Robinson Cole LLP
High Contrast Mode

Kathleen M. Porter's practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law, and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. Kathleen has been named the Best Lawyers® Information Technology Law "Lawyer of the Year" in Boston for 2025, 2020 and 2013. She is an intellectual property and technology lawyer in our Business Transactions group, co-chair of the International Practice, and former chair of our Intellectual Property + Technology group.

Her clients include companies in the precision manufacturing, life science, food + beverage, energy, consumer products, software, Internet and e-commerce sectors, and other technology-driven businesses.

Business Transactions

Kathleen has extensive experience in structuring and negotiating sophisticated domestic and cross-border commercial transactions, including license, OEM, distribution, co-packing, manufacturing, and development agreements; acquisitions; supply, distribution outsourcing, and partnering arrangements; strategic alliances; business opportunities; and joint ventures.

Intellectual Property + Technology

Her clients include companies in the precision manufacturing, life science, food + beverage, energy, consumer products, software, Internet and e-commerce sectors, and other technology-driven businesses.

Business Transactions

Kathleen has extensive experience in structuring and negotiating sophisticated domestic and cross-border commercial transactions, including license, OEM, distribution, co-packing, manufacturing, and development agreements; acquisitions; supply, distribution outsourcing, and partnering arrangements; strategic alliances; business opportunities; and joint ventures.

Intellectual Property + Technology

Kathleen counsels clients on the development, protection, and commercialization of intellectual property and technology. In particular, she has significant experience with e-commerce and Internet law issues, specifically online contracting, including click-through and browse-wrap agreements, mobile applications, social media, online advertising, promotions, blogs, testimonials and sweepstakes, terms of use, and electronic signatures; and with online and Internet-related agreements, including website development and hosting agreements as well as content and other licensing arrangements.

Trade Regulation/Competition

Kathleen advises clients on competition and regulatory issues, including price restraints and discrimination, volume discounts, Minimum Advertised Price (MAP) and other pricing programs, territorial and exclusive licensing restrictions, joint buying programs and other trade association or group activities, consumer protection, promotions, and advertising. She also counsels clients on compliance with competition law, including the preparation of competition law pre-merger filings, and coordinates the preparation of foreign competition law filings.

International

In addition to the cross-border transactional representation of domestic and international clients, Kathleen regularly advises foreign companies on their entry into the U.S. market, including corporate and regulatory issues such as entity selection, regulatory filings (including CFIUS and Department of Defense filings), structuring commercial and co-packing agreements and marketing and sales issues, intellectual property protection, and day-to-day legal advice.

Data Security/Privacy

Kathleen counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. She prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. Kathleen also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies' privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathleen often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators.

Additionally, Kathleen is active in trade and privacy-focused professional organizations and attends professional, FTC, and state AG-sponsored workshops and programs to keep apprised of trade and privacy initiatives, trends, and legislative agendas as well as behavioral and dynamic marketing and emerging uses of personal data.

A regular speaker and author on data privacy and technology issues in commercial transactions, Kathleen was a panelist at the Annual PLI Privacy Data Security Conference in Chicago for several years, speaking on IT transactions. Over the last several years, she also has spoken about and authored articles on the use of mobile devices in the workplace (BYOD), including for the American Bar Association's Business Section, the International Legal Technology Association, and Network World. In 2022, she presented on Cybersecurity and Data Privacy at the SCG Legal 2022 Midyear Meeting in Lisbon, Portugal. Kathleen is also a regular contributor to our firm's Data Privacy + Security Insider blog. For several years prior to law school, Kathleen worked for a Northeast food and beverage manufacturer.

  • Western New England University School of Law (Juris Doctor, cum laude)
    • Law Review
  • Fitchburg State University (Bachelors, cum laude)
    • B.A., English
    • Professional Writing Tract

  • Commonwealth of Massachusetts
  • State of Connecticut

Named the Best Lawyers® Information Technology Law "Lawyer of the Year" in Boston for 2025, 2020 and 2013

Selected by her peers for inclusion in The Best Lawyers in America© in the area of Information Technology Law since 2009 and in the area of Privacy and Data Security Law in 2023

Certified Information Privacy Professional/US (CIPP/US) by the International Association of Privacy Professionals (IAPP)

Recognized by Massachusetts Lawyers Weekly as a 2021 “Massachusetts Go To Lawyer” in the area of Intellectual Property

Recognized as a 2022 Top Women of Law honoree by Massachusetts Lawyers Weekly

American Bar Association
Business Law Section, Cyberspace Law and Intellectual Property Committees
Former Member Chair of Electronic Contracting Practices Working Group, Cyberspace Law Committee
Section of Antitrust Law 

International Association of Privacy Professionals (2010 - Present)

CPR Institute for Dispute Resolution
Former Advisory Board on Privacy

Licensing Executives Society
Former Member

Women's Competition Network (2010 - Present)

Envisioning Access Inc.
Former Board of Directors

Transactional LawMeet
New England Regional Competition Judge

Experience


Counsel To Global Boat Electronics Supplier

Served as U.S. counsel to one of the leading global suppliers of electronics for recreational boats, including commercial, M&A, litigation, employment, and intellectual property matters.

Environmental Technology Company Counsel

Served as counsel to an environmental technology company, a subsidiary of a NYSE company, that specializes in remote monitoring of underground storage tank systems to provide environmental compliance, fuel inventory, and logistic services. Represented subsidiary in the development of standard terms and conditions for service; the negotiation of service agreements with major oil companies and independent station owners; the negotiation and implementation of a strategic alliance agreement with a major petroleum industry B2B exchange; the development and implementation of several online and offline marketing initiatives; and the development of click-wrap agreements for the manufacturer's website for the sale of equipment and services.

Read More

Paperboard Company Acquisitions

Represented publicly traded paperboard company in numerous acquisitions in the U.S. and Canada.



