Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • 9th Circuit: Networking site cannot deny data scraping access to publicly available profiles

    Privacy, Cyber Risk & Data Security

    On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations brought by the networking site claiming the data analytics company used automated bots to extract user data from the networking site’s website (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The networking site sent the data analytics company a cease-and-desist letter, asserting violations of state and federal law, including the Computer Fraud and Abuse Act (CFAA). The data analytics company responded that it had a right to access the public pages and later sought a preliminary injunction. In granting the preliminary injunction, the district court ordered the networking site to, among other things, “remove any existing technical barriers to [its] public profiles, and to refrain from putting in place any legal or technical measures” that would block access.

    The 9th Circuit previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the data analytics company’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States.

    On remand, the appellate court reviewed whether the data analytics company accessed data “without authorization” in violation of the CFAA after it received the cease-and-desist letter. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested that the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. “A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser,” the appellate court wrote. “In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.” Therefore, the court held, the phrase “without authorization” does not apply to public websites.

    In determining that a preliminary injunction was appropriate, the appellate court held that the district court did not abuse its discretion in concluding that the data analytics company met the standard of establishing that the plaintiff is likely to succeed on the merits, is likely to suffer irreparable harm without such relief, that the “balance of equities” is in the favor of the plaintiff, and that the injunction would be in the public interest.  The court found that the data analytics company showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” In considering the balance of hardships, the 9th Circuit agreed that the scales “tipped sharply” in favor of the data analytics company “when weighing the likelihood that [the data analytics company] would go out of business against [the networking site’s] assertion that an injunction threatened its members’ privacy” and therefore risked the goodwill it had developed with its members. Finally, the court rejected the networking site’s claims that the data analytics company violated the CFAA, which would have preempted the remaining state law claims.  
     

    Privacy/Cyber Risk & Data Security Courts Appellate Ninth Circuit Cyber Risk & Data Security Computer Fraud and Abuse Act Data Scraping

    Share page with AddThis
  • District Court grants motion to dismiss in privacy suit

    Courts

    On February 17, the U.S. District Court for the District of Delaware granted a motion to dismiss a putative class action suit for lack of Article III standing, in which plaintiffs alleged that the defendant violated their privacy rights by intercepting and recording mouse clicks and other website visit information. According to the memorandum opinion, the plaintiffs alleged defendant’s recording of that information violated, among other things, the California Invasion of Privacy Act (CIPA) and the Federal Wiretap Act. In finding the plaintiffs’ failed to plead a concrete injury, the district court found while the “[p]laintiffs have a legally cognizable interest in controlling their personal information and that intrusion upon that interest would amount to a concrete injury[,]” they failed to identify how any of their personal information was implicated in the complaint. The court explained: “[p]laintiffs fail to explain how either [the defendants] possession of anonymized, non-personal data regarding their browsing activities on [the defendant’s] website harms their privacy interests in any way.” The district court also noted that the plaintiffs did not make any allegations to suggest a risk of imminent or substantial future harm.

    Courts Privacy Cyber Risk & Data Security California Class Action

    Share page with AddThis
  • New Jersey settles CFA and HIPAA violations following 2019 data breach

    Privacy, Cyber Risk & Data Security

    On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, were exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”

    Privacy Cyber Risk & Data Security State Issues State Attorney General Settlement Data Breach Consumer Protection

    Share page with AddThis