Richmond Journal of Law and Technology

The first exclusively online law review.

Category: Blog Posts (Page 1 of 18)

HUMVEE Maker Files Trademark Case against Call of Duty

By: Seth Bruneel,

The ears of any lawyer who even dabbles in video games will perk up at the mention of “Call of Duty” and their attention will be fully captured when the title of the popular video game is found in context with “lawsuit.” Such is the case here. The maker of Call of Duty, Activision, is being sued by AM General for trademark infringement. [1]

AM General owns the registered trademark “HMMWV” (Reg. No. 3026594), more commonly referred to as “HUMVEE” (Reg. NO. 1697530). AM General alleges that by using the vehicles and names in Call of Duty Activision “[w]rongfully leverag[es] the goodwill and reputation AM General has developed in these marks … in advertising and promotion of their Call of Duty video game franchise” and that Activision uses the trademarks in the “manufacture and sale of collateral toys and books to further derive wrongful profits.”[2]

There is little room to dispute that Activision is using the trademark in the video games as shown in some of the pictures from AM General’s brief. [3] (In its brief (link) AM General provides further analysis of the similarities.)

AM General Activision


Activision has yet to file an answer to the complaint but there are several defenses that would qualify their use of the trademarks as non-infringement including: lack of consumer confusion and fair-use. [5]

The main test for infringement of a trademark is the likelihood of confusion. [6] However, here Activision has a strong argument that there is not likelihood of confusion because there is no intent to confuse. In fact, the best defense to the idea that consumers will confuse the Call of Duty version of the HUMVEE and AM General’s HUMVEE is to admit that they are both the same vehicle. Activision will then need to show that the use of the trademark is an allowable use.

One such use would be if the use of HUMVEE was a fair-use. Activision’s use of the registered trademarks is fair use if an alleged infringer uses a mark solely to describe the trademark holder’s product, but not the alleged infringer’s produce, for purposes such as comparison, criticism, or simply a point of reference. [7] In this upcoming action, Activing is merely using the trademarked terms and likenesses to refer to AM General’s military vehicles without referring to any of Activision’s products so the trademarks are used simply as a point of reference.

Another way for Activision to escape liability is to claim a free-speech defense. Activision’s use of the trademarks can be free-speech if it meets the Rogers Test. [8] The Rogers test says that a “use of a trademark that would otherwise violate the Lanham Act is not actionable unless [use of the mark] has no artistic relevance to the underlying work whatsoever, or, if it same some artistic relevance, unless [it] explicitly misleads as to the source or content of the work”. [9] Here, it is likely that the court will find that Activision’s use of the trademarks HUMVEE and MMMWV has “at least some artistic relevance” so the court will have to decide if the use misleads consumers as to the source of the HUMVEEs. [10] It is on this second prong of the test that Activision will likely succeed because there is little argument that Call of Duty explicitly mislead consumers to believe that the HUMVEEs are made by Call of Duty, rather than AM General.

While it may seem Activision is likely to evade liability for using AM General’s trademarks in-game, Activision could be in real trouble with the toy products as the toys do much more than simply use HUMVEE as a point of reference. [11] The toys present a higher likelihood of confusion for consumers as they could see the military vehicle as a Call of Duty product rather than a product of American General.[12]

The pending litigation is intriguing as it presents a confluence of commercial and artistic use. While I expect more practical solutions before a judge’s final ruling, it would be interesting to see if the courts are still likely to find that the use is artistic (thus, non-infringing) when the infringer gobbles up such massive amounts of commercial success as Call of Duty: Modern Warfare ($1.23 Billion). [13]


[1] Anandashankar Mazumdar, Humvee Maker Targets Activision’s ‘Call of Duty’ in Trademark Case, PATENT, TRADEMARK & COPYRIGHT J. BNA, (Nov. 10, 2017).

[2] Complaint at 1-2, AM General v. Activision Blizzard, (S.D.N.Y, Nov. 7, 2017) (No. 2:17-cv-08644).

[3] Id. at 5-7, 14-16, 20-22.

[4] Id. at 5-6, 16, 20, (Figs. 1, 2, 11, 12).

[5] Winthrop & Weinstine, Call of Duty Trademark Lawsuit: A Humvee Humdinger, DUETS BLOG (Nov. 15, 2017), (last visited Nov. 28, 2017).

[6] Lanham Act, 15 U.S.C. § 1114 (2017).

[7] See Winthrop, supra note 4.

 [8] See RockStar Videos, 547 F.3d at 1095(quoting Rogers v. Grimaldi, 875 F.2d 994, 999 (2d Cir. 1989)).

[9] Id.

[10] Id. at 1099-1101.

[11] See Muzumdar, supra note 1.

[12] Supra note 2, at 29.

[13] Tom Gernencer, How Much Money Has Every Call of Duty Game Made?, MONEYNATION (Dec. 23, 2015), (last visited Nov. 28, 2017).

Image Source:

Fishing for Location

By: David Hart,

It is no longer the era of buddy-cop stakeouts, waiting outside of a suspect’s home or hangout. Instead, law enforcement has been employing a device that pinpoints a supposed criminal’s location. The most well-known brand of this device is the StingRay, which has become the catch-all term for these devices. The StingRay disguises itself as a cellphone tower, tricking the suspect’s phone into transmitting data to it.[1] This may seem fine at first glance; after all, who doesn’t want criminals off our streets? Unfortunately, it’s not as cut and dry as it seems. The device does not simply target one cellphone. It dupes all cell phones in an area to send information.[2] Additionally, law enforcement does not always obtain a search warrant before utilizing StingRays.[3] So not only is a net being dragged through innocent citizens’ data, oftentimes law enforcement does not explain their probable cause to a magistrate, in an attempt to obtain a warrant, before targeting a suspect’s cell phone. The use of these devices raises significant privacy and civil liberty concerns.

The law struggles to keep up with the sprinting advance of technology, but it seems the judiciary is finally closing the gap. An important development has recently come from the D.C. Court of Appeals, through the case of Jones v. United States. Jones was convicted on charges of sexual assault and robbery.[4] Law enforcement had used a StingRay-type device (a cell-site simulator) to locate him, without obtaining a warrant.[5] Jones argued that this was a 4th amendment violation but the trial court denied his claim.[6] Jones then appealed his conviction to the D.C. Court of Appeals. The Court found that “the government violated the Fourth Amendment when it deployed the cell-site simulator against him without first obtaining a warrant based on probable cause.”[7] In the words of Judge Beckwith, “under ordinary circumstances, the use of a cell-site simulator to locate a person through his or her cellphone invades the person’s actual, legitimate, and reasonable expectation of privacy in his or her location information and is a search.”[8]

The D.C. Court of Appeals is not the only authority that has spoken on the issue of StingRays. In 2016, The Maryland Court of Special Appeals held that law enforcement must have a valid warrant to use cell-site simulators.[9] The Baltimore City Police Department had used a cell-site simulator to locate Kerron Andrews, who was wanted on charges of attempted murder.[10] They tracked his cellphone with this device and located him in a residence.[11] Andrews claimed that the use of this device without a warrant was a violation of the 4th amendment. The Court found that the use of the cell-site simulator was indeed a 4th amendment violation and suppressed the evidence found in the residence where Andrews was located.[12]

Virginia is one of the states that has passed laws restricting the use of StingRay devices. VA Code § 19.2 – 70.3 K. provides that: “an investigative or law-enforcement officer shall not use any device to obtain electronic communications or collect real-time location data from an electronic device without first obtaining a search warrant authorizing the use of the device if, in order to obtain the contents of such electronic communications or such real-time location data from the provider of electronic communication service or remote computing service, such officer would be required to obtain a search warrant pursuant to this section.”[13] In essence, this means that if law enforcement would need a warrant to get location data from a cell-service provider then they also need a warrant to use a StingRay device.

