- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- The US and EU Announce a New Trans-Atlantic Data Privacy Framework
- BIPA Claims Following the McDonald Decision
- NY Attorney General Offers Guidance on Dealing with Credential Stuffing
- “Silent Cyber” Continues to Make Noise in State Appellate Courts
- The FBI Warns M&A Participants on the Increasing Ransomware Threat
- FTC Updates Safeguards Rule for Non-Banking Financial Institutions
- The DOJ’s Civil Cyber-Fraud Initiative
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
October is National Cybersecurity Awareness Month, and the Department of Justice has chosen this month to roll out a new “Civil Cyber-Fraud Initiative.” The announced purpose of the Initiative is to actively pursue cybersecurity-related fraud claims by government contractors and grant recipients.
Michigan state courts have new privacy protections in court rules that become effective July 1, 2021 (links to the implementing orders are included below) after implementation was previously delayed. Under revised Michigan Court Rule (“MCR”) 1.109 and 8.119, parties are no longer able to file papers – including pleadings, motions, and briefs – or attachments containing specified types of personally identifying information (PII) such as date of birth, financial account numbers, driver’s license numbers, state-issued personal identification card numbers, or passport numbers. The existing prohibition on filing more than the last four digits of a social security number remains in force. The revised MCR 1.109 calls for parties and their attorneys to redact any PII and to prepare a separate form listing the un-redacted information and reference codes to be used in the public document. That separate form is considered a nonpublic document and is available only to the court, the parties, and other specified persons. Anyone obtaining a copy of a publicly filed document will receive only the redacted copy and not the separate form.
Yesterday, the U.S. Supreme Court, in AMG Capital Management, LLC v. FTC, sharply curtailed the ability of the Federal Trade Commission to obtain restitution and disgorgement in enforcement actions. In a 9-0 decision, the court found that Section 13(b) of the FTC Act, which authorizes the FTC to seek permanent injunctions in federal court, did not also authorize the Commission to obtain court-ordered monetary relief.
The Michigan Court of Appeals recently issued an opinion in Long Lake Township v. Maxon, considering whether a private landowner had a reasonable expectation of privacy that would preclude the government from flying a drone over their property. The Court concluded that there was an expectation of privacy, and distinguished the expectation of privacy with respect to drones from that applicable to plane or helicopter surveillance. (A dissent argues that U.S. Supreme Court precedent on the Fourth Amendment mandated the opposite result.)
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”). Eye-popping penalty amounts for HIPAA and HITECH Act violations have picked up steam in recent years. However, the M.D. Anderson case is among the first such settlements to be litigated. The Fifth Circuit decision contains some critical takeaways as to key requirements under HIPAA and the enforcement actions available to HHS, and should be of particular interest to healthcare providers and also insurers writing cybersecurity policies.
In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the federal appellate courts holding that a consumer’s exposure to a substantial risk of future identity theft, and efforts to mitigate the risk of future identity theft, are not sufficient to confer Article III standing. The decision highlights federal courts’ struggle with the standing requirements in data breach cases, and possibly raises the likelihood that the U.S. Supreme Court will address the issue.