The Infamous Ashley Madison Online Data Breach Scandal
In 2015, hackers unsheathed 36 million accounts on the infamous extra-marital dating site AshleyMadison.com. The fallout was epic — and, at times, tragic; two people took their own lives, divorce proceedings skyrocketed, and the company’s CEO resigned amidst the maelstrom.
Scandal Leads To Online Class Action Lawsuit
The scandal also spawned several legal battles.
Exposed users questioned the platform’s security safeguards. Clients who paid extra for account deletion services took particular umbrage. And beyond the breach, Ashley Madison patrons decried the website’s use of fake profiles to lure clients. Ultimately, the company broke enough proper protocols and client promises to catch an online class action.
A U.S. District Court in Missouri will decide whether or not to affirm the settlement offer — which, by the way, doesn’t include a fault admission on Ashley Madison’s part. If accepted, affected parties can claim up to $3,500, depending on how the breach impacted their lives. For example, people targeted by identity thieves because of the incident will get more than someone who was embarrassed but suffered no material harm as a direct result of the hack. Moreover, amounts will depend on the number of claims submitted.
This class action is not the first legal hurdle AshleyMadison.com has cleared in the wake of the scandal. Thirteen state attorneys general and the Federal Trade Commission also lodged formal complaints against the company.
Connect With An Online Privacy Lawyer
Was your business the target of a data hack? If so, and you’re unsure of subsequent legal obligations, get in touch. Most states require that companies inform affected parties in a particular way. Our team has helped numerous parties navigate the aftermath of a hack. We’ll assist with state and federal notification requirements, plus provide guidance on how to put the incident behind you and continue to grow.
Amazon Censured Over Kids’ Apps That Encourage Spending
Originally Posted: Monday, July 17th, 2017
Amazon settled an FTC COPPA case. Federal regulators charged the online retailer with improperly billing parents for purchases made by their children.
Amazon’s marketplace is filled with apps and games aimed at children, but some didn’t have protections to prevent underage in-game purchases for virtual “stars” and “coins.”
The problem has persisted for years, and in 2014, FTC Chairwoman Edith Ramirez touched on the issue. At the time, she explained: “Even Amazon’s own employees recognized the serious problem its process created.” Another related event sparked in May 2016. But it took until April 2017 for Amazon and the FTC to settle on an agreement.
Last Tuesday an Amazon spokesman explained:
“Since the launch of the Appstore in 2011, Amazon has helped parents prevent purchases made without their permission by offering access to parental controls, clear notice of in-app purchasing, real-time notification for every in-app purchase and refund assistance for unauthorized purchases. The court here affirmed our commitment to customers when it ruled no changes to current Appstore practices were required.
“To continue ensuring a great customer experience, we are happy to provide our customers what we have always provided: refunds for purchases they did not approve. We have contacted all eligible customers who have not already received a refund for unauthorized charges to help ensure their refunds are confirmed quickly.”
Amazon set up a Web page where affected parties can request refunds: https://www.amazon.com/gp/mas/refund-orders/in-apprefund.
If you have an Amazon account, use the platform’s Message Center to find additional information about refunds. The FTC recommends that specific questions about this matter be directed to Amazon by phone at 866-216-1072.
Maine: The Next State To Secure Residents’ Online Privacy?
Originally Posted: Tuesday, May 30th, 2017
Online privacy is becoming a major states’ rights issue. Illinois lawmakers are well on their way to passing a digital data privacy law, and now it looks like Maine is following in The Prairie State’s footsteps.
Maine’s New Online Privacy Bill
A bipartisan proposal marshaled by state Sen. Shenna Bellows of Manchester, L.D. 1610 — a.k.a. “An Act To Protect Privacy of Online Customer Personal Information” — would require Internet Service Providers to secure consent before releasing users’ browsing data.
“This bill prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access.”
Not only does the bill force providers to secure consent before sharing user data, but it also forbids discount-for-consent programs.
In March, the United States Congress voted to trash incoming FCC rules prohibiting ISPs and websites from selling user data. Since then, digital privacy has quickly become a “states’ rights” issue. In fact, many jurisdictions are in the process of drafting their own versions of the now-defunct FCC rules.
Keen to avoid more administrative requirements, most ISPs breathed a sigh of relief when Congress killed the browsing privacy rules. Many residents, however, disagreed. In defense of constituents, state Sen. Bellows chastised federal lawmakers, lamenting that the “reckless vote” put “Mainers’ privacy up for sale.” In support of her bill, Bellows remonstrated:
“Most people are rightfully appalled by the idea that their Internet service provider could be watching their every move online and selling their information to the highest bidder. We owe it to our constituents to protect their privacy.”
Maine has a long way to go before L.D. 1610 becomes law — if it even makes it. But the first step on the ratification journey was a public hearing on May 24th.
