The Infamous Ashley Madison Online Data Breach Scandal
In 2015, hackers exposed 36 million accounts on the infamous extra-marital dating site AshleyMadison.com. The fallout was epic — and, at times, tragic; two people took their own lives, divorce proceedings skyrocketed, and the company’s CEO resigned amidst the maelstrom.
Scandal Leads To Online Class Action Lawsuit
The scandal also spawned several legal battles.
Exposed users questioned the platform’s security safeguards. Clients who paid extra for account deletion services took particular umbrage. And beyond the breach, Ashley Madison patrons decried the website’s use of fake profiles to lure clients. Ultimately, the company broke enough proper protocols and client promises to catch an online class action.
A U.S. District Court in Missouri will decide whether or not to affirm the settlement offer — which, by the way, doesn’t include a fault admission on Ashley Madison’s part. If accepted, affected parties can claim up to $3,500, depending on how the breach impacted their lives. For example, people targeted by identity thieves because of the incident will get more than someone who was embarrassed but suffered no material harm as a direct result of the hack. Moreover, amounts will depend on the number of claims submitted.
This class action is not the first legal hurdle AshleyMadison.com has cleared in the wake of the scandal. Thirteen state attorneys general and the Federal Trade Commission also lodged formal complaints against the company.
Connect With An Online Privacy Lawyer
Was your business the target of a data hack? If so, and you’re unsure of subsequent legal obligations, get in touch. Most states require that companies inform affected parties in a particular way. Our team has helped numerous parties navigate the aftermath of a hack. We’ll assist with state and federal notification requirements, plus provide guidance on how to put the incident behind you and continue to grow.
The Legal Lowdown On Pokémon Go Lawsuits & Marketing Tactics
Originally Posted: Tuesday, August 30th, 2016
The micropayment miracle, Pokémon Go (PoGo), currently holds the prize belt for “most popular game of all time,” and in a few short months, it’s raked in over $210,000,000. Market experts expect revenues to hit $1.1 billion by year’s end, and savvy brick-and-mortar businesses are PoGo promoting — to huge success.
But, dear reader, don’t be lulled into submission! The Pokémon Go story is NOT all smiles and profits. [DUN, DUN, DUN!]
Oh yes, there’s the dark side of Pokémon Go. The side that’s spawned a PoGo disaster map; the side that’s raised get-off-my-lawn stakes to lawsuit level; the side that has people wondering, “Can I sue Pokémon or Nintendo for injuries sustained in the line of PoGo battling!?”
Is Pokémon Go ushering innocents down a dangerous personal injury path? And if so, can the game’s maker be held liable? Moreover, what legal aspects must be considered when promoting a business through PoGo?
Let’s examine this mobile gaming phenomenon, with legal scalpels.
Pokémon Go Lawsuits
Nintendo aims to “put smiles on people’s faces.” Yet, not every civilian is grinning over Pokémon Go. In fact, two households have definitely NOT caught the PoGo craze; instead…they’re filing Pokémon Go lawsuits — alleging nuisance and unjust enrichment.
Get Off My (St. Clair Shores, Michigan) Lawn
The Place: Wahby Park, St. Clair Shores, MI. A point of pride in a middle class enclave, Wahby is a public recreation area that doubles as a Pokéstop and Poké gym.
The Problem: People who live near Wahby aren’t happy. They claim Poké players are driving on private lawns, parking on public streets, tearing up gardens, and…looking at them! One resident lamented, “I don’t feel safe sitting on my porch!” Another referred to the situation as “a nightmare.” Someone else said she was “afraid to go to sleep,” and a man cursed his lack of prescience, lamenting: “If I knew [Pokémon Go] was coming, I’d have sold my place two months before it got here!”
An online anti-PoGoer warned the game was “ruining the quality of life for many Americans,” and a seemingly committed jingoist, who clearly isn’t a free market proponent, cautioned, “It’s a form of destrictive [sic] society, designed by the Chinese. And it’s a shame [Pokémon Go Players] have the power to vote, because it seems that they are easily brain washed. Which could lead this country to it’s [sic] destruction.”
Local Solutions?: Several residents near Wahby Park did seek redress with the city council — and the council did take steps to remedy the situation, like increasing signage, blocking off private roads, and increasing nightly police patrols. Apparently, however, the measures didn’t satisfy one couple who is moving forward with a Pokémon Go lawsuit.
The Lawsuit: One of the disrupted homeowners is suing Niantic, Inc., The Pokémon Company, and Nintendo Co. Ltd. for “nuisance and unjust enrichment.” Why unjust enrichment? Well, the plaintiffs feel that their lawn, being so close to a public park, has helped PoGo become a financial phenomenon. Plus, the lawsuit “seeks to stop designating GPS coordinates on or near private properties without permission.”
Local Opposition: Some Wahby Park Pokémon players are side-eyeing the plaintiffs. One young father interviewed for a local television station explained his viewpoint:
“For the majority, for the mass populous that comes here to play Pokémon, they’re here to have fun and enjoy the nature and meet cool people. We’re not trying to trespass anybody.”
