Ninth Circuit Sharply Circumscribes Cell-Phone Searches in Light of Riley

We here at White Collar Alert get excited by Riley v. California.  We’ve previously written about it here, here, and here.  And with good reason—smartphones have become a central part of most of our daily lives, and contain some of our most sensitive personal information.  Well, we’re back with Riley news out of the Ninth Circuit, where last week the court reaffirmed the digital-privacy rights of smartphone users by suppressing evidence illegally obtained from a criminal defendant’s cell phone.

As we’ve noted before, the Supreme Court has observed that cell phones are so important to many of us that a “proverbial visitor from Mars might conclude they were an important feature of human anatomy,” which “place vast quantities of personal information literally in the hands of individuals.”  That’s why police ordinarily must have a warrant to search a phone, even incident to an arrest.

But what happens when you’re on probation?  That was the question resolved yesterday in United States v. Lara.  As is quite often the case when a defendant is placed on probation, Lara agreed to certain conditions in order to secure his release from jail to probation.  One of those things was a blanket “Fourth Amendment Waiver,” which permitted the government to search his “person and property, including any residence, premises, container or vehicle under [his] control” at any time. Lara, ___ F.3d ___, No 14-50120, slip op. at 4 (9th Cir. Mar 3, 2016).  When the police came knocking at Lara’s door to conduct a “probation search,” one of the officers found Lara’s cell phone in the living room and searched it. Id. at 5.  Lo and behold, Lara was trying to sell an acquaintance a gun, and had sent him pictures of guns using the smartphone. Id.

Armed with the photographs, the police were able to use GPS data to determine the pictures were taken at Lara’s mother’s house – somewhere the police would have had absolutely no reason to look – and found a gun there that belonged to Lara.  It’s illegal under federal law for a felon to possess a gun (though Justice Thomas suggested at argument in Voisine v. United States last week he thinks otherwise about misdemeanors), and so Lara, a felon, was charged with a federal firearms offense.

Before trial (and before Riley), the district court denied Lara’s suppression motion, and he appealed.

The Ninth Circuit, with the benefit of the intervening Riley decision, reversed.  While it noted that Lara’s acceptance of the waiver bore on the reasonableness of the search, it held that searching Lara’s phone was unreasonable, since his privacy interests outweighed the government’s interest in combatting recidivism and integrating probationers back into their communities. Lara, ___ F.3d. ___, No 14-50120, slip op. at 14-15.  While Lara’s probationary status diminished his privacy interest, it did not extinguish or waive it.  Of particular interest, the court held that the “waiver” was no waiver at all because it was equivocal and unclear.  Looking to Riley, the court observed that it made “no sense to call a cell phone a ‘container,’” and that a phone is not the kind of “property” meant to be encompassed by the waiver, when read in conjunction with the other types of things that waiver included. Id. at 11-12.  It also rejected the government’s suggestion (as “almost fanciful”) that Lara’s decision to Anglicize his name (from “Paolo” to “Peter”) on his phone bill somehow diminished his privacy interest.  Under the exclusionary rule, Lara’s case goes back to the district court, where the government will be unable to present the fruits of its illegal search.

And so, go out into the light and breathe, and text, freely.  Riley’s advance continues to sweep the nation’s courts, and data-privacy supporters have scored another significant legal victory.

SOTU: What Obama’s Mandate Means for Cybersecurity, Data Protection, and Enforcement

This guest post was co-authored by Stephen Grossman and Michael Hayes. Stephen and Michael are partners in Montgomery McCracken’s Litigation Department and co-chairs of the firm’s Electronic Discovery practice. Stephen can be reached at 856.488.7767 or at sgrossman@mmwr.com. Michael can be reached at 215.772.7211 or at mhayes@mmwr.com.

During his State of the Union address last evening, President Obama urged Congress to enact legislation to “better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” The President’s call to action comes on the heels of his remarks before the Federal Trade Commission in which he outlined his administration’s latest cybersecurity and data protection proposals. Prompt consideration of the President’s proposals appears to be a hopeful prospect, with the Subcommittee on Commerce, Manufacturing, and Trade set to hold its first related hearing next week (entitled “What are the Elements of Sound Data Breach Legislation?”). More effective data protections and uniform breach notification requirements stand to benefit individuals. But will the President’s proposals better protect and support American businesses? It may be too early to tell, but one outcome of any successful legislation is likely certain: broader regulatory and enforcement power for the FTC and DOJ.

