Judge Dismisses Facebook Web-Tracking MDL

In November 2017, Judge Edward J. Davila dismissed a major multidistrict litigation accusing Facebook of unlawfully tracking users’ browsing activity across websites while they were signed out of their accounts.1 The plaintiffs originally asserted several common law, tort, and statutory claims. Judge Davila dismissed most of those claims pursuant to earlier motions, leaving only the plaintiffs’ breach of contract claims intact. Continue Reading

Cybersecurity for This Tax Season

Nearly a year ago, in February 2017, the IRS issued a warning regarding phishing attacks targeting a broad range of companies. The scam involves a hacker impersonating an employee of a company, usually the CEO, and sending an email asking for a list of employees and their W-2 forms. The hacker would then make fraudulent tax filings using the W-2 forms. The scam is similar to the traditional Business Email Compromise (BEC), which involves spoofing an employee account in order to direct wire transfers to fraudulent accounts. Continue Reading

Sears Petitions FTC to Reopen and Modify 2009 Order Concerning Online Browsing Tracking

The Federal Trade Commission (FTC) is seeking public comment on a petition by Sears Holding Management requesting that the FTC reopen and modify a 2009 FTC order settling charges that Sears failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app.

For more information, click here to see our complete WSGR Alert.

To Disclose or Not To Disclose: The FTC’s Dueling Concurrences over Deceptive Omissions in Lenovo

On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo, Inc., regarding the company’s practice of pre-loading advertising software on its laptops that compromised consumers’ cybersecurity and privacy.1 In many respects, the case was reasonably straightforward: the facts as alleged were clear, and the terms of the settlement were not unusual. But what makes this case interesting are the dueling concurrences issued by Acting Chairman Ohlhausen and Commissioner McSweeny regarding the FTC’s authority to challenge omissions. These concurrences continue a debate that has been stirring on and off at the FTC for more than 30 years, and they raise important questions about the agency’s future enforcement priorities. Continue Reading

Northern District of California Drops FTC Unfairness Claim Against D-Link Systems

The U.S. District Court for the Northern District of California recently issued a mixed ruling on D-Link Systems’ motion to dismiss in FTC v. D-Link Sys., Inc.1 D-Link sells routers and Internet protocol (IP) cameras that it markets as having good data security, including “the latest wireless security features to help prevent unauthorized access” and “the best possible encryption.”2 The Federal Trade Commission (FTC) filed a complaint against D-Link, alleging that the company’s products were in fact subject to “widely known and reasonably foreseeable risks of unauthorized access,” and that, among other things, D-Link failed to deploy “free software, available since at least 2008, to secure users’ mobile app login credentials.”3 The complaint alleges five claims for deceptive marketing practices and one count for unfair practices under Section 5 of the FTC Act. Continue Reading

Class Action Standing and Data Breaches: When Is There an Injury-in-Fact?

The biggest question looming over every class-action case filed in response to a data breach is: Will the plaintiffs have standing? The answer has divided courts in recent cases across the country.

Last year, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that Congress could not confer standing to plaintiffs based on a violation of a statute alone.1 Instead, the Court held that, even if a statute has been violated, plaintiffs must prove they have an injury-in-fact and that the injury is both concrete and particularized. Spokeo added a new layer of complexity in pleading standing in data breach cases. Previously, the Supreme Court held in Clapper v. Amnesty International USA that “conjectural” or “hypothetical” injuries were insufficient to confer standing and that harm must be “certainly impending.”2 What Spokeo and Clapper mean in practice for data-breach cases is far from settled.

Continue Reading

LexBlog