Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps

The National Law Review recently published an article, Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps, written by Daniel F. Gottlieb, Randall J. Ortman, and Heather Egan Sussman with McDermott Will & Emery:

On February 1, 2013, the Federal Trade Commission (FTC) released a report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency” (Report), which urges mobile device application (app) platforms and developers to improve the privacy policies for their apps to better inform consumers about their privacy practices.  This report follows other recent publications from the FTC concerning mobile apps—including “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” released December 2012 (December 2012 Report), and “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing,” released February 2012 (February 2012 Report)—and the adoption of the amended Children’s Online Privacy Protection Act (COPPA) Rule on December 19, 2012.  (See “FTC Updates Rule for Children’s Online Privacy Protection” for more information regarding the recent COPPA amendments.)

Among other things, the Report offers recommendations to key stakeholders in the mobile device application marketplace, particularly operating system providers (e.g., Apple and Microsoft), application developers, advertising networks and related trade associations.  Such recommendations reflect the FTC’s enforcement and policy experience with mobile applications and public comment on the matter; however, where the Report goes beyond existing legal requirements, “it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.”  Nevertheless, such key stakeholders should take the FTC’s recommendations into account when determining how they will collect, use and transfer personal information about consumers and preparing privacy policies to describe their information practices because they reflect the FTC’s expectations under its consumer protection authorities.

At a minimum, operating system providers and application developers should review their existing privacy policies and make revisions, as necessary, to comply with the recommendations included within the Report.  However, all key stakeholders should consider the implications of recommendations specific to their industry segment, as summarized below.

Operating System Providers

Characterized within the Report as “gatekeepers to the app marketplace,” the FTC states that operating system providers have the “greatest ability to effectuate change with respect to improving mobile privacy disclosures.”  Operating system providers, which create and maintain the platform upon which mobile apps run, promulgate rules that app developers must follow in order to access the platform and facilitate interactions between developers and consumers.  Given their prominent role within the app marketplace, it is not surprising that the FTC directs numerous recommendations toward operating system providers, including:

  • Just-In-Time Disclosures.  The Report urges operating system providers to display just-in-time disclosures to consumers and obtain express, opt-in (rather than implied) consent before allowing apps to access sensitive information like geolocation (i.e., the real world physical location of a mobile device), and other information that consumers may find sensitive, such as contacts, photos, calendar entries or recorded audio or video.  Thus, operating system providers and mobile app developers should carefully consider the types of personal information practices that require an opt-in rather than mere use of the app to evidence consent.
  • Privacy Dashboard.  The Report suggests that operating system providers should consider developing a privacy “dashboard” that would centralize privacy settings for various apps to allow consumers to easily review the types of information accessed by the apps they have downloaded.  The “dashboard” model would enable consumers to determine which apps have access to different types of information about the consumer or the consumer’s device and to revisit the choices they initially made about the apps.
  • Icons.  The Report notes that operating system providers currently use status icons for a variety of purposes, such as indicating when an app is accessing geolocation information.  The FTC suggests expansion of this practice to provide an icon that would indicate the transmission of personal information or other information more broadly.
  • Best Practices.  The Report recommends that operating system providers establish best practices for app developers.  For example, operating system providers can compel app developers to make privacy disclosures to consumers by restricting access to their platforms.
  • Review of Apps.  The Report suggests that operating system providers should also make clear disclosures to consumers about the extent to which they review apps developed for their platforms.  Such disclosures may include conditions for making apps available within the platform’s app marketplace and efforts to ensure continued compliance.
  • Do Not Track Mechanism.  The Report directs operating system providers to consider offering a “Do Not Track” (DNT) mechanism, which would provide consumers with the option to prevent tracking by advertising networks or other third parties as they use apps on their mobile devices.  This approach allows consumers to make a single election, rather than case-by-case decisions for each app.

