Businesses that are considering using social media often spend an inordinate amount of time worrying about what can go wrong. From the disgruntled customer, to the misguided employee, to the inarticulate spokesperson, there are indeed many things that can go "wrong" when using social media, however, the mere possibility that something could go wrong does not mean your company should go running for the exits.
In truth, things can go "wrong" in almost any area of your business and the mere fact that it occurs on social media has little to do with the media itself. When an employee goes AWOL and posts inappropriate or unflattering content, it has been said that "you don't have a social media problem, you have a hiring problem." Similarly, staying off of social media due to concerns that a customer may say something unflattering is really akin to stating that your business is unwilling to address complaints. (Thanks to Amber Naslund and Jay Baer authors of The Now Revolution, and a TWISML Hat tip preview). In reality, these issues are human resource and customer service problems which every business must address in one form or another. Social media just serves to magnify the problems.
An interesting area where these issues find an interplay with the law is what you do with "bad" posts once they are out there. While at first, it may seem reflexive to delete the post (if you are able), in many instances it might not be that simple.
A recent tragic case arising out of a dorm room incident at Rutgers University has brought about some potentially significant developments in this area of social media law. The case out of Rutgers arose when Dharun Ravi allegedly videoed his roommate Tyler Clementi's relationship with another student via webcam and distributed a link to that webcam via social media. After Clementi learned that his relationship had been broadcast he tragically took his own life. Charges were initially brought against Mr. Ravi alleging counts related to invasion of privacy. While these facts are tragic, what is particularly interesting when considering the application to social media law is that Ravi was also recently charged with tampering with evidence. (For a more detailed account of the incident, see article by Beth DeFalco of the AP Roommate charged with hate crime in N.J. Suicide).
While on its face, this case may seem unrelated to a business' use of social media, the tampering with evidence charges may provide a window into future developments. As with the evidence in this criminal case, a business that knows civil litigation is likely to arise has a duty to refrain from destroying relevant evidence. While, initially, it may seem perfectly reasonable for a business to delete offensive posts, or remove client complaints, this duty to preserve evidence makes it advisable to consider whether the post potentially relates to a larger legal issue.
Although these evidentiary considerations present potential problems, they do not mean that troublesome posts must be left up indefinitely. Even though the law directly relating to this kind of material is in many respects still being written, a business can provide itself with an added layer or protection through the use of a properly crafted social media policy. Addressing how your business will deal with this sort of material, setting up procedures on how to retain/store relevant posts, training employees on how to deal with these issues, and taking proper measures to ensure that you do not run afoul of the evidence tampering laws are all fairly easy ways to protect your business. As with many other legal issues, proper planning on the front end can help minor legal problems from developing in to major legal disasters.
Let me know what you think.
Showing posts with label Social Media Discovery. Show all posts
Showing posts with label Social Media Discovery. Show all posts
Monday, April 25, 2011
Monday, April 18, 2011
Is Social Media information "valuable property"?
An interesting question was raised last week Claridge v. Rockyou, Inc. ((2011 WL 1361588 (N.D.Cal.)): Is the personally identifiable information ("PII") submitted to social media sights "valuable property"? Assuming the answer to this question is yes, an interesting corollary to the question, from a privacy perspective is: What are you doing to protect this valuable property? How your company answers both of these questions could have serious consequences.
THE CASE:
Here's what happened: RockYou develops and distributes applications and services for use on social media sites. Among the applications developed by RockYou are Gourmet Ranch and Zoo World. When customers sign up to use RockYou's applications, they are asked to provide an e-mail address, and registration password which RockYou stores. In certain instances, RockYou also requires customers to provide user names and password information necessary for accessing social media sites.
The Plaintiff, a registered account holder with RockYou, brought suit alleging that RockYou failed to secure and safeguard Plaintiffs PII, including email, passwords, and social media login credentials. Plaintiff alleged that while RockYou promised to safeguard user sensitive PII through a policy which stated that "RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your information..." RockYou instead stored PII in clear or plain text which provided no encryption and easily allowed intruders to read and remove the information. Plaintiffs PII was therefore easily accessible to anyone with a minimal amount of hacking ability (of which this author has none).