Connect With An Internet Law Attorney
Kelly / Warner is a boutique Internet law firm that helps clients with various online privacy issues. To learn more about the practice, please start at the “About Us” section of the website.
Facebook Law: Consequences of Hacking Into Another Person’s Account
Originally Posted: Monday, September 28th, 2015
You wake up one day, power on your phone, and BOOM! Life exploded overnight. An enemy successfully hacked your Facebook account and sent outrageous emails to your friends and family — emails which appear to be coming from you!
Nightmare, right? And one that a woman named “Steph” (not real name) says she endured at the hands of her former paramour.
In response to the incident, Steph filed a lawsuit, but the court dismissed the claim because the statute of limitations had expired. Recently, though, an appeals panel reversed the lower court’s decision; Steph can now move forward with her online defamation case.
The lawsuit is significant because it could further define the scope of the Computer Fraud and Abuse Act. In non-legal terms, the case is important because it highlights the very real – and very damaging – consequences for seeking “digital revenge” – against a person or business rival.
Example Incident: Ex-Lover Allegedly Hacks Facebook Account & Sends Messages
One day, in the not so distant past, a woman named “Steph” suddenly couldn’t access her email and social media accounts. The logins just weren’t working. Frustrated, she enlisted an attorney to investigate the issue. And guess what: the lawyer found a treasure trove of potential illegality, in the form of emails sent from the account during the time Steph was locked out.
At first, Steph believed the culprit to be her ex-lover’s wife and filed a lawsuit against the woman. But it turned out that the wife was innocent; instead, the alleged culprit was Steph’s former paramour, who allegedly confessed.
Lower Court Tossed Facebook Law Case
A lower court initially tossed the case, claiming Steph waited too long to bring charges. But a three-judge appeals bench disagreed, in part, with the lower court’s decision, ruling that even though the statute of limitations had expired for the email account claims, Steph could move forward with the Facebook ones.
Why the discrepancy between the two courts? The appeals judges considered the persistent realities of present-day digital life.
Judges Starting To Consider Digital Culture In Social Media Rulings
In the initial ruling, the court – for lack of a better term – considered Steph’s online accounts as one entity. But the appeals court wisely reasoned that people no longer have a single email address or account; between Facebook, Twitter, Instagram, your favorite blog, news portals – you name it – the average person has upwards of 15 to 25 different digital accounts.
Since Steph hadn’t discovered her hacked Facebook till 2012, the statute of limitations for the Computer Fraud and Abuse Act and the Stored Communications Act had yet to expire.
Potential Consequences of Hacking, Defaming or Otherwise Misappropriating
Although it’s tempting and oh-so-easy (the keyboard is right there!), seeking digital revenge by either a) hacking into another person’s online accounts or b) pretending to be someone else on the Internet is a monumentally stupid idea. These acts aren’t only a violation of the Computer Fraud and Abuse Act, but breaches of an inordinate amount of state impersonation, privacy, and Internet law statutes. If Steph wins, her former flame could, in theory, go to jail. He could also find himself in bankruptcy court on account of massive fines.
All because of a little churlish social media tomfoolery.
Even If You Don’t Hack, Legal Consequences Abound
Let’s say you buy a URL that features someone’s name. Then you take it upon yourself to litter said website with lies; the person whose name you co-opted could successfully sue for online defamation or false light invasion of privacy.
An Online Alias May Not Protect You From Being Found
What about anonymous online reputation attacks, you ask? An online alias isn’t an invisibility cloak. All that’s required to denude an anonymous defamer is a court order compelling an ISP to hand over identifying information. If a judge believes that a plaintiff has a shot at winning their case, there’s a good chance they’ll issue a court order.
“What about a VPN to hide your IP?” Also discoverable.
When faced with the taste for revenge, the best thing to do is step AFK and engage in something you enjoy. Zen out, because that one “muwahahahahaha” could, in theory, land you on Skid Row – or behind bars.
Neumeister, L. (2015, August 4). Woman can go ahead with lawsuit alleging Facebook defamation. Retrieved September 28, 2015, from http://finance.yahoo.com/news/woman-ahead-lawsuit-alleging-facebook-203809655.html
Ashley Madison Hack: Can People Sue?
Originally Posted: Wednesday, August 26th, 2015
Online purveyor of pro-paramour lifestyles, AshleyMadison.com, encouraged users to “have an affair,” because “life is short.” Well, the company’s lifespan may now be in jeopardy thanks to a possible litigation tsunami heading its way.
Who can exposed Ashley Madison users sue? The website or the hackers? What can “victims” legally claim? What are the chances of Ashley Madison successfully defending themselves? Will the business survive a litigation onslaught?
Let’s deconstruct the scandal and possible legal aftermaths.
The AshleyMadison.com Hacking Scandal Basics
What is AshleyMadison.com?
