybercrime. There are increasing indications that the new government will adopt a less interventionist attitude, both generally and specifically in relation to data privacy issues. This is arguably at odds with the trend toward increased responsibility for online service providers to prevent online crime, under which the burden on consumers is reduced.


CISA Starts Cybersecurity Rulemaking Process for Cybersecurity Incident and Ransomware Reporting

On September 12, 2022, the US Cybersecurity & Infrastructure Agency (“CISA”) published a Request for Information (“RFI”) to solicit public comments on the development of proposed regulations required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).

Under CIRCIA, CISA is required to publish a Notice of Proposed Rulemaking for cybersecurity incident and ransomware reporting. The RFI is a first step in this process to better understand how these rules should be designed. It seeks comments on a number of questions and topics, in particular:

  • Definitions for the terminology to be deployed in the proposed regulations: what constitutes a “covered entity,” a “covered cyber incident,” a “ransom payment,” “ransomware attack,” “supply chain compromise,” and other essential terms expected to frame the new regulations?
  • Structure of report content and submission procedures: what constitutes “reasonable belief” that a covered cyber incident has occurred, which would initiate the 72-hour deadline for reporting the incidents; and when should the 24-hour period for reporting ransom payments begin?
  • Other incident reporting requirements: what are the costs of collecting information and reporting on cyber incidents under existing reporting requirements or voluntary sharing arrangements; questions on areas of actual, likely, or potential overlap, duplication, or conflict between regulations, directives, or policies and CIRCIA's reporting requirements?
  • Additional policies, procedures, and requirements: information on enforcement procedures and information protection policies.

The public consultation ends on November 14, 2022. CISA will also be hosting eleven in-person hearing sessions across the US to obtain additional feedback.

Takeaway: CISA’s rulemaking adds to calls from various governments for more reporting of cybersecurity incidents and ransomware payments. CISA believes that prompt reporting of such incidents will help it quickly leverage resources to assist victims of attacks, identify emerging threats, and coordinate with other public agencies and network defenders.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