Likely Outcome: Will the homeowners win? Believe it or not, they have a sliver of a shot. There’s a legal standard known as the “attractive nuisance doctrine,” which says homeowners can be held liable for a child’s death or injury if:
The landowner keeps something potentially dangerous on their property (i.e., broken car on lawn, trampoline, pool without fence (in some jurisdictions)).
The landowner knows children are around who might trespass.
The landowner knows that something on their property may endanger trespassing children.
The children are too young to recognize the risk.
The landowner can fix the problem at a reasonable cost.
The landowner does nothing.
Now, this lawsuit isn’t directly related to children harmed by Pokémon Go, but attorneys could argue that Niantic and Nintendo should have foreseen PoGo’s negative consequences. It’s a stretch, but not an impossibility.
That said, PoGo’s terms of service includes an arbitration clause that, in part, reads:
“[D]isputes between you and Niantic will be resolved by binding individual arbitration, and you are waiving your right to trial by jury or to participate as a plaintiff or class member in any purported class action or representative proceeding.”
Does that mean nobody can ever sue Niantic or Nintendo? Nope. Because also embedded in the ToS is a stipulation allowing customers to opt out of the arbitration clause, via email, within 30 days of downloading.
So, bottom line: who will likely win this Pokémon Go lawsuit? If we’re hypothetically trading Vegas odds, then sure, Niantic and Nintendo probably win this one. But you never know. At this point, we can only be sure that the courts and clerks are tackling the issue.
Pokémon Go Marketing: Ideas & Legal Considerations
Marketing gurus agree: If you’re a brick-and-mortar business that isn’t using PoGo to lure customers (pun intended), then you’re missing out on…well…money. As one Reddit user urged, “[Using Pokémon Go to promote] is the greatest investment you can make right now.”
So, how are business owners putting PoGo to work?
Bars, pubs and restaurants are becoming Poké gyms, then offering discounted drinks for members of the team that holds the gym.
Animal shelters are encouraging people to pick up dogs to walk while they’re out for Poké play, which has led to an increase in pet adoptions (Nice!).
Creating power stations for “phone refueling.”
Following the game and using social media to advertise when a rare Pokémon is in an establishment.
Are the promotions working? Heck yeah! As another Reddit user succinctly said, “[Pokémon promotions brought him] SO. MUCH. FOOT. TRAFFIC.”
“Put down a lure and watch the customers flow in,” advised another.
Tips To Avoid Pokémon Marketing Pitfalls
Account Security: Pokémon Go registration means handing over access to your entire Google account. Though Niantic does a wonderful job of keeping that access secure, the threat of a breach still lurks. Consider creating a new e-mail account for your Pokémon Go marketing efforts in case disaster does strike.
Malware Concerns: Malware is starting to spread throughout the Pokéverse. Avoid risk by downloading from a reputable source.
Play Nice: Don’t try to sabotage a competitor’s PokéMojo. What do we mean? The app includes a Pokéstop and Poké gym removal form. So, let’s say Frank is in direct competition with Mary. They both own and operate ice cream parlors on Main Street. Being a gamer, Mary adopted Pokémon Go early and started using it to promote her business. It didn’t take long for her shop to become both a Pokéstop and a Poké gym. Frank saw the amount of foot traffic Mary’s Poké-efforts garnered — and he didn’t like it. One day, when feeling particularly spiteful, Frank decided to sabotage Mary’s success by submitting a Pokéstop / Poké gym removal request for Mary’s business. Frank’s actions could be considered unfair and deceptive marketing, and he could be fined — heavily — by the FTC. (And so can you, if you “pull a Frank.”)
Expect to read a lot about Pokémon Go lawsuits over the next several months. But the question remains: will the PoGo craze outlast the lawsuits it spawns? Only time has the answer.
Internet Law 101: Virus Spoofing Can Cost Millions
Originally Posted: Wednesday, August 24th, 2016
Is virus spoofing against regulations? You bet your spam it is. What are the consequences for getting caught? The FTC could force you to fork over millions, which has the power to extinguish an operation.
What Is Virus Spoofing?
Virus spoofing is the act of tricking someone into thinking their computer is infected. Spoofers typically dispatch pop-up warnings onto machines.
The pop-ups can be convincing and usually direct people to buy anti-virus programs. Sometimes the program is completely worthless; other times it works, but is needless. Whichever the case, it’s considered unfairly manipulative and contravenes marketing regulations.
Who Has The Authority To Sue Over Virus Spoofing?
The Federal Trade Commission (FTC) is the nation’s consumer watchdog. Established in 1914, the agency initiates marketing investigations against businesses and individuals — a privilege outlined in the Federal Trade Commission Act.
Attorneys general can also sue over such scams.
Why Is It An Actionable Offense?
The Federal Trade Commission considers virus spoofing unfair and deceptive marketing, and therefore actionable under the FTC Act. In a recent case, the FTC explained that the defendant “subjected [consumers] to high-pressure deceptive sales pitches for tech support products and services.”
State or Federal Offense?
Deceptive spoofers can face both federal and state punishments.
Accused Of Virus Spoofing?
Has someone accused you of virus spoofing? Next question: “Did you do it?” If yes, contact a lawyer and explain the situation. (Don’t worry; he or she isn’t going to judge you.)
