Facebook Law: Consequences of Hacking Into Another Person’s Account
Originally Posted: Monday, September 28th, 2015
You wake up one day, power on your phone, and BOOM! Life exploded overnight. An enemy successfully hacked your Facebook account and sent outrageous emails to your friends and family — emails which appear to be coming from you!
Nightmare, right? And one that a woman named “Steph” (not real name) says she endured at the hands of her former paramour.
In response to the incident, Steph filed a lawsuit, but the court dismissed the claim because the statute of limitations had expired. Recently, though, an appeals panel reversed the lower court’s decision; Steph can now move forward with her online defamation case.
The lawsuit is significant because it could further define the scope of the Computer Fraud and Abuse Act. In non-legal terms, the case is important because it highlights the very real – and very damaging – consequences of seeking “digital revenge” against a person or business rival.
Example Incident: Ex-Lover Allegedly Hacks Facebook Account & Sends Messages
One day, in the not so distant past, a woman named “Steph” suddenly couldn’t access her email and social media accounts. The logins just weren’t working. Frustrated, she enlisted an attorney to investigate the issue. And guess what: the lawyer found a treasure trove of potential illegality, in the form of emails sent from the account during the time Steph was locked out.
At first, Steph believed the culprit to be her ex-lover’s wife and filed a lawsuit against the woman. But it turned out that the wife was innocent; instead, the alleged culprit was Steph’s former paramour, who allegedly confessed.
Lower Court Tossed Facebook Law Case
A lower court initially tossed the case, claiming Steph waited too long to bring charges. But a three-judge appeals bench disagreed, in part, with the lower court’s decision, ruling that even though the statute of limitations had expired for the email account claims, Steph could move forward with the Facebook ones.
Why the discrepancy between the two courts? The appeals judges considered the persistent realities of present-day digital life.
Judges Starting To Consider Digital Culture In Social Media Rulings
In the initial ruling, the court – for lack of a better term – considered Steph’s online accounts as one entity. But the appeals court wisely reasoned that people no longer have a single email address or account; between Facebook, Twitter, Instagram, your favorite blog, news portals – you name it – the average person has upwards of 15 to 25 different digital accounts.
Since Steph hadn’t discovered her hacked Facebook till 2012, the statute of limitations for the Computer Fraud and Abuse Act and the Stored Communications Act had yet to expire.
Potential Consequences of Hacking, Defaming or Otherwise Misappropriating
Although it’s tempting and oh-so-easy (the keyboard is right there!), seeking digital revenge by either a) hacking into another person’s online accounts or b) pretending to be someone else on the Internet is a monumentally stupid idea. These acts aren’t only a violation of the Computer Fraud and Abuse Act, but breaches of an inordinate number of state impersonation, privacy, and Internet law statutes. If Steph wins, her former flame could, in theory, go to jail. He could also find himself in bankruptcy court on account of massive fines.
All because of a little churlish social media tomfoolery.
Even If You Don’t Hack, Legal Consequences Abound
Let’s say you buy a URL that features someone’s name. Then you take it upon yourself to litter said website with lies; the person whose name you co-opted could successfully sue for online defamation or false light invasion of privacy.
An Online Alias May Not Protect You From Being Found
What about anonymous online reputation attacks, you ask? An online alias isn’t an invisibility cloak. All that’s required to denude an anonymous defamer is a court order compelling an ISP to hand over identifying information. If a judge believes that a plaintiff has a shot at winning their case, there’s a good chance they’ll issue a court order.
“What about a VPN to hide your IP?” Also discoverable.
When faced with the taste for revenge, the best thing to do is step AFK and engage in something you enjoy. Zen out, because that one “muwahahahahaha” could, in theory, land you on Skid Row – or behind bars.
Neumeister, L. (2015, August 4). Woman can go ahead with lawsuit alleging Facebook defamation. Retrieved September 28, 2015, from http://finance.yahoo.com/news/woman-ahead-lawsuit-alleging-facebook-203809655.html
Ashley Madison Hack: Can People Sue?
Originally Posted: Wednesday, August 26th, 2015
Online purveyor of pro-paramour lifestyles, AshleyMadison.com, encouraged users to “have an affair,” because “life is short.” Well, the company’s lifespan may now be in jeopardy thanks to a possible litigation tsunami heading its way.
Who can exposed Ashley Madison users sue? The website or the hackers? What can “victims” legally claim? What are the chances of Ashley Madison successfully defending themselves? Will the business survive a litigation onslaught?
Let’s deconstruct the scandal and possible legal aftermaths.
The AshleyMadison.com Hacking Scandal Basics
What is AshleyMadison.com?
From its website: “Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair…With Our affair guarantee package we guarantee you will find the perfect affair partner.”
Who owns AshleyMadison.com?
Avid Life Media (“ALM”), a Canadian company that also operates websites called Cougar Life and Established Men.
Who hacked the site and when?
An ostensibly ethical hacking collective known as the Impact Team claimed responsibility for the breach. Impact Team announced its coup mid-July; at that time, it made demands of ALM, offering a month-long compliance window. ALM didn’t comply with the demands, so Impact Team leaked the data mid-August.
What reason did Impact Team give for its act of hacktivism?