Publications


After U.S. Supreme Court Strikes Down IEEPA Tariffs, Court of International Trade Orders Path Forward teaser
March 6, 2026

After U.S. Supreme Court Strikes Down IEEPA Tariffs, Court of International Trade Orders Path Forward

DOJ Accelerates Trade Fraud Enforcement with Interagency Task Force after a Series of False Claims Act Case Resolutions teaser
September 18, 2025

DOJ Accelerates Trade Fraud Enforcement with Interagency Task Force after a Series of False Claims Act Case Resolutions

Legal Update: New Rulemaking Announced: Treasury Department Suspends Reporting, Enforcement and Fines under the Corporate Transparency Act until Further Notice teaser
March 7, 2025

Legal Update: New Rulemaking Announced: Treasury Department Suspends Reporting, Enforcement and Fines under the Corporate Transparency Act until Further Notice

After U.S. Supreme Court Strikes Down IEEPA Tariffs, Court of International Trade Orders Path Forward teaser
March 6, 2026

After U.S. Supreme Court Strikes Down IEEPA Tariffs, Court of International Trade Orders Path Forward

DOJ Accelerates Trade Fraud Enforcement with Interagency Task Force after a Series of False Claims Act Case Resolutions teaser
September 18, 2025

DOJ Accelerates Trade Fraud Enforcement with Interagency Task Force after a Series of False Claims Act Case Resolutions

Legal Update: New Rulemaking Announced: Treasury Department Suspends Reporting, Enforcement and Fines under the Corporate Transparency Act until Further Notice teaser
March 7, 2025

Legal Update: New Rulemaking Announced: Treasury Department Suspends Reporting, Enforcement and Fines under the Corporate Transparency Act until Further Notice

Legal Update: Corporate Transparency Act Back in Effect with March 21 Deadline teaser
February 21, 2025

Legal Update: Corporate Transparency Act Back in Effect with March 21 Deadline

Legal Update: No Enforcement of Corporate Transparency Act Despite SCOTUS Ruling teaser
January 24, 2025

Legal Update: No Enforcement of Corporate Transparency Act Despite SCOTUS Ruling

Legal Update: FinCEN Seeks SCOTUS Ruling on Corporate Transparency Act Injunction teaser
January 7, 2025

Legal Update: FinCEN Seeks SCOTUS Ruling on Corporate Transparency Act Injunction

Legal Update: Corporate Transparency Act Enforcement On Hold... Again teaser
December 27, 2024

Legal Update: Corporate Transparency Act Enforcement On Hold... Again

Legal Update: Corporate Transparency Act Enforcement Resumes with Extended Deadlines teaser
December 24, 2024

Legal Update: Corporate Transparency Act Enforcement Resumes with Extended Deadlines

Data Privacy + Cybersecurity Insider teaser
December 5, 2024

Data Privacy + Cybersecurity Insider



Legal Update: Corporate Transparency Act Back in Effect with March 21 Deadline teaser
February 21, 2025

Legal Update: Corporate Transparency Act Back in Effect with March 21 Deadline

Legal Update: No Enforcement of Corporate Transparency Act Despite SCOTUS Ruling teaser
January 24, 2025

Legal Update: No Enforcement of Corporate Transparency Act Despite SCOTUS Ruling

Legal Update: FinCEN Seeks SCOTUS Ruling on Corporate Transparency Act Injunction teaser
January 7, 2025

Legal Update: FinCEN Seeks SCOTUS Ruling on Corporate Transparency Act Injunction

Legal Update: Corporate Transparency Act Enforcement On Hold... Again teaser
December 27, 2024

Legal Update: Corporate Transparency Act Enforcement On Hold... Again

Legal Update: Corporate Transparency Act Enforcement Resumes with Extended Deadlines teaser
December 24, 2024

Legal Update: Corporate Transparency Act Enforcement Resumes with Extended Deadlines

Data Privacy + Cybersecurity Insider teaser
December 5, 2024

Data Privacy + Cybersecurity Insider


Events


Past

The Corporate Transparency Act: Understanding the New Beneficial Ownership Reporting Requirements for Companies Doing Business in the United States

Feb 8 2024
Virtual
Past

Cybersecurity/GDPR and Data Privacy Outlook and Review

May 12 2023
SCG Legal's 2023 Mid-Year Meeting
Past

The Corporate Transparency Act: Understanding the New Beneficial Ownership Reporting Requirements for Companies Doing Business in the United States

Feb 8 2024
Virtual
Past

Cybersecurity/GDPR and Data Privacy Outlook and Review

May 12 2023
SCG Legal's 2023 Mid-Year Meeting
Past

How to Structure Your Business in the U.S.

May 1 2023
2023 SelectUSA Investment Summit
Past

Supporting your international strategy with a spotlight on the higher education market and key jurisdictions from our best friend firms

Oct 11 2022
Mills & Reeve
Past

How to Register and Structure Your Business in the U.S.

Jun 26 2022
SelectUSA 2022 Investment Summit
Past

Cybersecurity/GDPR and Data Privacy Outlook and Review

May 20 2022
SCG Legal 2022 Midyear Meeting
Past

How to Structure Your Business in the U.S.

May 1 2023
2023 SelectUSA Investment Summit
Past

Supporting your international strategy with a spotlight on the higher education market and key jurisdictions from our best friend firms

Oct 11 2022
Mills & Reeve
Past

How to Register and Structure Your Business in the U.S.

Jun 26 2022
SelectUSA 2022 Investment Summit
Past

Cybersecurity/GDPR and Data Privacy Outlook and Review

May 20 2022
SCG Legal 2022 Midyear Meeting

News


May 4, 2026

Capital Markets + Securities Group Represents SingAuto Inc. in Merger Agreement with Blueport Acquisition Ltd

Robinson+Cole’s Capital Markets + Securities group was pleased to represent SingAuto Inc., a global innovator providing green cold-chain logistics technology solutions for smart commercial electric vehicles, in its entry into a definitive business combination agreement with Blueport Acquisition Ltd, a publicly traded special purpose acquisition company, on May 1, 2026. The acquisition merger for SINGAUTO, the sole surviving entity of the merger, is valued at $1.2 billion with 120,000,000 shares valued at $10 per share. Upon consummation of the business combination of SingAuto and Blueport, a newly formed holding company for the purpose of the transactions is expected to be listed on the Nasdaq Stock Market LLC. The team advising on the transaction was led by Capital Markets + Securities group partner Arila Zhou, and included members Chenyi Wang and Yang Xu, with support from Intellectual Property + Technology group partners Jackie Pennino Scheib and Kathy Porter, and Business Litigation group partner Ben Daniels. To read the press release, click here.

