2014 Developments in Cyberspace Law

• Publication year: 2015
• Author: Sarah de Diego

2014 Developments in Cyberspace Law

Sarah de Diego

This article briefly summarizes selected developments in Cyberspace Law during 2014, including noteworthy cases, new legislation, and other developments in internet and technology law.

California Legislation

Assembly Bill 1710 (Dickinson)—Personal Information Privacy

(Enacted Chapter 855)

Previous law required any person or business conducting business in California who owned, maintained, or licensed computerized data, including personal information, to disclose a breach of the security of the system or the data to any California resident. Section 2 (1798.82 of the Civil Code)¹ now requires that if the person or business was the source of the breach, in addition to the disclosure/notification, they must provide identity theft protection for no less than 12 months, following the breach, to those affected from exposure or possible exposure of personal information.

Amends sections 1798.81.5, 1798.82, and 1798.85 of the Civil Code, relating to personal information privacy.

Senate Bill 568 (Steinberg) Prohibited Advertising To Minors - Effective Jan 1, 2015

(Enacted Chapter 336)

Effective January 1, 2015, section 22580² of the Business Professions Code prohibits California website operators from advertising a product or service to a minor in any of 19 categories outlined in the Code. Categories include alcohol, firearms, ammunition, spray-paint, tobacco, BB guns, fireworks, UV tanning devices, diet pills, lottery tickets, tattoos, drug paraphernalia, electronic cigarettes, and obscene matter, among other things. Website operators who use an advertising service will be deemed in compliance with this statute as long as they properly advise the advertising service that the site is directed to minors. Advertising services should then put in place a specific measure to prevent such advertising.

Adds Chapter 22.1 (commencing with section 22580) to Division 8 of the Business and Professions Code, relating to the Internet.

Senate Bill 568 (Steinberg) Part 2—"California's Internet Eraser Law"- Also effective Jan 1, 2015

Also enacted under S.B. 568, effective January 1, 2015, section 22581³ requires web hosting companies and other entities hosting the content of others to implement new takedown options for their minor users. Specifically, the newly minted Business and Professions Code section provides that an operator of a website, which is defined broadly under the statute, shall permit anyone under the age of 18 who is a registered user of a web site to remove or request removal of content posted by the minor. The statute also requires that the operator provide notice to the minor that the minor has such right and clear instructions to the minor as to how to accomplish removal. The notice must also advise the minor that such removal "does not ensure complete or comprehensive removal of the content." There are exceptions to the requirements that may be applicable in certain situations.

Federal Regulations

IRS Issues Guidance Regarding Treatment Of Virtual Currency As Property Under U.S. Federal Tax Law

On March 25, 2014, the IRS issued Notice 2014-21,⁴ regarding the tax treatment of virtual currency like Bitcoin. According to this tax guidance notice, virtual currency is

[Page 37]

to be treated as property for purposes of Federal tax. As such, the general tax principles that apply to property will also apply to transactions that use this virtual currency. As described by the IRS in Notice 2014-21, use of virtual currency in the following transactions has U.S. Federal tax implications: (1) wages paid by employers to employees using virtual currency, requiring withholding and payroll taxes, (2) transactions involving virtual currency regarding payments to independent contractors, requiring a Form 1099, (3) gains or losses through the sale or exchange of virtual currency, and (4) the mining of virtual currency, which may result in self-employment taxation relating to income. According to IRS Notice 2014-21, taxpayers who do not follow proper Federal tax treatment of virtual currency may be subject to penalties.

Data Breaches

Plaintiffs Attempt to Hold Directors Personally Liable for Company Data Breaches

On January 21, 2014, a plaintiff filed a shareholder derivative action against the directors of Target Corporation relating to the data breach previously disclosed in numerous media outlets.⁵ The plaintiff alleges the delayed disclosure of the data breach had a negative impact on the company's share value and consumer goodwill, and that individual corporate directors are liable based upon breach of their fiduciary duty to Target and its shareholders by failing to implement a system of internal controls to protect customer personal and financial information.

