At McGuireWoods, we deliver quality work, personalized service and exceptional value. We use technology to provide efficient legal solutions and employ a diverse workforce to bring real-world and innovative perspectives to meeting our clients’ needs. With 1,100 lawyers and 21 strategically located offices worldwide, McGuireWoods uses client-focused teams to serve public, private, government and nonprofit clients from many industries, including automotive, energy resources, healthcare, technology and transportation.

UpdateOn April 1, 2021, the U.S. Supreme Court issued its long-awaited opinion in Facebook v. Duguid, which resolved the circuit split regarding the meaning of “automatic telephone dialing system” under the Telephone Consumer Protection Act. For more details, see our alert.

On Dec. 8, 2020, the U.S. Supreme Court heard long-awaited oral argument in Facebook v. Duguid on what constitutes an “automatic telephone dialing system” (ATDS) under the Telephone Consumer Protection Act (TCPA).Continue Reading U.S. Supreme Court Signals Narrow Interpretation of TCPA’s Autodialer Definition

On November 9, 2020 the FTC entered into a consent agreement with Zoom Video Communications, Inc. to address concerns over the videoconferencing platform’s security practices. With the onset of the COVID-19 pandemic, the need for a reliable, online videoconferencing and meeting platform skyrocketed. Zoom met that need. It advertised its platform as a secure space with various safety measures to protect user data, including “end-to-end” 256-bit encryption. In short order, individuals, businesses, and organizations quickly flocked to the user-friendly communications platform; and, by the end of April 2020 Zoom’s user base was booming.

Then came a backlash of sorts. The FTC began investigating Zoom’s security practices, and private plaintiffs brought class-action lawsuits alleging violations of the California Consumer Privacy Act and failure to adhere to Zoom’s terms of service. The FTC’s complaint alleged several concerns with Zoom’s advertising and security promises, concluding that Zoom made misleading claims about the strength of its encryption and security of its platform that gave customers a false sense of security. The five-count complaint alleged that Zoom:Continue Reading FTC “Zooms” Into Settlement Agreement with Communications Company Over Concerns with its Security Practices

Did the U.S. Supreme Court ruling in Barr v. American Association of Political Consultants wipe out nearly five years of liability under the Telephone Consumer Protection Act? One district court answered yes. Does the TCPA apply to text messages? An amicus brief in another case headed to the Supreme Court argued no.

For analysis of

On October 13. 2020, White Castle System, Inc. petitioned the United States Court of Appeals for the Seventh Circuit for permission to seek an interlocutory appeal pursuant to 28 U.S.C. § 1292(b).  This petition arises out of the United States District Court for the Northern District of Illinois’ opinion on White Castle’s motion for judgment on the pleadings issued on August 7, 2020.  The matter hinged on whether repeated collection of the same biometric information from an employee without prior consent constituted separate violations of the Illinois Biometric Information Privacy Act (BIPA).

Summary of District Court’s Cothron v. White Castle Opinion

In the district court’s opinion, Judge Tharp held that “[a] party violates Section 15(b) [of the BIPA] when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent.”  Judge Tharp continued, “[t]his is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.”  Similarly, Judge Tharp held that BIPA requires that dissemination of information without consent, even if to the same third party as previously disseminated, is an additional violation of the BIPA.Continue Reading Does Continued Collection of The Same Biometric Information Increase BIPA Violations? The Seventh Circuit (or Illinois Supreme Court) Has An Opportunity to Clear the Air

On October 12, 2020, the California Attorney General provided public notice of a new Proposed Third Set of Modifications to the Regulations under the California Consumer Privacy Act (the “CCPA”).  You will be forgiven if you assumed that “final approval” of the existing Regulations back in August meant the Regulations were final—or at least we hope so because we made the same assumption.

Since August, however, it appears the AG was working behind the scenes to resurrect previously withdrawn Sections 999.306(b)(2) (covering offline notice of opt-out if a business substantially interacts with consumers offline); 999.315(c) (minimum standards for opt-out requests); and 999.326(c) (specific requirements for authorized agents).  The AG describes the newly proposed rules as follows:Continue Reading Spooky: Presumed-Dead CCPA Regulations Come Back to Life

Monetary penalties are the attention-grabbing headline when the FTC or any regulator brings an enforcement action against a company.  They are the looming threat to incentivize and influence compliance.  Over the summer, FTC Chairman Joseph J. Simons (“Chairman Simons”) issued a statement in connection with a settlement that Chairman Simons believes “the goal of a civil penalty should be to make compliance more attractive than violation.  Said another way, violation should not be more profitable than compliance.”
Continue Reading FTC Fines: FTC Chairman Reminds Companies That Fines Are the FTC’s Strategic Tool To Deter Noncompliance

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.

Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.Continue Reading Hacked Patient Records Land Athens Orthopedic Clinic in Hot Water with OCR

On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation,  23 NYCRR 500.00, et seq.  The significance of the NYDFS enforcement action cannot be overemphasized.  This is the first action filed under the Cybersecurity Regulation, signaling a more aggressive enforcement stance by the regulator.  The good news is the filings provide important guidance on best practices and red flags to avoid agency sanctions.

The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing consumer sensitive personal information (e.g., bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, drivers’ license images, etc.). The charges further allege that for almost 5 years (from October 2014 through May 2019) these records were available on First American’s public-facing website to anyone with a web browser.  The fact that First American failed to remediate the vulnerability, even after it was discovered by a penetration test in December 2018, was particularly troublesome for the regulators.  The charges state that, “Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months. . .”   Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and that First American demonstrated a total disregard for the Cyber Regulations.Continue Reading NYDFS State of Mind: Regulator Focus and Enforcement Trends

Earlier this year, U.S. Senator Sherrod Brown of Ohio released a draft discussion bill that if implemented would drastically alter corporations’ ability to collect and use personal information from consumers.

According to Sen. Brown, “We need legislation now more than ever that empowers Americans to control their personal information. No person should have to worry about being spied on, just as no one should worry about their information being bought and sold or stolen.” Brown believes that his bill would “change the fundamental framework of privacy in this country” by shifting the burden of privacy protection from consumers to corporations. Brown’s new bill is critical of the current consent-based framework that requires customers to agree to privacy policies in order to use specific online service.Continue Reading Senator Brown Proposes New Privacy Bill