August 26, 2025

78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2026

Firm receives top listing in Connecticut lawyer count in national peer review survey
78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2026 teaser
June 23, 2025

Capital Markets + Securities Group Represents Dr Ashleys Limited in Merger with Impact BioMedical Inc

GlobeNewswire
May 4, 2026

Capital Markets + Securities Group Represents SingAuto Inc. in Merger Agreement with Blueport Acquisition Ltd

Robinson+Cole’s Capital Markets + Securities group was pleased to represent SingAuto Inc., a global innovator providing green cold-chain logistics technology solutions for smart commercial electric vehicles, in its entry into a definitive business combination agreement with Blueport Acquisition Ltd, a publicly traded special purpose acquisition company, on May 1, 2026. The acquisition merger for SINGAUTO, the sole surviving entity of the merger, is valued at $1.2 billion with 120,000,000 shares valued at $10 per share. Upon consummation of the business combination of SingAuto and Blueport, a newly formed holding company for the purpose of the transactions is expected to be listed on the Nasdaq Stock Market LLC. The team advising on the transaction was led by Capital Markets + Securities group partner Arila Zhou, and included members Chenyi Wang and Yang Xu, with support from Intellectual Property + Technology group partners Jackie Pennino Scheib and Kathy Porter, and Business Litigation group partner Ben Daniels. To read the press release, click here.

August 26, 2025

78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2026

Firm receives top listing in Connecticut lawyer count in national peer review survey
78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2026 teaser
June 23, 2025

Capital Markets + Securities Group Represents Dr Ashleys Limited in Merger with Impact BioMedical Inc

GlobeNewswire
August 15, 2024

78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2025

78 Robinson+Cole Lawyers Listed in <i>The Best Lawyers in America</i>© 2025 teaser
July 1, 2024

Capital Markets + Securities Team Represents Blue World Acquisition Corp. in Complex DeSPAC Transaction with TOYO Co., Ltd

May 20, 2024

Robinson+Cole Receives Second Presidential Award for Export Service

U.S. Department of Commerce
Robinson+Cole Receives Second Presidential Award for Export Service teaser
September 29, 2023

Robinson+Cole Represents TradeUP Acquisition Corp. in Complex DeSPAC Transaction with Estrella Biopharma, Inc.

September 29, 2023

Robinson+Cole Represents TradeUP Acquisition Corp. in Complex DeSPAC Transaction with Estrella Biopharma, Inc.

August 17, 2023

78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2024

Best Lawyers in America
78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2024 teaser

August 15, 2024

78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2025

78 Robinson+Cole Lawyers Listed in <i>The Best Lawyers in America</i>© 2025 teaser
July 1, 2024

Capital Markets + Securities Team Represents Blue World Acquisition Corp. in Complex DeSPAC Transaction with TOYO Co., Ltd

May 20, 2024

Robinson+Cole Receives Second Presidential Award for Export Service

U.S. Department of Commerce
Robinson+Cole Receives Second Presidential Award for Export Service teaser
September 29, 2023

Robinson+Cole Represents TradeUP Acquisition Corp. in Complex DeSPAC Transaction with Estrella Biopharma, Inc.

September 29, 2023

Robinson+Cole Represents TradeUP Acquisition Corp. in Complex DeSPAC Transaction with Estrella Biopharma, Inc.

August 17, 2023

78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2024

Best Lawyers in America
78 Robinson+Cole Lawyers Listed in The Best Lawyers in America© 2024 teaser

Data Privacy + Cybersecurity Insider


Below is an excerpt of Data Privacy + Cybersecurity Insider blog posts authored by Kathleen.

Public Urged to Encrypt Mobile Phone Messaging and Calls

On December 4, 2024, four of the five members of the Five Eyes intelligence-sharing group (the United States, Australia, Canada, and New Zealand) law enforcement and cyber security agencies (Agencies) published a joint guide for network engineers, defenders of communications infrastructure and organizations with on-premises enterprise equipment (the Guide). The Agencies strongly encourage applying the Guide’s best practices to strengthen visibility and strengthen network devices against exploitation by reported hackers, including those hackers affiliated with the People’s Republic of China (PRC). The fifth group member, the United Kingdom, released a statement supportive of the joint guide but stated it had alternate methods of mitigating cyber risks for its telecom providers. In November 2024, the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement to update the public on its investigation into the previously reported PRC-affiliated hacks on multiple telecommunications companies’ networks. The FBI and CISA reported that these hacks appeared to focus on cell phone activity of individuals involved in political or government activity and copies of law enforcement informational requests subject to court orders. However, at the time of the update, these U.S. agencies and members of Congress have underscored the broad and significant nature of this breach. At least one elected official stated that the hacks potentially expose unencrypted cell phone conversations with someone in America to the hackers. In particular, the Guide recommends adopting actions that quickly identify anomalous behavior, vulnerabilities, and threats and respond to a cyber incident. It also guides telecoms and businesses to reduce existing vulnerabilities, improve secure configuration habits, and limit potential entry points. One of the Guide’s recommended best practices attracting media attention is ensuring that mobile phone messaging and call traffic is fully end-to-end encrypted to the maximum extent possible. Without fully end-to-end encrypted messaging and calls, the content of calls and messages always has the potential to be intercepted. Android to Android messaging and iPhone to iPhone messaging is fully end-to-end encrypted but messaging from an Android to an iPhone is not currently end-to-end encrypted. Google and Apple recommend using a fully encrypted messaging app to better protect the content of messages from hackers. The FBI and CISA are continuing to investigate the hacks and will update the public as the investigation permits. In the interim, telecom providers and companies are encouraged to adopt the Guide’s best practices and to report any suspicious activity to their local FBI field office or the FBI’s Internet Crime Complaint Center. Cyber incidents may also be reported to CISA.

