Archive for the ‘Cyber, Privacy, & Security’ Category

Internet of Things Device Manufacturer Settles Class Action Lawsuit

Posted on: March 20th, 2017

By: Matthew N. Foree

Last week, the United States District Court for the Northern District of Illinois preliminarily approved a class action settlement involving the manufacturer of an Internet of Things (“IoT”) device. In this case, two plaintiffs, whose names were withheld “due to the sensitive subject matter of this case,” filed a lawsuit against Standard Innovation Corporation (“Standard Innovation” or “Defendant”), a “sensual lifestyle products” company that sells a “high end vibrator called the We-Vibe.” As stated in the complaint, to fully operate the We-Vibe, users download Defendant’s “We-Connect” application and install it on their smart phones. With this app, users can “pair” their smart phone to We-Vibe, allowing them and others remote control over the device’s settings and features. As alleged in the complaint, the customers were unaware that Defendant designed the We-Connect app to collect and record data regarding consumers’ personal use of the device, including the date and time and the settings of the device, and then to transmit such usage data with the user’s personal email address to its servers in Canada. Based on these allegations, Plaintiffs sought an injunction to prohibit Defendant from monitoring, collecting and transmitting the information, as well as damages from the invasion of privacy and from the purchase of the device, including return of the purchase price and disgorgement of profits. Specifically, Plaintiffs raised claims of violation of the Wiretap Act (18 U.S.C. § 2510), intrusion upon seclusion, and unjust enrichment.

On March 9, 2017, Plaintiffs filed the class action settlement agreement as part of Plaintiffs’ motion for preliminary approval of the settlement. Under the agreement, the parties agreed to divide the class into two separate classes, one for individuals who downloaded the We-Connect application and used it to control a We-Vibe brand product before September 26, 2016 (the “App Class”), and a second class including individuals who purchased a Bluetooth enabled We-Vibe brand product before September 26, 2016 (the “Purchaser Class”). Per the agreement, the parties agreed on a settlement fund for the App Class in the amount of $4 million CAD and a separate settlement fund for the Purchaser Class in the amount of $1 million CAD. Members of the App Class can receive up to $199.00 USD, while members of the Purchaser Class can receive up to $10,000 USD.

On March 14, 2017, the court granted an order preliminarily approving the class action settlement as defined by the parties. Among other things, the Order certified the proposed Purchaser Class and the App Class for settlement purposes only. It also approved the appointment of the Plaintiffs as class representatives and set the schedule for Notice to the Class and other deadlines. Significantly, the settlement agreement requires Defendant to remove and not include a registration process, and not collect email addresses, through the We-Connect application. It also requires Defendant to update its privacy notice to specifically disclose its data collection practices concerning the application. Additionally, the Defendant must, subject to any legal requirements, purge the data collected from its users.

We have reported previously about the proliferation of issues related to IoT devices, including the development of guidance for securing such devices. The security of IoT devices and the unauthorized use of information generated from them are topics ripe for litigation. The We-Vibe case, which may be the first IoT class action settlement, provides an early glimpse at theories of litigation involving IoT devices and, specifically, allegations of use of private consumer data without knowledge or consent. This case could create a framework for plaintiffs’ attorneys to use in bringing other IoT device cases, including class action matters. It remains to be seen whether actions such as this ultimately will lead to regulation in the IoT space and, if so, how long it will take to enact such regulation.

Please contact Matt Foree if you have any questions regarding the decision, or wish to obtain copies of the documents in this case. In the meantime, we will continue to provide updates regarding IoT litigation and other developments.

MLB Approves Wearable Biometric Monitor During Games – What Are The Risks?

Posted on: March 16th, 2017

By: Amy C. Bender

Major League Baseball has announced it will allow players to wear a WHOOP Strap during games beginning in the 2017 season. The device gathers and analyzes levels of strain, sleep, and recovery by measuring factors such as heart rate, ambient temperature, and levels of motion. It specifically is targeted to athletes and aims to optimize performance and avoid overtraining and injury, such as by determining how much sleep athletes need to perform their best and when it’s time to pull a pitcher from the mound. The biometric data will be available to the player and his or her team as well as – if the player and team consent – the public.  The device has various privacy settings that provide the player control over how much and which data to share.

Importantly, from a data privacy perspective, certain questions naturally arise from use of the device. How much of the data will players and teams want and need to share with sponsors, fans, and competitors? Will – and should – players be able to withhold any of their biometric information from their own team? Can the device be hacked? While most information stored on computers or other electronic devices is subject to some type of cyber attack, data on pro athletes obviously would be of heightened public interest. If such information got into the wrong hands, it could be used to damage a player’s present and future career prospects and the financial health of the player and the team.

It remains to be seen how prolific the device will become in baseball and other pro sports, whether it improves players’ performance, and if and how data stored in the device is vulnerable to cyber attacks. In the meantime, it should make sports more interesting to watch.

For more information contact Amy Bender at [email protected].

The FCC Stays Data Security Rules for Internet Service Providers

Posted on: March 8th, 2017

By: Robyn M. Flegal

The Federal Communications Commission (FCC) voted on Wednesday, March 1, 2017, to temporarily stay a portion of the data security rules passed in October of 2016. The portion of the rules stayed by the FCC would have imposed heightened customer data security requirements on broadband internet service providers. Before the stay went into effect, high-speed internet providers would have been required to (1) secure customer data against hacking and unauthorized uses, and (2) obtain customer permission before using or sharing data on web browsing and usage. The FCC says the stay will remain in effect while the FCC  reconsiders the privacy rules and works with the Federal Trade Commission to create a “comprehensive and consistent” framework for protecting American consumers’ online privacy.