App Developers

Although some practices may be imposed upon app developers by operating system providers, as discussed above, app developers can take several steps to adopt the FTC’s recommendations, including:

  • Privacy Policies.  The FTC encourages all app developers to have a privacy policy, and to include reference to such policy when submitting apps to an operating system provider.
  • Just-In-Time Disclosures.  As with the recommendations for operating system providers, the Report suggests that app developers provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information.
  • Coordination with Advertising Networks.  The FTC argues for improved coordination and communication between app developers and advertising networks and other third parties that provide certain functions, such as data analytics, to ensure app developers have an adequate understanding of the software they are incorporating into their apps and can accurately describe such software to consumers.
  • Participation in Trade Associations.  The Report urges app developers to participate in trade associations and other industry organizations, particularly in the development of self-regulatory programs addressing privacy in mobile apps.

Advertising Networks and Other Third Parties

By specifically including advertising networks and other third parties in the Report, the FTC recognizes that cooperation with such networks and parties is necessary to achieve the recommendations outlined for operating system providers and app developers.  The recommendations for advertising networks and other third parties include:

  • Coordination with App Developers.  The Report calls upon advertising networks and other third parties to communicate with app developers to enable such developers to provide accurate disclosures to consumers.
  • DNT Mechanism.  Consistent with its recommendations for operating system providers, the FTC suggests that advertising networks and other third parties work with operating system providers to implement a DNT mechanism.

Trade Associations

The FTC states that trade associations can facilitate standardized privacy disclosures.  The Report makes the following recommendations for trade associations:

  • Icons.  Trade associations can work with operating system providers to develop standardized icons to indicate the transmission of personal information and other data.
  • Badges.  Similar to icons, the Report suggests that trade associations consider developing “badges” or other visual cues used to convey information about a particular app’s data practices.
  • Privacy Policies.  Finally, the FTC suggests that trade associations are uniquely positioned to explore other opportunities to standardize privacy policies across the mobile app industry.

Children and Mobile Apps

Commenting on progress between the February 2012 Report and December 2012 Report, both of which relied on a survey of 400 mobile apps targeted at children, the FTC stated that “little or no progress has been made” in increasing transparency in the mobile app industry with regard to privacy practices specific to children.  The December 2012 Report suggests that very few mobile apps targeted to children include basic information about the app’s privacy practices and interactive features, including the type of data collected, the purpose of the collection and whether third parties have access to such data:

  • Privacy Disclosures.  According to the December 2012 Report, approximately 20 percent of the mobile apps reviewed disclosed any privacy-related information prior to the download process and the same proportion provided access to a privacy disclosure after downloading the app.  Among those mobile apps, the December 2012 Report characterizes their disclosures as lengthy, difficult to read or lacking basic detail, such as the specific types of information collected.
  • Information Collection and Sharing Practices.  The December 2012 Report notes that 59 percent of the mobile apps transmitted some information to the app developer or to a third party.  Unique device identifiers were the most frequently transmitted data point, which the December 2012 Report cites as problematic, suggesting that such identifiers are routinely used to create user “profiles,” which may track consumers across multiple mobile apps.
  • Disclosure Practices Regarding Interactive App Features.  The FTC reports that nearly half of the apps that stated they did not include advertising actually contained advertising, including ads targeted to a mature audience.  Similarly, the December 2012 Report notes that approximately 9 percent of the mobile apps reviewed disclosed that they linked with social media applications; however, this number represented only half of the mobile apps that actually linked to social media applications.  Mobile app developers using a template privacy policy as a starting point for an app’s privacy policy should carefully tailor the template to reflect the developer’s actual privacy practices for the app.

Increased Enforcement

In addition to the reports discussed above and the revisions to the COPPA Rule, effective July 1, 2013, the FTC has also increased enforcement efforts relating to mobile app privacy.  On February 1, 2013, the FTC announced an agreement with Path Inc., operator of the Path social networking mobile app, to settle allegations that it deceived consumers by collecting personal information from their mobile device address books without their knowledge or consent.  Under the terms of the agreement, Path Inc. must establish a comprehensive privacy program, obtain independent privacy assessments every other year for the next 20 years and pay $800,000 in civil penalties specifically relating to alleged violations of the COPPA Rule.  In announcing the agreement, the FTC commented on its commitment to continued scrutiny of privacy practices within the mobile app industry, adding that “no matter what new technologies emerge, the [FTC] will continue to safeguard the privacy of Americans.”