From its website: “Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair…With Our affair guarantee package we guarantee you will find the perfect affair partner.”
Who owns AshleyMadison.com?
Avid Life Media (“ALM”), a Canadian company that also operates websites called Cougar Life and Established Men.
Who hacked the site and when?
An ostensibly ethical hacking collective known as the Impact Team claimed responsibility for the breach. Impact Team announced its coup mid-July; at that time, it made demands of ALM, offering a month-long compliance window. ALM didn’t comply with the demands, so Impact Team leaked the data mid-August.
What reason did Impact Team give for its act of hacktivism?
Impact Team targeted two of Avid Life’s properties. Excerpts from its public statement regarding the hack:
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
How did Avid Life Media respond to the initial hack?
The company behind Ashley Madison did not comply with Impact Team’s initial requests. Instead, ALM told users it had augmented security on the site. When the initial data dump hit, ALM speculated that the information wasn’t real. After its forensic team had explored the matter, however, the company acknowledged the breach.
What information did Impact Team eventually release?
Via two giant data dumps, initially only accessible with a Tor browser, Impact Team divulged around 32 million accounts. Some accounts are bogus; some are legit. Currently, most people aren’t paying much attention to email addresses not attached to payment accounts. And even for accounts that do include credit card info, there is no guarantee that the card holder’s identity wasn’t hijacked.
We should note that Impact Team didn’t release full credit card information, only the last four digits.
Did Impact Team explain why it eventually released the data?
Yes. According to Impact Team:
“We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data … Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters. …
“Too bad for ALM, you promised secrecy but didn’t deliver.”
Impact Team also urged the exposed to “make amends” and encouraged: even though it is “embarrassing now,” Ashleymadison.com users will “get over it.”
Did Ashleymadison.com make any effort to secure user data?
Yes. The site used PHP’s bcrypt algorithm to store passwords, which is considered an acceptable method among digital security specialists. However, as Robert Graham, CEO of Erratasec, explained, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.”
Avid Life’s Statement About The Data Revelation
“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of Ashleymadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the company said in a statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
Two Important Things to Consider About the AshleyMadison.com Hack That Could Impact Potential Legal Actions Stemming From the Incident
Fake Accounts: Countless Ashley Madison accounts are fake and created by bots.
No Verification Required: AshleyMadison.com doesn’t require email verification to create an account. As such, an innocent person’s address could have landed in the data scrum if:
The email address is publicly available online, and a bot picked it up in an automated profile creation scrape;
Someone else used the email of an enemy – or friend – to set up an Ashley Madison account;
A reporter or investigator set up an account to get a peek behind the curtain for research purposes.
Legitimate accounts are most likely attached to credit card information – like reality TV’s Josh Duggar’s account.
Ashley Madison Hack: What Can People Sue Over?
According to statements issued by the collective, one of the main reasons Impact Team targeted Avid Life Media’s sites was the company’s paid security option.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life.”
Which raises a question: Can “hack victims” (i.e., Ashley Madison users) successfully sue Ashley Madison and Avid Life Media? It’s an insanely complicated question.
An ocean’s worth of individual details would factor into the fitness of any potential claim. That said, let’s take a look at some potential types of lawsuits that could be brought, then deconstruct the likelihood of success.
Hypothetical Ashley Madison Lawsuit Category: Defamation / False Light Invasion of Privacy
Can Ashley Madison users sue the website for defamation or false light invasion of privacy – a tort very similar to defamation which is on the law books in some states? On a scale from one to ten, the chances are about a .5. Why? Two reasons:
Though there are rare exceptions (like in Massachusetts), “truth” is a rock-solid defense against slander and libel claims. And in the case of the Ashley Madison hack, Impact Team covered its proverbial “butt” by pointing out that not all of the accounts are necessarily real.
Due to Section 230 of the Communications Decency Act, Internet service providers and certain social media platforms enjoy a considerable amount of third-party defamation immunity protection.
Now let’s look at some hypothetical scenarios.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Ashleymadison.com / ALM
Again, the likelihood of an individual user successfully suing Avid Life Media for defamation is between slim and none. Under U.S. law, to win a defamation claim, plaintiffs must prove that the defendants made false statements of fact. In this case, though Impact Team hacked and leaked data, neither AshleyMadison.com nor its employees made false statements of fact about users.
Intention also plays a primary part in state-side slander and libel suits. In this case, Ashley Madison executives didn’t act with actual malice, nor did they act with reckless disregard for the truth.