Impact Team targeted two of Avid Life’s properties. Excerpts from its public statement regarding the hack:
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
How did Avid Life Media respond to the initial hack?
The company behind Ashley Madison did not comply with Impact Team’s initial requests. Instead, ALM told users it had augmented security on the site. When the initial data dump hit, ALM speculated that the information wasn’t real. After its forensic team had explored the matter, however, the company acknowledged the breach.
What information did Impact Team eventually release?
Via two giant data dumps, initially only accessible with a Tor browser, Impact Team divulged around 32 million accounts. Some accounts are bogus; some are legit. Currently, most people aren’t paying much attention to email addresses not attached to payment accounts. And even for accounts that do include credit card info, there is no guarantee that the card holder’s identity wasn’t hijacked.
We should note that Impact Team didn’t release full credit card information, only the last four digits.
Did Impact Team explain why it eventually released the data?
Yes. According to Impact Team:
We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data … Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters. …
“Too bad for ALM, you promised secrecy but didn’t deliver.”
Impact Team also urged the exposed to “make amends” and added that even though it is “embarrassing now,” Ashleymadison.com users will “get over it.”
Did Ashleymadison.com make any effort to secure user data?
Yes. The site hashed stored passwords with PHP’s bcrypt implementation, which digital security specialists consider an acceptable method. However, as Robert Graham, CEO of Erratasec, explained, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.”
Avid Life’s Statement About The Data Revelation
“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of Ashleymadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the company said in a statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
Two Important Things to Consider About the AshleyMadison.com Hack That Could Impact Potential Legal Actions Stemming From the Incident
Fake Accounts: Countless Ashley Madison accounts are fake and created by bots.
No Verification Required: AshleyMadison.com doesn’t require email verification to create an account. As such, an innocent person’s address could have landed in the data scrum if:
The email address is publicly available online, and a bot picked it up in an automated profile creation scrape;
Someone else used the email of an enemy – or friend – to set up an Ashley Madison account;
A reporter or investigator set up an account to get a peek behind the curtain for research purposes.
Legitimate accounts are most likely attached to credit card information – like reality TV’s Josh Duggar’s account.
Ashley Madison Hack: What Can People Sue Over?
According to statements issued by the collective, one of the main reasons Impact Team targeted Avid Life Media’s sites was the company’s paid security option.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life.”
Which raises a question: Can “hack victims” (i.e., Ashley Madison users) successfully sue Ashley Madison and Avid Life Media? It’s an insanely complicated question.
An ocean’s worth of individual details would factor into the fitness of any potential claim. That said, let’s take a look at some potential types of lawsuits that could be brought, then deconstruct the likelihood of success.
Hypothetical Ashley Madison Lawsuit Category: Defamation / False Light Invasion of Privacy
Can Ashley Madison users sue the website for defamation or false light invasion of privacy – a tort very similar to defamation which is on the law books in some states? On a scale from one to ten, the chances are about a .5. Why? Two reasons:
Though there are rare exceptions (like in Massachusetts), “truth” is a rock-solid defense against slander and libel claims. And in the case of the Ashley Madison hack, Impact Team covered its proverbial “butt” by pointing out that not all of the accounts are necessarily real.
Due to Section 230 of the Communications Decency Act, Internet service providers and certain social media platforms enjoy a considerable amount of third-party defamation immunity protection.
Now let’s look at some hypothetical scenarios.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Ashleymadison.com / ALM
Again, the likelihood of an individual user successfully suing Avid Life Media for defamation is between slim and none. Under U.S. law, to win a defamation claim, plaintiffs must prove that the defendants made false statements of fact. In this case, though Impact Team hacked and leaked data, neither AshleyMadison.com nor its employees made false statements of fact about users.
Intention also plays a primary part in state-side slander and libel suits. In this case, Ashley Madison executives didn’t act with actual malice, nor did they act with reckless disregard for the truth.
HOWEVER, Ashleymadison.com’s website featured verbiage that promised a premium account option – an option that included information “deletion.” This program could be the basis of a solid breach of contract claim, which we’ll get to below.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Impact Team
As with ALM, it’s unlikely that individual users can bring successful defamation lawsuits against the Impact Team. Firstly, the collective didn’t spread lies; it leaked information. Even in instances where an automated bot scraped an email address from the Web and added it to Ashley Madison’s database, the hackers, in theory, should be immune from libel liability. Why? Because in the collective’s release statement, Impact Team admitted that a large chunk of the user data was most likely false. The team even highlighted an ongoing class action, over fake profiles, against ALM.
Hypothetical Ashley Madison Lawsuit Category: Individual User v. Individual Online Shame Spreader
Theoretically, one type of Ashley Madison defamation lawsuit that has a shot at success is between an individual whose information was falsely leaked and a person who publicly makes assertions based on the presence of that false information. Huh? This scenario is best explained in an example.
Example of a Potentially Successful Ashley Madison Defamation Lawsuit
John and James are co-workers and rivals for a job position. Turns out that John’s email address was among those leaked in the Ashley Madison data breach. John, however, has never used Ashley Madison and is happily married. His email landed in the website’s records on account of a bot that scraped the Web for addresses to make fake profiles – a subversive online marketing technique. In fact, John had no idea his email was even in the leak.