Key Takeaways

App developers and other key stakeholders should consider the following next steps:

  • Review existing privacy policies to confirm they accurately describe current privacy practices for the particular app rather than merely following the developer’s preferred template privacy policy
  • Where practical, update actual privacy practices and privacy policies to be more in line with the FTC’s expectations for transparency and consumer choice, including use of opt-in rather than opt-out consent models
  • Revisit privacy practices in light of heightened FTC enforcement under COPPA and its other consumer protection authorities

© 2013 McDermott Will & Emery

Estate Planning with Digital Assets in Mind

“It’s ‘Bosco’!!”  Seinfeld fans will recall from “The Secret Code” episode that George Costanza created a good deal of chaos by being reluctant to share his secret code.  By the same token, failing to share the secret codes to your digital assets could put a wrench in your best laid estate plans.  This article will discuss various measures that you can implement to insure that your digital assets will pass in accordance with your desires.

Whether we like it or not, the world is changing at warp speed.  Paper statements for bank accounts and the like are going the way of the dodo bird.  Those dusty old books that used to gobble up shelf space can now be stored on a device that fits in the palm of your hand.  Same goes for the vinyl records you bought with money from mowing lawns.  And who would have ever thought that you’d be able to share pictures of your children or grandchildren with your friends and family by posting them on Facebook?

As the world becomes more and more digital, so too do the assets which comprise your estate.  Digital assets encompass a wide variety of items.  The website www.digitalestateresourse.com defines digital assets to include the following:

  1. “files stored on digital devices, including but not limited to, desktops, laptops, tablets, peripherals, storage devices, mobile telephones, smartphones, and any similar digital device which currently exist or may exist as technology develops; and
  2. e-mails received, e-mail accounts, digital music, digital photographs, digital videos, digital books, software licenses, social network accounts, file sharing accounts, financial accounts, banking accounts, tax preparation service accounts, online stores, affiliate programs, other online accounts, and similar digital items which currently exist or may exist as technology develops, regardless of the ownership of the physical device upon which the digital item is stored.”

Failing to properly catalogue your digital assets could have a variety of negative consequences.  By way of example, that rainy day savings account that you never told anyone about could go undetected by the executor of your estate; and those vacation photos which your family would so enjoy could be forever locked in a Shutterfly account.

So what needs to be done to insure that your digital assets are properly accounted for and that they go to their intended beneficiaries?  Taking the following steps will go a long way towards accomplishing your objectives: (1) keep a master list of your digital assets; (2) keep the master list current; (3) tell someone where you keep the master list; (4) determine whether your digital assets are transferable; and (5) consider making specific provisions for them in your Will.

(1) KEEPING A LIST.  The most important step in properly handling your digital assets is to create a master list of such assets.  I find Excel spreadsheets to be a helpful tool for creating and maintaining such lists.  For each of your digital assets, consider including the following information: (i) a description of the asset (e.g., TD Ameritrade Brokerage Account); (ii) where the asset is located (e.g., www.tdameritrade.com); (iii) any account number or user name associated with the asset; and (iv) any password that is necessary to gain access to the asset.

(2)  CURRENT INFORMATION.  Creating a list of digital assets without keeping the information current is about as useful as having an ashtray on a motorcycle.  It doesn’t do your executor any good to know that the brokerage account you opened in 2004 was with TD Ameritrade.  Rather, he really needs to know that you transferred the assets to Fidelity Investments in 2009 and that is where the assets are currently located.  Ideally you should update the master list every time you change the location of the assets, change a password or make a similar change.  Short of that, you should review your master list at least once every three months and after you have done so, make a notation to that effect on the master list.  Something such as “Current as of 12/1/12” would work nicely.

(3)  LOCATION OF THE LIST.  Creating and maintaining the master list does your heirs no good unless you share its location with someone you trust.  As a best practice, you should tell your executor where the master list is located and you should keep a copy of the master list with your other valuable papers and documents.