With courts ruling against warrantless use of StingRay devices and legislatures passing laws requiring warrants, it seems we’re headed in the right direction in regards to cell-phone locating and our 4th amendment rights.


[1] See Cyrus Farivar, Another Court Tells Police: Want to Use a Stingray? Get a Warrant (Sep. 22, 2017),

[2] Id.

[3] See generally, Jones v. United States, 168 A.3d 703 (2017); State v. Andrews, 227 Md. App. 350 (2015).

[4] See Jones v. United States, 168 A.3d 703, 707 (2017).

[5] Id.

[6] Id.

[7] Id.

[8] Id. at 715.

[9] See generally, State v. Andrews, 227 Md. App. 350 (2015).

[10] Id. at 354.

[11] Id.

[12] See generally, State v. Andrews, 227 Md. App. 350 (2015).

[13] See Va. Code Ann. § 19.2 – 70.3 (2017).

Image Source:×960.jpg?itok=vaHqbpk5.

#Sponsored: Holding Social Media Influencers Responsible for Their Representations

By: Helen Vu,

Those familiar with the social media world may recall the disaster that was the inaugural Fyre Festival. The music festival was slated to take place during a weekend in April 2017 on the island of Great Exuma, in the Bahamas.[1] Organized by an entrepreneur named Billy McFarlane, Fyre Festival was framed as “Coachella in the Caribbean”[2] and was promoted almost exclusively through social media platforms such as Instagram, Facebook, and Twitter.[3] Organizers paid celebrities and social media influencers, such as Jeffrey “Ja Rule” Atkins, Bella Hadid, and Kendall Jenner, to upload posts promoting the event onto their Instagram accounts.[4] These influencers, who have millions of followers, convinced their fans to hand over thousands of dollars for tickets to a lavish music festival on a tropical island.[5]

Unfortunately, the event turned into more of a dumpster fire than a Fyre Festival. The organizers were woefully unprepared for the actual event, had barely anything set up, and cancelled the festival as people were boarding planes from Miami to the Bahamas.[6] A large group of individuals received the news too late and ended up stuck on an island with not enough departing flights.[7] These unlucky attendees had to wait a day to find a flight back to the United States.[8] Meanwhile, instead of staying in the beachside villas promised, they had to find shelter in half-built tents.[9] At mealtime, organizers handed festivalgoers cheese sandwiches rather than the world-class cuisine they paid for.[10] Social media lit up with discussions of how the Fyre Festival had turned into such a nightmare and how the organizers had known for at least a month that there was no feasible way that the event could occur.[11] Eventually the failed festival became old news but as the furor died down, legal consequences for the festival organizers and promoters began rolling in.[12]

Several individuals brought class action lawsuits on behalf of other festivalgoers, alleging fraud, breach of contract, and negligent misrepresentation.[13] While these complaints all name the main organizer, Mr. McFarlane, as a defendant, it is noteworthy that some of the claimants attempt to hold the influencers who promoted the Fyre Festival accountable as well.[14] A suit filed in the United States District Court for the Central District of California included claims against 50 unnamed individuals, alleging that these defendants made misrepresentations to their followers to induce them into purchasing tickets to the event.[15] Another suit was brought in the Los Angeles County Superior Court against 100 unnamed individuals, claiming false and misleading advertising.[16] It is unclear whether the Fyre Festival ticketholders have a valid claim against the promoters who advertised the event on their social media accounts. After all, attendees purchased their tickets from the organizers rather than the promoters. In addition, these celebrities likely did not have much more knowledge of the event than the attendees did. They merely posted promotional content with a tap of a finger in exchange for compensation.

As social media developed and its use grew exponentially, users who had extremely high numbers of followers found a way to take advantage of the influence they had over so many individuals. Brands and companies commonly pay popular users to post material on their social media accounts promoting goods and services. These sponsored posts are often couched as recommendations from the influencer to her followers rather than as outright advertisements. Thus, users view these sponsored posts as more authentic than regular ads posted by the companies themselves.[17] As this business-savvy practice grows, steps should be taken to ensure that these promoters post truthful material or, at the least, do diligent research on the products they advertise. The companies who pay for these posts have regulations they must follow themselves when they advertise directly to consumers.[18] Instagram influencers should have similar regulations as well. Otherwise, little stops them from posting false advertising for the company that pays the most.

The Federal Trade Commission (“FTC”) is a federal agency that protects consumers from unfair, deceptive, and fraudulent practices in the marketplace by regulating advertising and marketing.[19] While the bulk of the work that the FTC does involves traditional methods of advertising, it has gotten more involved with social media marketing as online influencers play an increasingly larger role in promoting products and services. The FTC recently sent more than 90 letters to influencers and online marketers reminding them that they are required to disclose to their followers which social media posts they are being paid to upload as a promotion or endorsement.[20] This signals a shift from holding only the brands responsible for advertising violations to making the influencers accountable as well.[21]

While the Fyre Festival is arguably the most well known social media marketing failure, it is only a part of the bigger picture involving promotional posts, influencers, and fraud. Internet users will find more and more innovative ways of using social media not just to connect with friends but also to make money. How will we ensure that those making financial gains off an inherently untrustworthy medium are held responsible for their actions? Does the FTC have the power to strictly regulate anyone who gets compensated for his or her posts, even if the posts are on a forum for self-expression? Influencer marketing fraud is a growing area of concern not just for the consumers who may fall prey to deceptive advertising, but for the influencers who may be held liable for their sponsored posts as well.[22]


[1] See Bryan Burrough, Fyre Festival: Anatomy of a Millennial Marketing Fiasco Waiting to Happen.  Vanity Fair, Aug. 2017,

[2] Id.

[3] See id.

[4] See id.  

[5] See id.

[6] See id.

[7] See Burrough, supra note 1. 

[8] See id.

[9] Jung v. McFarland, No. 2:17-cv-03245 (D. Cal. filed Apr. 30, 2017).

[10] See id. 

[11] Burrough, supra note 1.

[12] See Jeff John Roberts, Celebrity Influencers Face Moment of Truth in Fyre Festival Lawsuit, Fortune (May 7, 2017),

[13] See The Fyre Festival is Facing 9 Lawsuits, FBI Investigation, Organizer Arrested, The Fashion Law (July 3, 2017),

[14] See id.

[15] See Jung, No. 2:17-cv-03245.

[16] See Chinery v. Fyre Media, Inc., No. BC659938 (Super. Ct. Cal. filed May 2, 2017).

[17] See Shareen Pathak, Cheatsheet: what you need to know about influencer fraud, Digiday (Nov. 3, 2017),

[18] Federal Trade Commission, Advertising and Marketing on the Internet (Sept. 2009),

[19] Federal Trade Commission, What We Do, (last visited Nov. 21, 2017).

[20] Federal Trade Commission, FTC Staff Reminds Influencers and Brands to Clearly Disclose Relationship (Apr. 19, 2017),

[21] Roberts, supra note 12.

[22] See id.

Image Source:

Can an Employer Fire You If You Sit on Facebook Too Much?