HOWEVER, Ashleymadison.com’s website featured verbiage that promised a premium account option – an option that included information “deletion.” This program could be the basis of a solid breach of contract claim, which we’ll get to below.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Impact Team
As with ALM, it’s unlikely that individual users can bring successful defamation lawsuits against the Impact Team. Firstly, the collective didn’t spread lies; it leaked information. Even in instances where an automated bot scraped an email address from the Web and appended it to Ashley Madison’s database, the hackers, in theory, should be immune from libel liability. Why? Because in the collective’s release statement, Impact Team admitted that a large chunk of the user data was most likely false. The team even highlighted an ongoing class action, over fake profiles, against ALM.
Hypothetical Ashley Madison Lawsuit Category: Individual User v. Individual Online Shame Spreader
Theoretically, one type of Ashley Madison defamation lawsuit that has a shot at success is between an individual whose information was falsely leaked and a person who publicly makes assertions based on the presence of that false information. Huh? This scenario is best explained in an example.
Example of a Potentially Successful Ashley Madison Defamation Lawsuit
John and James are co-workers and rivals for a job position. Turns out that John’s email address was among those leaked in the Ashley Madison data breach. John, however, has never used Ashley Madison and is happily married. His email landed in the website’s records on account of a bot that scraped the Web for addresses to make fake profiles – a subversive online marketing technique. In fact, John had no idea his email was even in the leak.
Now let’s cut to James, John’s work rival. He searches through the Ashley Madison data dump and comes across John’s email. Teeming with schadenfreude, James immediately takes to Twitter and scolds:
“John Doe is an adulterous CHEATER! He’s slept with the entire office and probably has a disease!!”
A tweet like this could be deemed defamatory (or at least false light). For starters, James makes a false statement of fact by asserting that John is a cheater and has a disease. Arguably, this is a reckless statement because the Impact Team explained the probability of false-positive accounts and highlighted the ongoing lawsuit involving fake profiles. Moreover, James extrapolated an entire story based on one piece of information.
There is no guarantee that John would win our hypothetical case, but of all the possible Ashley Madison defamation conflicts, a scenario like his has the best chance of success. But again, all online libel lawsuits depend on the details of the case, so it’s best to speak with an attorney about specifics.
Hypothetical Ashley Madison Lawsuit Category: Data Breach / Online Privacy
Hypothetical Ashley Madison Lawsuit Category: Individual U.S. User v. Ashleymadison.com / ALM
“Ashley Madison users can surely sue for violations of online privacy, right?”
Believe it or not, the United States doesn’t have a universal online privacy law. California’s online privacy statute comes the closest, but as of this writing, it doesn’t appear that ALM has violated it. After all, the company did take steps to secure passwords; the hackers were just smarter.
And though ALM at first questioned the validity of the data, the company did “fess up” in an appropriate amount of time. Moreover, ALM is working with law enforcement officials to find the culprits — all of which is in accordance with California’s – and other states’ – online privacy laws.
Of course, there may be extenuating circumstances that affect the validity of any given AshleyMadison.com User v. ALM online privacy lawsuit.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual E.U. User v. AshleyMadison.com / ALM
Though European Union online privacy laws are stricter than those in the United States, the probability of a successful Internet privacy claim in an E.U. court is as low as it is state-side, mostly because the overseas digital privacy laws have more to do with acknowledging certain types of tracking than with punishing instances of data breaches.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual User v. Impact Team
Can individual users sue Impact Team for invasion of privacy? Highly doubtful. Again, the word “privacy” isn’t even in the U.S. Constitution, and Capitol Hill has yet to pass a universal online privacy law.
Besides, finding the members of Impact Team is probably a longshot.
Hypothetical Ashley Madison Lawsuit Category: Breach of Contract
Hypothetical Ashley Madison Breach of Contract Lawsuit: Individual User v. AshleyMadison.com / ALM
“Breach of contract” lawsuits – or a breach of contract class action – may be the legal straw that breaks Avid Life Media’s back.
As a pay option, AshleyMadison.com offered members a deletion service for $19.99. And as the world now knows, it looks as if those promised deletions never happened.
Even if ALM included some tricky language in its terms about “deletion” not really meaning “deletion,” the company could still be in trouble. How? Because the language used to promote the service led the average user to believe that his or her data would be expunged completely; that was the conspicuous message.
Besides, the law, in many ways, no longer allows for “fine print” gotcha clauses, which are buried behind hyperlinks, in agate-font text. Hiding important information like that is considered underhanded and judges ordinarily don’t grant absolution for those types of tactics.
Other Possible Lawsuits: False Advertising and Fraud
In addition to breach of contract, it’s possible that the government may sue for false advertising – on account of the $19.99 deletion promise. Others will argue that it was fraud to take the money and then not fulfill the promise made. Whether or not either of these types of actions will be pursued or successful, time will tell.
Can ALM Sue Impact Team For The Hack?
Another possible Ashley Madison hack lawsuit that, theoretically, has a chance of success? ALM v. Impact Team.