(4)  NOT ALL DIGITAL ASSETS ARE TRANSFERABLE.  Unless you are the one person in 10,000 who actually reads the user agreement when you establish an online account, you should revisit each user agreement for your online accounts to determine which of your digital assets are transferrable upon your death.  By way of example, not all airlines permit the transfer of frequent flyer miles upon the death of the account holder.  Upon making such a determination, you should update your master list accordingly.

(5)  SPECIFIC BEQUESTS OF DIGITAL ASSETS.  Now that your executor knows your digital assets exist, they should pass in accordance with your overall estate plan.  Without making specific provisions for your digital assets, they will pass pursuant to the residuary clause of your Will.  So, while it is not necessary to make specific bequests of your digital assets, as a practical matter it may be advisable to do so.  For example, I know that my wife would love to have the family photos stored on my laptop, but I can promise you that she has no interest in the Alex Cross novels I’ve purchased for my Kindle Fire or the Johnny Cash albums I’ve purchased for my iPhone.

Digital assets are often an overlooked component of even the most complicated estate plans.  However, with proper planning you can make sure that all of your digital assets are properly accounted for and that they pass according to your wishes.  To assess the current health of your estate plan, including a determination of whether your digital assets are properly accounted for, consider scheduling an appointment with your estate planning attorney.

© 2013 by McBrayer, McGinnis, Leslie & Kirkland, PLLC

Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them

Raymond Law Group LLC‘s Stephen G. Troiano recently had an article, Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them, featured in The National Law Review:

While companies are often focused on outsider risks such as breach of their systems through a stolen laptop or hacking, often the biggest risk is from insiders themselves. Such problems of access management with existing employees, independent contractors and other persons are as much a threat to proprietary information as threats from outside sources.

In any industry dominated by two main players there will be intense competition for an advantage. Advanced Micro Devices and Nvidia dominate the graphics card market. They put out competing models of graphics cards at similar price points. When played by the rules, such competition is beneficial for both the industry and consumers.

AMD has sued four former employees for allegedly taking “sensitive” documents when they left to work for Nvidia. In its complaint, filed in the 1st Circuit District Court of Massachusetts, AMD claims this is “an extraordinary case of trade secret transfer/misappropriation and strategic employee solicitation.” Allegedly, forensically recovered data show that when the AMD employees left in July of 2012 they transferred thousands of files to external hard drives that they then took with them. Advanced Micro Devices, Inc. v. Feldstein et al, No. 4:2013cv40007 (1st Cir. 2013).

On January 14, 2013 the District Court of Massachusetts granted AMD’s ex-parte temporary restraining order finding AMD would suffer immediate and irreparable injury if the Court did not issue the TRO. The TRO required the AMD employees to immediately provide their computers and storage devices for forensic evaluation and to refrain from using or disclosing any AMD confidential information.

The employees did not have a non-compete contract. Instead the complaint is centered on an allegation of misappropriation of trade secrets. While both AMD and Nvidia are extremely competitive in the consumer discrete GPU market involving PC gaming enthusiasts, there are rumors that AMD managed to secure their hardware to be placed in both forthcoming next-generation consoles, Sony PlayStation 4 and Microsoft Xbox 720. AMD’s TRO and ultimate goal of the suit may therefore be to preclude any of their proprietary technology from being used by its former employees to assist Nvidia in the future.

The law does protect companies and individuals such as AMD from having their trade secrets misappropriated. The AMD case has only recently been filed and therefore it is unclear what the response from the employees will be. What is clear is how fast AMD was able to move to deal with such a potential insider threat. Companies need to be aware of who has access to what data and for how long. Therefore, in the event of a breach, whether internal or external, companies can move quickly to isolate and identify the breach and take steps such as litigation to ensure their proprietary information is protected.

