In the recent and significant Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) decision the High Court in England clarified the limited circumstances in which claims for breach of confidence, misuse of private information and the tort of negligence might be advanced by individuals for compensation for distress relating to a cyber-security breach where the proposed defendant was itself a victim of a third-party cyber-attack. The decision has made it harder to bring free standing/non-statutory cyber-security breach claims in England and Wales where the proposed defendant has not positively caused the breach, and has also brought into question how such claims may be funded going forward (particularly, via “After-the-Event insurance”).
Southwest Airlines Wins Injunction Barring Travel Site from Scraping
On September 30, 2021, a Texas district court granted Southwest Airline Co.’s (“Southwest”) request for a preliminary injunction against online travel site Kiwi.com, Inc. (“Kiwi”), barring Kiwi from, among other things, scraping fare data from Southwest’s website and committing other acts that violate Southwest’s terms. (Southwest Airlines Co. v. Kiwi.com, Inc., No. 21-00098 (N.D. Tex. Sept. 30, 2021)). Southwest is no stranger in seeking and, in most cases, obtaining injunctive relief against businesses that have harvested its fare data without authorization – ranging as far back as the 2000s (See e.g., Southwest Airlines Co. v. BoardFirst, LLC, No. 06-0891 (N.D. Tex. Sept. 12, 2007) (a case cited in the current court opinion)), and as recently as two years ago, when we wrote about a 2019 settlement Southwest entered into with an online entity that scraped Southwest’s site and had offered a fare notification service, all contrary to Southwest’s terms.
In this case, the Texas court found that Southwest had established a likelihood of success on the merits of its breach of contract claim. Rejecting Kiwi’s arguments that it did not assent to Southwest’s terms, the court found that Kiwi had knowledge of and assented to the terms in multiple ways, including by agreeing to the terms when purchasing tickets on Southwest’s site. In all, the court found the existence of a valid contract and Kiwi’s likely breach of the terms, which prohibit scraping Southwest’s flight data and selling Southwest flights without authorization. The court also found that Southwest made a sufficient showing that Kiwi’s scraping and unauthorized sale of tickets, if not barred, would result in irreparable harm. In ultimately granting Southwest’s request for a preliminary injunction, the Texas court also found that Southwest also demonstrated the threatened injury if the injunction is denied outweighed any harm to Kiwi that will result if the injunction is granted and that the injunction would be in the public interest.
What made this result particularly notable is that the preliminary injunction is based on the likelihood of success on the merits of Southwest’s breach of contract claim and Kiwi’s alleged violation of Southwest’s site terms, as opposed to other recent scraping disputes which have centered around claims of unauthorized access under the federal Computer Fraud and Abuse Act (CFAA). Continue Reading
SEC Brings First Enforcement Action Against Alternative Data Provider
On September 14, 2021, the Securities and Exchange Commission (“SEC”) filed a settled securities fraud action against App Annie Inc., one of the largest sellers of market data on how apps on mobile devices are performing, and its co-founder and former CEO and Chairman Bertrand Schmitt. The settlement is the first enforcement action brought by the SEC against an alternative data provider. As part of the settlement, App Annie agreed to pay a $10 million civil penalty and Schmitt agreed to pay a $300,000 penalty and to be barred from serving as an officer or director of a public company for three years.
For further discussion of this enforcement, please see our Client Alert posted on Proskauer’s website.
Another NY Court Repudiates Ninth Circuit “Server Test” in Case over Embedded Video
On July 30, 2021, a New York district court declined to dismiss copyright infringement claims with respect to an online article that included an “embedded” video (i.e., shown via a link to a video hosted on another site). The case involved a video hosted on a social media platform that made embedding available as a function of the platform. The court ruled that the plaintiff-photographer plausibly alleged that the defendants’ “embed” may constitute copyright infringement and violate his display right in the copyrighted video, rejecting the defendants’ argument that embedding is not a “display” when the image at issue remains on a third-party’s server (Nicklen v. Sinclair Broadcast Group, Inc., No. 20-10300 (S.D.N.Y. July 30, 2021)). Notably, this is the second New York court to decline to adopt the Ninth Circuit’s “server test” first adopted in the 2007 Perfect 10 decision, which held that the infringement of the public display right in a photographic image depends, in part, on where the image was hosted. With this being the latest New York court finding the server test inapt for an online infringement case outside of the search engine context (even if other meritorious defenses may exist), website publishers have received another stark reminder to reexamine inline linking practices. Continue Reading
Settlement in Plaid Fintech Data Case
On August 5, 2021, a proposed class action settlement was reached in the closely-watched privacy action against fintech services company Plaid Inc. (“Plaid”). The settlement features a $58 million settlement fund and certain injunctive relief that would make changes to Plaid’s methods of notice and consumer data collection, including provisions requiring the deletion of certain banking transaction data. (In re Plaid Inc. Privacy Litig., No. 20-3056 (N.D. Cal. Memorandum of Points for Proposed Settlement Aug. 5, 2021)). The settlement is still subject to court approval.