The Computer Fraud and Abuse Act is the main hacking law in the United States. And it’s controversial. Some people feel the penalties are way too steep, and that it only serves to over-punish the “little guy” instead of the true masterminds who know how to properly cover their tracks.
Even if law enforcement agents were to unearth members of the Impact Team, it’s doubtful that ALM would prevail in the end…or that the case would even see a courtroom.
Make Sure Your Legal House Is In Order
The fallout of this Ashley Madison scandal will be long in the making. And if any claims do arise, like a Phoenix out of a murky legal quagmire, rest assured that it will take years to litigate.
In the meantime, if you run a business and have an e-tail presence, be sure you’re up-to-date with the latest online privacy and data breach laws and standards.
Estes, A. (2015, August 19). The Ashley Madison Hackers Just Released a Ton of Stolen Data [Updated]. Retrieved August 25, 2015, from http://gizmodo.com/the-ashley-madison-hackers-just-released-all-of-their-s-1724920693
Ragan, S. (2015, August 18). Ashley Madison hackers publish compromised records. Retrieved August 25, 2015, from http://www.csoonline.com/article/2973036/vulnerabilities/ashley-madison-hackers-publish-compromised-records.html
Doctorow, C. (2015, August 20). Ashley Madison commits copyfraud in desperate bid to suppress news of its titanic leak. Retrieved August 25, 2015, from https://boingboing.net/2015/08/20/ashley-madison-commits-copyfra.html
Kim, Z. (2015, August 18). Hackers Finally Post Stolen Ashley Madison Data. Retrieved August 25, 2015, from http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
FTC Favors Companies With Data Breach Contingency Plans
Originally Posted: Wednesday, July 15th, 2015
A couple of months ago, Mark Eichorn quietly published a significant post on the Federal Trade Commission’s blog. In it, he gives an overview of how the FTC approaches breach and data security investigations.
The post advises:
“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
In other words, when deciding on punitive measures in data security cases, the Federal Trade Commission is often more lenient with businesses that report breaches to the proper authorities promptly. Or, conversely, if you try to hide a data breach from authorities, and the FTC discovers your deception, the commissioners may – and are legally allowed to – dole out a larger fine.
Three Data Privacy Best Practices For SMBs
Have a “privacy officer” on speed dial. Privacy officers are usually attorneys; they’re the people businesses can call in the wake of a data breach to determine their legal responsibilities based on the nature of the data attack. Your privacy officer, depending on the information you provide, will let you know what you need to do to satisfy local, state, federal, and international data breach regulations. On occasion, contingent on the circumstances, you may not have to report the incident.
Don’t ignore security issues. Digital hacking is a serious reality. Laboring under the assumption that “it will never happen to you” or “only the big guys get hit” is erroneous. Implement certain data security measures at your office. Also, establish data security rules for employees – the most fundamental being that they’re forbidden from accessing files remotely without authorization and instruction.
Have data security, maintenance and breach procedures in place. Moreover, companies should make a habit of corporate-wide password changes at regular intervals. Additionally, like a fire drill, businesses should establish a data breach drill. Not only will it be helpful in the event of an attack, but being able to prove that you did take precautions may mitigate eventual punishments handed down by the FTC or other government agencies.
Consult A Data Breach Lawyer
Lawyers at Internet law firm Kelly Warner act as the privacy officers for several startups and businesses. We’d be happy to help you establish a data security and / or data breach program or procedure that satisfies all state, federal, and international regulations.
Media chatter suggests that the Federal Trade Commission has turned its gaze towards “native ads” – a.k.a., sponsored content. At an industry conference, FTC director Mary Engle outlined the agency’s core apprehension regarding native advertising. She explained:
“For us [the FTC], the concern is whether consumers recognize what they’re seeing is advertising or not.”
Is It Enough To Use A “Sponsored” Label?
A lot of websites demarcate promotional sections with a “Sponsored Stories” headline. Does that satisfy FTC guidelines? Not anymore.
Some marketers label native advertising in fine print. Think: sponsored (don’t worry, you’re not the only one who can’t read it). At the event, FTC’s Engle reminded attendees that the commission had won cases in which the word “advertorial” was so small the average person didn’t notice it.
If It Misleads, Your Business May Bleed
A journalism axiom instructs: “If it bleeds, it leads!” In other words, gory stories get front-page coverage. Call it “rubbernecking syndrome.” As a variation on the theme, native advertisers should remember: “If it misleads, a business may bleed!”
And remember: Advertisers, designers, and even marketers can all be held responsible in a “native advertising” sting.
Native Advertising and Marketing Audits: A Business’ Best Friend
U.S. brands courting overseas customers must adhere to both domestic and foreign advertising laws.
Are you positive you understand – and follow – every state, federal, and international marketing law, regulation, and guideline? Ask yourself:
Do you know how EU and UK privacy laws affect digital marketing campaigns?