Plaintiff alleged that instead of leaving the barn door open (to steal a phrase from Gourmet Ranch) RockYou could have followed any one of a number of commonly used methods of protecting PII.
While after reading the opinion, one wonders whether this initial security failure would have been enough to let the matter move forward, if Plaintiff's allegations are true, RockYou likely did not help itself when it delayed in responding to the warnings of a noted online security firm that there was a problem with its database. Specifically, the firm informed RockYou of a SQL injeciton flaw which would allow a hacker to introduce malicious code into a company's network. At some point it was alleged that at least one known hacker accessed the database and copied the email and social networking login credentials of approximately 32 million users.
Plaintiff alleged nine separate causes of action: 1) Violation of the Stored Communications Act 18 U.S.C. Section 2702; 2) Violation of California's Unfair Competition Law, Cal. Bus. & Prof. Code Section 17200; 3) Violation of California's computer Crime Law, Cal. Penal Code Section 502; 4) Violation of the California Consumer Legal Remedies Act, Cal. Civ. code Section 1750; 5) Breach of Contract; 6) Breach of implied covenant of good faith and fair dealing; 7) Breach of implied contracts; 8) negligence; and 9) negligence per se. The Court dismissed the majority of these claims, but allowed Plaintiff's breach of contract, implied contract, and negligence based counts to survive.
In allowing these counts to survive, the Court recognized the issue as whether the plaintiff had sufficiently alleged any actionable harm or concrete loss. Plaintiff's general allegations were that defendant's customers paid for its products and services by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant's products and services, but also in exchange for defendant's promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant's role in allegedly contributing to the breach of plaintiff's PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data. See Claridge *4-5.
While the Court recognized that this theory was novel, it declined to hold as a matter of law that Plaintiff failed to allege an injury. Moreover, the Court specifically noted that the unauthorized disclosure of personal information via the Internet is itself relatively new, and likely to raise issues of law not yet settled by the courts. Finding that the Plaintiff's allegations of harm were sufficient to allege a generalized injury in fact, the case was allowed to move forward.
WHY IS THIS IMPORTANT?:The reason that I find this case particularly interesting is the potential messages that it sends to those companies who possess customer PII. While it is unquestionable that it is a good business practice to protect all client data, did RockYou open itself up to additional exposure by expressly promising to do so? Would the Court have found the same potential liability without the express provisions cited by the Plaintiff?(The breach of contract claim surely would have been more difficult to prove.) Would the claim have been different if RockYou had heeded the warnings of the security firm? What if it had basic protections that were nonetheless breached? An even more interesting question is whether the negligence claims would have been allowed to move forward even without the express promises of safety.
Another emerging issue which this case, and those that will surely follow behind it, could have an impact on is how the log on and user information for social media accounts is considered in the employee/employer environment. If this sort of PII is found to be valuable property does that have an effect upon who retains it when an employer/employee relationship ends? What about "personal" blogs which are directly business focused? Is the lined blurred?
Once again, its important to note that as this is still a rapidly developing area, many of these questions have not been definitively answered by the Courts. While they may not solve every problem, having policies and procedures can provide you with a leg up if and when the issue heads before a Court. (Imagine if RockYou had also had a line in their disclosures which said something along the lines of "PII Submitted to this site is NOT valuable property for the purposes of calculating legal damages...would that have helped?) The intersection of Privacy law and Social Media is sure to be a hot area for litigation for years to come.
Let me know what you think.
THE CASE:
Here's what happened: RockYou develops and distributes applications and services for use on social media sites. Among the applications developed by RockYou are Gourmet Ranch and Zoo World. When customers sign up to use RockYou's applications, they are asked to provide an e-mail address, and registration password which RockYou stores. In certain instances, RockYou also requires customers to provide user names and password information necessary for accessing social media sites.