In the best case scenario, your lawyer will be able to loophole you out of the predicament. If not, he or she may be able to diminish the financial blow. Lawyers in this niche know how to negotiate with the FTC, navigate the investigation, and secure settlements with little fanfare (to reduce negative press).
Ready To Consult With An Internet Law Attorney Who’s Dealt With Virus Spoofing Investigations?
If you’re reading this post, there’s a chance you may be on the FTC’s radar. A word of advice: ignoring the issue won’t make it disappear.
But we can help.
Get in touch today; and together, we’ll start solving problems, instead of letting them fester. Let’s talk.
ATTN BUSINESS OWNERS: THE FTC NOW FINES FOR BEING HACKED!
Originally Posted: Monday, October 19th, 2015
Is your online security house in order? If not, stop what you’re doing and contact a digital security guru, pronto – especially if you collect and store customers’ personal and financial information. Why? A U.S. court recently ruled that the Federal Trade Commission can pursue companies that fail to sufficiently protect consumer data.
In other words: If someone hacks into your business, YOU could be held responsible and fined into submission. Yes, the FTC can now fine for being hacked!
Wyndham Hotel Hack
The Appeals Court ruling was a result of Wyndham Hotels and Resorts’ data breach from a few years back. The high-profile hack exposed approximately 619,000 records and allegedly resulted in $10.6 million in “fraudulent charges.”
FTC’s Argument In Hacking Case: Company Did Not Do Enough To Protect Consumer Data
When pursuing the case, FTC staffers identified four points of protest. According to available reports, Wyndham allegedly:
Wasn’t using an appropriate firewall at the time of the breach;
Maintained a poorly managed network – so much so that staffers weren’t aware which computers were connected to it.
The FTC Can Now Fine For Being Hacked
Though the FTC has been granted new leeway in regards to punishing companies that are hacked, the agency is still murky on what constitutes the “reasonable steps” a company should follow to prevent a security breach.
It’s wise to work with an attorney who handles online privacy and security issues. The mere act of working with a firm looks good in the eyes of the law.
“But, Wait! It’s Not The Company’s Fault!” The FTC Doesn’t Care
In its defense, Wyndham argued that the company “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” But the court disagreed, reasoning:
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Get An Online Privacy Lawyer, Who Deals With Hacking Incidents, On Speed Dial
Some business owners may be peeved about the FTC’s new authority regarding hacks. Understandably. But as they say: there’s no use crying over spilled milk (or the long arm of the Federal Trade Commission). Instead, it’s best to get your digital security house in order and have a hacking lawyer on speed dial, in the event of a breach.
If you’re ready to speak with an attorney well versed in online privacy and hacking law, please get in touch. We look forward to sorting out any legal challenges you may be facing.
And remember, the FTC can now fine for being hacked, so make sure you have an online privacy lawyer on speed dial.
Ashley Madison Hack: Can People Sue?
Originally Posted: Wednesday, August 26th, 2015
Online purveyor of pro-paramour lifestyles, AshleyMadison.com, encouraged users to “have an affair,” because “life is short.” Well, the company’s lifespan may now be in jeopardy thanks to a possible litigation tsunami heading its way.
Who can exposed Ashley Madison users sue? The website or the hackers? What can “victims” legally claim? What are the chances of Ashley Madison successfully defending themselves? Will the business survive a litigation onslaught?
Let’s deconstruct the scandal and possible legal aftermaths.
The AshleyMadison.com Hacking Scandal Basics
What is AshleyMadison.com?
From its website: “Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair…With Our affair guarantee package we guarantee you will find the perfect affair partner.”
Who owns AshleyMadison.com?
Avid Life Media (“ALM”), a Canadian company that also operates websites called Cougar Life and Established Men.
Who hacked the site and when?
An ostensibly ethical hacking collective known as the Impact Team claimed responsibility for the breach. Impact Team announced its coup mid-July; at that time, it made demands of ALM, offering a month-long compliance window. ALM didn’t comply with the demands, so Impact Team leaked the data mid-August.
What reason did Impact Team give for its act of hacktivism?
Impact Team targeted two of Avid Life’s properties. Excerpts from its public statement regarding the hack:
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
How did Avid Life Media respond to the initial hack?
The company behind Ashley Madison did not comply with Impact Team’s initial requests. Instead, ALM told users it had augmented security on the site. When the initial data dump hit, ALM speculated that the information wasn’t real. After its forensic team had explored the matter, however, the company acknowledged the breach.
What information did Impact Team eventually release?
Via two giant data dumps, initially only accessible with a Tor browser, Impact Team divulged around 32 million accounts. Some accounts are bogus; some are legit. Currently, most people aren’t paying much attention to email addresses not attached to payment accounts. And even for accounts that do include credit card info, there is no guarantee that the card holder’s identity wasn’t hijacked.
We should note that Impact Team didn’t release full credit card information, only the last four digits.
Did Impact Team explain why it eventually released the data?
Yes. According to Impact Team:
“We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data … Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters. …
“Too bad for ALM, you promised secrecy but didn’t deliver.”
Impact Team also urged the exposed to “make amends” and encouraged: even though it is “embarrassing now,” Ashleymadison.com users will “get over it.”
Did Ashleymadison.com make any effort to secure user data?