By: Daria Ivanova,

In 1990, Congress enacted Americans with Disabilities Act with a purpose to protect individuals with disabilities from workforce discrimination.[1]  The ADA was a successor to the Rehabilitation Act of 1973, which was the first attempt of Congress to fill the gap in the Civil Rights Act of 1964, in relation to discrimination based on a “physical or mental impairment.”[2] However, the Rehabilitation Act’s reach was limited to only employers “receiving Federal financial assistance,”[3] and the ADA eliminated this limitation covering other employers as well.[4] Congress experienced difficulties in defining a “disability” when enacting the Rehabilitation Act, but the definition they settled on was essentially incorporated into the ADA. The ADA defines a “disability” as “(A) a physical or mental impairment that substantially limits one or more major life activities of such individual; (B) a record of such an impairment; or (C) being regarded as having such impairment.”[5] In order for a plaintiff to prove disability discrimination, he or she must show that: (1) the employer is an entity covered by the ADA; (2) the plaintiff meets the definition of “disabled” under the ADA; (3) the plaintiff was otherwise qualified to perform the essential functions of his or her job, with or without reasonable accommodation; and (4) the plaintiff suffered adverse employment action based on the disability.[6]

Following the enactment of the ADA, the Equal Employment Opportunity Commission (EEOC) and the Supreme Court of the United States limited the application of the Act by narrowing the definition of a “disability.” The formerly defined “substantially limits” as “(i) unable to perform a major life activity that the average person in the general population can perform; or (ii) significantly restricted as to the condition, manner duration under which an individual can perform a particular major life activity.”[7] The Supreme Court did a similar thing in the case Toyota Motor Manufacturing, Kentucky, Inc. v. Williams and Sutton v. United Air Lines, Inc. In the first case, the Court found that for the impairment to be debilitating to the ADA level, it must “prevent[] or severely restrict[] the individual from doing activities that are of central importance to most people’s daily lives.”[8] In the second case, the Court limited the meaning of the phrase “regard as” in the last prong of the statute. The Court stated that it required “an ADA plaintiff to show that the  employer regarded the plaintiff as having an impairment that substantially limited a major life function, as opposed to merely showing that the employer regarded the plaintiff as having an impairment.”[9] However, in 2008, Congress pushed back by introducing the ADA Amendments Act (“ADAAA”) with the purpose of “restoring the intent and protections of the Americans with Disabilities Act of 1990,” [because] “the holdings of the Supreme Court [in Sutton and Toyota] have narrowed the broad scope of protection intended to be afforded by the ADA, thus eliminating protection for many individuals whom Congress intended to protect.” [10] Moreover, the ADAAA stated that the definition of a disability was to be interpreted in the broadest extent allowed by the Act and covering the broadest coverage of individuals.[11]

As surprising as it may seem, scientists still cannot come to an agreement as to the definition of an addiction. Moreover, it has been said that the state of scientific discussion regarding the definition is in a state of “conceptual chaos.”[12] For example, the APA’s Diagnostic and Statistical Manual of Mental Disorders (“DSM IV-TR”) does not even use the word “addiction,” but uses “substance dependence” defining it as “[a] maladaptive pattern of substance use, leading to clinically significant impairment or distress,” and setting forth seven criteria to aid in diagnosis.”[13] Traditionally, the state of an addiction (even though there was no agreement as to its definition) was said to consist of two elements of (1) tolerance and (2) withdrawal. The first one “refers to the tendency of a given dosage of a substance to be less successful in achieving the desired effect over time.”[14] The second one presents itself by “physiological side effects that result from the cessation of repeated use of a substance.”[15] Simply stated, when the body is exposed to a potent drug, it maintains the balance through counter-regulatory mechanisms; for example, in reaction to alcohol, which is a depressant, the body produces more stimulants.[16] These two factors are often elaborated by other, behavioral, factors indicating the person’s relationship to the drug.[17]

As early as 1990, researchers started discussing the idea that addiction might not only include the substance abuse, but also certain excessive behavior, such as shopping, Internet use, and sex addictions.[18]  The latest Diagnostic and Statistical Manual of Mental Disorders (DSM-5) did not include behavioral disorders, except for gambling, but recommended them for further research.[19] Two of the theories which support the idea of including behavioral addiction are (1) the “dopamine theory” and (2) “the looks-like addiction theory.” The “dopamine theory” rationalizes behavioral addiction  because it “corresponds with activity in the brain’s reward circuitry similar to that which occurs during drug use.” [20] The “looks-like-addiction theory” bases its conclusion on the fact that “the relationship between an individual and the behavior looks like the relationship between an individual and a drug because both involve craving, excessive use, withdrawal, tolerance, and continuation despite negative repercussions.”[21]

Within the framework of ADA, Internet addiction started to be widely discussed after Congress expressly stated its willingness to apply the ADA on as many cases as permitted by the text of the Act. Additionally, courts have held that once a health professional diagnoses a mental health condition, this condition can count as an “impairment” under the ADA.[22] The regulations proposed by the EEOC to implement the ADAAA included “major depression, bipolar disorder, [and] PTSD.”[23] For example, in order for a plaintiff to be able to make a case under the ADA, he would have to bring an expert testifying that Internet addiction is a mental health condition which substantially limits one or more major life activities of a plaintiff, such as not allowing a plaintiff to interact with other people due to prolonged Internet usage. This scenario in the example does not seem too crazy. The plaintiff in Pacenza v. IBM Corp. tried to link his “long-standing Internet sexual addiction” to PSTD he suffered after the Vietnam War and sexual abuse he suffered as a child.[24] Pacenza’s job did not require his utmost attention all of the time, and one of the ways he filled his time was participating in sexually-explicit chat rooms.[25] Pacenza received a warning after the first time, but, subsequently, his supervisor caught him again and discharged Pacenza.[26] Pacenza sued IBL claiming protection under the ADA because his PTSD “manifested through various addictive behaviors including ‘Internet sex addiction.’”[27] The U.S. District Court for the Southern District of New York granted summary judgement to IBM, but based its decision on the fact that Pacenza’s supervisor did not know about his PTSD; thus, the court neither completely foreclosed, nor validated the ability of prevailing in the ADA suit based on a behavioral addiction. As society gets more technologically dependent, it seems fairly certain that these arguments could potentially become more prevalent and more accepted by the courts.


[1] Americans with Disabilities Act of 1990, Pub. L. No. 101-336, § 2(a), 104 Stat. 327, 328-29 (codified as amended at 42 U.S.C. § 12101(a) (2006)).

[2] 42 U.S.C. § 12102(1)(A) (Supp. II 2008).

[3] Rehabilitation Act of 1973, Pub. L. No. 93-112, 87 Stat. 355, § 504 (codified as amended in scattered sections of 29 U.S.C.).

[4] See 42 U.S.C. § 12111(5)(A) (2006) (“The term ‘employer’ means a person engaged in an industry affecting commerce who has 15 or more employees….”).

[5] See Rehabilitation Act Amendments of 1974, Pub. L. No. 93-516, § 111(a), 88 Stat. 1617, 1619.

[6] Behavioral Addictions and the Law.

[7] 29 C.F.R. § 1630.2(j)(1) (2010).

[8] Toyota Motor Mfg., Ky., Inc. v. Williams, 534 U.S. 184, 198 (2002).

[9] BEHAVIORAL ADDICTIONS AND THE LAW, 84 S. Cal. L. Rev. 161, 180-181 (citing Sutton v. United Air Lines, Inc., 527 U.S. 471, 493 (1999)).

[10] Id. (citing ADA Amendments Act, Pub. L. No. 110-325, 122 Stat. 3553, §2(a)(4) (codified in scattered sections of 28 and 42 U.S.C.).

[11] ADA Amendments Act § 3(4)(A).

[12] Howard J. Shaffer, The Most Important Unresolved Issue in the Addictions: Conceptual Chaos, 32 Substance Use & Misuse 1573, 1574 (1997).

[13] Am. Psychiatric Ass’n, Diagnostic and Statistical Manual of Mental Disorders (4th ed., text rev. 2000).