Plaid is a fintech services company that offers applications that provide account linking and verification services for various fintech apps that consumers use to send and receive money from their bank accounts. The consolidated actions involve claims surrounding Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent. Plaintiffs’ complaint also contended that at no time were users ever given conspicuous notice or meaningfully prompted to read through Plaid’s privacy policy indicating that Plaid receives and retains access to their financial institution account login credentials or uses their credentials to collect and sell their banking information. As we wrote about back in May 2021, the California district court, in deciding Plaid’s motion to dismiss, trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, but allowed other state law privacy claims to go forward. Continue Reading
Second Circuit Vacates CDA Decision and Reissues a Narrower Opinion Reaching Same Conclusion, Providing Some Practical CDA Lessons for the Future
Less than one week after issuing an order vacating its own March 2021 opinion in an important Communications Decency Act (“CDA”) case and granting a petition for rehearing, the Second Circuit issued a new opinion reaffirming “protection” under Section 230 of the CDA for video-sharing site Vimeo, Inc. (“Vimeo”) (Domen v. Vimeo, Inc., No. 20-616 (2d Cir. July 21, 2021) (amended opinion)).
It’s not completely clear why the Second Circuit decided to grant a rehearing and amend its original opinion to only reach essentially the same holding. It is possible that given the attention surrounding the CDA, the court thought it best to narrow the language of its original holding so it could insulate its ruling from possible Supreme Court review (recall, Justice Thomas previously issued a statement following denial of certiorari in a prior CDA case, that “in an appropriate case,” the Court should consider whether the text of the CDA “aligns with the current state of immunity enjoyed by Internet platforms”). The Second Circuit’s second decision arguably watered down some of its stronger statements in its earlier opinion enunciating broad CDA immunity (e.g., even swapping out the word “immunity” for “protection” when discussing the CDA). The court even mused in dicta near the end of the opinion about the types of claims that might fall outside of CDA protection, as if to intimate that CDA Section 230 immunity is broad, but not as broad as its detractors suggest.
Yet, despite the narrowing of its original opinion, the court reached the same result under the same reasoning. As in the original (now vacated) opinion from March 2021, the Second Circuit’s amended decision relied on Section 230(c)(2), the Good Samaritan provision, which allows online providers to self-regulate the moderation of third party content in good faith without fear of liability. Unlike the original opinion, in the second go-round the appeals court also knocked out the plaintiff’s claims on the merits, finding allegations of discrimination based on the presence of similar videos uploaded by other users that were left up on the site as “vanishingly thin” (thereby further reducing the chance of Supreme Court review). Continue Reading
Supreme Court Vacates LinkedIn-HiQ Scraping Decision, Remands to Ninth Circuit for Another Look
On June 14, 2021, in a closely-watched dispute involving the Computer Fraud and Abuse Act (CFAA), the Supreme Court granted LinkedIn Corp.’s (“LinkedIn”) petition for certiorari filed in the hiQ web scraping case. It subsequently vacated the Ninth Circuit 2019 opinion and remanded the case to the Ninth Circuit for further consideration in light of the Supreme Court’s decision from earlier this month in Van Buren v. United States, 593 U. S. ___ (June 3, 2021). (LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116, 593 U.S. ___ (GVR Order June 14, 2021)).
In Van Buren, the Supreme Court reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds unauthorized access” under the CFAA, ruling that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him or her.