Yes. The site used a PHP bcrypt algorithm to store passwords, which is considered an acceptable method among digital security specialists. However, as Robert Graham, CEO of Erratasec, explained, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.”
Avid Life’s Statement About The Data Revelation
“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of Ashleymadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the company said in a statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
Two Important Things to Consider About the AshleyMadison.com Hack That Could Impact Potential Legal Actions Stemming From the Incident
Fake Accounts: Countless Ashley Madison accounts are fake and created by bots.
No Verification Required: AshleyMadison.com doesn’t require email verification to create an account. As such, an innocent person’s address could have landed in the data scrum if:
The email address is publicly available online, and a bot picked it up in an automated profile creation scrape;
Someone else used the email of an enemy – or friend – to set up an Ashley Madison account;
A reporter or investigator set up an account to get a peek behind the curtain for research purposes.
Legitimate accounts are most likely attached to credit card information – like reality TV’s Josh Duggar’s account.
Ashley Madison Hack: What Can People Sue Over?
According to statements issued by the collective, one of the main reasons Impact Team targeted Avid Life Media’s sites was the company’s paid security option.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life.”
Which raises a question: Can “hack victims” (i.e., Ashley Madison users) successfully sue Ashley Madison and Avid Life Media? It’s an insanely complicated question.
An ocean’s worth of individual details would factor into the fitness of any potential claim. That said, let’s take a look at some potential types of lawsuits that could be brought, then deconstruct the likelihood of success.
Hypothetical Ashley Madison Lawsuit Category: Defamation / False Light Invasion of Privacy
Can Ashley Madison users sue the website for defamation or false light invasion of privacy – a tort very similar to defamation which is on the law books in some states? On a scale from one to ten, the chances are about a .5. Why? Two reasons:
Though there are rare exceptions (like in Massachusetts), “truth” is a rock-solid defense against slander and libel claims. And in the case of the Ashley Madison hack, Impact Team covered its proverbial “butt” by pointing out that not all of the accounts are necessarily real.
Due to Section 230 of the Communications Decency Act, Internet service providers and certain social media platforms enjoy a considerable amount of third-party defamation immunity protection.
Now let’s look at some hypothetical scenarios.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Ashleymadison.com / ALM
Again, the likelihood of an individual user successfully suing Avid Life Media for defamation is between slim and none. Under U.S. law, to win a defamation claim, plaintiffs must prove that the defendants made false statements of fact. In this case, though Impact Team hacked and leaked data, neither AshleyMadison.com nor its employees made false statements of fact about users.
Intention also plays a primary part in state-side slander and libel suits. In this case, Ashley Madison executives didn’t act with actual malice, nor did they act with reckless disregard for the truth.
HOWEVER, Ashleymadison.com’s website featured verbiage that promised a premium account option – an option that included information “deletion.” This program could be the basis of a solid breach of contract claim, which we’ll get to below.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Impact Team
As with ALM, it’s unlikely that individual users can bring successful defamation lawsuits against the Impact Team. Firstly, the collective didn’t spread lies; it leaked information. Even in instances where an automated bot scraped an email address from the Web and appended it to Ashley Madison’s database, the hackers, in theory, should be immune from libel liability. Why? Because in the collective’s release statement, Impact Team admitted that a large chunk of the user data was most likely false. The team even highlighted an ongoing class action, over fake profiles, against ALM.
Hypothetical Ashley Madison Lawsuit Category: Individual User v. Individual Online Shame Spreader
Theoretically, one type of Ashley Madison defamation lawsuit that has a shot at success is between an individual whose information was falsely leaked and a person who publicly makes assertions based on the presence of that false information. Huh? This scenario is best explained in an example.
Example of a Potentially Successful Ashley Madison Defamation Lawsuit
John and James are co-workers and rivals for a job position. Turns out that John’s email address was among those leaked in the Ashley Madison data breach. John, however, has never used Ashley Madison and is happily married. His email landed in the website’s records on account of a bot that scraped the Web for addresses to make fake profiles – a subversive online marketing technique. In fact, John had no idea his email was even in the leak.
Now let’s cut to James, John’s work rival. He searches through the Ashley Madison data dump and comes across John’s email. Teeming with schadenfreude, James immediately takes to Twitter and scolds:
“John Doe is an adulterous CHEATER! He’s slept with the entire office and probably has a disease!!”
A tweet like this could be deemed defamatory (or at least false light). For starters, James makes a false statement of fact by asserting that John is a cheater and has a disease. Arguably, this is a reckless statement because the Impact Team explained the probability of false-positive accounts and highlighted the ongoing lawsuit involving fake profiles. Moreover, James extrapolated an entire story based on one piece of information.
There is no guarantee that John would win our hypothetical case, but of all the possible Ashley Madison defamation conflicts, a scenario like his has the best chance of success. But again, all online libel lawsuits depend on the details of the case, so it’s best to speak with an attorney about specifics.
Hypothetical Ashley Madison Lawsuit Category: Data Breach / Online Privacy
Hypothetical Ashley Madison Lawsuit Category: Individual U.S. User v. Ashleymadison.com / ALM
“Ashley Madison users can surely sue for violations of online privacy, right?”
Believe it or not, the United States doesn’t have a universal online privacy law. California’s online privacy statute comes the closest, but as of this writing, it doesn’t appear that ALM has violated it. After all, the company did take steps to secure passwords; the hackers were just smarter.