[14] BEHAVIORAL ADDICTIONS AND THE LAW, supra note 9, at 165.

[15] Id.

[16] Nathanael J. McKeown & Patrick L. West, Withdrawal Syndromes, eMedicine, (last updated Aug. 12, 2016).

[17] Hanan Frenk & Reuven Dar, A Critique of Nicotine Addiction 30-32 (2000); Shaffer, supra note 7, at 1577 (“It is the relationship of the addicted person with the object of their excessive behavior that defines addiction.”).

[18] See, e.g., Isaac Marks, Behavioural (Non-Chemical) Addictions, 85 Brit. J. Addiction 1389, 1389 (1990).

[19] Anita Everett, Can You be Addicted to the Internet?, American Psychiatric Association (Jul. 20, 2016)

[20] See Jerald J. Block, Issues for DSM-V: Internet Addiction, 165 Am. J. Psychiatry 306, 306 (2008).

[21] Id.

[22] Ekstrand v. Sch. Dist. of Somerset, 583 F.3d 972 (7th Cir. 2009).

[23] Regulations to Implement the Equal Employment Provisions of the Americans With Disabilities Act, as Amended, 74 Fed. Reg. at 48,441.

[24] See Pacenza v. IBM Corp., No. 04 Civ. 5831 (PGG), 2009 U.S. Dist. LEXIS 29778, at 2 (S.D.N.Y. Apr. 2, 2009).

[25] Id.

[26] Id. at 9, 17.

[27] Id. at 30.

Image Source:

You’re Autonomous, Your Car Should Be Too

By: Lilias Gordon,

A professor in class today told us he doesn’t think his kids will ever learn to drive. My first reaction was incredulous, thinking back to the week before my sixteenth birthday when I preemptively took drivers ed. Driving myself meant life altering freedom. Self-driving cars, this is the reason my professor gave for thinking his two-year-old, growing up in Virginia, will never need to drive himself.

Self-driving cars will likely trigger novel legal issues that will be sorted out using tort law. However, if self-driving cars become common, this technology may impact criminal law in a way that probably will not have such an easy answer.

A central theme for tort cases will likely be untangling who is at fault when a self-driving car is in an accident.[1] For example, if a car is partly self-driving but requires human overriding during an accident, identifying who is liable and what caused the accident may be very difficult. In this scenario, one problem may be determining whether the car gave adequate warning to the driver before the crash.[2] Or, perhaps the owner failed to maintain the car, declining to install appropriate updates.

Complicating the situation, a self-driving car will have a plethora of complicated parts, manufactures, and data providers. Diagnosing what went wrong to cause an accident may be incredibly difficult as cars use more new technology. A single crash may implicate dozens of possible defendants;[3] this starts to sound more like particularly vexing civil procedure exam question.

So, here’s the more interesting criminal law question: how will self-driving cars impact the 4th Amendment? First, suppose Lyft and Uber develop autonomous cars and their use becomes ubiquitous. These companies keep detailed records of trips, showing where and when a person traveled as well as which roads were taken.[4] This information has traditionally been viewed as your garden variety business record belonging to the company,[5] but using this information at trial has the potential to be a warrantless search, violating the 4th Amendment.

The Supreme Court is set to hear oral argument discussing this exact issue on November 29, 2017, in a case called Carpenter v. United States.[6] Defendants were convicted of nine counts of armed robbery. At trial, the government used evidence of Defendant’s cell phone records to show they were using their phones within two miles of the robberies.[7] The 6th Circuit held that the government may use cell phone records in order to place a suspect at the scene of a crime.[8] If self-driving cars become the norm, transportation companies may be able to generate a massive amount of information about where people are and when. If you found “checking in” on Facebook creepy, buckle up.

The Supreme Court may reverse the Sixth Circuit and hold that police officers cannot accessed your cell phone (or possibly Uber) records for a criminal investigation unless they have a warrant.  However, there is still a question of whether this information will also be protected from advertisers. Google has invested heavily in developing self-driving cars; they also generate much of their revenue through advertising.[9] One possible scenario that has been suggested is a company, let’s suppose it’s Krispy Kreme, has paid the company that navigates your self-driving car to advertise their product.[10] On a road trip, your car is now motivated to suggest you take the next exit for a doughnut.[11] A much more invasive example might be a car that continues to drive a recovering alcoholic past her favorite bar.[12]

A second possible criminal law implication for self-driving cars may actually be a really good thing for society. The Supreme Court has held that police officers are allowed to pull over drivers for minor driving infractions regardless of the real reason they may want investigate a car.[13] The classic example of a pretextual traffic stop is when a police officer pulls a driver over for not using a turn signal as an excuse to search a car for drugs. This practice has incited much criticism because pretextual traffic stops are used to target drivers based on race.[14] Consider, self-driving cars may be programed to perfectly comply with traffic law. This may eliminate a police officer’s ability to patrol a predominantly black neighborhood with the intention of using traffic violations to conduct a drug search. Certainly, without traffic tickets, there may be a whole new problem of funding local government, but it’s hard to argue with less racial profiling.

My initial reaction to my professor’s comment about his kids never learning to drive— that this an outright efface to the freedom every sixteen-year-old should have — could not have been more off base. Consider this, Virginia Tech just unveiled four new expansions to its Smart Road test site to simulate city and residential environments.[15] Yes, Virginia Tech has a two-mile, two-lane loop for conducting test on autonomous car technology. I didn’t know about it either until I heard an NPR story on the drive home that explained it like this. The industry of autonomous cars is developing fast and soon we will have technology that is capable of making people more autonomous themselves. If an elderly man wants to go to the store or run other errands but no longer feels comfortable driving, autonomous cars give him the freedom.


[1] Damien Riehl, Car Minus Driver, Part II, 73 J. Mo. B. 264, 266 (2017).

[2] Id. at 265.

[3] Bryant Walker Smith, Tesla and Liability, The Center for Internet and Society at Stanford Law School, (May 20, 2015).

[4] Orin Kerr, How Self-Driving Cars Could Determine the Future of Policing, Wash. Post (Jun. 16, 2017)

[5] Id.

[6] Carpenter v. United States, 810 F.3d 880 (6th Cir. 2016), cert. granted 85 U.S.L.W 3569 (Jun. 5, 2017) (No. 16-402).

[7] Id. at 884.

[8] Id.

[9] Riehl, supra note 1, at 290.

[10] Patrick Lin, What If Your Autonomous Car Keeps Routing you Past Krispy Kreme?, The Center for Internet and Society at Stanford Law School (Jan. 22, 2014)

[11] Id.

[12] Id.

[13] Whren v. United States, 517 U.S. 806, 815 (1996).

[14] See generally David Harris, Driving While Black, and All Other Traffic Offenses: The Supreme Court Pretextual Traffic Stops, 87 J. Crim. L. & Criminology 544 (1997).  