© 2013 by Raymond Law Group LLC

Italian Data Protection Authority’s Guide on Cloud Computing

The National Law Review recently published an article, Italian Data Protection Authority’s Guide on Cloud Computing, written by Martino Sforza of McDermott Will & Emery:

 

The Italian Data Protection Authority (DPA) has published a guide on cloud computing, “How to Protect Your Data Without Falling From a Cloud,” which contains useful recommendations on how to select and appoint cloud providers and vendors of data management and storage services. This is the first official guidance issued by the Italian DPA in response to the fast growing use of cloud services in Italy and it might be of particular interest to employers who outsource their data systems to cloud service providers. The guide offers an overview of the potential issues linked to the various types of cloud services, whether they are managed on public, private or hybrid clouds. Under Italian law, cloud providers are appointed as data processors while employers act as data controllers and will be liable for any wrongdoing committed by the data processors. Employers are therefore well advised to negotiate appropriate terms for the management of the “cloud-based” data and make sure that adequate technical and organizational measures are in place in order to avoid possible loss or unauthorized disclosure.

Click here to read the full guide on the Italian DPA website.

© 2012 McDermott Will & Emery

Cyber Attacks Hit Major Banks. Is Your Business Next?

Roy E. Hadley, Jr. and Joan L. Long of Barnes & Thornburg LLP recently had an article regarding Cyber Attacks published in The National Law Review:

Over the past week, several websites belonging to some of the largest banks in the country have been hacked in what experts are calling one of the “biggest cyber attacks they’ve ever seen.” As this CNN Money article points out, the websites “have all suffered day-long slowdowns and been sporadically unreachable for many customers.”

According to security experts, the “denial of service” attacks, which began on Sept. 19, are the largest ever recorded.

For all businesses, denial of service attacks are a growing and more menacing threat.  Your customers can’t access your website and can’t buy your goods and services. This can be catastrophic to your company. So the question remains: What have you done to protect your business?

The CNN Money article can be read in its entirety by clicking on the link below.

CNN Money – “Major banks hit with biggest cyberattacks in history”

© 2012 BARNES & THORNBURG LLP

AntiSec Hackers Strike Again

An article by Cynthia J. Larose of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding AntiSec Hackers was recently published in The National Law Review:

 

AntiSec – the hacker group that is the “merger” of Anonymous and Lulzsec – claims to have obtained the unique device identifiers (UDIDs) from 12 million Apple iPhone and iPad users by breaching an FBI computer, and have published more than 1 million of them.

Details of the hack can be found at ZDNet, Slate and The Washington Post. According to the hackers, the alleged hack was intended to publicize the existence of some kind of secret FBI tracking project, also raising an embarrassing question of security for the FBI.

If you want to check whether your Apple UDID was in the compromised file, The NextWeb has developed a nifty quick check tool that you can see here.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

New York Enhances Employee and Consumer Privacy Rights Under its Social Security Number Protection Law

Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession.  (Click here for our summary of the law).  Now, New York is going one step further with its passage of two new Social Security Number Protection laws.

First a note: as of November 12, 2012, §399-dd – the original Social Security Protection Law – will be re-codified as new §399-ddd, and it will also add the statutory language of the first of these two new laws, which prohibits employers from hiring inmates for any job that would provide them with access to social security numbers of other individuals.

The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security numbers while also adding similar protections for consumers.  This law prohibits companies from requiring employees and consumers to disclose their social security numbers or to refuse any service, privilege or right to the employee or customer for refusing to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer.  This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number.  It is unclear whether this law will prove effective in accomplishing its objectives.

First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections.  Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law require them to institute certain safeguards to protect against the number’s disclosure.  And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from utilizing an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.

Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter, and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.  Further, there is no private right of action, and only the Attorney General can enforce the law.

Governor Cuomo signed the acts into law on August 14, 2012.  The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012.  Now if he would only sign the recently passed wage deduction law.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

FTC Proposes New Rules on Children’s Online Privacy Issues

Michelle Cohen of Ifrah Law recently had an article regarding Children’s Online Privacy published in The National Law Review:

On August 1, 2012, the Federal Trade Commission announced that it is issuing a Supplemental Notice of Proposed Rulemaking to modify certain of its rules under the Children’s Online Privacy Protection Act (COPPA). Industry has been waiting on FTC action regarding COPPA, as the agency previously undertook a COPPA rulemaking in September 2011 and proposed modifying certain COPPA rules to account for changes in technology, particularly mobile technology.

