Megan Brown Co-Authors National Security Institute’s New Law and Policy Paper on ‘Privacy Regulation and Unintended Consequences for Security’

Megan L. Brown, partner in Wiley Rein’s National Security, Privacy, Cyber & Data Governance, and Telecom, Media & Technology practices, co-authored a new law and policy paper published today by the National Security Institute (NSI) at George Mason University’s Antonin Scalia Law School. The paper is co-authored with NSI Visiting Fellow James B. Burchfield.

Ninth Circuit Opens the Floodgates to Privacy Litigation

On Thursday, the Ninth Circuit—in Patel v. Facebookissued an opinion in a much-watched privacy class action suit, inviting more litigation over claimed privacy violations.  The court allowed a class action suit to go forward where plaintiffs had alleged that Facebook violated Illinois’ privacy law by scanning individuals’ faces from photographs uploaded to the social network on an opt-out basis.  In a sweeping decision, the court held that the statutory violation was, itself, a concrete injury sufficient to satisfy the traditional constitutional requirement of Article III standing.  This case will grease the wheels on the deluge of no-harm privacy class action lawsuits.

CFPB Highlights Innovative Uses of Data and Machine Learning in Credit

On Tuesday, the Consumer Financial Protection Bureau (CFPB) released a noteworthy blog post providing an update on key findings about the use of alternative data for credit access in connection with the Bureau’s first no-action letter (NAL). The post, written by top agency officials, discusses a NAL that the CFPB issued in September 2017 to Upstart Network, Inc., a company with an online lending platform that utilizes “alternative data” and machine learning to make credit decisions.

NIST Releases Draft IoT Security Baseline

This week, the National Institute of Standards and Technology (NIST) released NISTIR 8259, a draft of the long awaited[1] “Core Cybersecurity Feature Baseline for Securable IoT Devices.”  The publication (the baseline draft) proposes a voluntary, flexible, minimum set of “baseline of cybersecurity features based on common cybersecurity risk management approaches as a starting point for manufacturers.”  (p. 1).  We expect it to shape standards of care and regulatory expectations for manufacturers and sellers of all connected devices. For stakeholders, and others, there are multiple opportunities for engagement.  NIST is holding a workshop on the baseline on August 13.  Comments for the baseline draft are due September 30. 

It Turns Out that Using Drones to Smuggle Drugs is Illegal

In an innovative use of existing criminal statutes, the US Attorney for the Middle District of Georgia has secured a guilty plea from a man accused of planning to use an unmanned aircraft system (UAS or drone) to smuggle marijuana into a state prison.  The crime?  A federal charge under 49 USC § 46306 (b)(6) and (c)(2), which makes it unlawful to “knowingly and willfully operate[] or attempt[] to operate an aircraft eligible for registration knowing that” the aircraft is not registered, and which imposes a five year prison sentence if the offense is “related to transporting a controlled substance by aircraft.”

Time to Gear Up for Auction 103 (Upper 37 GHz, 39 GHz, and 47 GHz bands)

The FCC dropped a Public Notice establishing application and bidding procedures for Auction 103—the next in a series of millimeter wave spectrum auctions by the Commission as part of its Spectrum Frontiers proceeding.  Auction 103, scheduled to begin December 10, 2019, features UMFUS licenses in the 37.6-38.6 GHz (Upper 37 GHz), 38.6-40 GHz (39 GHz), and 47.2-48.2 GHz (47 GHz) bands.

States Continue to Move Forward on Their Own Privacy and Security Laws: Nevada, Maine, and Oregon Are The Latest

As federal lawmakers consider national privacy legislation, states have moved to implement their own consumer privacy and data security laws. California has led the charge with the passage of the California Consumer Privacy Act of 2018 (CCPA), a broad privacy law that regulates how certain businesses use personal information. On the heels of the CCPA, in September 2018, California also passed legislation addressing security of Internet of Things (IoT) devices, SB 327.