[15] Robbie Harris, Smarter “Smart Road” Paves the way for Driverless Vehicles, Radio IQ WVTF (November 16, 2017) (Quoting Center of Public Police head Myra Blanco)

Image Source:

Technology Gives Victims a Voice

By: Nicole Gram,

The successful 2015 pilot of Callisto in the college setting has proved to be beneficial in encouraging sexual assault victims, who otherwise would have remained silent, to speak up.[1] This success is driving consideration of expanding the application of allegation escrows to employment and political settings.[2] Information escrows contain private information that is deposited with an escrow agent who will release the information only under predefined conditions.[3] Allegation escrows, such as Callisto, connect people who have reported similar problems with the same individual or group and enables them to file complaints together.[4] The escrow provides a mechanism to overcome the “first mover disadvantage” in which the first accuser faces the greatest risk of retaliation or skepticism.[5] It reduces the fear of potential retaliation from the accused harasser and reputational risk since multiple complainants eliminates the “he said, she said” situation.[6] The existence of similar reports of misconduct reinforces the confidence of the victim that their claims are unacceptable acts of harassment.[7]

There are several legal implications to be considered relative to the technology of allegation escrows. Specific to Callisto, the antidiscrimination regulations of Title IX that prohibit gender based discrimination has been interpreted to include sexual harassment. This may cause schools to be discouraged from an escrow that may not inform them until there are reports from multiple parties due to concern about satisfying their obligation to investigate and address harassment when they reasonably should know about the conduct.[8] However, the obligation of schools to investigate all complaints without guaranteeing confidentiality reinforces the value of the escrow in encouraging victims to deposit who might otherwise be reluctant to report by themselves.  In the workplace, Title VII requires employers to take an even more active role than schools in the prevention and investigation of sexual harassment.[9] While employers may be concerned about escrows because they don’t always notify the employer of every complaint, there are ways to leverage the escrow as an additional option toward providing adequate harassment reporting mechanisms.[10]

There are additional legal considerations in the relationships between the escrow agent, the depositor and the sponsoring institution or organization. To mitigate privacy and confidentiality concerns, contractual relationships between the escrow agent and the sponsoring organization should be extremely limited, and preferably nonexistent, to avoid employee rights to documents and to separate the sponsoring institution from the escrow reports in satisfying governing regulations.[11] Another area of concern is abuse of the escrows via fake and false reporting. Providing the escrow agent with rights to review the reports deposited to determine whether the content is sufficient and made in good faith by a valid member of the sponsoring organization is a preventative measure to address this.[12] However, the rights of the escrow agent must be administrative only to avoid any liability on their part.[13] Another measure to avoid abuse and protect privacy is to automatically forward matched deposits for investigation without providing flexibility for the matching depositors to collaborate or decide action.[14]

In light of recent media reports of rampant sexual harassment surrounding famous players in the motion picture industry and prominent politicians, there appears to be an opportunity for Callisto beyond the college setting. The manner in which the flood gates have been opened by initial accusers willing to risk retaliation and their reputation supports the value proposition of an allegation escrow. An ancillary benefit is the ability to leverage aggregate data without the specifics of unmatched reports to allow institutions to address systemic issues in particular departments, locations and organizations.[15] The legal issues of antidiscrimination regulations, privacy, liability and abuse via fake or false reporting present current challenges to be overcome via careful construction of contracts and relationships between the key stakeholders of allegation escrows.


[1] See Callisto, What We Do, Callisto: Tech to combat sexual assault (2017),

[2] See id.

[3] See Ian Ayres & Cait Unkovic, Information Escrows, 111 Mich. L. Rev. 145, 150 (2012).

[4] See id at 147.

[5] See Laura Bassett, How A New Technology Could Help Find The Next Harvey Weinstein, Huff. Post (2017),

[6] See Ayres, supra note 3 at 147.

[7] See id at 161.

[8] See id at 174.

[9] See id at 174 n. 87.

[10] See Ayres, supra note 3 at 176.

[11] See id. at 176-77.

[12] See id. at 178-79.

[13] See id. at 177-78.

[14] See Ayres, supra note 3 at 180.

[15] See id. at 183.

Image source:

A Pedestrian’s Paradise: The Future of Jaywalking and Self-Driving Cars

By: Jenna Bouley,

Most people have at some point in their lives jaywalked regardless of the safety concerns with the practice. While jaywalking is still generally illegal, the rule is often not enforced.[1] As defined by Merriam-Webster, jaywalking is a verb meaning “to cross a street carelessly or in an illegal manner so as to be endangered by traffic.”[2] However, in practice it is more likely that people do not consider the safety concerns implicated by the definition, but simply see jaywalking as the easiest way to get from one point to another. Obviously, jaywalking presents safety concerns and can even result in death. The United States Department of Transportation provides that in 2015, 71% of all pedestrian fatalities were at non-intersection locations whereas at intersection locations fatalities were only at 19%.[3] In a report produced by the Governors Highway Safety Association in 2016 that percentage appeared to increase to 82% of pedestrian fatalities occurring outside of intersections.[4] The report also provided that around 6,000 pedestrian fatalities are estimated to have occurred in 2016, which would make 2016 the first year in more than two decades with more than 6,000 pedestrian deaths.[5] The cause of this surge may be an increase in distractions by both pedestrians and drivers having their eyes are down, staring at their phones.[6] Since, phones are unlikely to be going away anytime soon the answer may in fact lie in the use of more technology, self-driving cars.

A report recently released from the National Association of City Transportation Officials, a nonprofit representing cities on transportation issues, provides a blueprint of cities with self-driving cars that allow pedestrians to cross anywhere they want.[7] The concept being that the technology in self-driving cars will be able to identify when a person is trying to cross a street, and slowdown to allow the person to safely cross the street.[8] The report goes on to provide that  streets should be designed to allow maximum a speed on 20 to 25 mph.[9] As such the authors of the report provide that concept of jaywalking would become a thing of the past stating that: “the instinctive human act of walking straight to one’s destination, pejoratively known as “jaywalking,” becomes simply “walking”.”[10]

While cities often look to the National Association of City Transportation Officials for guidance on what policies to adopt it is unclear if they would be willing to adopt such a policy.[11] Cities must make decisions about what they want to prioritize and that includes deciding whether to place their resources in vehicles, pedestrians or other uses of streets.[12] However, the theoretical benefit of self-driving cars in this area is that there is considerable evidence that autonomous vehicles drive much more cautiously than the majority of human drivers and will be able to sense when a human is crossing in front of it.[13] Moreover, an autonomous vehicle would likely be programmed to respect the pedestrian’s right of way, regardless of whether a crosswalk is unmarked or marked.[14] These improvements will help ensure that pedestrians will remain safe regardless of whether they are jaywalking. While, self-driving cars are still a developing technology they could be the answer to providing a safer way of life for pedestrians.


[1] Matt McFarland, Self-driving Cars Could Make Jaywalking Legal, CNN Tech (Nov. 3, 2017),

[2], (last visited Nov. 9, 2017).

[3] United State Department of Transportation: National Highway Traffic Safety Administration, Pedestrian Safety, (last visited Nov. 9, 2017).

[4] Government Highway Safety Association, Pedestrian Traffic Fatalities by State: 2016 Preliminary Data, (last visited Nov. 9, 2017).

[5] Richard Retting & Sam Schwartz, Pedestrian Traffic Fatalities by State: 2016 Preliminary Data, Government Highway Safety Association, 4 (last visited Nov. 9, 2017).

[6] See David Schaper, Distraction, On Street And Sidewalk, Helps Cause Record Pedestrian Deaths, NPR (Mar. 30 2017),

[7] See McFarland, supra note 1.

[8] Id.

[9] Janette Sadik-Khan et al., BlueprintfFor Autonomous Urbanism, National Association of City Transportation Officials, 12 (Nov. 9, 2017), last visited.

[10] Id. at 41.

[11] See McFarland, supra note 1.

[12] See id.

[13] Adam Millard-Ball, Pedestrians, Autonomous Vehicles, and Cities, J. of Planning Ed. & Research, 3 (Nov. 9, 2017),

[14] Id at 4.

