On March 3, 2017, the FTC announced the results of a study about online businesses’ use of proper email authentication technology to prevent phishing attacks. The study’s sample included 569 large online businesses with strong ties to the U.S. The FTC found that 86 percent of those businesses use Sender Policy Framework—an email authentication technology that enables Internet Service Providers (“ISPs”) to determine whether an email is from a legitimate source (e.g., whether an email that claims to be from a business’s domain in fact came from the business). Continue Reading FTC Study Recommends Wider Implementation of DMARC to Combat Phishing Attacks
On February 6, 2017, the House of Representatives suspended its rules and passed by voice vote H.R 387, the Email Privacy Act. As we previously reported, the Email Privacy Act amends the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Continue Reading House of Representatives Passes Email Privacy Act
On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena. Continue Reading Email Privacy Act Reintroduced in Congress
On December 27, 2016, the Securities and Exchange Commission (“SEC”) announced charges against three Chinese traders who allegedly made almost $3 million in illegal profits by fraudulently trading on nonpublic information that had been hacked from two New York-based law firms. This is the first action in which the SEC has brought charges in connection with an incident involving hacking into a law firm’s computer network.
On October 18, 2016, the United States Court of Appeals for the Fifth Circuit held in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that a crime protection insurance policy does not cover loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy. Continue Reading Court Rules Fraud Involving a Computer Is Not ‘Computer Fraud’ under Crime Protection Policy
This post has been updated.
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities. Continue Reading Second Circuit Holds Microsoft Cannot Be Compelled to Turn Over Emails Stored Abroad
On October 23, 2015, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.
On September 11, 2015, the Federal Communications Commission (“FCC”) announced that Lyft Inc. (“Lyft”) and First National Bank Corporation (“FNB”) violated the Telephone Consumer Protection Act (“TCPA”) by forcing their users to consent to receive automated text messages as a condition of using their services. The FCC warned that these violations could result in fines if they continue.
On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:
- personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
- a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
- unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).
In December 2014, we reported that various technology companies, academics and trade associations filed amicus briefs in support of Microsoft’s attempts to resist a U.S. government search warrant seeking to compel it to disclose the contents of customer emails that are stored on servers in Ireland. On December 23, 2014, the Irish government also filed an amicus brief in the 2nd Circuit Court of Appeals.