The Plaintiff, a registered account holder with RockYou, brought suit alleging that RockYou failed to secure and safeguard Plaintiffs PII, including email, passwords, and social media login credentials. Plaintiff alleged that while RockYou promised to safeguard user sensitive PII through a policy which stated that "RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your information..." RockYou instead stored PII in clear or plain text which provided no encryption and easily allowed intruders to read and remove the information. Plaintiffs PII was therefore easily accessible to anyone with a minimal amount of hacking ability (of which this author has none).
Plaintiff alleged that instead of leaving the barn door open (to steal a phrase from Gourmet Ranch) RockYou could have followed any one of a number of commonly used methods of protecting PII.
While after reading the opinion, one wonders whether this initial security failure would have been enough to let the matter move forward, if Plaintiff's allegations are true, RockYou likely did not help itself when it delayed in responding to the warnings of a noted online security firm that there was a problem with its database. Specifically, the firm informed RockYou of a SQL injeciton flaw which would allow a hacker to introduce malicious code into a company's network. At some point it was alleged that at least one known hacker accessed the database and copied the email and social networking login credentials of approximately 32 million users.
Plaintiff alleged nine separate causes of action: 1) Violation of the Stored Communications Act 18 U.S.C. Section 2702; 2) Violation of California's Unfair Competition Law, Cal. Bus. & Prof. Code Section 17200; 3) Violation of California's computer Crime Law, Cal. Penal Code Section 502; 4) Violation of the California Consumer Legal Remedies Act, Cal. Civ. code Section 1750; 5) Breach of Contract; 6) Breach of implied covenant of good faith and fair dealing; 7) Breach of implied contracts; 8) negligence; and 9) negligence per se. The Court dismissed the majority of these claims, but allowed Plaintiff's breach of contract, implied contract, and negligence based counts to survive.
In allowing these counts to survive, the Court recognized the issue as whether the plaintiff had sufficiently alleged any actionable harm or concrete loss. Plaintiff's general allegations were that defendant's customers paid for its products and services by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant's products and services, but also in exchange for defendant's promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant's role in allegedly contributing to the breach of plaintiff's PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data. See Claridge *4-5.
While the Court recognized that this theory was novel, it declined to hold as a matter of law that Plaintiff failed to allege an injury. Moreover, the Court specifically noted that the unauthorized disclosure of personal information via the Internet is itself relatively new, and likely to raise issues of law not yet settled by the courts. Finding that the Plaintiff's allegations of harm were sufficient to allege a generalized injury in fact, the case was allowed to move forward.
WHY IS THIS IMPORTANT?:The reason that I find this case particularly interesting is the potential messages that it sends to those companies who possess customer PII. While it is unquestionable that it is a good business practice to protect all client data, did RockYou open itself up to additional exposure by expressly promising to do so? Would the Court have found the same potential liability without the express provisions cited by the Plaintiff?(The breach of contract claim surely would have been more difficult to prove.) Would the claim have been different if RockYou had heeded the warnings of the security firm? What if it had basic protections that were nonetheless breached? An even more interesting question is whether the negligence claims would have been allowed to move forward even without the express promises of safety.
Another emerging issue which this case, and those that will surely follow behind it, could have an impact on is how the log on and user information for social media accounts is considered in the employee/employer environment. If this sort of PII is found to be valuable property does that have an effect upon who retains it when an employer/employee relationship ends? What about "personal" blogs which are directly business focused? Is the lined blurred?
Once again, its important to note that as this is still a rapidly developing area, many of these questions have not been definitively answered by the Courts. While they may not solve every problem, having policies and procedures can provide you with a leg up if and when the issue heads before a Court. (Imagine if RockYou had also had a line in their disclosures which said something along the lines of "PII Submitted to this site is NOT valuable property for the purposes of calculating legal damages...would that have helped?) The intersection of Privacy law and Social Media is sure to be a hot area for litigation for years to come.
Let me know what you think.
Subscribe to:
Posts (Atom)