And though ALM at first questioned the validity of the data, the company did “fess up” in an appropriate amount of time. Moreover, ALM is working with law enforcement officials to find the culprits — all of which is in accordance with California’s – and other states’ – online privacy laws.
Of course, there may be extenuating circumstances that affect the validity of any given AshleyMadison.com User v. ALM online privacy lawsuit.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual E.U. User v. AshleyMadison.com / ALM
Though European Union online privacy laws are stricter than those in the United States, the probability of a successful Internet privacy claim in an E.U. court is as low as it is state-side, mostly because the overseas digital privacy laws have more to do with acknowledging certain types of tracking than with punishing instances of data breaches.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual User v. Impact Team
Can individual users sue Impact Team for invasion of privacy? Highly doubtful. Again, the word “privacy” isn’t even in the U.S. Constitution, and Capitol Hill has yet to pass a universal online privacy law.
Besides, finding the members of Impact Team is probably a longshot.
Hypothetical Ashley Madison Lawsuit Category: Breach of Contract
Hypothetical Ashley Madison Breach of Contract Lawsuit: Individual User v. AshleyMadison.com / ALM
“Breach of contract” lawsuits – or a breach of contract class action – may be the legal straw that breaks Avid Life Media’s back.
As a pay option, AshleyMadison.com offered members a deletion service for $19.99. And as the world now knows, it looks as if those promised deletions never happened.
Even if ALM included some tricky language in its terms about “deletion” not really meaning “deletion,” the company could still be in trouble. How? Because the language used to promote the service led the average user to believe that his or her data would be expunged completely; that was the conspicuous message.
Besides, the law, in many ways, no longer allows for “fine print” gotcha clauses, which are buried behind hyperlinks, in agate-font text. Hiding important information like that is considered underhanded and judges ordinarily don’t grant absolution for those types of tactics.
Other Possible Lawsuits: False Advertising and Fraud
In addition to breach of contract, it’s possible that the government may sue for false advertising – on account of the $19.99 deletion promise. Others will argue that it was fraud to take the money and then not fulfill the promise made. Whether or not either of these types of actions will be pursued or successful, time will tell.
Can ALM Sue Impact Team For The Hack?
Another possible Ashley Madison hack lawsuit that, theoretically, has a chance of success? ALM v. Impact Team.
The Computer Fraud and Abuse Act is the main hacking law in the United States. And it’s controversial. Some people feel the penalties are way too steep, and that it only serves to over-punish the “little guy” instead of the true masterminds who know how to properly cover their tracks.
Even if law enforcement agents were to unearth members of the Impact Team, it’s doubtful that ALM would prevail in the end…or that the case would even see a courtroom.
Make Sure Your Legal House Is In Order
The fallout of this Ashley Madison scandal will be long in the making. And if any claims do arise, like a phoenix out of a murky legal quagmire, rest assured that they will take years to litigate.
In the meantime, if you run a business and have an e-tail presence, be sure you’re up-to-date with the latest online privacy and data breach laws and standards.
FTC Favors Companies With Data Breach Contingency Plans
Originally Posted: Wednesday, July 15th, 2015
A couple of months ago, Mark Eichorn quietly published a significant post on the Federal Trade Commission’s blog. In it, he gives an overview of how the FTC approaches breach and data security investigations.
The post advises:
“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
In other words, when deciding on punitive measures in data security cases, the Federal Trade Commission is often more lenient with businesses that report breaches to the proper authorities promptly. Or, conversely, if you try to hide a data breach from authorities, and the FTC discovers your deception, the commissioners may – and are legally allowed to – dole out a larger fine.
Three Data Privacy Best Practices For SMBs
Have a “privacy officer” on speed dial. Privacy officers are usually attorneys; they’re the people businesses can call in the wake of a data breach to determine their legal responsibilities based on the nature of the data attack. Your privacy officer, depending on the information you provide, will let you know what you need to do to satisfy local, state, federal, and international data breach regulations. On occasion, contingent on the circumstances, you may not have to report the incident.
Don’t ignore security issues. Digital hacking is a serious reality. Laboring under the assumption that “it will never happen to you” or “only the big guys get hit” is erroneous. Implement certain data security measures at your office. Also, establish data security rules for employees – the most fundamental being that they’re forbidden from accessing files remotely without authorization and instruction.
Have data security, maintenance and breach procedures in place. Companies should also make a habit of corporate-wide password changes at regular intervals. Additionally, like a fire drill, businesses should establish a data breach drill. Not only will it be helpful in the event of an attack, but being able to prove that you did take precautions may mitigate eventual punishments handed down by the FTC or other government agencies.
Consult A Data Breach Lawyer
Lawyers at Internet law firm Kelly Warner act as the privacy officers for several startups and businesses. We’d be happy to help you establish a data security and / or data breach program or procedure that satisfies all state, federal, and international regulations.
ATTENTION WEB DEVELOPERS & DESIGNERS: Scammers developed a new scheme targeting Web designers and developers. We’ve outlined the con below. Take 2 minutes to make sure you’re not a target.