Can You Be Prosecuted For “Inappropriate” Things You Say Online?
Originally Posted: Thursday, June 4th, 2015
Do you treat Google as a confessional or a digital counter spy? If someone stumbled upon your private searches, would they think: “Dear Authorities: I have convincing proof that the hybrid of Patrick Bateman and Omen Damien now walks among us. Can you get on that, quickly? K? Thanks. Signed, Everyone Ever.”
In our digital world, where is the line between “deviant fantasy” and “attempted criminality”? A post-modern meditation on free speech and individual freedom, HBO’s new documentary, Thought Crimes: The Case of the Cannibal Cop, forces each of us to consider our relationship with the swami search engine, Google. The film begs us to debate questions like:
Should online searches be a factor in harassment and other criminal cases?
Can you be prosecuted for things you say online?
Can you be prosecuted for things you say on a “fantasy forum”?
Is there a right answer?
Thought Crimes: The Case of the Cannibal Cop: A Summary
HBO (now also known as: high-brow Court TV) debuted another true crime documentary that will leave you disturbed for days. Entitled Thought Crimes: The Case of the Cannibal Cop, the film lures you into the world of Gilberto Valle, a cop-turned-convict whose “fantasies” veered in the yikes-omgwtf direction.
Bottom Line: Gilberto Valle was a New York State police officer who spent off-duty time trolling the darkest parts of the Web. Parts where men talked about kidnapping, raping, and then eating women. Yes, Valle was allegedly an active member of a purported online cannibal community.
When Online Talk Starts Getting Real
Eventually, Valle started chatting with another user; talk turned to taking their fantasies AFK. Around this time, Valle allegedly accessed a police database to gather personal information about a woman he mentioned in his “cannibal chat community.” Obviously, this was a big no-no.
Investigation & Arrest
In time, Valle’s wife uncovered his secret; she ran to authorities. Law enforcement investigated, unearthed Valle’s online cannibal activity, and discovered his questionable access of police records.
In 2013, police arrested Valle. A jury found him guilty of kidnapping conspiracy; he served a year behind bars; then, a judge overturned the guilty verdict.
Can You Be Prosecuted For Things You Say Online?
Sure, the film is a bit salacious, snarky, and sometimes cringe-worthy, but Thought Crimes is more than mindless true crime fodder. It’s a brain teaser that delves into the philosophical and legal quagmire stewed by the 21st century. Should online searches ever be admissible evidence? What level of criminal intention can a Google search legally convey?
Throughout the documentary, Valle’s mindset is poked and probed – by the filmmakers and us, the audience. The film juxtaposes his conversations about cannibalism with videos of him eating or cooking. We jump to conclusions, only to have those suppositions questioned a frame later. We waver between two poles: Were Valle’s actions simply, as he insists, an online-only “sick fantasy”? Or did the prosecutors have it right, and use next-level police work to stop a violent criminal before he took his “sick fantasies” to actual streets?
A Minority Report Warning?
In retrospect, perhaps the only message Thought Crimes makes clear is this:
Be careful what you search for online. Very careful. Because Philip K. Dick’s prescient Minority Report seems to be playing out right before our very eyes — and “PreCrime” seems to be a real thing.
Kelly / Warner: The Digital Communication Litigation
Explained: The Arizona Data Breach Notification Law
Originally Posted: Wednesday, June 3rd, 2015
By the end of this post, you’ll understand Arizona’s “data breach notification law” and what you’re legally required to do in the wake of a hack, leak, or manual data breach. Ready to speak to a lawyer about your situation? Get in touch.
Arizona businesses – and websites accessible to Arizonians – are legally required to inform users and customers of data breaches. In this blog post, we’ll review § 44-7501 of the Arizona Revised Statutes – a.k.a., the Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions law. For brevity’s sake, we’ll call the regulation 44-7501.
What is “personal information” under the Arizona data breach notification law?
Arizona’s data security law only applies when personal information is compromised, which raises the question: What constitutes “personal information” under Arizona State law?
Answer: Any person’s first name or first initial and last name, coupled with:
A social security number;
Driver’s license or official ID information; or
Credit or debit card numbers, with password or security code data that could grant access to accounts.
Who Must Follow Arizona’s Data Breach Law?
Any person, group, or business, operating within the State of Arizona, that owns, maintains or licenses unencrypted user data, must follow 44-7501. Examples include (but are not limited to):
Companies headquartered in Arizona;
Commercial websites that permit Arizona residents to access or interact with their sites; and
Large companies with offices or customers in Arizona.
Uncertain if Arizona’s data breach law applies to you? Consult with an Internet law attorney to find out.
What constitutes a “breach” under Arizona’s Data Breach Law?
