Epic Games, Inc. (“Epic”) is the publisher of the popular online multiplayer videogame Fortnite, released in 2017. In recent years, Fortnight has gained worldwide popularity with gamers and esports followers (culminating in July 2019 when a sixteen-year-old player won the $3 million prize for winning the Fortnite World Cup).  Players, in one version of the game, are dropped onto a virtual landscape and compete in a battle royale to survive.  In the real world, Epic recently survived its own encounter – not with the help of scavenged weapons or shield potions – but through its well-drafted end user license agreement (“EULA” or “terms”).

Earlier this month, the District Court for the Eastern District of North Carolina granted Epic’s motion to compel individual arbitration of the claims of a putative class action.  The action arose in connection with a cyber vulnerability that allowed hackers to breach user accounts. The court concluded that the arbitration provision contained in the EULA was enforceable in this case, even where a minor was the person who ultimately assented to the terms. (Heidbreder v. Epic Games, Inc., No. 19-348 (E.D.N.C. Feb. 3, 2020)).   

On January 7, 2019, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced its 2020 examination priorities. In doing so, OCIE identified certain areas of technology-related concern, and in particular, on the issue of alternative data and cybersecurity. [For a more detailed review of OCIE’s

Last month, a California district court granted a web-based service’s motion to compel arbitration of a putative class action brought by a user whose personal information was allegedly accessed in a massive 2016 data breach that involved 339 million user accounts. (Gutierrez v. FriendFinder Networks Inc., No. 18-05918 (N.D. Cal. May 3, 2019)). While the opinion noted that courts in the Ninth Circuit are traditionally “reluctant to enforce browsewrap agreements against individual consumers,” the outcome of the case suggests that enforcement of website terms is not just a straight up-or-down analysis of the method used to present the terms to the user but may involve tangential, yet important interactions between the user and the site outside the initial registration process. 

As we approach the end of 2017, it is a time to reflect on the dizzying pace of technology evolution this year, and the amazing array of legal issues it presented. Similarly, it is a time to look forward and anticipate what technology-related issues we will be thinking about in the coming year.

For 2017, the list is long and varied.

This year, the true potential of blockchain was recognized by many in the commercial sector. While recent blockchain-related headlines have focused on the rise (and regulation) of cryptocurrencies, a great deal of the blockchain action has been in back office applications in financial services, supply chain and other areas.  Industry wide consortia have been formed, trials and proof of concepts have been run, and, as evidenced by the recent announcement by the Australian Stock Exchange to replace its clearing and settlement system with a blockchain based system, we are moving into full production implementations of blockchain systems.

Cybersecurity garnered major attention in 2017. Unfortunately, data breaches continued to be a constant headline item, as were related class action litigation. As a result, cybersecurity was a “top of the agenda” item for state and federal agencies, state legislatures, regulators, corporate boards, GCs and plaintiffs’ lawyers.

As a related matter, privacy issues were also front and center this year. In particular,  we saw increased activity in some of the cutting edge areas of privacy law, including biometrics-related litigation (particularly under the Illinois Biometric Information Privacy Act (known as BIPA)), video streaming privacy (particularly under the Video Privacy Protection Act, or the VPPA)) and mobile-related privacy issues.

There are many other issues that occupied our minds this year, including artificial intelligence, virtual and augmented reality, online copyright liability (including application of the DMCA in online contexts), and publisher/distributor liability for third party content online (under Section 230 of the Communications Decency Act).  Additionally, parties involved in agreements of all types have been increasingly focused on technology-related legal risk, and were more intent on addressing and shifting technology-related risks with very specific contractual provisions.

UPDATE: Prior to the close of the legislative session, the amended AB 83 failed to make it out committee.

With the session ending on August 31st, the California legislature is debating a bill (AB 83) that would expand data security requirements for businesses that maintain personal information of California residents to include, among other things, protection for geolocation and biometric data. Under existing law (Cal. Civ. Code §1798.81.5(b)), a person or business that owns, licenses, or maintains a California resident’s “personal information,” must implement and maintain “reasonable security procedures and practices appropriate to the nature of the information.”   The current law also lists multiple types of covered “personal information.”

The Ninth Circuit, sitting en banc, has upheld a district court’s dismissal of criminal charges under the Computer Fraud and Abuse Act that were predicated on misappropriation of proprietary documents in violation of the employer’s computer use policy. United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS

Newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The regulations are national and international in scope, as they apply to all companies – wherever located– using personal data