Visit Blog

European Commission Adopts EU-U.S. Data Privacy Framework

On July 10, the European Commission (EC) published its data adequacy decision for the new EU-U.S. Data Privacy Framework (EU-U.S. DPF).  This means that companies can transfer personal data from EU countries and from Iceland, Liechtenstein and Norway to U.S. organizations participating in the EU-U.S. DPF consistent with EU law. It is also expected that the adequacy decision will facilitate transfers through other EU legal mechanisms, including Standard Contractual Clauses and Binding Corporate Rules. Previous adequacy decisions for the transfer of personal data from the EU to the US were struck down by the Court of Justice of the European Union (CJEU), in decisions known as Schrems I and Schrems II.  Most recently, in the Schrems II decision, the EU judges expressed continued concerns about the relatively easy access to European personal data by US intelligence agencies. In response, last October, US President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) to address these concerns. After EO 14086 was issued, the European Commission began the formal process for adopting an adequacy decision on this new EU-US Data Privacy Framework which resulted in the announcement on July 10. EO 14086 sets forth a self-certification program similar to its predecessors known as the “Safe Harbor” and the “Privacy Shield”, but with stronger safeguards for certain US intelligence activities regarding European personal data, as well as an independent redress mechanism which includes a new Civil Liberties Protection Officer of the Office of the Director of National Intelligence and a new Privacy and Civil Liberties Oversight Board. The strengthened safeguards include putting US intelligence services under the supervision of a Privacy and Civil Liberties Oversight Board, which will have access to all relevant documents, including classified information. Earlier this month, the US Commerce Secretary announced that the Office of the Director of National Intelligence has confirmed that the U.S. Intelligence Community has adopted policies and procedures pursuant to EO 14086. In the coming days, US companies will be able to undergo the EU-U.S. DPF self-certification process on the US Commerce Department’s website. Once certified, companies will be able to import personal data from the EU and EEA into the U.S. without the need to rely on another data transfer mechanism, such as Standard Contractual Clauses (SCCs). This latest data adequacy decision will be reviewed by the European Commission at least annually. In addition, the European privacy regulators will monitor how the redress mechanism works in practice. This third attempt on an adequacy decision for US/EU data transfers is bound to face a legal challenge from Austrian activist Max Schrems, who has already expressed reservations about the redress mechanism, which while strengthened, still operates under the executive branch of the US government and thus is not fully independent.

Visit Blog

Growing Calls to Ban Chinese Owned TikTok App and Other Software Apps Considered to be National Security Threats

Chinese company ByteDance faces growing concerns from governments and regulators that user data from its popular short video-sharing app TikTok could be handed over to the Chinese government. The concern is based on China’s national security laws, which give its government the power to compel Chinese-based companies to hand over any user data. More than 100 million Americans have reportedly downloaded this popular short video-sharing app on their devices. In its defense, ByteDance maintains TikTok is operated independently of ByteDance, that all TikTok app user data is held on servers outside of China and further that it doesn’t share data with the Chinese government. ByteDance also claims other social media companies collect far more user data than does TikTok, yet aren’t being threatened with bans. Concerns about TikTok have existed for years. Since 2017, the Committee on Foreign Investment in the United States (CFIUS), which investigates foreign investments in U.S. companies which have a potential national security risk, has been reviewing ByteDance’s practices, as a result of ByteDance’s acquisition of U.S. company Musical.ly. CFIUS’ investigation into the Bytedance/Musical.ly transaction remains open because of unresolved concerns about ByteDance’s use of user data, the potential data could be passed on to the Chinese government and concerns about the inability to monitor or enforce whatever restrictions ByteDance might even agree even to. However, CFIUS has suggested ByteDance should divest the TikTok’s American operations. Meanwhile, more than 30 states and now the Biden Administration have banned government employees from using the TikTok app on government-owned devices. In Congress, the House Foreign Affairs Committee voted to advance a bill, known as the Deterring America’s Technology Adversaries Act (DATA Act) to ban anyone in the United States from accessing or downloading the TikTok app on their phones. If enacted into law, this would mean that Apple and Google would no longer be able to offer the TikTok app in their app stores. ByteDance is reportedly talking with Apple and Google about a data security plan that ByteDance has proposed to CFIUS to be sure the plan would also be acceptable to Apple and Google. The plan purportedly includes having Oracle host TikTok’s U.S. user data on its servers, as well as vet TikTok’s software and updates before they are sent to the app stores. The U.S. is not alone in raising security concerns over the TikTok app. Canada, The European Parliament, European Commission and the EU Council have banned the TikTok app from being loaded onto government or organization owned devices. Some require employees and staff ban the TikTok app on personal devices with access to government or organization systems. Most have also recommended lawmakers and employees remove the TikTok app from their personal devices, even if they don’t access government or organization systems. Pakistan and Afghanistan have also imposed bans on TikTok, but because of its content, not because of security concerns. Some countries have gone even further to impose outright bans on the TikTok app. In 2021, India imposed a permanent ban on the TikTok app and several other Chinese apps. In December 2022, Taiwan imposed a public sector ban on the TikTok app after the FBI warned that the TikTok app posed a national security risk.  While TikTok is the current focus of legislators and regulators, some say security developments at other social media platforms should also be kept under constant review. The DATA Act bill would also require Biden to impose a ban on companies transferring sensitive personal data to an entity subject to the influence of China, although the details of this provision are not completely clear from the bill. 

Visit Blog

Biden’s Executive Order Implementing New EU-U.S. Data Privacy Framework to Replace Privacy Shield

President Biden recently signed an executive order establishing the implementation of the new EU-U.S. Data Privacy Framework, which would provide for the possibility of the lawful transfer of personal data from the European Union (EU) to the United States (U.S.), while ensuring a strong set of data protection requirements and safeguards.[1]  Once approved by the European Commission (EC), the new Framework would replace the “Privacy Shield” framework, which was invalidated by the Court of Justice of the European Union (CJEU) in the case commonly known as Schrems II. It is expected that the new Framework will be effective by the end of the first quarter of 2023, after the EC’s review of the executive order and preparation of a draft adequacy decision, the issuance of a non-binding opinion by the European Data Protection Board, a vote of approval of the decision by EU member states, and formal adoption by the EC College of Commissioners.[2] On the basis of the new Framework, EU (and later European Economic Area) businesses would be able to legally transfer personal data to U.S.-based companies that were self-certified the new Data Privacy list at the U.S. Department of Commerce. There are three components to the new EU-U.S. Data Privacy framework: (a) limits on U.S. surveillance programs; (b) sufficient redress mechanisms to pursue alleged violations; and (c) the Framework’s commercial data protection principles. In Schrems II, the CJEU declared the Privacy Shield framework invalid because the court found there were insufficient restrictions on U.S. signals intelligence activities and inadequate redress rights for individuals who wanted to challenge what they considered to be unlawful U.S. government surveillance. Biden’s executive order addresses the CJEU’s findings by expressly mandating necessity and proportionality limits on U.S. surveillance programs and including oversight procedures to verify compliance by U.S. intelligence authorities. The executive order also includes other specifics, such as identifying what signals intelligence can be collected, how it can be used and shared, and how long it can be maintained.  In addition, Biden’s executive order directed the Department of Justice to adopt regulations[3]  to establish a Data Protection Review Court (DPRC) for individuals to challenge U.S. government surveillance activities. The DPRC will be a second level of review in the redress mechanism, the first level being the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence.  The CLPO will also provide training to U.S. intelligence authorities and review their compliance with the executive order and U.S. intelligence priorities. The DPRC will independently review the CLPO’s determinations.  The U.S. Department of Commerce (Department) has authority over the last component of the new Framework, the commercial data protection principles and self-certification process. The Department is currently updating its requirements for companies to self-certify to the commercial data protection principles.  While the CJEU did not question these commercial principles in Schrems II,  there will still be some changes to these principles because of the need to update references from the 1995 EU Data Protection Directive to the General Data Protection Regulation (GDPR), which went into effect after the Privacy Shield framework was adopted. These modifications include changing the definitions of personal data etc., to conform to the GDPR. Until the new Framework is adopted, U.S. companies should consult with legal counsel to insure that any transfers of personal data (as defined in the GDPR) to the United States are done in compliance with law. [1] See https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/ . [2] See https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045. [3] See https://www.justice.gov/opcl/redress-data-protection-review-court.