Not all leaked or stolen information is a notification-triggering breach. For an incident to qualify, personal data (described above) must have been compromised – or fallen into unauthorized hands – and the potential must exist for user / consumer economic loss. Examples of possible breaches:
Loss of laptop, memory stick, computer or hard drive;
Employment misconduct with digital records and accidental emails;
The above examples aren’t the only models that require notification, but simply an overview of things that have previously been deemed breaches under Arizona law.
What is the general purpose of 44-7501 – Arizona’s Data Breach Notification Law?
Passed in 2006, 44-7501 outlines the required notification process in the event of an unauthorized data breach.
When are you required to launch a data security breach investigation?
Under Arizona’s data breach law, the moment business operators become aware of a potential security issue, they are obligated to launch a “prompt investigation.” If it’s discovered that you looked the other way when the signs pointed to a potential breach, you’ll be fined – heavily.
How long do companies have to notify the affected users / people?
If your investigation concludes that a third party could have gained access to records, you’re required, by law, to alert the affected parties:
“…in the most expedient manner possible and without unreasonable delay.”
What are allowable notification methods according to Arizona’s data breach notification rules?
If you’re responsible for alerting affected consumers about an Arizona data breach, acceptable contact methods include:
Email, only if the person has indicated email as their preferred contact medium.
If more than 100,000 people are affected by a breach, or if the cost of notification would exceed $50,000, businesses can use so-called “substitute notification methods,” which include:
Email (some restrictions apply; consult with an Internet lawyer about the details of your case.)
Conspicuous notification on company website; or
Notification to major, statewide media outlets.
Law enforcement agencies can delay notification if the incident affects a larger investigation.
What is the penalty for breaking Arizona’s data breach law?
What happens if you don’t comply with Arizona’s data breach law? A huge fine. Violators are responsible for actual damages caused by the ignored breach, plus $10,000 per breach.
Who is allowed to sue for violations of Arizona’s Data Breach Notification Law?
Only the Arizona Attorney General can bring breach notification violation charges against a defendant. Additionally, State law supersedes municipal and county laws addressing the issue. This would not, however, preclude private citizens from bringing causes of action for other claims.
Got Arizona Data Breach Notification Questions? We’ve Got Answers.
Social Media’s Stand Against Revenge Porn
Originally Posted: Thursday, April 16th, 2015
Twitter is taking a stand against “revenge porn.” Perhaps the “Fappening” drove them to change. Or maybe the social media platform is falling in line with legislators across the country who are eagerly passing laws that punish people who engage in the act.
From Denial to Action
Twitter’s stand against revenge porn comes after a leaked internal correspondence by CEO Dick Costolo made its way to the Internet. In it, Costolo admitted:
“we [Twitter] suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years.”
The Exact Twitter Revenge Porn Rule Change
So, how, exactly, did Twitter address the revenge porn problem on its platform? The site amended the “private information” and “abusive behavior” sections of its terms of service policy. Now, according to the TOS:
You may not post intimate photos or videos that were taken or distributed without the subject’s consent.
Yeah, But, Is Twitter’s New Anti-Revenge Porn Stance Really Going To Help?
If you’re a skeptic, you may be thinking, “So what. This is all just lip service. Nothing will change.” And you’re not alone. Many people think Twitter’s announcement was simply a PR effort that won’t result in change, because “banning” revenge porn on a social media platform would ultimately result in an everlasting game of whack-a-mole.
Facebook Is Also Making Noise About Indecency Issues
Twitter isn’t the only social media platform publicly addressing the revenge porn issue in recent months. Facebook has also made changes to its use policy to read:
“You may not post intimate photos or videos that were taken or distributed without the subject’s consent.”
The ‘threats and abuse’ section of Facebook’s terms now also reads:
“In addition, users may not post intimate photos or videos that were taken or distributed with the subject’s consent.”
Further Reading & Attorney Contact Information
To find out if your state has a specific revenge porn law, click here.
To set up a consultation with a lawyer that handles Internet law issues, click here.
List of California Online Privacy Laws
Originally Posted: Monday, February 9th, 2015
California rang in 2015 with a slew of new online privacy laws. If you run a commercial website – or otherwise collect personal data about users – there’s a good chance you’re beholden to California’s online privacy laws.
But why? You don’t operate out of California, right?
California’s online privacy laws aren’t only for websites and companies based in California. They apply to any and all commercial websites or apps available for use in California.
Below is a list of the Golden State’s latest digital privacy statutes. The state’s original online privacy law is still in effect, also. To speak with an Internet lawyer about an online privacy matter, head over here.
List of California Online Privacy Bills That Became Law In 2015
Privacy Rights for California Minors in the Digital World Senate Bill No. 568
Digitally marketing firearms, tobacco, or alcoholic beverages to California’s minors is no longer allowed. Neither is compiling personally identifiable information about people aged 17 and younger, nor enabling other people to do so. Think of SB 568 as “COPPA for teenagers.”