Web-Designer-Scam Red Flags
Initial Contact: Perpetrators of the web-designer-scam usually initiate contact via an email originating outside the United States. The sender usually inquires about services and includes a link to an example website.
Air of Legitimacy: What makes this scam particularly lucrative is that the initial inquiry seems legitimate.
Poor Grammar: Though the emails may seem valid, people who’ve been duped noted that the emails were grammatically questionable.
No Direct Response: One of the biggest red flags is the inquirers’ refusals to return your emails or address any questions. They’ll only initiate emails, dictating parameters. This is probably because it’s a semi-automated scam.
Inquirer Controls Terms: They may tell you a money order is coming as a deposit and that they’ll pay the balance on completion.
Large Money Order Arrives: Money orders do arrive. And here’s the rub: they’re usually for more than agreed upon.
Asks You To Refund: The scammers make money by getting you to wire money to them via Western Union. So, the “closer” is almost always a request to send the overage amount to a) them or b) some specified intermediary in the U.S.
Generally speaking, all web developers and designers should be wary of inquiries that ask them to send money to someone else – especially if you’re being paid by credit card or money order.
Speak With A Design and Developer Attorney
Kelly Warner is an Internet law firm that represents Web developers and graphic designers. To learn more about our firm, click here. To get in touch, please use one of the methods presented on our contact page. We look forward to speaking with you soon.
Can You Be Prosecuted For “Inappropriate” Things You Say Online?
Originally Posted: Thursday, June 4th, 2015
Do you treat Google as a confessional or a digital counter spy? If someone stumbled upon your private searches, would they think: “Dear Authorities: I have convincing proof that the hybrid of Patrick Bateman and Omen Damien now walks among us. Can you get on that, quickly? K? Thanks. Signed, Everyone Ever.”
In our digital world, where is the line between “deviant fantasy” and “attempted criminality”? A post-modern meditation on free speech and individual freedom, HBO’s new documentary, Thought Crimes: The Case of the Cannibal Cop, forces each of us to consider our relationship with the swami search engine, Google. The film begs us to debate questions like:
Should online searches be a factor in harassment and other criminal cases?
Can you be prosecuted for things you say online?
Can you be prosecuted for things you say on a “fantasy forum”?
Is there a right answer?
Thought Crimes: The Case of the Cannibal Cop: A Summary
HBO (now also known as: high-brow Court TV) debuted another true crime documentary that will leave you disturbed for days. Entitled Thought Crimes: The Case of the Cannibal Cop, the film lures you into the world of Gilberto Valle, a cop-turned-convict whose “fantasies” veered in the yikes-omgwtf direction.
Bottom Line: Gilberto Valle was a New York State police officer who spent off-duty time trolling the darkest parts of the Web. Parts where men talked about kidnapping, raping, and then eating women. Yes, Valle was allegedly an active member of a purported online cannibal community.
When Online Talk Starts Getting Real
Eventually, Valle started chatting with another user; talk turned to taking their fantasies AFK. Around this time, Valle allegedly accessed a police database to gather personal information about a woman he mentioned in his “cannibal chat community.” Obviously, this was a big no-no.
Investigation & Arrest
In time, Valle’s wife uncovered his secret; she ran to authorities. Law enforcement investigated, unearthed Valle’s online cannibal activity, and discovered his questionable access of police records.
In 2013, police arrested Valle. A jury found him guilty of kidnapping conspiracy; he served a year behind bars; then, a judge overturned the guilty verdict.
Can You Be Prosecuted For Things You Say Online?
Sure, the film is a bit salacious, snarky, and sometimes cringe-worthy, but Thought Crimes is more than mindless true crime fodder. It’s a brain teaser that delves into the philosophical and legal quagmire stewed by the 21st century. Should online searches ever be admissible evidence? What level of criminal intention can a Google search legally convey?
Throughout the documentary, Valle’s mindset is poked and probed – by the filmmakers and us, the audience. The film juxtaposes his conversations about cannibalism with videos of him eating or cooking. We jump to conclusions, only to have those suppositions questioned a frame later. We waver between two poles: Were Valle’s actions simply, as he insists, an online-only “sick fantasy”? Or did the prosecutors have it right, and use next-level police work to stop a violent criminal before he took his “sick fantasies” to actual streets?
A Minority Report Warning?
In retrospect, perhaps the only message Thought Crimes makes clear is this:
Be careful what you search for online. Very careful. Because Philip K. Dick’s prescient Minority Report seems to be playing out right before our very eyes — and “PreCrime” seems to be a real thing.
Kelly / Warner: The Digital Communication Litigation
Explained: The Arizona Data Breach Notification Law
Originally Posted: Wednesday, June 3rd, 2015
By the end of this post, you’ll understand Arizona’s “data breach notification law” and what you’re legally required to do in the wake of a hack, leak, or manual data breach. Ready to speak to a lawyer about your situation? Get in touch.
Arizona businesses – and websites accessible to Arizonians – are legally required to inform users and customers of data breaches. In this blog post, we’ll review § 44-7501 of the Arizona Revised Statutes – a.k.a., the Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions law. For brevity’s sake, we’ll call the regulation 44-7501.
What is “personal information” under the Arizona data breach notification law?
Arizona’s data security law only applies when personal information is compromised, which raises the question: What constitutes “personal information” under Arizona State law?