Visit Blog

Location Data Results in Resignation of High-Profile Church Official

Location data is data that marks the longitude/latitude location of a smartphone or other device at a particular time, or over a period of time. It works like this: each day our device, which has a unique identifier or ID, uses or connects to multiple location signals, like GPS, Wi-Fi, Bluetooth, cell towers or other external location signals. Each location signal combined with an identifier permits you to plot the location of the device at a particular time, and the movement of the device over time. Carriers, private companies, and apps collect users’ location data, usually automatically and often even when you aren’t using the app. You can literally track a device’s physical location over the course of a day by the monitoring of the external location signals, tracking from a home to an office, to the grocery store, to the gym, to the beach. As you use your device to look up information, data is collected that flags your interests, such as vacation spots, new mattress models, restaurants, etc. Your location data is then sold to aggregators, advertisers and marketers, sometimes in real time and usually without your express consent. Advertisers then use the location data to target relevant ads to your device. Ever wonder why the special offer for airline fare pops up into your social media app while you are looking up hotels in Hawaii? Law enforcement and government agencies are also interested in location data as it can be used to put a suspect near a crime scene. Using location data, they can determine whether a particular device owned by the suspect was used to make a phone call near a particular cell tower at a particular time. Given this value and interest, it is no surprise that location data market continues to grow. Lots of data brokers, aggregators and marketing companies are profiting from these currently legal transactions, which are based on our tracked movements and activities as we go about our day. The New York Times 2019 piece has an interesting visual view of location data. These purveyors of this widely available location data claim it is anonymized. By that they mean while the ads are delivered to your device and your apps based on your location data, the advertisers don’t know your name. While the data usually doesn’t include your name or phone number, it can contain other information, such as your gender, your age and your unique device ID. It is also very easy to combine location data with other purchased or acquired data, such as real estate records or office location, which can permit the identification of individuals by name. There are many examples where location data has been used against specific individuals. The most recent example involves a Catholic priest who was confronted with location data that showed the use of gay social “hook-up” app Grindr almost daily over multiple years from locations near his office and his work-owned home, as well as trips to gay bars in other cities during timeframes he was known to have been there for work events. After being confronted, the priest resigned his high profile position. Some of the details are still murky as to how the data was acquired and tied to a specific person. Nonetheless, this story is likely to further concerns about the collection, sharing and sale of location data.

Visit Blog

Colonial Pays Millions in Ransomware Attack on Pipeline

Colonial Pipeline paid hackers a ransom of $4.4 million in bitcoin soon after discovering a cybersecurity hack on its systems that began on May 6.  The company’s acknowledgement comes after days of speculation about whether a ransom was paid to the hackers.  The company’s CEO defended the “difficult” decision to pay the ransom, maintaining he was trying to avoid widespread fuel shortages for the East Coast. Even with the ransom payment, Colonial’s pipeline was shut down  for days, resulting in price spikes and shortages at gasoline stations in the Southeastern U.S. In addition to the ransom payment, Colonial also revealed it would be spending tens of millions of dollars over the next several months to restore its systems. Meanwhile, the hacker, identified by the FBI as Darkside, a group out of Eastern Europe, lost access to its IT infrastructure and cryptocurrency funds.  Many believe that law enforcement seized the group’s assets, given that it occurred on the same day President Biden announced the U.S. would “pursue a measure to disrupt” Darkside. There are no mandatory federal cybersecurity requirements for U.S. critical infrastructure, including the energy sector. To date, federal government agencies have issued cybersecurity guidelines for the energy sector, but since most operations are privately owned, they are not obligated to follow them.  President Biden is trying to provide funding to harden security systems in U.S. critical infrastructure.  His proposed American Jobs Plan includes $20 billion for cities and towns to strengthen energy cybersecurity and $2 billion in grants for energy grids in high-risk areas. In the interim, Biden’s recently issued Executive Order on Improving the Nation’s Cybersecurity controls how security incidents are managed and how hardware and software is used by federal government agencies. For vendors and developers who want to do business with the federal government, this means focusing on improving product security in order to win new contracts from a very large customer.

Visit Blog

Crippling Ransomware Attack on Pipeline Exposes Vulnerabilities in U.S. Critical Infrastructure

