Seven Summer Updates in Privacy Law
With all the summer’s buzz about leaks, you’d be forgiven for thinking data breaches are mostly a Trump story. But off the Hill, there’s plenty of turmoil over the issue of personal privacy. As we fight for personal privacy in the age of big data and bigger hacks, it’s clear that tech-savvy plaintiff-side attorneys are going to be in heavy demand.
This summer has been a busy one for hackers, privacy violators, and the legal teams pushing back. The kick-off was the WannaCry clusterhack, a malware epidemic that spread faster than a zombie-virus released by misguided animal rights activists in a b-grade movie. Hundreds of thousands of computers across 150 countries were held ransom – many of them in highly sensitive locations, such as hospitals. Nearing summer’s end, as I write, the WannaCry perpetrators are starting to shuffle their ransom funds around in a cyber-laundering attempt; and the everyday hero who accidentally stopped the megaworm’s spread was just arrested in Vegas for allegedly creating his own malware.
Even for those who follow all the best practices to keep their info safe, more and more of our daily activities require handing over delicate information to third parties — companies who may neglect e-security and leave themselves vulnerable to cyberattacks. Fortunately, more plaintiff-side lawyers are bringing data breach tort cases into their practice, so at least those harmed by the hack can push back.
Here are 7 key updates in this long hot summer of cybersecurity:
Life’s Short: Have an Affair Attorney
Ashley Madison, a website where would-be adulterers can find each other, won’t admit they did anything wrong. Sure, in July 2015 hackers got hold of personal info for 37 million users — people who, once again, were likely using the site to coordinate their philandering — and blasted it out on the dark internet, where users were then subject to a kind of cyber public flogging for their supposed sexual misconduct. Marriages ended, several people listed committed suicide, and 1,200 of the emails listed were linked to Saudi Arabia, where adultery is punishable by death.
Also, though Ashley Madison requires users to pay $19 for a ‘full delete’ of their accounts, those deleted accounts were still included in the hack, proving that the company had held onto the data. As technology law partner at InfoLawGroup LLC Scott Blackmer told Bloomberg BNA: “Getting hacked because of poor security is bad, but coupling that with deceptive practices is what really makes judges, juries or regulators want to hit you with a stick.”
It seems Ashley Madison would like to dodge that stick. So last month, without admitting wrongdoing, the parent company Ruby Corp. agreed to pay an $11.2 million settlement to users injured by the hack. $3.7 million will go to attorneys' fees and costs, with the rest parceled out to victims who come forward (one potential hurdle: you’ve gotta use your real name to get the money).
Legal tech experts are looking to the high settlement amounts in this case as a sign of what’s to come, noting that as we place increasingly sensitive data in the hands of online corporations, data breach settlement figures are likely to grow.
Big Brother Vizio
When Charlie Brooker made his TV series on technological dystopia, he named it ‘Black Mirror,’ noting “the ‘black mirror’ of the title is the one you’ll find on every wall, on every desk, in the palm of every hand: the cold, shiny screen of a TV, a monitor, a smartphone.”
A ‘black mirror’ can also be a one-way mirror, peering in on the unsuspecting. The latest Vizio lawsuit reminds us that the screen we watch can be secretly watching us in turn.
Earlier this year, Vizio agreed to a $2.2 million settlement with the Federal Trade Commission for essentially using its millions of TVs to spy on customers without their knowledge. Now a class action lawsuit has been brought against the company, alleging that Vizio has tracked users’ behavior by default, and then sold what it gleaned about their habits to third parties, which would then send targeted ads to their phones and tablets.
This case will also be interesting for how judges deal with mandatory arbitration agreements. Vizio recently moved to dismiss the wiretapping lawsuit by arguing its viewers all signed a mandatory arbitration agreement. But late last month, the judge asserted the lawsuit would go forward, so questions about the nature of those agreements could be settled.
Honey I Tracked the Kids
In the app ‘Disney Princess Palace Pets,’ children learn the proper care and grooming of doe-eyed creatures like Cinderella’s bichon frise. But while they are feeding acorns to Pocahontas’s pet raccoon, they’re also feeding a stream of sophisticated information to Disney and its software partners, which is then sold to third parties for targeted advertising. The same is true for a whole host of Disney children’s apps.