Now let’s cut to James, John’s work rival. He searches through the Ashley Madison data dump and comes across John’s email. Teeming with schadenfreude, James immediately takes to Twitter and scolds:
“John Doe is an adulterous CHEATER! He’s slept with the entire office and probably has a disease!!”
A tweet like this could be deemed defamatory (or at least false light). For starters, James makes a false statement of fact by asserting that John is a cheater and has a disease. Arguably, this is a reckless statement because the Impact Team explained the probability of false-positive accounts and highlighted the ongoing lawsuit involving fake profiles. Moreover, James extrapolated an entire story based on one piece of information.
There is no guarantee that John would win our hypothetical case, but of all the possible Ashley Madison defamation conflicts, a scenario like his has the best chance of success. But again, all online libel lawsuits depend on the details of the case, so it’s best to speak with an attorney about specifics.
Hypothetical Ashley Madison Lawsuit Category: Data Breach / Online Privacy
Hypothetical Ashley Madison Lawsuit Category: Individual U.S. User v. Ashleymadison.com / ALM
“Ashley Madison users can surely sue for violations of online privacy, right?”
Believe it or not, the United States doesn’t have a universal online privacy law. California’s online privacy statute comes the closest, but as of this writing, it doesn’t appear that ALM has violated it. After all, the company did take steps to secure passwords; the hackers were just smarter.
And though ALM at first questioned the validity of the data, the company did “fess up” in an appropriate amount of time. Moreover, ALM is working with law enforcement officials to find the culprits — all of which is in accordance with California’s – and other states’ – online privacy laws.
Of course, there may be extenuating circumstances that affect the validity of any given AshleyMadison.com User v. ALM online privacy lawsuit.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual E.U. User v. AshleyMadison.com / ALM
Though European Union online privacy laws are stricter than those in the United States, the probability of a successful Internet privacy claim in an E.U. court is as low as it is state-side, mostly because the overseas digital privacy laws have more to do with acknowledging certain types of tracking than with punishing instances of data breaches.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual User v. Impact Team
Can individual users sue Impact Team for invasion of privacy? Highly doubtful. Again, the word “privacy” isn’t even in the U.S. Constitution, and Capitol Hill has yet to pass a universal online privacy law.
Besides, finding the members of Impact Team is probably a longshot.
Hypothetical Ashley Madison Lawsuit Category: Breach of Contract
Hypothetical Ashley Madison Breach of Contract Lawsuit: Individual User v. AshleyMadison.com / ALM
“Breach of contract” lawsuits – or a breach of contract class action – may be the legal straw that breaks Avid Life Media’s back.
As a pay option, AshleyMadison.com offered members a deletion service for $19.99. And as the world now knows, it looks as if those promised deletions never happened.
Even if ALM included some tricky language in its terms about “deletion” not really meaning “deletion,” the company could still be in trouble. How? Because the language used to promote the service led the average user to believe that his or her data would be expunged completely; that was the conspicuous message.
Besides, the law, in many ways, no longer allows for “fine print” gotcha clauses, which are buried behind hyperlinks, in agate-font text. Hiding important information like that is considered underhanded and judges ordinarily don’t grant absolution for those types of tactics.
Other Possible Lawsuits: False Advertising and Fraud
In addition to breach of contract, it’s possible that the government may sue for false advertising – on account of the $19.99 deletion promise. Others will argue that it was fraud to take the money and then not fulfill the promise made. Whether or not either of these types of actions will be pursued or successful, time will tell.
Can ALM Sue Impact Team For The Hack?
Another possible Ashley Madison hack lawsuit that, theoretically, has a chance of success? ALM v. Impact Team.
The Computer Fraud and Abuse Act is the main hacking law in the United States. And it’s controversial. Some people feel the penalties are way too steep, and that the law only serves to over-punish the “little guy” instead of the true masterminds who know how to properly cover their tracks.
Even if law enforcement agents were to unearth members of the Impact Team, it’s doubtful that ALM would prevail in the end…or that the case would even see a courtroom.
Make Sure Your Legal House Is In Order
The fallout of this Ashley Madison scandal will be long in the making. And if any claims do arise, like a Phoenix out of a murky legal quagmire, rest assured that it will take years to litigate.
In the meantime, if you run a business and have an e-tail presence, be sure you’re up-to-date with the latest online privacy and data breach laws and standards.
Estes, A. (2015, August 19). The Ashley Madison Hackers Just Released a Ton of Stolen Data [Updated]. Retrieved August 25, 2015, from http://gizmodo.com/the-ashley-madison-hackers-just-released-all-of-their-s-1724920693
Ragan, S. (2015, August 18). Ashley Madison hackers publish compromised records. Retrieved August 25, 2015, from http://www.csoonline.com/article/2973036/vulnerabilities/ashley-madison-hackers-publish-compromised-records.html
Doctorow, C. (2015, August 20). Ashley Madison commits copyfraud in desperate bid to suppress news of its titanic leak. Retrieved August 25, 2015, from https://boingboing.net/2015/08/20/ashley-madison-commits-copyfra.html
Kim, Z. (2015, August 18). Hackers Finally Post Stolen Ashley Madison Data. Retrieved August 25, 2015, from http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
FTC Favors Companies With Data Breach Contingency Plans
Originally Posted: Wednesday, July 15th, 2015
A couple of months ago, Mark Eichorn quietly published a significant post on the Federal Trade Commission’s blog. In it, he gives an overview of how the FTC approaches breach and data security investigations.