Colonial Pipeline, a company that transports more than 100 million gallons of gasoline and other fuel daily across 14 states from Houston to New York Harbor, shut down the pipeline last Friday after discovering ransomware on its computer systems.  The FBI has blamed the attack on a ransomware group called DarkSide. The hack reportedly began last Thursday when hackers stole about 100 gigabytes of data as part of a double extortion scheme.  After stealing the data, the hackers then locked Colonial’s computers. Darkside threatened to publish the stolen data online and to keep the computers locked unless Colonial paid an unknown ransom amount. Colonial Pipeline notified the FBI of the attack on Friday morning and is cooperating with the investigation. The FBI also brought into the investigation the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies that regulate energy and infrastructure.  The FBI and other government agencies are still awaiting access to the company’s security protocols to determine how hackers pulled off the crippling ransomware attack. U.S. critical infrastructure has been the target of an increasing number of cyberattacks. Earlier this year, an unknown hacker breached the access controls at the Oldsmar, Florida, water treatment plant, in an attempt to poison the city’s water supply with lye. In 2020, an unnamed natural gas compressor facility was shut down for two days due to a cyberattack.  Several natural gas pipeline operators had service interruptions in 2018, when a technology vendor that facilitated electronic communications between the operators was hacked. Many members of Congress and the Biden Administration agree that making cybersecurity improvements is essential for the nation’s critical infrastructure, including our electric grid, local energy and utility companies, water treatment plants, and wastewater facilities. All of these operators face significant challenges to make such improvements, including sufficient funding, staffing and training.  In addition, even though the federal government adopted cybersecurity requirements for certain infrastructure operators, funding shortages can result in very little oversight and inspection to make sure operators are complying with the requirements. Some states, like Connecticut, have adopted requirements for certain infrastructure as well as provided funding to make sure operators in the state are complying. In addition, it is recognized that our cybersecurity standards need updating.  The Biden Administration has proposed significant funding for the National Institute of Standards and Technology (NIST) to work with industry, science, and government to evaluate and improve the standards for our critical infrastructure.

Visit Blog

Unidentified Hacker Breaches Florida City’s Water Treatment System

A Tampa, Florida area water facility was recently hacked using a popular remote-access software tool.  The unidentified hacker also used the software to connect to an on-site computer and then used that computer to access the facility’s control panel.  Once there, the hacker programmed a 100x-increase in the levels of sodium hydroxide (lye) to be added to the water supply.  While small amounts of lye are used to control the acidity of water, at these massively-increased levels, lye is corrosive. Drinking the water could be like drinking liquid drain cleaner. There are many valuable and legitimate uses of remote-access software. This software allows a user to take full control of another computer as if they were sitting in front of it. The particular brand of remote-access software involved in this incident is popular with consumers and businesses and has more than 200 million users globally. It can be used by individuals to remotely access and troubleshoot their family members’ computer issues.  However, there are now questions about whether remote-access software is appropriate to monitor and change controls at critical infrastructure facilities. There are alternative approaches. Some critical infrastructure facilities permit remote-access software, but only to monitor the facility systems.  Any changes must be completed on site from computers not connected to external systems or software.  Some in the critical infrastructure industry recommend requiring a secure VPN to remotely access the internal network.  After using the VPN, any additional access by the remote user would be done via a secured login with mandatory, multi-factor authentication.  Some recommend a second secure login inside the network that controls the critical infrastructure. Industry members are quick to point out that critical infrastructure systems often have multiple safeguards to prevent extreme manipulation of the systems.  For example, many water treatment facilities have physical size restriction limits on the quantities of chemicals that can be introduced into the system over any given period. This type of safeguard could restrict the speed and/or amount of chemicals that would actually be pumped into a system, even if programmed to do so. But if a hacker can remotely access the system controls to program changes in quantity, could they possibly program other changes, such as changes to these safeguards? In the case of the Florida water facility, any possible crisis was averted because an attentive employee saw the controls being changed, and notified the company, which notified the police. The increases in sodium hydroxide were quickly reversed. The incident remains under investigation by the FBI and Secret Service, as well as local law enforcement officials. See: https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

Visit Blog

Twitter fined $546,000 in December 2020 by European Data Protection Authority for 2019 Breach Notification Violations

The Irish Data Protection Commission (DPC) fined Twitter 450,000 euros (about US$546,000) for failing to timely notify the Irish DPC within the required 72 hours of discovering a Q4 2018 breach involving a bug in its Android app, and also for failing to adequately document that breach.  The bug caused some 88,726 European Twitter users’ protected tweets to be made public. The case is notable because it is the first fine levied against a U.S. technology company in a cross border violation under the EU’s General Data Protection Regulation’s (GDPR), which went into effect in 2018.  Under the GDPR, the member state of the foreign company’s EU headquarters takes the lead on inquiries on behalf of all the EU’s 27 member states. Because Twitter EU’s headquarters are in Ireland, the DPC took the lead on the investigating the 2018 breach incident, which Twitter attributed to poor staffing during the holidays. Pursuant to Article 60 of the GDPR, the Irish DPC submitted its draft decision last May to the other EU DPAs. In the draft decision, the Irish DPC found Twitter’s violations to be negligent, but not intentional or systematic.  Other member states disagreed with the Irish DPC draft decision, due in part to the small proposed fine.  The Irish DPC‘s proposed fine was only a small fraction of the maximum fine amount permitted, which under GDPR is up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher. Twitter’s global annual revenue was reportedly about $60 million in 2018. The Irish DPC responded to the criticisms from other member states by stating that its proposed fine under the GDPR was an “effective, proportionate and dissuasive measure” and brought the matter before the European Data Protection Board, which upheld most of the decision but directed Ireland to increase the fine. The Twitter case is just the first of many cases involving U.S. companies before the Irish DPC, as there are some 20 other pending inquiries. Ireland also serves as the EU headquarters for U.S. technology companies such as Facebook, Apple and Google. The decision is available here.

Visit Blog

U.S. Supreme Court Declines to Hear Case on Whether Commercial Websites and Mobile Apps Subject to Title III of the Americans with Disabilities Act (the “ADA”)

The ADA was enacted in 1990 to prohibit discrimination against persons with disabilities. It did not include express rules about access to websites and mobile apps. But that hasn’t stopped a flood of lawsuits against companies based on claims their websites or mobile apps might not be accessible to people with disabilities, such as visual, hearing or limited manual dexterity. According to UsableNet, a technology and accessibility company, nearly 2000 ADA-related lawsuits are expected to be filed by the end of 2019. UsableNet claims almost half of top 500 retailers have been sued since just the last two years. In one such case, the pizza chain Domino’s was sued in federal District Court in California by a blind man who wasn’t able to order pizza on Domino’s website and mobile app. Domino’s claimed applicable law didn’t require it make its website accessible to people with visual impairments because websites and mobile apps generally didn’t exist in 1990 when the ADA was enacted. The plaintiff argued the ADA should apply, so long as the business contains physical locations in the US and is soliciting customers over the Internet. The District Court agreed with the plaintiff. On appeal, the Ninth Circuit held that the ADA and California law applied to Domino’s websites and mobile apps, which were inaccessible by persons with visual disabilities. The Ninth Circuit then ordered the case to be sent back to the District Court for further rulings, but before that could happen, Dominos filed a petition for a Writ of Certiorari hearing with the United States Supreme Court, asking it to review whether its website is required to comply with ADA, or a comparable California state law. To the disappointment of companies and the U.S. Chamber of Commerce, the Supreme Court recently decided not to review the Ninth Circuit decision. This means the Ninth Circuit court decision will stand, and the case will return to the District Court to determine whether and perhaps how Domino’s makes its website and mobile app accessible to all of its prospective customers. The Supreme Court’s decision is difficult for companies, as there are no federal regulations or rules describing the steps they must take to comply. In 2017, the Justice Department withdrew its compliance guidance on this topic. Companies are typically left to negotiate a settlement regarding the applicable standards with the applicable plaintiff and court. Often that settlement requires compliance with the Web Content Accessibility Guidelines (WCAG), the international standards in digital accessibility for business websites that are set by the World Wide Web Consortium (W3C). Hopefully, the District Court in California can provide more guidance to companies to comply with the ADA and California law. Or perhaps, Domino’s will appeal again. The case is known as Domino’s Pizza v. Guillermo Robles, No. 18-1539.

