Internet Law

FTC v. Wyndham Worldwide Corporation

Published on: November 23, 2015 | by Law Offices of Salar Atrizadeh

On August 24, 2015, the United States Court of Appeals for the Third Circuit handed down its decision in favor of the Federal Trade Commission (FTC) against Wyndham Worldwide Corporation. This lawsuit was against the defendant and its subsidiaries for their failure to implement proper cybersecurity measures and protect consumers’ personal information against hackers. The FTC alleged that defendants did not use encryption, firewalls, and other commercially reasonable methods for protecting personal information.

What was the basis of the lawsuit?

In general, the FTC has the responsibility to protect consumers against unfair and deceptive business practices. These illegal practices could range from false advertising to antitrust issues. The FTC has started to prosecute companies with inadequate cybersecurity to protect consumer data. The companies that made false statements about their level of security in their terms of service also had lawsuits filed against them. In this case, between 2008 and 2009, hackers breached Wyndham Worldwide Corporation’s network and computer systems three separate times. One incident occurred in 2008 and two occurred in 2009. The hackers were allegedly able to breach the network due to the use of weak and obvious passwords, lack of response to the first incident, and inadequate monitoring systems. In one of the instances, it took approximately two months for Wyndham Worldwide Corporation to discover its systems had been accessed without authorization. The hackers successfully accessed personal information of approximately 619,000 consumers and managed to cause $10.6 million in fraudulent charges. Therefore, on June 26, 2012, the FTC brought the lawsuit against defendants. Their motion to dismiss was denied by the district court and their appeal was heard on two issues in order to determine whether there was a valid claim. The issues that were raised included: (1) whether the FTC had authority to regulate cybersecurity under 15 U.S.C. § 45; and (2) if so, whether defendants received fair notice that their cybersecurity practices were inadequate under the guidelines.

Radio Frequency Identification and Related Issues

Published on: November 9, 2015 | by Law Offices of Salar Atrizadeh

The term RFID is everywhere these days. Consumers are seeing RFID blocking wallets, credit card holders, and passport covers as the holidays approach. However, many still do not know what it is and how it is used in their every day life.

What is RFID?

RFID stands for “Radio Frequency Identification” and is a term used to describe technology that makes identifications via radio waves. It is usually discussed in conversations and articles about the Internet of Things because it is a form of automatic identification. The term automatic identification covers a broad range of identification technologies, from bar codes to retinal scans, used by machines to make identifications. The identification of people or objects occurs through the use of microchips that store electronic information. The microchip has an antenna and the information is picked up through a reader using radio waves. The microchip can be as small as a grain of sand and made out of silicone. Although, this technology has been in use since World War II, it has only become widely used in the past two decades as costs have decreased. RFID technology is now used in certain products and businesses. Walmart and other stores use RFID technology to keep track of products and consumer activities. They use RFID to do anything from detecting an item about to be stolen as it exits the door, or trigger cameras when an item is removed from the shelf. Anyone who has ever used the EZ-Pass toll roads has experienced the use of RFID technology as it is used to identify cars with EZ-Pass. Nonetheless, this is just a limited representation of the use of RFID technology to track consumers and products.

Data Breach Notification and Applicable Laws

Published on: October 26, 2015 | by Law Offices of Salar Atrizadeh

This year saw the data breaches of Sony Pictures, Ashley Madison, and Experian Credit Bureau. The increasing commonality of data breaches has prompted the federal and state legislatures to review their data breach notification laws.

What is a data breach?

A data breach occurs when an unauthorized user (i.e., hacker) accesses sensitive personal identifiable information. The hacker then copies the confidential information and uses it as he or she sees fit. Often times, the personally identifiable information is used to commit identity theft and fraud. This information can include, names, telephone numbers, email addresses, credit card numbers, or social security numbers. The target of these breaches can be businesses, financial institutions, and health care institutions.

Eagle v. Morgan: Employer Access to Employee Social Media Accounts

Published on: October 19, 2015 | by Law Offices of Salar Atrizadeh

The case of Eagle v. Morgan is about an employer’s access to employee’s social media account. This case highlights the importance of companies having social media policies to address the ownership of social media accounts during and after employment.

What is the case about and how does it affect your rights?