The FTC received over 350 comments during that time. After reviewing those comments, the FTC has decided to propose certain additional changes to its COPPA rule definitions.

In summary, COPPA gives parents control over the information websites can collect from their kids. It applies to websites designed for children under 13 – or those that have reason to know they are collecting information from a child. It requires a specific privacy notice and that consent be obtained from parents in many circumstances before children’s information may be collected and/or used.

The FTC has proposed several changes that are of interest. Some are meant to “tighten” the COPPA rule, others are meant to provide some additional flexibility to operators.

  • The proposed change would make clear that an operator that chooses to integrate the services of third parties that collect personal information from visitors (like ad networks or plug-ins) would itself be considered a covered “operator” under the Rule.
  • The FTC is also proposing to allow websites with mixed audiences (e.g., parents and over 13) to age-screen visitors to provide COPPA’s protections only to those under 13. However, kid-directed sites or services that knowingly target under-13s as their primary audience or whose overall content is likely to attract kids under that age could not use that method.
  • Also, the FTC has proposed modifying the definition of what constitutes “personal information” relating to children to make it clear that a persistent identifier falls within that definition if it can be used to recognize a user over time or across different sites or services. The FTC is considering whether activities like site maintenance and analysis, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual ads, and protecting against fraud and theft should not be considered the collection of “personal information” as long as what’s collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.

Comments on the FTC’s proposed rule changes are due by September 10, 2012.

© 2012 Ifrah PLLC

Illinois Employers Beware: New Law Prohibits Employers from Seeking Social Media Password Information

The National Law Review recently published an article regarding Social Media Passwords and Illinois Employers written by Norma W. Zeitler of Barnes & Thornburg LLP:

Employers in Illinois will be prohibited from seeking social networking password information from employees and applicants starting Jan. 1, 2013, now that Illinois Governor Pat Quinn has signed into law Public Act 097-0875, which is an amendment to the Right to Privacy in the Workplace Act, 820 ILCS 55/10.

As we previously reported, the legislation makes it unlawful for an employer to require an employee or applicant to disclose passwords or other related social networking account information in order for the employer to access information that might otherwise be considered private by the employee or applicant. However, employers are not barred from accessing information that is in the public domain.

Illinois becomes the second state, after Maryland, to enact such a law, according to a press release from Governor Quinn’s office announcing that he signed the legislation into law on August 1. The new law does not limit an employer’s right to promulgate and maintain otherwise lawful workplace policies regarding the use of the employer’s computer equipment, Internet use, social networking site use, and electronic mail use.

Illinois employers should consider reviewing existing policies and practices with an eye toward ensuring compliance with this new law.

© 2012 BARNES & THORNBURG LLP

LinkedIn Password Theft Results in Class Action Lawsuit: Privacy and Security Law Matters

The National Law Review recently published an article by Kevin M. McGinty of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding The Recent Hacking of LinkedIn:

Nearly as predictable as the sun coming up in the morning, the recent theft of 6.5 million LinkedIn user passwords has resulted in the filing of a class action lawsuit in a California federal court.  In her complaint, a LinkedIn premium subscriber asserts claims on behalf of all LinkedIn users for breach of implied and express contractual obligations, negligence and violation of California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200.

Although the attack affected the passwords of just over 5% of LinkedIn’s approximately 120 million users, plaintiff purports to assert claims on behalf of all LinkedIn users.  Although plaintiff alleges classwide damages in excess of $5,000,000 (the jurisdictional threshold for federal court jurisdiction over the state law claims advanced in the complaint) it is unclear what damages plaintiff alleges that the class actually sustained by reason of merely losing passwords.  Some commentators have hypothesized that the propensity to use a single password for multiple online accounts could result in losses where non-LinkedIn accounts are accessed using an individual’s LinkedIn password.

Proving that such losses have occurred, however, would require highly individualized showings that would likely preclude adjudicating plaintiff’s claims as a class action.  Even less clear is what conceivable damages were allegedly sustained by LinkedIn users whose passwords were not stolen.  Thus, as with most privacy class actions, damages issues appear to pose the greatest obstacle to the success of the claims against LinkedIn.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.