Visit Blog

Recruiting Scams on the Rise

With more companies hiring, online recruiting scams have re-emerged to prey on job seekers and employers. The Better Business Bureau tracked more than 3,000 recruiting scams in the first 10 months of 2018 with losses in the million dollars. The online recruiting scam works this way: the scammer fraudulently uses a company’s name and logo, and perhaps the names of the company’s employees handling recruiting or human resources, to solicit applications from job seekers for fake jobs. Many times the companies are household names or long established, which gives the scam an air of legitimacy. Sometimes the solicitation comes by email, but most often it is posted on a professional or recruiting website or social media platform. Like most phishing schemes, the scammer’s email address is similar to, but not the same as the legitimate company’s email address. Job seekers responding to the scammer’s solicitation are offered fake job interviews by phone followed up by fake job offers. As part of “onboarding” the new “employee,” scammers ask the job seeker for his or her sensitive personal information, such as a social security number and bank account information for direct deposits. In some cases, the scammers even ask the job seeker for money to run background checks, obtain certifications or cover alleged “advance costs” of office supplies. Because many jobs today involve remote or home offices, these types of advance cost requests for supplies or do not appear wholly unreasonable. In an effort to shut down this type of activity, would-be employers have added a recruiting page (or added to that page) on their corporate websites alerting job seekers that these types of recruiting scams exist and how to avoid them. A recruiting page addressing these scams makes clear that the company’s recruiting process requires job applicants to apply directly through the application process on the company’s corporate website. There, job seekers can securely complete an online application and/or upload a resume, references etc., and avoid the scammer’s trick inviting them to email documents or use the scammer’s link on a third party website or platform. In addition, recruiting pages addressing these scams state that the employer would never ask a candidate for payment of any kind as part of the hiring or onboarding process. Most importantly, these recruiting pages warn candidates not to provide his or her sensitive personal information, such as a social security number, over the phone or by email. If a company receives a call or email from an individual who has been scammed by a fake recruiter, the company could recommend that the individual contact his or her state’s attorney general to report the scam, and also, report the scam to the business or recruiting website or social media platform that might have been involved.

Visit Blog

EU-US Transatlantic Data Flows Subject to Further Legal Challenge

Last week, the High Court of Ireland submitted eleven questions to the Court of Justice for the European Union (CJEU) to consider about the personal data transfer regime between the European Union (EU) and the United States. This referral stems from a new claim by Max Schrems, an Austrian lawyer and privacy activist. Schrems previously challenged the adequacy of the U.S. Safe Harbor data transfer regime to protect EU personal data transferred by technology companies and affiliates in Ireland (including Facebook) to the United States. In 2015, the CJEU struck down the U.S. Safe Harbor as a valid mechanism to transfer data to the US as a result of a referral from the Irish High Court arising from Schrems’ prior lawsuit. Schrems’ new claim specifically challenged whether EU’s standard contractual clauses (SCCs) adequately protect EU personal data transferred from Facebook’s Irish entity to the United States. Schrems’ concern is that EU personal data transferred by Facebook to the U.S. under the SCCs could be accessed by the National Security Agency as part of the NSA’s mass surveillance programs. However, the Irish High Court’s eleven question referral to the CJEU was much broader than questioning just the adequacy of SCCs. The CJEU is being asked to consider the adequacy of the Privacy Shield mechanism (adopted in 2016 as a replacement to the EU-U.S. Safe Harbor) as well as SCCs, to address how to resolve conflicts between conflicting country data protection rules and regulations, as well as violations of individual rights caused by surveillance law and the authority of data protection authorities to suspend cross border data transfers, particularly based on concerns about mass surveillance law. Additionally, in the EU Article 29 Data Protection Working Party’s (WP29) first annual review of the Privacy Shield data transfer mechanism, it called for an appointment of a permanent Privacy Shield ombudsperson in the U.S. among other protective safeguards. The WP29 requested that the U.S. address these safeguards by May 25, 2018, when the GDPR, the EU’s new data protection law comes into effect. To date, the U.S. has not addressed the WP29’s concerns. If anything, US extension to FISA earlier this year may have created more questions, as it is did not include privacy protections for foreigners’ data. While CJEU’s response to the eleven questions is not likely to be issued for months, significantly higher fines for violations of the GDPR are possible beginning on May 25.

Visit Blog

Improper Data Sharing With Cambridge Analytica May Affect 87 Million Facebook Users

Facebook reports that the personal data of 87 million Facebook users, mostly located in the United States, “may have been improperly shared” with British data analytics firm Cambridge Analytica. Previous estimates put the possible scope of improper sharing at about 50 million users. The increased number was calculated by Facebook by totaling the friends of the 270,000 Facebook users who permitted a researcher’s personality quiz app “thisisyourdigitallife” to collect and share personal data about the users and their Facebook friends for research purposes. The researcher allegedly shared the data with Cambridge Analytica, allegedly in violation of Facebook’s rules. See [view related post] for more details. In addition to Facebook reporting a significantly higher number of potentially affected Facebook users, Facebook also announced a number of measures it states are designed to restrict access to data across its social media platform. Additionally, beginning on April 9, Facebook will also inform individual Facebook users whether their data may have been improperly shared with Cambridge Analytica, by a notice at the top of their news feeds [See complete notice – https://newsroom.fb.com/news/2018/04/restricting-data-access/]. This news comes after Facebook CEO Mark Zuckerberg agreed to appear before a Congressional committee investigating the company’s practices. Zuckerberg’s scheduled April 11 testimony before the House Energy and Commerce Committee will focus on the Facebook’s “use and protection of user data.” Zuckerberg has also been requested to testify before the Senate Commerce and Judiciary committees, although no dates have been announced. In addition, the company faces an investigation by the Federal Trade Commission, as well as several state investigations. Meanwhile, Cambridge Analytica suspended its CEO Alexander Nix as the Facebook scandal broke open two weeks ago, together with videos showing him talking with an undercover reporter about potential bribery and entrapment. The British firm has also been engulfed in a number of inquiries by Parliament and the British data protection watchdog, the Information Commissioner’s Office.