Last week angry parents filed a class action lawsuit. The lawsuit claims the tracking violates the Children’s Online Privacy Protection Act (COPPA), which outlaws developers from collecting personal information about children under the age of 13 without verifiable consent from their parents.
Disney has been charged with violating COPPA before, with its subsidiary Playdom handing out $3 million to the FTC for similar behavior. However, the company currently asserts that its latest bout of app-tracking is legal, and says it plans to fight the lawsuit in court.
Courts Give Thumbs-up to Facebook Tracking
Other lawsuits against tracking and wiretapping have gained less traction this summer. A lawsuit against Facebook, alleging the company gathered info about users’ internet activity even when they weren’t logged into the site, has just been dismissed. This is the second time Facebook has dodged a case of this nature.
In this case, U.S. District Judge Edward Davila in San Jose, California found that plaintiffs were unable to show either a reasonable expectation of privacy, or that they suffered any realistic economic harm or loss by being tracked. He left open the possibility of plaintiffs suing Facebook for a breach of contract claim.
What’s worse than an open-plan office where your every move is visible to your boss? I might answer: implanted chips that could be used to track your every move, on or off the job.
This summer, a Wisconsin tech company is promising that implanted chips will make security access, computer log-ins, and even break-room food purchases much more efficient. And surprisingly, more than 50 of their 80 employees have already signed up for the voluntary procedure. Though the implant has been done at a workplace in Sweden, this would be the first of its kind in the U.S.
But privacy attorneys are warning them to slow down.
Worker privacy advocates fear that once the chip is implanted, it could be impossible to stop its purpose from spreading. It may be used at first only to quickly buy Twinkies from the breakroom, but in the future it might track exactly how long you take to eat those Twinkies, or how much time you’re spending in the bathroom.
Biometrics and Bosses
Speaking of creepy workplace tracking:
Companies increasingly require personal identification info — fingerprints, iris scans, even DNA samples — from their employees. Some jurisdictions are pushing back.
In 2008, Illinois created the country’s toughest biometrics law, which curbs the way companies can collect, store, and use biometric information. Now workers are using this law in an attempt to bring class action lawsuits against several Illinois businesses that required biometric data from current and former employees — and offered scant information about the storage and use of that information.
Some legal experts estimate high damages if the lawsuits prevail, possibly as much as $10 million for just one of them.
Lawsuits against biometrics in workplaces are cropping up in other jurisdictions as well. A West Virginia mining worker felt forced to quit his job rather than use a hand scanner, which he feared would brand him with an apocalyptic “Mark of the Beast.” In June, a federal appeals court upheld a $587,000 judgement that the company violated the worker’s religious beliefs.
Keep your eyes open for other biometrics lawsuits involving consumers as well—such as the $1.5 million settlement made by L.A. Tan Enterprise in Illinois, after they allegedly sold customers’ fingerprint scans to out-of-state vendors.
E-Discovery: A Cautionary Tale
Sometimes when it comes to leaks, lawyers are the problem.
Look at the latest Wells Fargo data breach, which spilled personally identifiable financial information about its wealthy customers. This isn’t the work of nefarious anti-bank hackers, but of Wells Fargo’s own lawyer, who didn’t understand her own e-discovery software.
Angela Turiano believed she had reviewed all of the discovery information before sending it off to a litigation adversary. However, her e-discovery software had only shown her the first batch of 1,000 documents — the rest went unseen. Her mistake may have violated a range of privacy protection laws.
Commenting on the situation, another attorney said: “Errors through e-discovery are becoming more pronounced because the volume of document production is multiplying every year.”
The embarrassment and potential malpractice charges from this gaffe are a reminder to all attorneys that while technology can be a massive time-saver, you’ve got to take the time to fully understand how it functions.
Looking forward to this summer, we’re likely to see more tech fails and malware maelstroms. As more of our lives are conducted through bits and bytes, there are more bad actors looking to hack their way in, whether it’s for wealth or merely (as in the Ashley Madison case) the schadenfreude of seeing someone squirm from being outed.
Dealing with their own privacy crises in the White House, Attorney General Jeff Sessions shook a finger and scolded: “I have this warning for would-be leakers: Don’t do it.”
But if we’re skeptical that stern words will stop the hacks and privacy-pryers that affect the rest of us, there are fortunately some forward-thinking attorneys fully prepared to fight for redress when privacy is violated.