Class Action Plaintiffs Agree to Settle Data Breach Case For $4.1 Million

In March 2014, the parties in the action Shana Springer, et al. v. Stanford Hospital, et al.,⁶ agreed to a settlement of $4.1 million on their original class action seeking damages of $20 million against Stanford Hospital and the hospital's billing subcontractor, which alleged that more than 19,000 emergency patient names, diagnoses, and account numbers for a 6-month period in 2009 were leaked, or improperly disclosed, and subsequently posted on a website in violation of the California Confidentiality of Medical Information Act. The hospital confirmed the data breach in September 2011, and suit was filed thereafter. Under section 56.36(b) of the Act, a patient has the right to bring an action against any person or entity that negligently releases that individual's identifiable medical information, and may seek nominal damages of $1,000 or actual damages, and, under section 56.35 of the Act, a patient who has sustained economic loss or personal injury as a result of disclosure of individual, identifiable, medical information can recover compensatory damages, punitive damages up to $3,000, attorneys' fees up to $1,000, and the cost of litigation. The Act also provides for criminal penalties and administrative fines and civil penalties of up to $250,000+.

User IDs Are Not Content Under the ECPA

Class plaintiffs asserting violations of the Electronic Communications Privacy Act ("ECPA"), which prohibits disclosure of the contents of electronic communications carried or maintained by an internet service provider, were recently rebuffed by the ninth circuit.⁷ Plaintiffs claimed that the publication of unique user IDs in URLs by both Facebook and Zynga violated the ECPA. The ninth circuit held that such user IDs are not "content," but instead, are "non-content" and are expressly authorized by the Act.

Federal Court Dismisses Claims Under Federal Computer Fraud and Abuse Act and California Computer Data Access and Fraud Act

In Enki Corporation v. Freedman,⁸ Enki brought claims against its former employee, Mr. Freedman, and Freedman's current employer, Zuora, Inc., for breach of contract, as well as violations of the Computer Fraud and Abuse Act ("CFAA") and the California Computer Data Access and Fraud Act ("CDAFA"). Following the termination of a contract between Enki and Zuora, which Freedman was hired to work on, Enki brought suit due to Freedman and Zuora's having accessed certain servers and allegedly copied Enki's proprietary information.

The court held that in accessing certain servers, Freedman and Zuora had not violated the CFAA. The Magistrate Judge held that under the ninth circuit's decision in Nosal, a claim under the CFAA requires access to a protected computer without any permission at all, or the accessing of information on the computer that the person is not entitled to access, but that an individual does not exceed authorized access simply by misusing information that the individual is entitled to view for some other purpose; thus, the CFAA regulates access to data, not its use by those entitled to access it. The court held that neither Zuora nor Freedman violated the statute,

[Page 38]

because both were authorized to access the information, and the complaint simply alleged misuse. With regard to the CDAFA claim, the court dismissed that claim, as Enki failed to argue or allege that the defendants had overcome or circumvented some technical obstacle or code barrier, which is a requirement to state a claim under CDAFA.

California Attorney General's Office Issues Guidance To Businesses About Cyber Security

In late February 2014, the California Attorney General's Office issued a Review and Recommendation to businesses regarding threats relating to cyber security data breaches and theft and basic guidance in preventing them.⁹The message describes the four dominant cyber security threats, including social engineering scams, network breaches, physical breaches, and mobile breaches, and outlines steps to minimize vulnerability to such attacks.

The California Attorney General's message dovetails with a report issued in 2013 regarding data breaches for the year ending 2012.¹⁰

Email

Maryland Court Rules Must Be Bona Fide ISP to Have Standing for Anti-Spam Suit

In Beyond Systems, Inc. v. Kraft Foods, Inc.,¹¹ the Federal District Court granted summary judgment to Defendant Kraft Foods based upon the failure of Plaintiff Beyond Systems, Inc. ("BSI") to demonstrate that it was a bona fide Internet Service Provider (ISP); therefore, BSI lacked standing to sue under California Business and Professions Code section 17529.5 and Maryland Commercial Electronic Mail Act §14-3001. The court held that both anti-spam statutes required that to have standing to sue, an ISP must be bona fide. Defendant Kraft Foods...