News & Insights

Newsletter

April 12, 2017

Data, Privacy & Security Practice Report – April 10, 2017


Lawmakers Push FCC To Confront Cell Phone Cyber Threats — In a letter dated March 28, 2017, Senator Ron Wyden, D-Ore., and Representative Ted Lieu, D-Calif., urged the Federal Communications Commission (“FCC”) to address cybersecurity vulnerabilities in the cell phone industry, which the lawmakers said has thus far been unsuccessfully policing itself.  The letter states that the industry has failed to protect itself effectively and has taken a “lax approach to cybersecurity” that requires the FCC to step in and take “swift action” to fill the gaps.

One of those gaps in cybersecurity protection, called Signaling System No. 7, or SS7, was highlighted in a report released earlier this month by a working group of the FCC’s Communications Security Reliability and Interoperability Council (“CSRIC”).  SS7 is an inter-carrier network that allows cell phones to communicate with each other and, for example, roam from one cell phone network to another.  The interconnectivity of SS7 also presents major cybersecurity concerns because it may let hackers record phone calls and access a cell phone user’s information using only the user’s phone number.

Wyden’s and Lieu’s letter specifically identified SS7 as a cybersecurity threat and stated that vulnerabilities to mobile phones “are no less dangerous than those cybersecurity threats that receive far more attention from other government agencies.”  The lawmakers stressed that “industry self-regulation isn’t working when it comes to telecommunications cybersecurity.”

The CSRIC working group suggested several methods to reduce exposure, including a layered approach to security and improved firewalls to stop SS7 attacks.  The working group’s charter expired on March 18, and the lawmakers’ letter urged the FCC to establish a new CSRIC working group to explore broader security issues beyond the scope of the previous group’s mandate.

The letter said that the FCC can no longer afford to neglect cybersecurity threats and instead must (1) force the cellular industry to address serious cybersecurity vulnerabilities in its systems; (2) warn the American public that their movements, communications, and devices may be vulnerable to foreign governments and hackers; and (3) promote the use of end-to-end encryption apps, which can be used to mitigate some of the SS7 risks.

Reporter, Yelena Kotlarsky, New York, +1 212 556 2207, ykotlarsky@kslaw.com.

App Privacy Litigation Settles For $5.3 Million — Several major app developers, including Twitter, Facebook, Instagram, and Yelp, settled a putative class action pending in California federal court last week.  The app companies have agreed to pay a consolidated $5.3 million to resolve claims of invasion of privacy/intrusion upon seclusion.  The consolidated case is Opperman et al. v. Kong Technologies, Inc. et al., Case No. 3:13-cv-00453, in the U.S. District Court for the Northern District of California. 

The class action alleged that the apps invaded users’ privacy by gathering information stored in users’ personal address books and transmitting it without their knowledge.  The alleged practice of taking address book information without permission first came to light in February 2012, when a developer claimed that Path, a mobile social network, was uploading users’ contacts to its own servers without informing users.  Commentators expressed concern that individuals’ address books could contain private information.  For example, in some countries, dissidents would not want state officials to use their address books to obtain information about where they live, their families, or the identities of other protesters. 

The Opperman class action finally moved into the discovery phase in March 2015, when U.S. District Judge Jon S. Tigar denied defendants’ motions to dismiss the proposed class action, saying the plaintiffs adequately alleged they relied on defendants’ ads and other statements touting the security of their devices and adequately alleged the developers invaded their privacy.  However, the judge also denied injunctive relief because there was no “realistic threat” that the defendants would allow contact information contained in consumers’ address books to be accessed by app developers in the future.

The settlement covers a purported class of about 7 million individuals.  In the settlement proposal, plaintiffs noted that it “is the product of protracted and highly adversarial litigation, spanning five years and reflected in the case’s procedural history before the Court, together with extensive and complex negotiations between and among the parties and their experienced and informed counsel.”  Individuals who downloaded apps such as Instagram and utilized the Find Friends or similar features between 2010 and 2012 and who submit valid claims will be sent cash or cash-equivalent payments on a per app basis according to the settlement documents.  The settlement proposal notes that “the App Defendants have vigorously contested both their liability and Plaintiffs’ ability to certify the asserted claims for class treatment” and “liability remains highly disputed in the case.”

Reporter, Anush Emelianova, Atlanta, +1 404 572 4616, aemelianova@kslaw.com.

ALSO IN THE NEWS

King & Spalding’s 2017 Cybersecurity & Privacy Summit — On Monday, April 24, 2017, make plans to join the cybersecurity and privacy experts from King & Spalding and PwC, as well as representatives from the U.S. Department of Justice, the Federal Trade Commission, Georgia Institute of Technology, The Home Depot, and TSYS, to learn about the latest strategies for protecting your company against the legal and financial risks of cybersecurity breaches and other privacy incidents.