Monday, April 18, 2011

Is Social Media information "valuable property"?

An interesting question was raised last week in Claridge v. RockYou, Inc. (2011 WL 1361588 (N.D. Cal.)): Is the personally identifiable information ("PII") submitted to social media sites "valuable property"? Assuming the answer to this question is yes, an interesting corollary, from a privacy perspective, is: What are you doing to protect this valuable property? How your company answers both of these questions could have serious consequences.

THE CASE:
Here's what happened: RockYou develops and distributes applications and services for use on social media sites. Among the applications developed by RockYou are Gourmet Ranch and Zoo World. When customers sign up to use RockYou's applications, they are asked to provide an e-mail address and a registration password, which RockYou stores. In certain instances, RockYou also requires customers to provide the user names and password information necessary for accessing social media sites.

The Plaintiff, a registered account holder with RockYou, brought suit alleging that RockYou failed to secure and safeguard Plaintiff's PII, including email, passwords, and social media login credentials. Plaintiff alleged that while RockYou promised to safeguard users' sensitive PII through a policy which stated that "RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your information...", RockYou instead stored PII in clear or plain text, which provided no encryption and easily allowed intruders to read and remove the information. Plaintiff's PII was therefore easily accessible to anyone with a minimal amount of hacking ability (of which this author has none).
Plaintiff alleged that instead of leaving the barn door open (to steal a phrase from Gourmet Ranch), RockYou could have followed any one of a number of commonly used methods of protecting PII.

After reading the opinion, one wonders whether this initial security failure would have been enough to let the matter move forward. If Plaintiff's allegations are true, however, RockYou likely did not help itself when it delayed in responding to the warnings of a noted online security firm that there was a problem with its database. Specifically, the firm informed RockYou of a SQL injection flaw which would allow a hacker to introduce malicious code into a company's network. At some point it was alleged that at least one known hacker accessed the database and copied the email and social networking login credentials of approximately 32 million users.

Plaintiff alleged nine separate causes of action: 1) Violation of the Stored Communications Act, 18 U.S.C. Section 2702; 2) Violation of California's Unfair Competition Law, Cal. Bus. & Prof. Code Section 17200; 3) Violation of California's Computer Crime Law, Cal. Penal Code Section 502; 4) Violation of the California Consumer Legal Remedies Act, Cal. Civ. Code Section 1750; 5) Breach of contract; 6) Breach of implied covenant of good faith and fair dealing; 7) Breach of implied contracts; 8) Negligence; and 9) Negligence per se. The Court dismissed the majority of these claims, but allowed Plaintiff's breach of contract, implied contract, and negligence-based counts to survive.

In allowing these counts to survive, the Court recognized the issue as whether the plaintiff had sufficiently alleged any actionable harm or concrete loss. Plaintiff's general allegations were that defendant's customers paid for its products and services by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant's products and services, but also in exchange for defendant's promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant's role in allegedly contributing to the breach of plaintiff's PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data. See Claridge *4-5.

While the Court recognized that this theory was novel, it declined to hold as a matter of law that Plaintiff failed to allege an injury. Moreover, the Court specifically noted that the unauthorized disclosure of personal information via the Internet is itself relatively new, and likely to raise issues of law not yet settled by the courts. Finding that the Plaintiff's allegations of harm were sufficient to allege a generalized injury in fact, the case was allowed to move forward. 

WHY IS THIS IMPORTANT?:
The reason that I find this case particularly interesting is the potential messages that it sends to those companies who possess customer PII. While it is unquestionable that it is a good business practice to protect all client data, did RockYou open itself up to additional exposure by expressly promising to do so? Would the Court have found the same potential liability without the express provisions cited by the Plaintiff? (The breach of contract claim surely would have been more difficult to prove.) Would the claim have been different if RockYou had heeded the warnings of the security firm? What if it had basic protections that were nonetheless breached? An even more interesting question is whether the negligence claims would have been allowed to move forward even without the express promises of safety.

Another emerging issue on which this case, and those that will surely follow behind it, could have an impact is how the log-on and user information for social media accounts is considered in the employee/employer environment. If this sort of PII is found to be valuable property, does that have an effect upon who retains it when an employer/employee relationship ends? What about "personal" blogs which are directly business focused? Is the line blurred?

Once again, it's important to note that as this is still a rapidly developing area, many of these questions have not been definitively answered by the Courts. While they may not solve every problem, having policies and procedures can provide you with a leg up if and when the issue heads before a Court. (Imagine if RockYou had also had a line in their disclosures which said something along the lines of "PII submitted to this site is NOT valuable property for the purposes of calculating legal damages..." Would that have helped?) The intersection of Privacy law and Social Media is sure to be a hot area for litigation for years to come.

Let me know what you think.
 



1 comment:

  1. Looks like this is going to continue to be a hot topic. Sony was hit with a suit today. http://www.abajournal.com/news/article/first_lawsuit_filed_over_sony_playstation_data_breach_affecting_up_to_75m/

    Provides a reminder that there may be international ramifications in these matters even if the company didn't originally consider overseas sales.