In Eagle v. Morgan, the plaintiff (i.e., Linda Eagle) had founded the company Edcomm, Inc. (“Edcomm”) and remained an employee when she sold her shares to Sawabeh Information Services Company (“SISCOM”). While employed at the company as CEO, Eagle’s coworker recommended creating a LinkedIn account for marketing purposes. Although, the business would occasionally become involved in the social media account’s content, and Eagle used her company email address, however, she was individually bound by the User Agreement and had made connections through her own efforts. Edcomm did not require its employees to have social media accounts and had only limited guidelines in place regarding employee use of LinkedIn. When Linda Eagle’s employment was terminated, the question of who owned the social media account became an issue. Edcomm changed Linda Eagle’s password by using her former company email address and replaced her name with that of her new replacement, i.e., Sandy Morgan. Linda Eagle sued Edcomm and multiple defendants in the United States District Court for the Eastern District of Pennsylvania. She claimed that this was an infringement of the Computer Fraud and Abuse Act and Lanham Act, as well state laws against invasion of privacy by misappropriation of identity, conversion, civil conspiracy, civil aiding and abetting, tortious interference with contract, unauthorized use of name in violation of Pa. C.S. § 8316, misappropriation of publicity, and identity theft under Pa. C.S. § 8316.

E-commerce Transactions: Issues and Disputes

Published on: October 12, 2015 | by Law Offices of Salar Atrizadeh

From a practical perspective, transactions that occur over the Internet can face similar issues that regular business transactions may encounter in their daily operations. However, e-commerce transactions have the added problems associated with cyberspace laws. It is nearly impossible for a business to be successful these days without having a website. Although, not all websites actively conduct business over the Internet, however, e-commerce related issues and disputes may arise from having an online presence.

What issues and disputes face e-commerce transactions?

E-commerce transactions have created a new environment for companies that conduct their business on the Internet. For example, contractual and non-contractual issues, such as free speech, consumer protection, and competition laws now face businesses that ship products, provide online goods/services, and use the Internet for marketing. Therefore, conducting business online involves unique legal concerns that is distinct from traditional business models. In sum, the concerns are centered on privacy, security, and regulation.

E-commerce Transactions

Published on: September 28, 2015 | by Law Offices of Salar Atrizadeh

The phrase “e-commerce transactions” invokes thoughts of a complicated and technical phenomenon. In fact, many people partake in e-commerce transactions every day.

What is an e-commerce transaction?

An electronic commerce (a/k/a “e-commerce”) transaction involves a commercial transaction that takes place over the Internet. So, any trading of products or services over any electronic network, including, but not limited to, the Internet, is considered a part of e-commerce. The e-commerce transactions covered by the term include, business-to-business, business-to-consumer, consumer-to-consumer, and consumer-to-business. There are three categories of e-commerce transactions. There are agreements with: (1) Shrinkwrap terms—when a tangible product is delivered to a physical address usually in shrinkwrap or clear packaging; (2) Clickwrap terms—in which a digital product is delivered over a network (e.g., e-book); and (3) Browsewrap terms—when terms are agreed to in order for a consumer to access and use a website. However, e-commerce does not always involve actual money. The transaction can involve e-cash, digital currencies (e.g., Bitcoin), or services.

Internet of Things and Security

Published on: September 21, 2015 | by Law Offices of Salar Atrizadeh

The Internet of Things (“IoT”) is the network of electronic devices that communicate with each other via the Internet without human intervention. It has caused concerns regarding security since vast amounts of unsecure electronic devices are being used to send and receive information. Furthermore, the data breaches that lead to the loss of privacy have become more common as the Internet is used to connect electronic devices via private and public networks.

What is the proper security level for electronic devices?

Electronic devices that connect to each other over the Internet were created to transfer information, but were not originally designed with proper security features. What is the proper security level when electronic devices are interconnected? In order to avoid unauthorized access, security precautions should be implemented within the electronic devices and computer networks. For example, firewalls, encryptions, intrusion detection systems, and multi-factor authentications should be implemented as preventive and reactive measures. The electronic devices—which are accessed via the Internet—should be segmented into their own network and include network access restrictions. Also, consumers should change the default passwords on smart devices and implement strong passwords.