What are the key proposals the President is advocating? First, the Administration wants to “promote better cybersecurity information sharing between [and amongst] the private sector and government” by encouraging the private sector to share cyber threat information with the Department of Homeland Security. The President has alluded to certain liability protections to incent businesses to report cyber threats to DHS, but we’ve yet to see any concrete details – so more to come. According to the White House, its proposal will enable DHS to more rapidly and effectively communicate emerging threats to the private sector through new industry collectives it coins “Information Sharing and Analysis Organizations.” We’ve yet to see a draft bill on this proposal, but we will keep you posted.

Next, the Administration wants passage of a unifying, federal data breach notification statute (the “Personal Data Notification and Protection Act”) to replace the patchwork of state laws that businesses have had to contend with to date. According to the White House, businesses will have a bright-line, 30 day notification period when they discover customers’ personal or financial information has been compromised. Notification methods authorized by the proposal include mailings, personal telephone calls, emails (if authorized by the individual), and even through media outlets. Notably, the White House proposal includes provisions for authorized delays and even exemptions for good cause such as national security and law enforcement purposes, to determine the scope of the breach, to complete risk assessments, and to prevent further intrusions. If passed, this proposal will vest significant new regulatory and enforcement authority in the FTC. While a federal notification standard is sorely needed for the benefit of business and consumers, we hope that any regulation provides a clear framework and incentives to businesses for compliance.

Another Administration proposal, the Student Digital Privacy Act, focuses on the protection of students’ personal information and data collected in the educational context. Modeled on a California statute, the bill “would prevent companies from selling student data to third parties for purposes unrelated to the educational mission” or from engaging in search-engine-style targeted advertising based on data collected in schools. This should be the least controversial and most easily passed of the Administration’s several cybersecurity proposals.

The Administration also wants to “modernize” the Computer Fraud and Abuse Act by at once increasing criminal and civil penalties (including forfeiture) for violations and “ensuring that insignificant conduct does not fall within the scope of the statute.” The former, according to the White House, will help deter cyber criminals, while the latter (we surmise) is intended to prevent abusive prosecutions such as the one that led to the suicide of Aaron Swartz. This proposal may not gain sufficient traction to ensure passage. Even if it does, we doubt the CFAA amendment will have an appreciable effect on the behavior of true bad actors, and the amendments could spawn further confusion regarding what types of behavior are or are not prohibited. Hopefully, “modernization” of the CFAA won’t just mean increasing enforcement powers and penalties, but also provide better clarity on prohibited conduct. For an in-depth discussion of the proposed amendments to the CFAA, check our Orin Kerr’s post on the subject here.

No matter what side of the political aisle suits your fancy, a commitment to combating the threat of cybercrime, improving cybersecurity, and better protecting the personal and financial information of Americans is vital in our digital world. Unfortunately, that likely will mean broader government enforcement powers and a focus on companies that fail to have what the government considers adequate policies in place to protect and safeguard personal information.

Of Dropbox and Data Breaches: Highlighting the need for increased cyber-security at home and in the workplace

This guest post is authored by Michael B. Hayes. Hayes’ practice concentrates on commercial litigation, government and corporate investigations. Hayes is frequently called upon by clients and colleagues to provide legal expertise and consultation concerning electronic discovery issues. He can be reached at mhayes@mmwr.com or 215.772.7211. Gareth Suddes, manager of Montgomery McCracken’s Legal Technology Support and Application Development also contributed to this blog post.

Reports of massive data breaches at trusted American retail businesses, banks, credit card companies and even governmental agencies have unfortunately become routine. So much so, in fact, that many of us have become desensitized to the serious personal privacy, identity protection and financial risks involved. That is especially unfortunate, because the costs to individuals, businesses and the government are very real and dramatically increasing.

We are falling prey to exploitation of the same consumer and other electronic technologies upon which we rely for our daily communications, purchases, banking, social networking and information storage. The most nefarious culprits are individual hackers (who may share loose affiliations with one another) and cyber agents in the service of foreign powers. The former seek personal profit at our expense, to embarrass some, to titillate others, to stick a cyber-thumb in the eye of business or the government, or just to show off. The latter are often thieves as well, but their overarching goals are strategic in nature. Foreign cyber agents seek to misappropriate sensitive information, to disrupt our economy, to shake public confidence in our government and systems, and to explore our cyber-vulnerabilities for potential use in the event of future hostilities.

In light of these threats, increased vigilance should be the order of the day – especially wherever significant volumes of personal, business and/or government information tend to intersect electronically. One such area is occupied by well-known consumer cloud-based data storage and file sharing services such as Dropbox, Google Drive, OneDrive, Box, Copy, and Amazon Cloud Drive. Continue reading