The post advises:
“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
In other words, when deciding on punitive measures in data security cases, the Federal Trade Commission is often more lenient with businesses that report breaches to the proper authorities promptly. Or, conversely, if you try to hide a data breach from authorities, and the FTC discovers your deception, the commissioners may – and are legally allowed to – dole out a larger fine.
Three Data Privacy Best Practices For SMBs
Have a “privacy officer” on speed dial. Privacy officers are usually attorneys; they’re the people businesses can call in the wake of a data breach to determine their legal responsibilities based on the nature of the data attack. Your privacy officer, depending on the information you provide, will let you know what you need to do to satisfy local, state, federal, and international data breach regulations. On occasion, contingent on the circumstances, you may not have to report the incident.
Don’t ignore security issues. Digital hacking is a serious reality. Laboring under the assumption that “it will never happen to you” or “only the big guys get hit” is erroneous. Implement certain data security measures at your office. Also, establish data security rules for employees – the most fundamental being that they’re forbidden from accessing files remotely without authorization and instruction.
Have data security, maintenance and breach procedures in place. Moreover, companies should make a habit of corporate-wide password changes at regular intervals. Additionally, like a fire drill, businesses should establish a data breach drill. Not only will it be helpful in the event of an attack, but being able to prove that you did take precautions may mitigate eventual punishments handed down by the FTC or other government agencies.
Consult A Data Breach Lawyer
Lawyers at Internet law firm Kelly Warner act as the privacy officers for several startups and businesses. We’d be happy to help you establish a data security and / or data breach program or procedure that satisfies all state, federal, and international regulations.
Media chatter suggests that the Federal Trade Commission has turned its gaze towards “native ads” – a.k.a., sponsored content. At an industry conference, FTC director Mary Engle outlined the agency’s core apprehension regarding native advertising. She explained:
“For us [the FTC], the concern is whether consumers recognize what they’re seeing is advertising or not.”
Is It Enough To Use A “Sponsored” Label?
A lot of websites demarcate promotional sections with a “Sponsored Stories” headline. Does that satisfy FTC guidelines? Not anymore.
Some marketers label native advertising in fine print. Think: sponsored (don’t worry, you’re not the only one who can’t read it). At the event, FTC’s Engle reminded attendees that the commission had won cases in which the word “advertorial” was so small the average person didn’t notice it.
If It Misleads, Your Business May Bleed
A journalism axiom instructs: “If it bleeds, it leads!” In other words, gory stories get front-page coverage. Call it “rubbernecking syndrome.” As a variation on the theme, native advertisers should remember: “If it misleads, a business may bleed!”
And remember: Advertisers, designers, and even marketers can all be held responsible in a “native advertising” sting.
Native Advertising and Marketing Audits: A Business’ Best Friend
U.S. brands courting overseas customers must adhere to both domestic and foreign advertising laws.
Are you positive you understand – and follow – every state, federal, and international marketing law, regulation, and guideline? Ask yourself:
Do you know how EU and UK privacy laws affect digital marketing campaigns?
Can You Be Prosecuted For “Inappropriate” Things You Say Online?
Originally Posted: Thursday, June 4th, 2015
Do you treat Google as a confessional or a digital counter spy? If someone stumbled upon your private searches, would they think: “Dear Authorities: I have convincing proof that the hybrid of Patrick Bateman and Omen Damien now walks among us. Can you get on that, quickly? K? Thanks. Signed, Everyone Ever.”
In our digital world, where is the line between “deviant fantasy” and “attempted criminality”? A post-modern meditation on free speech and individual freedom, HBO’s new documentary, Thought Crimes: The Case of the Cannibal Cop, forces each of us to consider our relationship with the swami search engine, Google. The film begs us to debate questions like:
Should online searches be a factor in harassment and other criminal cases?
Can you be prosecuted for things you say online?
Can you be prosecuted for things you say on a “fantasy forum”?
Is there a right answer?
Thought Crimes: The Case of the Cannibal Cop: A Summary
HBO (now also known as: high-brow Court TV) debuted another true crime documentary that will leave you disturbed for days. Entitled Thought Crimes: The Case of the Cannibal Cop, the film lures you into the world of Gilberto Valle, a cop-turned-convict whose “fantasies” veered in the yikes-omgwtf direction.
Bottom Line: Gilberto Valle was a New York State police officer who spent off-duty time trolling the darkest parts of the Web. Parts where men talked about kidnapping, raping, and then eating women. Yes, Valle was allegedly an active member of a purported online cannibal community.
When Online Talk Starts Getting Real
Eventually, Valle started chatting with another user; talk turned to taking their fantasies AFK. Around this time, Valle allegedly accessed a police database to gather personal information about a woman he mentioned in his “cannibal chat community.” Obviously, this was a big no-no.