Data Breach Notification Amendments Assembly Bill No. 1710
Assembly Bill No. 1710 broadened the liability for data brokers holding information on California residents. Specifically, the new law requires data brokers to:
“…implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Patient Medical Breach Notification Period Extension Assembly Bill 1755
Most of the 2015 California online privacy laws tighten restrictions, but AB 1755 does the opposite. Known as the Medical Information Breach Notification Bill, it extended the notification grace period for patient data breaches from 5 to 15 days.
In addition, AB 1755 allows for email as an acceptable method of patient contact and notification. The law does stipulate, however, that email cannot be used unless the patient gives consent. https://legiscan.com/CA/text/AB1755/id/1038495
Pupil Records Privacy; 3rd-party contracts; digital storage services and digital educational software Assembly Bill No. 1584
Assembly Bill No. 1584 allows “educational agencies” (e.g., school districts, universities, etc.) to put both feet in the 21st century by granting leeway to contract cloud computing programs on a mass scale.
Pupil Records and Social Media Assembly Bill No. 1442
Another online privacy law protecting students, AB 1442 focuses on social media data. If school representatives collect information about students’ social media accounts, they’re not allowed to sell it, rent it or use it in an unauthorized manner. The law goes so far as to give “destruction instructions” for information inadvertently (or purposefully) collected.
Student Online Personal Information Protection Act Senate Bill No. 1177
Another student-focused online privacy law, Senate Bill No. 1177 addresses advertising in educational software. Essentially, the new law prohibits marketers from a) using in-app, targeted advertising and b) building student profiles using information gathered via platforms used in schools and other educational institutions. The law also calls for on-demand information deletion under certain circumstances.
Kelly / Warner attorneys intimately understand the parameters of both state and federal online privacy regulations. If you run a website in the U.S., there’s a significant chance you’re beholden to not only California online privacy laws – but foreign (yep, foreign) statutes, too. If you have an online business presence, get a privacy audit with an experienced Internet lawyer.
Do Foreign Companies Have To Follow FTC COPPA Regulations?
Originally Posted: Tuesday, January 20th, 2015
Do Foreign Companies Have To Follow FTC COPPA Rules? (Yes!)
Can the U.S. Federal Trade Commission fine foreign websites and apps for not following state-side online marketing regulations? It sure can. Here’s the Internet marketing legal line: All commercial products and services available to U.S. citizens are subject to FTC regulations.
BabyBus COPPA Violations: Example of a Foreign Business Being Investigated By The FTC
Recently, Chinese app developer BabyBus Network Technology Co. (“BabyBus”) learned the answer to the question, “Do foreign companies have to follow FTC rules?” when the Asia-based developer got a Children’s Online Privacy Protection Act (COPPA) violation warning:
“Because you are collecting precise geolocation information, which is considered ‘personal information’ under the rule, you must provide notice and obtain verifiable parental consent before collecting, using, or disclosing this information. Your failure to do so appears to violate COPPA and its implementing rule.”
Exhibiting a bit of Internet law diplomacy, the Federal Trade Commission gave BabyBus a month to review its product to make necessary changes.
The next time someone answers “no,” to the question: “Do foreign companies have to follow FTC COPPA regulations,” set them straight using the BabyBus example.
What Are The Main Things To Remember About The Children’s Online Privacy Protection Act (COPPA)?
Without parental/guardian consent, it’s against regulations for commercial websites, apps, and platforms to collect personally identifiable information about people younger than 13.
There are specific COPPA rules regarding acceptable parental consent. For example, simply collecting a credit card number doesn’t meet standards. To make compliance easier, the FTC recently approved a program in which developers can submit their “parental consent gathering” apps for COPPA safe harbor certification. If the FTC accepts an app or platform for the program, said app or platform can be incorporated into websites and software. It’s akin to blogs using a program like “Disqus” as a commenting engine.
Even if minors aren’t your target demographic, if you have “actual knowledge” that they’re using your commercial site or software, platform or application, then you’re beholden to COPPA regulations. Your best bet is to consult an FTC marketing lawyer to make sure you’re in the legal clear.
What Does ‘Commercial’ Mean In Regards To The Children’s Online Privacy Protection Act?
Unsure if your website would legally be considered “commercial” by a court? Have an Internet lawyer look at it. You may not think your website is “commercial,” but a plugin or process may deem it so in the eyes of the Federal Trade Commission.
Get An FTC Marketing Audit
Do you run a commercial website or app that a child may use? Have you developed an app, platform or plugin that could be deployed on a commercial website that a kid might visit? If yes, then you should be aware of regulations laid out in the Children’s Online Privacy Protection Act. An FTC marketing lawyer can review your operation and let you know if your product or service is beholden to COPPA.