Image Source:

Move Fast and Break Things Up: Considering the Possibility of Breaking Up Big Tech with Anti-Trust Law

By: Mitch Torrence,

“Robber Baron” is a term that conjures up images of John D. Rockefeller, Andrew Carnegie, Henry Frick, and Cornelius Vanderbilt; men in dark, smoke filled rooms amassing their fortunes on the backs of monopolistic enterprises. The days of the Robber Barons are gone now. The heads of Silicon Valley, Mark Zuckerberg and Sheryl Sandberg, Jeff Bezos, Tim Cook, Larry Paige, and Sergey Brin don’t exactly fit the description or so it would seem. Rockefeller’s Standard Oil Company was broken up pursuant to the Sherman Anti-Trust Act when the Supreme Court handed down its decision in Standard Oil Company v. United States.[1] Today, Silicon Valley has assumed the mantle once occupied by the likes of Standard Oil, yet conversations about the potential of anti-trust laws to break up the Big Tech companies remain muted. The current state of anti-trust poses a serious problem, but it may be time to consider breaking up the Big Tech companies.

Perhaps the largest hurdle to clear when considering breaking up Big Tech is the state of anti-trust today. Gone are the days of the Standard Oil, American Tobacco, and AT&T breakups.[2] Since the 1980’s, anti-trust has been far less aggressive and less concerned with companies being oversized and depressing competition.[3] The primary driver of this is the rise in prominence of the Chicago School, which moved the focus of anti-trust from structuralism to price theory, focusing on whether or not consumers are paying inordinate prices as opposed to a company driving competition out of the market.[4] This poses an issue with Big Tech companies as many of the services they provide are ostensibly free. This has, as Hubbard notes, allowed the companies to largely fly under the radar but the reality is that the users pay with their data.[5] This line of thinking recently has been challenged more and more by people like Khan and Hubbard, but it remains dominant. It also bears mentioning that the line the Chicago School takes is at odds with the political origin of the Sherman Act.[6] There exists an additional messaging issue in that it’s fairly difficult to say to consumers “the convenience you enjoy from Amazon etc. and the low prices you enjoy, they don’t matter”. [7] Perhaps the most daunting task that remains is the fact that Tech Companies don’t necessarily resemble monopolies as they’re classically understood.[8] It is worth noting that while the iPhone is the most popular phone in America, it accounts for around only a third of phones sold.[9] Furthering this point, Amazon does not account for the majority of online sales, and its market share of American retail remains in the single digits.[10] It’s true that Facebook and Google constitute a duopoly in digital ads, but this is one of the few classic examples.[11] All of this paints a rather bleak picture for the prospect of breaking up the tech companies; at the very least it is an uphill battle. However, a legitimate case remains to be made and it begins with the outsized effect the Big Tech companies have in the economy.

In the first quarter of 2017 the world’s four most valuable companies were Apple, Alphabet, Microsoft, and Amazon; Facebook came in at number 8.[12] This in and of itself is not necessarily problematic; it is generally a good thing for American companies to occupy these slots. The problem arises when one considers how this value is being attained and the cost that comes along with it, most notably the lack of competition in the space. It isn’t a coincidence that the number of companies started in the United States is at a 40-year low.[13] The barrier to entry in these industries, despite what common wisdom would suggest, is high. Moreover, the structure of companies like Amazon or Alphabet that have their hands in every area creates a structural problem that may manifest itself as outsized leverage.[14] As Khan notes, Amazon is able to use its structural advantages to create anti-competitive environments.[15] This is a problem that anti-trust moving away from the Chicago School may be able to solve. Additionally, there are criticisms of the way these companies are developing that may be the province of anti-trust. There is a mythology associated with Big Tech that paints the companies as scrappy upstarts that stay on top of the market through innovation; the reality is murkier. Google, for example, did not develop Android, but rather acquired it.[16] Amazon has employed similar tactics.[17] The result being that these companies can wield their structural power and create anti-competitive environments that may necessitate anti-trust.[18]

The mythology surrounding Big Tech complicates the matter at hand; the reality is that the level of convenience Americans enjoy due to Amazon, Apple, Google, etc. is largely, and perhaps rightly, considered to be a net positive. However, this does not mean these companies can do no wrong nor does it mean that we ought to ignore the very real structural problems these companies are creating. It is not a forgone conclusion that breaking up Big Tech is necessary, and more to the point the current status of anti-trust doctrine in the U.S. would seem to preclude it. That being said, it may still be time to move fast and break up Big Tech.


[1] See generally, Standard Oil Co. v. U.S., 221 U.S. 1 (1911).

[2] Id.; see generally American Tobacco v. U.S., 221 U.S. 106 (1911).

[3] See Lina Khan, Amazon’s Antitrust Paradox, 126 Yale L.J. 710 (2017).

[4] Id.

[5] Sean Illing, Why “Fake News” Is an Antitrust Problem, VOX (Sept. 23, 2017),

[6] Id.

[7] See Farhad Manjoo, Can Washington Stop Big Tech? Don’t Count on It, New York Times (Oct. 25, 2017),,

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] See Natasha Tiku, Digital Privacy is Making Antitrust Exciting Again, Wired (June 04, 2017),

[13] Id.

[14] See Khan, supra note 3.

[15] Id.

[16] See Tiku, supra note 12.

[17] See Khan, supra note 14.

[18]  Id.

Image Source:

SCOTUS Catching Up With the Times – Electronic Filing Is Finally Here

By: Nicole Allaband,

Courts in general have been slow to adopt technological changes. However, the Supreme Court of the United States has finally taken the plunge and will launch an electronic filing system on November 13, 2017.[1] Chief Justice John G. Roberts, Jr. promised to bring the Supreme Court into the 21st century and implement an electronic filing system back in 2014.[2] It took three years for the new system, developed in-house, to become available but the time has finally arrived.[3]

The federal courts implemented electronic filing in 2001, with bankruptcy courts joining first.[4] The Case Management/Electronic Case Files (CM/ECF) program allows more than 700,000 nationwide to file court documents electronically. Additionally, the public has access to virtually all the documents filed through the website Public Access to Court Electronic Records (PACER).[5] PACER does charge fees for searching, accessing, and printing.[6] The fees are set by the Judicial Conference and are currently $0.10 a page.[7] The new Supreme Court system will make all unsealed documents available to the public for free.[8] The free and quick access to electronic filings will benefit practicing lawyers as well as researchers.

Electronic filing in the federal courts has provided many benefits, including allowing attorneys to file documents from their home or office all day, every day.[9] Initially, the Supreme Court system will require litigants represented by attorneys to file both electronically and in paper.[10] The Supreme Court will likely maintain the dual filing for some time until the Court is sure the system works and is not vulnerable. After review, the filings will be publicly available. Attorneys can file electronically at no extra cost than the regular filing fees.[11] Pro se litigants must still file in paper form and the documents will subsequently be scanned and uploaded to the system.[12]

The CM/ECF system employs a two-step security process.[13] A program verifies each PDF document as it is uploaded.[14] Another program runs periodically to verify that the documents have not been changed since they were uploaded.[15]

To file electronically for the Supreme Court, attorneys must first register with the new system, which can take 1-2 days to process.[16] Only attorneys admitted to the Supreme Court Bar and those attorneys appointed for a specific case are able to register.[17]

The launch of the Supreme Court’s new electronic filing system has many potential benefits for practicing lawyers, as well as researchers. But there are also security concerns.[18] In the age of cyberattacks, ransomware, and hacking, courts are especially cautious because they deal with sensitive information on a daily basis.[19] Courts and the electronic filing systems have been targeted in the past.[20]

The Supreme Court developed its online filing system in-house over the last three years. Developers undoubtedly considered and developed security mechanisms to prevent hacking to steal sensitive information and cyber-attacks that could shut the system down. Technological advances are coming in an increasingly fast pace. Malicious hackers also move at a fast place, finding vulnerabilities in systems faster than “white hat” hackers can plug the holes.[21]


[1] See Electronic Filing, The Supreme Court of the United States, (last visited November 7, 2017).