Investigation & Arrest
In time, Valle’s wife uncovered his secret; she ran to authorities. Law enforcement investigated, unearthed Valle’s online cannibal activity, and discovered his questionable access of police records.
In 2013, police arrested Valle. A jury found him guilty of kidnapping conspiracy; he served a year behind bars; then, a judge overturned the guilty verdict.
Can You Be Prosecuted For Things You Say Online?
Sure, the film is a bit salacious, snarky, and sometimes cringe-worthy, but Thought Crimes is more than mindless true crime fodder. It’s a brain teaser that delves into the philosophical and legal quagmire stewed by the 21st century. Should online searches ever be admissible evidence? What level of criminal intention can a Google search legally convey?
Throughout the documentary, Valle’s mindset is poked and probed – by the filmmakers and us, the audience. The film juxtaposes his conversations about cannibalism with videos of him eating or cooking. We jump to conclusions, only to have those suppositions questioned a frame later. We waver between two poles: Were Valle’s actions simply, as he insists, an online-only “sick fantasy”? Or did the prosecutors have it right, and use next-level police work to stop a violent criminal before he took his “sick fantasies” to actual streets?
A Minority Report Warning?
In retrospect, perhaps the only message Thought Crimes makes clear is this:
Be careful what you search for online. Very careful. Because Philip K. Dick’s prescient Minority Report seems to be playing out right before our very eyes — and “PreCrime” seems to be a real thing.
Explained: The Arizona Data Breach Notification Law
Originally Posted: Wednesday, June 3rd, 2015
By the end of this post, you’ll understand Arizona’s “data breach notification law” and what you’re legally required to do in the wake of a hack, leak, or manual data breach. Ready to speak to a lawyer about your situation? Get in touch.
Arizona businesses – and websites accessible to Arizonians – are legally required to inform users and customers of data breaches. In this blog post, we’ll review § 44-7501 of the Arizona Revised Statutes – a.k.a., the Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions law. For brevity’s sake, we’ll call the regulation 44-7501.
What is “personal information” under the Arizona data breach notification law?
Arizona’s data security law only applies when personal information is compromised, which raises the question: What constitutes “personal information” under Arizona State law?
Answer: Any person’s first name or first initial and last name, coupled with:
A social security number;
Driver’s license or official ID information; or
Credit or debit card numbers, with password or security code data that could grant access to accounts.
Who must follow Arizona’s data breach law?
Any person, group, or business, operating within the State of Arizona, that owns, maintains or licenses unencrypted user data, must follow 44-7501. Examples include (but are not limited to):
Companies headquartered in Arizona;
Commercial websites that permit Arizona residents to access or interact with their sites; and
Large companies with offices or customers in Arizona.
Uncertain if Arizona’s data breach law applies to you? Consult with an Internet law attorney to find out.
What constitutes a “breach” under Arizona’s Data Breach Law?
Not all leaked or stolen information is a notification-triggering breach. For an incident to qualify, personal data (described above) must have been compromised – or fallen into unauthorized hands – and the potential must exist for user / consumer economic loss. Examples of possible breaches:
Loss of laptop, memory stick, computer or hard drive;
Employment misconduct with digital records and accidental emails;
The above examples aren’t the only models that require notification, but simply an overview of things that have previously been deemed breaches under Arizona law.
What is the general purpose of 44-7501 – Arizona’s Data Breach Notification Law?
Passed in 2006, 44-7501 outlines the required notification process in the event of an unauthorized data breach.
When are you required to launch a data security breach investigation?
Under Arizona’s data breach law, the moment business operators become aware of a potential security issue, they are obligated to launch a “prompt investigation.” If it’s discovered that you looked the other way when the signs pointed to a potential breach, you’ll be fined – heavily.
How long do companies have to notify the affected users / people?
If your investigation concludes that a third party could have gained access to records, you’re required, by law, to alert the affected parties:
“…in the most expedient manner possible and without unreasonable delay.”
What are allowable notification methods according to Arizona’s data breach notification rules?
If you’re responsible for alerting affected consumers about an Arizona data breach, acceptable contact methods include:
Email, only if the person has indicated email as their preferred contact medium.
If more than 100,000 people are affected by a breach, or if the cost of notification would exceed $50,000, businesses can use so-called “substitute notification methods,” which include:
Email (some restrictions apply; consult with an Internet lawyer about the details of your case.)
Conspicuous notification on company website; or
Notification to major, statewide media outlets.
Law enforcement agencies can delay notification if the incident affects a larger investigation.
What is the penalty for breaking Arizona’s data breach law?
What happens if you don’t comply with Arizona’s data breach law? A huge fine. Violators are responsible for actual damages caused by the ignored breach, plus $10,000 per breach.
Who is allowed to sue for violations of Arizona’s Data Breach Notification Law?
Only the Arizona Attorney General can bring breach notification violation charges against a defendant. Additionally, State law supersedes municipal and county laws addressing the issue. This would not, however, preclude private citizens from bringing causes of action for other claims.
Got Arizona Data Breach Notification Questions? We’ve Got Answers.
Social Media’s Stand Against Revenge Porn
Originally Posted: Thursday, April 16th, 2015
Twitter is taking a stand against “revenge porn.” Perhaps the “Fappening” drove them to change. Or maybe the social media platform is falling in line with legislators across the country who are eagerly passing laws that punish people who engage in the act.