Answer: Any person’s first name or first initial and last name, coupled with:
A social security number;
Driver’s license or official ID information; or
Credit or debit card numbers, with password or security code data that could grant access to accounts.
Who must follow Arizona’s Data Breach Law?
Any person, group, or business, operating within the State of Arizona, that owns, maintains or licenses unencrypted user data, must follow 44-7501. Examples include (but are not limited to):
Companies headquartered in Arizona;
Commercial websites that permit Arizona residents to access or interact with their sites; and
Large companies with offices or customers in Arizona.
Uncertain if Arizona’s data breach law applies to you? Consult with an Internet law attorney to find out.
What constitutes a “breach” under Arizona’s Data Breach Law?
Not all leaked or stolen information is a notification-triggering breach. For an incident to qualify, personal data (described above) must have been compromised – or fallen into unauthorized hands – and the potential must exist for user / consumer economic loss. Examples of possible breaches:
Loss of laptop, memory stick, computer or hard drive;
Employment misconduct with digital records and accidental emails;
The above examples aren’t the only models that require notification, but simply an overview of things that have previously been deemed breaches under Arizona law.
What is the general purpose of 44-7501 – Arizona’s Data Breach Notification Law?
Passed in 2006, 44-7501 outlines the required notification process in the event of an unauthorized data breach.
When are you required to launch a data security breach investigation?
Under Arizona’s data breach law, the moment business operators become aware of a potential security issue, they are obligated to launch a “prompt investigation.” If it’s discovered that you looked the other way when the signs pointed to a potential breach, you’ll be fined – heavily.
How long do companies have to notify the affected users / people?
If your investigation concludes that a third party could have gained access to records, you’re required, by law, to alert the affected parties:
“…in the most expedient manner possible and without unreasonable delay.”
What are allowable notification methods according to Arizona’s data breach notification rules?
If you’re responsible for alerting affected consumers about an Arizona data breach, acceptable contact methods include:
Email, only if the person has indicated email as their preferred contact medium.
If more than 100,000 people are affected by a breach, or if the cost of notification would exceed $50,000, businesses can use so-called “substitute notification methods,” which include:
Email (some restrictions apply; consult with an Internet lawyer about the details of your case.)
Conspicuous notification on company website; or
Notification to major, statewide media outlets.
Law enforcement agencies can delay notification if the incident affects a larger investigation.
What is the penalty for breaking Arizona’s data breach law?
What happens if you don’t comply with Arizona’s data breach law? A huge fine. Violators are responsible for actual damages caused by the ignored breach, plus $10,000 per breach.
Who is allowed to sue for violations of Arizona’s Data Breach Notification Law?
Only the Arizona Attorney General can bring breach notification violation charges against a defendant. Additionally, State law supersedes municipal and county laws addressing the issue. This would not, however, preclude private citizens from bringing causes of action for other claims.
Got Arizona Data Breach Notification Questions? We’ve Got Answers.
Online Privacy Law: Renew Your Safe Harbor Certification
Originally Posted: Wednesday, May 27th, 2015
If you operate a website or app that collects personal user information, read on.
What are the International Safe Harbor Provisions and TRUSTe?
International Safe Harbor Certification Program
First things first: what, exactly, is a “Safe Harbor” provision?
In 1995, the European Union (“E.U.”) ratified rules regarding the digital transfer of personal information. In 2006 – in conjunction with the U.S. Department of Commerce – the E.U. created the Safe Harbor Framework, which allows U.S. businesses to demonstrate compliance with European standards.
U.S. and Swiss officials also rolled out a separate, but nearly identical, program around the same time.
The Safe Harbor Frameworks are self-certification processes, but participants are required to comply with associated paperwork to maintain official compliance recognition.
True Ultimate Standards Everywhere Inc. (a.k.a., TRUSTe) is a private firm that offers security certifications. Primarily, businesses that want to demonstrate a commitment to international data laws use the company’s services. Businesses can apply for universally recognized TRUSTe licenses. Like the Safe Harbor Frameworks, license renewal is required every few years.
Two Companies Busted For Not Renewing Safe Harbor and TRUSTe Commitments
TES Franchising LLC (“TES”) and American International Mailing Inc (“AIM”) both self-certified under the U.S.-E.U. and U.S.-Swiss Safe Harbor Frameworks. The former first completed the process in 2011, the latter in 2006. TES also held a TRUSTe license.
Both companies, however, failed to renew the required paperwork – and the FTC found out. As a result, the commission saddled both TES and AIM with 20 years of FTC-sanctioned, time-consuming bookkeeping — the non-completion of which could trigger a legally enforceable fine.
Even If You Don’t Change Your Website or Procedures, Safe Harbor Renewal Is Mandatory
TES and AIM didn’t violate any Safe Harbor certification standards; they simply forgot to renew on time. So, despite neither company committing a security abuse, not completing the proper paperwork put them on regulators’ radars.
The Takeaway: If you want to keep officials off your back, make sure you’re up-to-date with the latest international, national, and regional Internet laws — especially Safe Harbor certification paperwork.