[2] See Brian Fung, The Supreme Court is about to become more transparent, thanks to technology, Wash. Post (August 3, 2017),

[3] See Electronic Filing, The Supreme Court of the United States.

[4] See FAQs: Case Management/Electronic Case Files (CM/ECF), United States Courts, (last visited November 7, 2017).

[5] See id.

[6] See Electronic Public Access Fee Schedule, PACER: Public Access to Court Electronic Records, (last visited November 7, 2019).

[7] See id.

[8] See Melissa Heelan Stanzione, Supreme Court Electronic Filing Opens Nov. 13, Criminal Law Reporter, BNA Law Reports,

[9] See FAQs: Case Management/Electronic Case Files (CM/ECF)

[10] See Electronic Filing, The Supreme Court of the United States.

[11] See FAQs: Case Management/Electronic Case Files (CM/ECF)

[12] See Electronic Filing, The Supreme Court of the United States.

[13] See FAQs: Case Management/Electronic Case Files (CM/ECF

[14] See id.

[15] See id.

[16] See Stanzione, Supreme Court Electronic Filing Opens Nov. 13.

[17] See id.

[18] See David Murphy, U.S. Supreme Court to Deploy New Electronic Filing System Around 2016, PCMag (January 1, 2015),,2817,2474456,00.asp.

[19] See, e.g.,Richard Milne, Maersk cuts profit guidance in wake of cyber attack, Financial Times (November 7, 2017); Judy Greenwald, Ransomeware risks go mainstream, Business insurance (November 6, 2017),; Jake Bernstein, The Paradise Papers Hacking and the Consequences of Privacy, New York Times (November 7, 2017)

[20] See U.S. court system targeted in cyber attack: report, Reuters (January 24, 2014),

[21] See obert Siciliano, How Hacking Has Evolved with Technological Advances, Balance (August 28, 2017),

Image Source:

What To Do First When Data Is Hacked: A Guide To Mandatory Notification For Virginia Businesses

By: Spencer Allen,

More than four-billion data records were stolen worldwide in 2016.[1] In 2014 alone, nearly half (47%) of U.S. adults had their personal information stolen.[2] Though it is the big hacks that make the news- Yahoo (3 billion), Equifax (143 million), Verizon (6 million)—small and local businesses are no less vulnerable to data breach, and need to be ready to respond quickly when a breach happens.[3]

Virginia law requires businesses to notify affected parties in certain situations where personal data is compromised.[4] Failure to give proper notice can be expensive—up to $150,000 per breach.[5] This article is intended to help Virginia businesses comply with mandatory notification procedures following a data breach.

I. What sorts of breaches require giving notice?

Virginia Code § 18.2-186.6 requires that companies give notice when each of five criteria are met: 1) unencrypted or unredacted; 2) personal information; 3) is accessed or acquired by an unauthorized person (or reasonably believed to have been accessed or acquired by an unauthorized person); 4) which causes identity theft or another fraud (or is reasonably believed to have caused or cause in the future identity theft or another fraud); 5) to any resident of Virginia.[6] Each of the five criteria must be analyzed to determine whether notice is required.[7]

  1. “Unencrypted or unredacted”

“Encrypted” data is data that has been “scrambled” by an algorithmic process.[8] Though the precise way in which data is encrypted depends on the kind of data and the way in which the data is stored and sent, the basic idea is that an algorithm makes the data unreadable without a specific key (or series of keys).[9]

For example, imagine that we apply an algorithm that subtracts one from each number. If we apply the algorithm to an unencrypted number—4765—we arrive at an encrypted number of 3654. In this example we have no way of knowing that the unencrypted number is 4765 unless we have the key—that is, unless we know the algorithm. Without knowing the algorithm, the unencrypted number could be anything, and there is a low probability that we could figure it out by chance.

“Redacted” data is data for which identifying information or confidential information has been removed, and is thus not tied to a particular person or entity.[10] For example, imagine you come across a detailed medical record with no name attached. That data is considered “redacted” because without the identifying information the data is useless for anyone who would seek to exploit it. The data merely shows that someone, somewhere in the world has that medical history.

Basically, this first criteria for data that triggers mandatory notification is that it must be useable. The person who steals or otherwise acquires the data must be able to actually read what it says, and pair the data to particular persons or entities. If compromised data remains encrypted or is redacted, notification is not required by VA § 18.2-186.6.

  1. “Personal information”

Though “personal information” may cover a lot of things, it is specifically defined in the statute.[11] To qualify as “personal information,” data must include:[12]

  1. The first name or first initial
  2. The last name
  3. In combination with or linked to any of the following:
    • More than five digits of a social security number
    • More than the last 4 digits of a driver’s license number or state identification card number
    • More than the last four digits of a financial account number or credit card or debit card number in combination with any required security code, access code, or password that would permit access to the person’s financial accounts.

If the data that is stolen or compromised does not contain all three of the above, notice is not mandatory.[13]

  1. Accessed or acquired by an unauthorized person (or reasonably believed to have been accessed or acquired by an unauthorized person)

Importantly, the statute does not require the data to have actually been stolen.[14] A company must comply with mandatory notice even if the company only has a reasonable belief that the data has been accessed or acquired by an unauthorized person.[15] “Reasonable belief” is subject to the court’s discretion.[16] The issue of reasonable belief as it relates to this statute has never been brought to trial, and thus it is better to err on the side of caution whenever a data breach is suspected.[17]

  1. “Which causes identity theft or another fraud (or the individual or entity reasonable believes has caused or will cause identity theft or another fraud)

This part of the statute holds that mandatory notice is only triggered when an unauthorized person who receives personal data intends to misuse the data or actually misuses the data.[18] Just like the access requirement, actual identity theft or fraud does not have to occur to trigger mandatory notice, all that is required is a reasonable belief that identity theft or fraud has or will occur.[19] This allows effected parties to be notified as soon as possible—and hopefully before damage has been done. Again, as with access, if personal data is stolen it is best to err on the side of caution and assume that the data will be used for identity theft or fraud. Virginia crimes involving fraud are codified in Chapter 6 of Title 18.2 of the Code of Virginia.[20]

This part of the statute is important because it creates a carve-out so that accidental “good faith” breaches do not trigger mandatory notification.[21] For example, imagine that a business owner’s mother-in-law, while snooping on her computer, opens a file called “business records.” The file contains all of the transaction information from the business, including credit card numbers and personal information of customers. Without criteria four, this would trigger mandatory notification because 1) unencrypted; 2) personal information; was 3) accessed by an unauthorized person.[22] However, because the business owner (hopefully) can trust that her mother-in-law will not use the information to commit fraud, this sort of breach does not trigger mandatory notification. The breach neither caused identity theft or fraud, nor would a person reasonably suspect that identity theft had or would happen.

  1. “To any resident of Virginia”

Importantly, mandatory notice does not apply to persons or entities who are not residents of Virginia.[23] However, forty-eight states have mandatory disclosure statutes similar to the one in Virginia (all but Alabama and South Dakota).[24] If personal data concerning a resident of a state other than Virginia has been compromised, it is important to check the laws of that state to determine whether notice is required. For a complete list of similar state statutes, refer to appendix.