The LinkedIn-hiQ dispute involves a different part of the CFAA’s “unauthorized access” section than the Van Buren case. The question in the hiQ dispute concerns the scope of CFAA liability to unwanted web scraping of publicly available social media profile data and whether once data analytics firm hiQ received a cease-and-desist letter from LinkedIn demanding it stop scraping public profiles, any further scraping of such data was “without authorization” within the meaning of the CFAA. In 2017 the lower court issued a preliminary injunction, expressing “serious doubt” as to whether LinkedIn’s revocation of permission to access the public portions of its site rendered hiQ’s access “without authorization” within the meaning of the CFAA. On appeal, in 2019 the Ninth Circuit affirmed, notably ruling that: “It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.” In 2020 LinkedIn filed a petition for a writ of certiorari asking the Supreme Court to overturn the Ninth Circuit’s ruling. And now, in the wake of Van Buren, the Supreme Court has vacated the appeals court ruling and sent the case back to the Ninth Circuit for further consideration.
So what’s next? Some thoughts: Continue Reading
Some Interesting CDA Section 230 Developments: A Novel FCRA Victory, a Negligent Design Exception and a Startling New State Law
In the past month, there have been some notable developments surrounding Section 230 of the Communications Decency Act (“CDA” or “Section 230”) beyond the ongoing debate in Congress over the potential for legislative reform. These include a novel application of CDA in a FCRA online privacy case (Henderson v. The Source for Public Data, No. 20-294 (E.D. Va. May 19, 2021)) and the denial of CDA immunity in another case involving an alleged design defect in a social media app (Lemmon v. Snap Inc., No. 20-55295 (9th Cir. May 4, 2021), as well as the uncertainties surrounding a new Florida law that attempts to regulate content moderation decisions and user policies of large online platforms. Continue Reading
Supreme Court Ends Long-Running Circuit Split over CFAA “Exceeds Authorized Access” Issue, Adopting a Narrow Interpretation That Will Reverberate in Scraping Disputes and Litigation over Departing Employees
In a closely-watched appeal, the Supreme Court, in a 6-3 decision, reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds unauthorized access” under the Computer Fraud and Abuse Act (CFAA), ruling that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him or her. (Van Buren v. United States, No. 19-783, 593 U.S. ___ (June 3, 2021)). The majority equated “exceed[ing] authorized access” with the act of “entering a part of a system to which a computer user lacks access privileges,” rejecting the Government’s contention that a person who is authorized to access information from a protected computer for certain purposes violates CFAA Section 1030(a)(2) by accessing the computer with an improper purpose or motive. Put simply, the court’s view suggests a “gates-up-or-down” approach where the CFAA prohibits accessing data one is not authorized to access.
Although the case involved a criminal conviction under the CFAA, Van Buren gave the Supreme Court the opportunity to resolve a long-standing circuit split and heavily-litigated issue that arose in both criminal and civil cases under the CFAA’s “unauthorized access” provision. This provision of the CFAA is routinely pled in cases against former employees that have accessed proprietary data in their final days of employment for an improper purpose (e.g., for use in their new job or competing venture). It is also a common claim in disputes involving unwanted web scraping. On the latter point, the Court’s narrow interpretation of the “exceeds authorized access” provision would appear to be right in line with the narrow interpretations of the CFAA enunciated by the Ninth Circuit in its blockbuster hiQ opinion, which held that that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA and in its Power Ventures precedent, which held that, in the context of unwanted data scraping, a violation of the terms of use of a website, without more, cannot be the basis for civil liability under the CFAA. Continue Reading
The President Revokes Prior Administration’s Executive Order on CDA Section 230
On May 14, 2021, President Biden issued an executive order revoking, among other things, his predecessor’s action (Executive Order 13295 of May 28, 2020) that directed the executive branch to clarify certain provisions under Section 230 of the Communications Decency Act (“Section 230” or the “CDA”) and remedy what former President Trump had claimed was the social media platforms’ “selective censorship” of user content and the “flagging” of content that does not violate a provider’s terms of service. The now-revoked executive order had, among other things, directed the Commerce Department to petition for rulemaking with the FCC to clarify certain aspect of CDA immunity for online providers (the FCC invited public input on the topic, but did not ultimately move forward with a proposed rulemaking) and requested the DOJ to draft proposed legislation curtailing the protections under the CDA (the DOJ submitted a reform proposal to Congress last October). Continue Reading