For Maximum Profit, Enlist an Experienced Internet Law Attorney
Kelly / Warner attorneys are masters of Internet law. Pioneers in the field, we’re recognized as a leading tech law firm. Kelly / Warner consistently delivers better-than-big-firm results, for a fraction of the price.
Cybersquatting Cases: Criminal Domain Seizure On The Rise
Originally Posted: Thursday, April 9th, 2015
Cybersquatting cases are making a comeback! And this time around, the stakes are higher. Instead of holding domains ransom for a big pay day, today’s cybersquatters are using stolen domains for more nefarious means.
Is Cybersquatting Legal?
To set the record straight: cybersquatting is a civil offense. During the dawn of the Web, a class of enterprising early adopters and out-of-the-box thinkers made a killing by buying up, then selling back, trademarked and common phrase domains.
But corporations quickly called their representatives – and K Street connections – which resulted in the Anticybersquatting Consumer Protection Act. An extension of the Lanham Act, and passed in 1999, the ACPA essentially extended trademark rights to domain names. To wit, it’s the bill that made nike.com the automatic property of Nike, Inc.
Why is there an uptick in the amount of cybersquatting cases in recent months?
Both the Internet Corporation for Assigned Names and Numbers (ICANN) and the FBI have noted an increase in criminal cybersquatting cases over the past two years.
For starters, in the last decade, the price of domain names has increased. As such, it’s not cost effective, for criminals, to purchase URLs. Couple that with the “virus industry” – and you’ve got a perfect storm for malicious cybersquatting.
What is the new generation of cybersquatters doing with the stolen domains?
In the past, most cybersquatters were just looking to make money. These days, many of them are looking to wreak havoc. Victims have reported acts of:
Malware Distribution; and
Advanced cybersquatters are also hijacking domains and re-routing URLs to China, Russia, and Eastern Europe, where they are then used for nefarious financial transactions and other types of cyber criminality. There have even been reports that overseas “organized crime” organizations are hiring cybersquatters.
Authority Squabbles: Who Has Authority?
This new wave of cybersquatting may last quite some time. Why? Because nobody can agree on who is responsible for combating the problem. Law enforcement officials say the Internet Corporation for Assigned Names and Numbers (ICANN) has the international authority to combat this type of cybersquatting, but ICANN disagrees. Basically, officials are playing a game of hot potato when it comes to enforcement.
Speak With A Cybersquatting Attorney
Cybersquatting can take a huge toll on a business and cause considerable financial strain for attacked companies.
California rang in 2015 with a slew of new online privacy laws. If you run a commercial website – or otherwise collect personal data about users – there’s a good chance you’re beholden to California’s online privacy laws.
But why? You don’t operate out of California, right?
California’s online privacy laws aren’t only for websites and companies based in California. They apply to any and all commercial websites or apps available for use in California.
Below is a list of the Golden State’s latest digital privacy statutes. The state’s original online privacy law is still in effect, also. To speak with an Internet lawyer about an online privacy matter, head over here.
List of California Online Privacy Bills That Became Law In 2015
Privacy Rights for California Minors in the Digital World (Senate Bill No. 568)
Digitally marketing firearms, tobacco, or alcoholic beverages to California’s minors is no longer allowed. Neither is compiling personally identifiable information about people aged 17 and younger, nor enabling other people to do so. Think of SB 568 as “COPPA for teenagers.”
Data Breach Notification Amendments (Assembly Bill No. 1710)
Assembly Bill No. 1710 broadened the liability for data brokers holding information on California residents. Specifically, the new law requires data brokers to:
“…implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Patient Medical Breach Notification Period Extension (Assembly Bill 1755)
Most of the 2015 California online privacy laws tighten restrictions, but AB 1755 does the opposite. Known as the Medical Information Breach Notification Bill, it extended the notification grace period for patient data breaches from 5 to 15 days.
In addition, AB 1755 allows for email as an acceptable method of patient contact and notification. The law does stipulate, however, that email cannot be used unless the patient gives consent. https://legiscan.com/CA/text/AB1755/id/1038495
Pupil Records Privacy; 3rd-party contracts; digital storage services and digital educational software (Assembly Bill No. 1584)
Assembly Bill No. 1584 allows “educational agencies” (e.g., school districts, universities, etc.) to put both feet in the 21st century by granting leeway to contract cloud computing programs on a mass scale.
Pupil Records and Social Media (Assembly Bill No. 1442)
Another online privacy law protecting students, AB 1442 focuses on social media data. If school representatives collect information about students’ social media accounts, they’re not allowed to sell it, rent it or use it in an unauthorized manner. The law goes so far as to give “destruction instructions” for information inadvertently (or purposefully) collected.
Student Online Personal Information Protection Act (Senate Bill No. 1177)
Another student-focused online privacy law, Senate Bill No. 1177 addresses advertising in educational software. Essentially, the new law prohibits marketers from a) using in-app, targeted advertising and b) building student profiles using information gathered via platforms used in schools and other educational institutions. The law also calls for on-demand information deletion under certain circumstances.
Kelly / Warner attorneys intimately understand the parameters of both state and federal online privacy regulations. If you run a website in the U.S., there’s a significant chance you’re beholden to not only California online privacy laws – but foreign (yep, foreign) statutes, too. If you have an online business presence, get a privacy audit with an experienced Internet lawyer.