Visit Blog

Government and Microsoft In Agreement that Pending Case Mooted by CLOUD Act

On March 30, 2018, Solicitor General Noel J. Francisco filed a motion with the U.S. Supreme Court in United States v. Microsoft Corporation that seeks to vacate the judgment of the U.S. Court of Appeals for the Second Circuit in the case (which held in favor of Microsoft) and to remand the case with directions to dismiss it as moot. The motion was submitted in response to the passage of the CLOUD Act on March 23, 2018, and the Solicitor General’s subsequent letter to the Court on that same date prefacing its intent to submit a supplementary filing to address the effect of the CLOUD Act on the Court’s disposition of the Microsoft case (see previous discussion here). In its motion, the government “respectfully submits that this case is now moot” because the CLOUD Act “resolves the question presented” by amending the Stored Communications Act (SCA) in part to state that service providers subject to a court order issued under the SCA are obligated to produce information within their “possession, custody, or control” without regard to whether the information is stored within or outside of the United States. The government further discloses that following enactment of the CLOUD Act, the government actually obtained a new warrant thereunder, and consequently Microsoft’s objection that the prior warrant issued under the SCA impermissibly sought to compel extraterritorial action is no longer applicable. The government argues straightforwardly that “Microsoft must produce information of the sort requested here” under the CLOUD Act (unless it can raise a comity argument as contemplated under the CLOUD Act), and explains that while the government believes the CLOUD Act compels such production under the original warrant, the government determined “that the most efficient means” of obtaining the information sought under the original warrant was to secure a new warrant under the CLOUD Act. The Solicitor General further argues that there is no need for the Court (or lower courts) to address any dispute concerning the retroactive applicability of the CLOUD Act, in part because the government is no longer relying on the original warrant, and further that vacatur of the Second Circuit’s decision is necessary and appropriate to limit the legal consequences of the now-superseded appellate decision “on critical issues involving extraterritoriality and privacy.” On April 3, 2018, Microsoft filed a response in agreement with the government’s position concerning the disposition of the case. Microsoft stated that the government’s withdrawal of its original warrant, and obtainment of a new warrant under the CLOUD Act, “moots this case... [and] Microsoft agrees with the Government that there is no longer a live case or controversy between the parties” with respect to the proper legal interpretation of a prior version of the SCA. Microsoft also noted that it had long maintained that Congress, and not the courts, was the “proper branch” to address the underlying issue in this case, and that the CLOUD Act now “defines a new approach.” Interestingly, although Microsoft supports the government’s request to vacate the Second Circuit’s decision, Microsoft requests that the Court also vacate the underlying decisions of the magistrate judge and district court (which held for the government and against Microsoft), to avoid “collateral estoppel in any future dispute” between Microsoft and the government. It therefore appears likely that the Court will vacate the Second Circuit’s decision and remand this case, and that the CLOUD Act has absolved the Court of its obligation to render a difficult decision concerning technology and privacy in the digital age.

Visit Blog

Congress Enacts CLOUD Act within Omnibus Spending Bill to Address Overseas Storage of Electronic Data, Potentially Mooting Supreme Court’s Pending Microsoft Case

On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by adding a new § 2713 which states as follows: A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States. The above amendment of the SCA appears intended to address the controversy in United States v. Microsoft Corporation, a case argued before the Supreme Court on February 27, 2018, but not yet decided by the Court. At issue in the Microsoft case is whether a warrant obtained by the Department of Justice under the SCA directing Redmond, Washington-based Microsoft to produce the contents of a subscriber’s email account stored on a Microsoft subsidiary’s server located in Ireland represents an impermissible extraterritorial application of the SCA (see here for our prior analysis of the case). Notably, during oral argument multiple Justices suggested that in lieu of rendering a decision in the case, it may be preferable for the Court to allow Congress to enact a legislative solution to the conflict regarding applicability of the SCA in the modern digital world. For example, Justice Ginsburg asked whether it would not “be wiser” for the Court to “leave things as they are” and to defer to Congress to “regulate in this brave new world,” and Justice Sotomayor similarly questioned whether “we shouldn’t leave the status quo as it is and let Congress pass a bill in this new age... that addresses the potential problems” with interpretation of the SCA. Subsequent to the passage of the CLOUD Act on March 23, Solicitor General Noel Francisco submitted a letter to the Supreme Court notifying the Court of the passage of the CLOUD Act in general and of the above amendment to the SCA in particular. That SCA amendment within the CLOUD Act appears to require a U.S. company served with a court order under the SCA to turn over the data without regard to where the data is stored, provided the data was within the U.S. company’s “possession, custody, or control.” The Solicitor General further stated in his letter that “[t]he United States is currently determining whether, and if so, to what extent the passage of the CLOUD Act affects the Court’s disposition of this case” and indicated that the government will submit a supplementary filing to address that question “as promptly as possible.” It seems likely that the government will take the position that the issue in Microsoft is moot because of the CLOUD Act’s amendment of the SCA (and thus the Court should vacate the Second Circuit decision that gave rise to the appeal and remand the case). But it remains to be determined how the Court will ultimately resolve Microsoft, given the passage of the CLOUD Act and the government’s likely position. Technology companies and other service providers should be aware that in addition to the SCA amendment discussed above, the CLOUD Act includes an extensive legal framework governing the exchange of certain data between the United States and foreign governments. For example, the CLOUD Act includes requirements for a comity analysis in response to attempts by foreign governments to seek the contents of wire or electronic communications, as well as corresponding revisions to federal laws in contemplation of the provision of access to certain data by foreign governments in accordance with the CLOUD Act. Please keep an eye out for a future post that will address these provisions in greater detail.

Visit Blog