II. What happens if no notice is given?

If a company fails to give notice when it is required, the Attorney General may bring an action against it for up to $150,000 per breach. [25]

It is also possible that an individual could sue a company for damages arising out of a failure to give notice of theft of personal information.[26] This remains an unresolved legal question.[27]

III. To Whom Must Notice be Given, When, and What Must it Include?

If a data breach has occurred and it satisfies the above criteria, notice must be given “without unreasonable delay” following the discovery of the breach.[28] If the data is owned or licensed by the company where the breach occurred, notice must be given to 1) the Attorney General of Virginia; and 2) any resident of Virginia affected by the breach.[29]

Notice may be delayed if, after notifying a law enforcement agency, that agency determines that notification would impede a criminal or civil investigation, or homeland or national security.[30]

If the company where the breach occurred does not own or license the data that was compromised, that company must notify the owner or licensee of the data “without unreasonable delay” following discovery of the breach.[31]

  1. Notice to the Attorney General

Notice to the Attorney General of Virginia must include:[32]

  1. A cover letter on official letterhead notifying the VA Attorney General of the breach
  2. Approximate date of the incident and how the incident was discovered
  3. The cause of the breach
  4. The number of Virginia residents affected by the breach
  5. The steps taken to remedy the breach; and
  6. A sample of the notification made to the affected parties, to include any possible offers of free credit monitoring.

Notice to the Attorney General may be addressed to:[33]

Computer Crime Section

Virginia Attorney General’s Office

202 North 9th Street

Richmond, Virginia 23219

  1. Notice to affected persons

            Notice to affected persons must include:[34]

  1. A description of the incident in general terms
  2. The type of personal information that was accessed by the unauthorized person
  3. A description of what the company has done to prevent further unauthorized access
  4. A telephone number that the person may call for further information and assistance, if one exists; and
  5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

Notice to affected persons may be: 1) written to the last known postal address of the person in the records of the company where the breach occurred; 2) telephone notice; or 3) Electronic notice.[35]

If the cost of providing notice exceeds $50,000, or the number of Virginia residents to be notified is more than 100,000, or the company where the breach occurred does not have adequate contact information or consent to use the contact information, substitute notice can be used.[36] Substitute notice includes:[37]

  1. E-mail notice
  2. Conspicuous posting of the notice on the company website of the individual or the company
  3. Notice to major statewide media


APPENDIX: A List of State Notice Statutes

Alaska Alaska Stat. § 45.48.010 et seq.
Arizona Ariz. Rev. Stat. § 18-545
Arkansas Ark. Code §§ 4-110-101 et seq.
California Cal. Civ. Code §§ 1798.291798.82
Colorado Colo. Rev. Stat. § 6-1-716
Connecticut Conn. Gen Stat. §§ 36a-701b, 4e-70
Delaware Del. Code tit. 6, § 12B-101 et seq.
Florida Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i)
Georgia Ga. Code §§ 10-1-910, -911, -912; § 46-5-214
Hawaii Haw. Rev. Stat. § 487N-1 et seq.
Idaho Idaho Stat. §§ 28-51-104 to -107
Illinois 815 ILCS §§ 530/1 to 530/25
Indiana Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.
Iowa Iowa Code §§ 715C.1, 715C.2
Kansas Kan. Stat. § 50-7a01 et seq. 
Kentucky KRS § 365.732, KRS §§ 61.931 to 61.934 
Louisiana La. Rev. Stat. §§ 51:3071 et seq.
Maine Me. Rev. Stat. tit. 10 § 1346 et seq.
Maryland Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
Massachusetts Mass. Gen. Laws § 93H-1 et seq.
Michigan Mich. Comp. Laws §§ 445.63, 445.72
Minnesota Minn. Stat. §§ 325E.61, 325E.64
Mississippi Miss. Code § 75-24-29
Missouri Mo. Rev. Stat. § 407.1500
Montana Mont. Code §§ 2-6-1501 to -1503, 30-14-1701 et seq., 33-19-321
Nebraska Neb. Rev. Stat. §§ 87-801 et seq.
Nevada Nev. Rev. Stat. §§  603A.010 et seq., 242.183
New Hampshire N.H. Rev. Stat. §§ 359-C:19 et seq.
New Jersey N.J. Stat. § 56:8-161 et seq.
New Mexico 2017 H.B. 15, Chap. 36 (effective 6/16/2017)
New York N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208
North Carolina N.C. Gen. Stat §§ 75-61, 75-65
North Dakota N.D. Cent. Code §§ 51-30-01 et seq.
Ohio Ohio Rev. Code §§ 1347.121349.19, 1349.191, 1349.192
Oklahoma Okla. Stat. §§ 74-3113.1, 24-161 to -166
Oregon Oregon Rev. Stat. §§ 646A.600 to .628
Pennsylvania 73 Pa. Stat. §§ 2301 et seq.
Rhode Island R.I. Gen. Laws §§ 11-49.3-1 et seq.
South Carolina  S.C. Code § 39-1-90
Tennessee Tenn. Code §§  47-18-2107; 8-4-119
Texas Tex. Bus. & Com. Code §§ 521.002, 521.053
Utah Utah Code §§ 13-44-101 et seq.
Vermont Vt. Stat. tit. 9 §§ 2430, 2435
Virginia  Va. Code §§ 18.2-186.6, 32.1-127.1:05
Washington Wash. Rev. Code §§ 19.255.010, 42.56.590
West Virginia  W.V. Code §§ 46A-2A-101 et seq.
Wisconsin Wis. Stat. § 134.98
Wyoming Wyo. Stat. §§ 40-12-501 et seq.
District of Columbia D.C. Code §§ 28- 3851 et seq.
Guam  9 GCA §§ 48-10 et seq.
Puerto Rico 10 Laws of Puerto Rico §§ 4051 et seq.
Virgin Islands  V.I. Code tit. 14, §§ 2208, 2209


[1] Herb Weisbaum, More Than 4 Billion Data Records Were Stolen Globally in 2016, NBC (Oct. 31, 2017, 10:43 AM),

[2] Jose Pagliery, Half of American Adults Hacked This Year, CNN tech, (Oct. 31, 2017, 10:47 AM),

[3] Matt Burgess, That Yahoo Data Breach Actually Hit Three Billion Accounts, Wired (Oct. 31, 2017, 10:51 AM),; Chris Morris, 14 Million US Businesses Are at Risk of a Hacker Threat, CNBC (Oct. 31, 2017, 10:53 AM),

[4] Va Code Ann. § 18.2-186.6 (2017).

[5] § 18.2-186.6 (I)

[6] § 18.2-186.6 (B).

[7] Id.

[8] Lee Bell, Encryption Explained: How Apps and Sites Keep Your Private Data Safe (and Why That’s Important), Wired, (Oct. 31, 2017, 11:18 AM),

[9] Id.

[10] Rick Borstein, Redaction in a Digital World, Law Practice Today (Oct. 31, 2017, 11:39 AM),

[11] § 18.2-186.6 (A).

[12] Id.

[13] Id.

[14] § 18.2-186.6 (B)

[15] Id.

[16] Id.

[17] The only record of § 18.2-186.6 being brought before a court is in regards to a private suit. The case was dismissed for lack of standing. Corona v. Sony Pictures Entm’t, Inc., 2015 U.S. Dist. LEXIS 85865 (C.D. Cal. 2015).

[18] § 18.2-186.6 (B).

[19] § 18.2-186.6 (B).

[20] Va Code Ann. § 18.2-168-246.15 (2017).

[21] § 18.2-186.6 (B).

[22] Id.

[23] § 18.2-186.6 (B).

[24] Refer to Appendix.

[25] § 18.2-186.6 (I).

[26] Id.

[27] Supra note 17.

[28] § 18.2-186.6 (B).

[29] Id.

[30] Id.

[31] Id.

[32] Office of the Attorney General of Virginia, Database Breach Notification Requirements Updated July 1, 2017 (2017),

[33] Id.

[34] § 18.2-186.6 (A).

[35] Id.

[36] Id.

[37] Id.

Image Source:

Page 1 of 18

Powered by WordPress & Theme by Anders Norén