From Denial to Action
Twitter’s stand against revenge porn comes after a leaked internal correspondence by CEO Dick Costolo made its way to the Internet. In it, Costolo admitted:
“we [Twitter] suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years.”
The Exact Twitter Revenge Porn Rule Change
So, how, exactly, did Twitter address the revenge porn problem on its platform? The site amended the “private information” and “abusive behavior” sections of its terms of service policy. Now, according to the TOS:
You may not post intimate photos or videos that were taken or distributed without the subject’s consent.
Yeah, But, Is Twitter’s New Anti-Revenge Porn Stance Really Going To Help?
If you’re a skeptic, you may be thinking, “So what. This is all just lip service. Nothing will change.” And you’re not alone. Many people think Twitter’s announcement was simply a PR effort that won’t result in change, because “banning” revenge porn on a social media platform would ultimately result in an everlasting game of whack-a-mole.
Facebook Is Also Making Noise About Indecency Issues
Twitter isn’t the only social media platform publicly addressing the revenge porn issue in recent months. Facebook has also made changes to its use policy to read:
“You may not post intimate photos or videos that were taken or distributed without the subject’s consent.”
The ‘threats and abuse’ section of Facebook’s terms now also reads:
“In addition, users may not post intimate photos or videos that were taken or distributed with the subject’s consent.”
Further Reading & Attorney Contact Information
To find out if your state has a specific revenge porn law, click here.
To set up a consultation with a lawyer that handles Internet law issues, click here.
List of California Online Privacy Laws
Originally Posted: Monday, February 9th, 2015
California rang in 2015 with a slew of new online privacy laws. If you run a commercial website – or otherwise collect personal data about users – there’s a good chance you’re beholden to California’s online privacy laws.
But why? You don’t operate out of California, right?
California’s online privacy laws aren’t only for websites and companies based in California. They apply to any and all commercial websites or apps available for use in California.
Below is a list of the Golden State’s latest digital privacy statutes. The state’s original online privacy law is still in effect, also. To speak with an Internet lawyer about an online privacy matter, head over here.
List of California Online Privacy Bills That Became Law In 2015
Privacy Rights for California Minors in the Digital World Senate Bill No. 568
Digitally marketing firearms, tobacco, or alcoholic beverages to California’s minors is no longer allowed. Neither is compiling personally identifiable information about people aged 17 and younger, nor enabling other people to do so. Think of SB 568 as “COPPA for teenagers.”
Data Breach Notification Amendments Assembly Bill No. 1710
Assembly Bill No. 1710 broadened the liability for data brokers holding information on California residents. Specifically, the new law requires data brokers to:
“…implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Patient Medical Breach Notification Period Extension Assembly Bill 1755
Most of the 2015 California online privacy laws tighten restrictions, but AB 1755 does the opposite. Known as the Medical Information Breach Notification Bill, it extended the notification grace period for patient data breaches from 5 to 15 days.
In addition, AB 1755 allows for email as an acceptable method of patient contact and notification. The law does stipulate, however, that email cannot be used unless the patient gives consent. https://legiscan.com/CA/text/AB1755/id/1038495
Pupil Records Privacy; 3rd-party contracts; digital storage services and digital educational software Assembly Bill No. 1584
Assembly Bill No. 1584 allows “educational agencies” (e.g., school districts, universities, etc.) to put both feet in the 21st century by granting leeway to contract cloud computing programs on a mass scale.
Pupil Records and Social Media Assembly Bill No. 1442
Another online privacy law protecting students, AB 1442 focuses on social media data. If school representatives collect information about students’ social media accounts, they’re not allowed to sell it, rent it or use it in an unauthorized manner. The law goes so far as to give “destruction instructions” for information inadvertently (or purposefully) collected.
Student Online Personal Information Protection Act Senate Bill No. 1177
Another student-focused online privacy law, Senate Bill No. 1177 addresses advertising in educational software. Essentially, the new law prohibits marketers from a) using in-app, targeted advertising and b) building student profiles using information gathered via platforms used in schools and other educational institutions. The law also calls for on-demand information deletion under certain circumstances.
Kelly / Warner attorneys intimately understand the parameters of both state and federal online privacy regulations. If you run a website in the U.S., there’s a significant chance you’re beholden to not only California online privacy laws – but foreign (yep, foreign) statutes, too. If you have an online business presence, get a privacy audit with an experienced Internet lawyer.
Do Foreign Companies Have To Follow FTC COPPA Regulations?
Originally Posted: Tuesday, January 20th, 2015
Do Foreign Companies Have To Follow FTC COPPA Rules? (Yes!)
Can the U.S. Federal Trade Commission fine foreign websites and apps for not following state-side online marketing regulations? It sure can. Here’s the Internet marketing legal line: All commercial products and services available to U.S. citizens are subject to FTC regulations.