What is Quantum Computing?

Published on: September 14, 2015 | by Law Offices of Salar Atrizadeh

A quantum computer is a highly-advanced computer system that works exponentially faster than today’s conventional computers. Quantum computing is the practice of studying quantum computers and their potential. This practice is growing and has caused the rapid decrease in the size of computers at the same time as these systems are rapidly increasing in their capability. However, quantum computers are still being developed and have not yet become accessible.

What is a quantum computer?

A quantum computer is an advanced computer system. Quantum computing studies theoretical computation systems which use quantum-mechanical phenomena (e.g., superposition, entanglement) to perform data operations. While the average computer’s memory is made up of bits, a quantum computer’s memory is made up of qubits. A regular computer saves information in binary form using zeroes and ones, which are called bits. These strings of numbers, which are comprised of 0s and 1s, create codes that instruct the computer on how to proceed. However, a qubit in a quantum computer is a particle (e.g., atom, electron, photon) which is manipulated to store information. It is a two-state quantum-mechanical system, such as the polarization of a single photon, which can be vertical and horizontal polarization. So, the particle is manipulated in its quantum properties, like its spin or polarization, and can have multiple properties. Because of the flexibility and variation of qubits, more information can be stored on a quantum computer. Most importantly, information can be processed at an exponentially faster rate. For example, a problem that would take a conventional computer several minutes to solve due it its complexity, could be solved in less than a second by a quantum computer. This is because today’s conventional computers must go through each problem one step at a time, where a quantum computer has the ability to solve multiple problems instantaneously.

Class Action and the Song-Beverly Credit Card Act

Published on: September 7, 2015 | by Law Offices of Salar Atrizadeh

Class certification can be a complicated issue that does not just rely on fulfilling the usual requirements. For example, in Gass v Best Buy Co., Inc., an issue of fact had to be determined in order to confirm the class action certification.

What was the court’s decision in Gass v. Best Buy Co., Inc.?

Gass v. Best Buy Co., Inc. was a class action that failed due to the way plaintiffs’ claim was brought. In this case, multiple parties brought separate lawsuits against Best Buy claiming that its practices were against the Song-Beverly Credit Card Act. The claimants then merged their claims. The “class” claimed to be representing “[a]ll persons from whom Defendant requested and recorded personal identification information in conjunction with a credit card transaction… and a subclass of those who were asked for their information relating to the pre-enrollment . . . in Defendant’s Reward Zone program in conjunction with a credit card transaction.” The Song-Beverly Credit Card Act says that companies may not request or require, as a condition to accepting the credit card, the cardholder to provide personal identification information. The practices in question were: (1) when employees asked customers for additional information if they agreed to be in the Rewards program; (2) when customers were asked for their phone number if they forgot their member cards; and (3) if a card failed to swipe on a charge over $100, the customer would be asked for a zip code in order to look up his/her information. First, the court determined that these requests for identification were not illegal. Second, since the requests for information were not a violation, the court ruled that plaintiffs could not be certified as a class. This was because the definition of those affected was overbroad and included customers who may not have suffered any violation. The court ruled that, if the plaintiffs wished to pursue a specific violation, each could proceed individually.

Internet of Things and Privacy

Published on: September 3, 2015 | by Law Offices of Salar Atrizadeh

The Internet of Things (a/k/a “IoT”) functions through smart devices that communicate with each other and collect data without human interaction. These devices include smart cars, smart homes, smart hospitals, smart highways, or smart factories. However, the lack of security protecting information is creating privacy concerns as data is collected by companies and shared with third parties (e.g., marketing firms, governmental agencies). Also, the smart device can be accessed without authorization (i.e., hacked) by third parties and its information can be used for various illegal purposes.

What is the Internet of Things and what private information does it hold?

According to the Organization for Economic Cooperation and Development (“OECD”), one of the Fair Information Practice Principles is the collection limitation of personal data. Stated otherwise, data should be collected with the owner’s consent, through fair and lawful means, and should be limited. The OECD has issued its guidelines that are considered as minimum standards for the protection of privacy and individual liberties. From a practical standpoint, these principles (and relevant guidelines) should be uniformly enforced in the United States and other countries.