This stay comes after broadband providers and advertising trade groups filed petitions with the FCC, arguing that the rules gave an unfair advantage to web companies who use customer information for advertising purposes. The FCC Chairman stated that the FCC should not be engaged in policing broadband providers over online privacy, and that it did not make sense for internet service providers to be evaluated under a framework distinct from other online companies. This stay is consistent with predictions that the FCC’s privacy rules will be softened under the new administration.

FMG’s Data Security & Privacy team will continue to monitor the FCC’s stay  and will report on any significant developments. For more information contact Robyn Flegal at [email protected].


U.S. Department of Homeland Security Issues Strategic Principles for Securing the Internet of Things

Posted on: March 7th, 2017

By: Matthew N. Foree

As we have reported previously, the growth of network connected devices (“Internet of Things”) has created increasing concerns about the security risks of those devices.  Recently, the U.S. Department of Homeland Security (“DHS”) issued non-binding guidance on this issue entitled “Strategic Principles for Securing the Internet of Things” (the “Principles”). The purpose of the Principles is to “equip stakeholders with suggested practices that help to account for security as they develop, manufacture, implement, or use network connected devices.” To that end, the Principles provide a “set of non-binding principles and suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate.”

In the Principles, the DHS addresses security challenges through the following suggested steps: incorporate security at the design phase, advance security updates and vulnerability management, build on proven security practices, prioritize security measures according to potential impact, promote transparency across the Internet of Things (“IoT”), and connect carefully and deliberately. The DHS notes that the Principles are designed for IoT developers to factor in security when a device is being designed and developed, manufacturers to improve security for consumer devices and vendor management devices, service providers that implement services through IoT devices, and industrial and business level consumers (including the federal government) to serve as leaders in engaging manufacturers and service providers on IoT security.

For each step, the DHS makes several suggestions for best practices. For example, as it relates to incorporating security at the design phase, it suggests enabling security by default through unique, hard to crack default user names and passwords. It also recommends building the device using the most recent operating system that is technically viable and economically feasible. Regarding the promotion of security updates and vulnerability management, the DHS suggests considering ways to secure the device over network connections or through automated means and coordinating software updates among third party vendors. To build on recognized security practices, it recommends starting with basic security and cyber security practices and applying them to the IoT ecosystem in flexible, adaptive and innovative ways.

The DHS notes that “[o]ur nation cannot afford a generation of IoT devices deployed with little consideration for security.” Therefore, the DHS identifies four lines of effort across government and industry to fortify the security of the IoT. First, it suggests coordinating across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risk posed by the IoT.  Second, it suggests building awareness of risk associated with the IoT across stakeholders. Third, it recommends identifying advance incentives for incorporating IoT security. Fourth, it suggests contributing to international standards development processes for IoT devices.

In sum, the DHS’s Principles is another example in a developing list of guidelines for dealing with the growing concerns about the security of IoT devices. It remains to be seen how those who design, manufacture, own, and operate IoT devices choose to incorporate or collaborate regarding these and other suggestions. We will continue to monitor and report on these developments.

For any questions, please contact Matt Foree at [email protected].

Yahoo Pays Steep Price for Data Breaches

Posted on: February 23rd, 2017

By: Kacie L. Manisco

In the wake of Yahoo’s disclosure of two massive data breaches last year, Yahoo and Verizon have finally confirmed that the search giant’s acquisition by Verizon will move forward – but at a steep price for Yahoo. Verizon will now pay $350 million less than its original offer.

The acquisition, which was first announced in July 2016, has been stalled as the companies assess the impact of the two Yahoo data breaches. The first breach, disclosed in September 2016, affected around 500 million accounts, and the second, disclosed in December 2016, affected over 1 billion accounts. These breaches raised uncertainty as to whether Verizon would follow through with the acquisition. Verizon, however, announced this week that it will push ahead. According to Verizon Executive Vice President Marni Walden, “we have always believed this acquisition makes strategic sense.” The deal, now valued at $4.48 billion, is expected to close in the second quarter of 2017.

But, Verizon executives also believe that breach-related costs will continue to mount. Accordingly, the revised acquisition terms call for the two companies to equally share any future legal costs resulting from the data breaches. Yahoo, however – which did not carry cybersecurity insurance –  will be solely responsible for liabilities stemming from SEC investigations and shareholder lawsuits.

The SEC is currently investigating whether the two breaches should have been disclosed sooner to the victims, and whether Yahoo violated securities laws by not providing breach-related documents to the agency. Further, according to an earnings report filed in November 2016, Yahoo faces 23 putative class-action lawsuits in U.S. federal and state courts, just for the September breach alone.

This acquisition has become a cautionary tale about the long-term impact security breaches may have on businesses and big-business deals alike. All of this underscores the importance of working with experienced legal counsel to properly respond to a data breach when it occurs and being proactive before a breach occurs to review your data security policies and practices, as well as your incident response procedure, to make sure you are well-positioned to protect against and respond to a data breach. Please contact FMG’s Data Security, Privacy, and Cyber Liability team to discuss further the steps you can take to protect yourself and your business.