BabyBus COPPA Violations: Example of a Foreign Business Being Investigated By The FTC
Recently, Chinese app developer BabyBus Network Technology Co. (“BabyBus”) learned the answer to the question, “Do foreign companies have to follow FTC rules?” when the Asia-based developer got a Children’s Online Privacy Protection Act (COPPA) violation warning:
“Because you are collecting precise geolocation information, which is considered ‘personal information’ under the rule, you must provide notice and obtain verifiable parental consent before collecting, using, or disclosing this information. Your failure to do so appears to violate COPPA and its implementing rule.”
Exhibiting a bit of Internet law diplomacy, the Federal Trade Commission gave BabyBus a month to review its product to make necessary changes.
The next time someone answers “no,” to the question: “Do foreign companies have to follow FTC COPPA regulations,” set them straight using the BabyBus example.
What Are The Main Things To Remember About The Children’s Online Privacy Protection Act (COPPA):
Without parental/guardian consent, it’s against regulations for commercial websites, apps, and platforms to collect personally identifiable information about people younger than 13.
There are specific COPPA rules regarding acceptable parental consent. For example, simply collecting a credit card number doesn’t meet standards. To make compliance easier, the FTC recently approved a program in which developers can submit their “parental consent gathering” apps for COPPA safe harbor certification. If the FTC accepts an app or platform for the program, said app or platform can be incorporated into websites and software. It’s akin to blogs using a program like “Disqus” as a commenting engine.
Even if minors aren’t your target demographic, if you have “actual knowledge” that they’re using your commercial site or software, platform or application, then you’re beholden to COPPA regulations. Your best bet is to consult an FTC marketing lawyer to make sure you’re in the legal clear.
What Does ‘Commercial’ Mean In Regards To The Children’s Online Privacy Protection Act?
Unsure if your website would legally be considered “commercial” by a court? Have an Internet lawyer look at it. You may not think your website is “commercial,” but a plugin or process may deem it so in the eyes of the Federal Trade Commission.
Get An FTC Marketing Audit
Do you run a commercial website or app that a child may use? Have you developed an app, platform or plugin that could be deployed on a commercial website that a kid might visit? If yes, then you should be aware of regulations laid out in the Children’s Online Privacy Protection Act. An FTC marketing lawyer can review your operation and let you know if your product or service is beholden to COPPA.
FTC Mobile Payment App Report: Disclose and Ask More Questions!
Originally Posted: Thursday, August 21st, 2014
The Federal Trade Commission has been earning its keep lately. Hearings, investigations and workshops, oh my! One of its latest efforts is a report and recommendations on mobile payment and coupon apps/plugins.
The commission’s two main conclusions:
Developers and app companies aren’t doing enough to alert consumers about the liabilities associated with payment apps; and
Consumers should stop using mobile payment apps that don’t feature clear and concise disclosures that appear before they download the program.
The FTC’s 2014 Review of Mobile Payment Apps and Plugins
The Federal Trade Commission concentrated on three categories of apps in both the Google Play and iTunes App stores:
Price comparison apps,
Deal and coupon redemption apps, and
Mobile payment apps.
What Did The FTC Consider?
Whether or not the app had pre-download disclosures on:
Procedures for fraudulent transactions,
Billing errors, and
Privacy Policies – Since multiple users can participate in group buys, FTC investigators examined associated privacy policies.
What Did The FTC Discover After Reviewing Mobile Payment Apps?
Most mobile payment apps didn’t feature pre-download disclosures about “issues that are important to consumers.”
After downloading the apps, investigators noticed that nearly all of the associated terms “placed all liability for unauthorized charges on the consumer.”
Nearly all of the reviewed apps had “strong security promises and linked to privacy policies.”
Most of the apps’ privacy policies used “vague language” and allowed for the collection and third-party use of consumer data.
What The FTC Wants Mobile Payment App Developers To Do Moving Forward; A New Mobile Payment App Law?
Create pre-download disclosures regarding “consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions.”
Clean up the language in privacy policies and use plain English to explain what data is collected and what is done with it.
“Companies should ensure that their strong data security promises translate into strong data security practices.”
What The FTC Wants Consumers To Do Regarding Mobile Payment Apps
Start “asking questions” about the mobile payment apps they use.
“Consumers should look for services that tell them upfront how the payment service works and what they can do if they encounter a problem. If the information is not available, consumers should consider taking steps to minimize their liability by choosing a different payment app or funding such payments with low-dollar amounts.”
So, there you have it folks, after months of researching, debating, analyzing, and then writing a 40-page report on the top 25 most downloaded mobile payment apps, the FTC says:
Do not try to cheat people! Follow the Dot Com Disclosures! Oh, and consumers, start asking more questions!
And this concludes our latest installment of “How the FTC Turns.”
Do you have a mobile payment app law question? Get in touch with all your questions. We have answers.
The top European Union court announced a landmark ruling furthering the discussion about “right to be forgotten” Internet laws. We’ll explain the meat of the ruling and explore how it could affect online defamation victims.
What Is The Best Way To Get Defamatory Material Removed From The Internet?
The best way to mitigate the effects of online defamation is to get the offending material removed from the Web. But, if you can’t expunge it completely, the second best option is getting libelous info erased from search engines. That way, if someone pumps your name or business into Google, Yahoo! or Bing, the reputation-damaging webpage won’t show up in the results.
How Easy Is It To Get Libelous Content Removed From Search Engine Indexes in the United States?
How easy is it to get defamatory content removed from search engines? It depends on the situation. It’s possible to get a court order compelling a search engine to remove material, but in order to do so, one must first prove defamation.
If your lawsuit is in the beginning stages, you can sometimes get a temporary restraining order compelling website operators to remove material during the course of litigation.
How Easy Is It To get Libelous Content Removed From Search Engine Indexes in the European Union?
The United States may enjoy enviable free speech rights, but EU online privacy laws are a lot stricter than ours.
In May 2014, the European Court of Justice announced a landmark search engine defamation ruling. In 1998, a man living in Spain suffered a reversal of fortune. But, over the past several years, he’s turned things around. Unfortunately, when you pump his name into Google, his 2–year-old blunders are still front and center.
The man’s woes, though, will soon be over, because the EU Court said Google must remove the information about his old financial troubles.
The Right to Be Forgotten v. The Right To Erasure
People on the “legal beat” are calling the new European online privacy stance “the right to be forgotten.” Officials in Europe, however, are taking it one step further and calling for a “right to erasure” law, which would allow individuals control over personal online information that is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.”
Will The EU Right To Be Forgotten Ruling Affect The U.S. Tech Industry?
The EU’s right to be forgotten ruling will cost search engines money – lots of it. Why? They’ll have to implement new procedures to comply with the legal standard, as well as hire a slew of attorneys to focus on related issues.
And there’s another concern: censorship. The Computer & Communications Industry Association, whose membership ranks include Facebook Inc., Yahoo, Google, and Microsoft, said about the EU right to be forgotten ruling:
“[It] opens the door to large scale private censorship in Europe,” adding that “our concern is it could also be misused by politicians or others with something to hide who could demand to have information taken down.”
Can U.S. Businesses ‘Take Advantage’ of the new EU Right To Be Forgotten?
Are you thinking, “I wonder if I, a U.S. citizen, can somehow make the new EU ruling work for me? There is some unsightly information about me on the Web, and I’d really like it gone.”
Unfortunately, the answer isn’t simple and depends on whether or not you have any ties to Europe.
If you’re curious if you qualify to take action under the new European “right to be forgotten” standard, contact Kelly / Warner. We’ve successfully handled countless online defamation removal cases. Let’s talk.
Get in touch today to learn more about your legal options regarding the right to be forgotten laws.
An Update On Revenge Porn Laws Across The Country & Abroad
Originally Posted: Wednesday, May 14th, 2014
Anti-revenge porn laws have gone viral. Most states in the union have a bill in the draft-to-ratification pipeline. Even Japan and Canada are crafting and passing revenge porn laws.
Quickly, Refresh My Memory, What Is Revenge Porn?
Revenge porn is the Internet law topic du jour. So, what is it? Basically, it describes the act of jilted ex-lovers posting intimate selfies of former paramours — without said paramours’ consent or knowledge.
In some instances, images or videos are used to humiliate or destroy professional reputations. In other instances, less stable – often dangerous – people use the threat of revenge porn to blackmail partners into continuing a bad relationship.
Is Revenge Porn Legal In The United States?
Last year, in response to the question: “Is revenge porn legal in the United States?” I would have said, “Yes.” But now, not so much. In just a few scant months, most states have, at the very least, begun drafting anti-revenge porn legislation. Some legislatures – like Arizona and California – have already passed bills criminalizing the act.
Prediction: Within two years, revenge porn will be illegal everywhere in the United States. Why commit? Bi-partisan support for revenge porn laws is unusually strong, and it provides politicians an easy way to “reach across the aisle.” Brass tacks, save for some arguably legitimate (albeit perhaps only theoretical) libertarian objections, revenge porn is an effective vehicle for politicians to garner support. And hey, why not. Anti-revenge-porn laws are a good thing, so long as they don’t inadvertently trample free speech rights.
Japan’s New Public Push For Revenge Porn Legislation
Last year, Japan’s National Police Agency reported approximately 300 cases involving explicit photos or videos of minors — a distressing 30 percent increase from 2012.
The significant increase in Japanese revenge porn cases has prompted legislators to draft a law criminalizing the act. The current political makeup of the Japanese Parliament, though, is not what one could call “copacetic,” and analysts predict it will take years to pass a bill that all parties can agree on. (Hmmmmmm, sound familiar?)
Junko Mihara, the current secretary-general of the Liberal Democratic Party, was asked to comment on the seriousness of these incidents. He explained that revenge porn is nothing less than “… sexual violence and an offense that could very well haunt its victims for the rest of their lives.”
The public face of Canada’s C-13 Act, or Protecting Canadians from Online Crime Act, is cyberbullying. Speculation is that the new law could be amended to cover revenge porn, too.
Bill C-13 has several distinct components. Aside from provisions dealing with cyber-sexual assault, the bill contains troubling privacy elements. It allows, for example, the police to request information about any person from any company or Internet service provider, without warrants or customer consent.
Advocates argue that C-13 is not the ideal way to combat cyber-bullying, but some think it’s the perfect revenge porn legal tool.
Speak With A Revenge Porn Lawyer
If you are dealing with a revenge porn situation and looking to take legal action, get in touch with Kelly / Warner Law.