Privacy & Information Security Law Blog

On April 26, 2011, Sony Computer Entertainment America (“Sony”) disclosed an information security breach that may affect up to 77 million consumers.  On Sony’s PlayStation blog, Patrick Seybold, Senior Director of Corporate Communications and Social Media, wrote that an unauthorized person intruded into Sony’s PlayStation Network and Qriocity streaming music and video service between April 17 and April 19, 2011, and may have obtained users’ names, addresses, email address, birthdates, passwords and logins.  Mr. Seybold wrote that “out of an abundance of caution” Sony was advising its users that their credit card information also may have been obtained.  The blog post also noted that Sony is taking steps to address the breach, which include (1) turning off PlayStation Network and Qriocity services, (2) engaging an external security firm to investigate the incident, and (3) enhancing information security and strengthening its network infrastructure.  Sony further advised users to “review your account statements and to monitor your credit reports,” and provided the contact information for the three major credit bureaus in the United States.

On April 11, 2011, the United States District Court for the Northern District of California declined to dismiss four of the nine claims in a class action lawsuit filed against RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites.  The suit stems from a December 2009 security breach caused by an SQL injection flaw that resulted in the exposure of unencrypted user names and passwords of approximately 32 million RockYou users.  RockYou subsequently fixed the error and acknowledged in a public statement that “one or more individuals had illegally breached its databases” and that “at the time of the breach, the hacked database had not been up to date with industry standard security protocols.”  After receiving notification of the security breach from RockYou in mid-December, on December 28, 2009, a RockYou user who had signed up for a photo-sharing application filed a complaint seeking injunctive relief and damages for himself and on behalf of all other similarly-situated individuals.

As reported in BNA’s Privacy Law Watch, on March 29, 2011, South Korea’s president approved the Act on the Protection of Personal Data.  This comprehensive privacy law will require nearly all businesses and government agencies to provide data breach protection, mandate the use of privacy assessments before establishing certain new databases, and establish a right to file class actions in court over alleged violations of the law.  The implementing rules will be worked out before the law is due to take effect on September 30, 2011.  South Korea first attempted to enact a comprehensive privacy law in 2004; however, for the past seven years, omnibus privacy bills sponsored by the government and lawmakers have stalled in Parliament.

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

An employer who allegedly posted to an employee’s Facebook and Twitter accounts without her consent may face liability for its actions, according to a federal judge in Illinois.  The case is Maremont v. Susan Fredman Design Group, Ltd., in the U.S. District Court for the Northern District of Illinois (2011 U.S. Dist. LEXIS 26441, March 15, 2011).

The Plaintiff, Jill E. Maremont, worked as the Director of Marketing, Public Relations and E-Commerce for an interior designer and her company, Susan Fredman and the Susan Fredman Design Group, Ltd. (Defendants).  Maremont contends she created a “popular personal following” on Facebook and Twitter, and she also created a company blog called “Designer Diaries: Tales from the Interior.”

On March 11, 2011, Virginia resident Peter Comstock filed a class action complaint against Netflix, Inc. in the United States District Court for the Northern District of California.  According to the complaint, Netflix “tracks its users’ viewing habits with respect to both videos watched over the Internet...and physical movies ordered through the Internet and watched at home,” while encouraging “subscribers to rank the videos they watch.”  The complaint alleges that Netflix’s practice of maintaining customer movie rental history and recommendations, “long after subscribers cancel their Netflix subscription,” violates the federal Video Privacy Protection Act (“VPPA”), and California’s Customer Records Act and Unfair Competition Law.  In addition, the complaint alleges that Netflix’s failure to properly store user information and its sale of customer data to third parties led to its unjust enrichment and a breach of its fiduciary duty.  Comstock and the putative class are seeking both an injunction to stop Netflix’s current practices and monetary damages.

In late December 2010, consumers filed two class action lawsuits against Apple Inc., claiming that several applications they downloaded from Apple’s App Store sent their personal information to third parties without their consent.  Specifically, the consumers claim that Apple allowed third party advertising networks to follow user activity through the Unique Device Identifiers that Apple assigns each device that downloads applications.  The complaint, filed in the U.S. District Court for the Northern District of California, also named several application developers such as Pandora and The Weather Channel as co-defendants.

On August 18, 2010, a complaint was filed in the U.S. District Court for the Central District of California, alleging that Specific Media, Inc. violated the Computer Fraud and Abuse Act, as well as state privacy and computer security laws, by failing to provide adequate notice regarding its online tracking practices.  The suit, brought by six web users, seeks class action status and over $5 million in damages, and cites Specific Media’s use of Flash cookies to re-create deleted browser cookies as one of the offending practices.

A class action complaint filed on December 9, 2009, in Illinois federal court alleges that WideOpen West, Finance, LLC ("WOW"), an Internet service provider, violated its users' privacy by "installing spyware devices on its broadband networks."  Valentine v. WideOpen West (N.D. Ill., No. 1:09-cv-07653).  This action against WOW follows the October 6, 2009, dismissal by a district court in California of similar claims against six out-of-state ISP defendants (including WOW) filed in November 2008 by the same lead plaintiff.  The court in Valentine v. NebuAd, Inc. et al. (N.D. Cal., No. 3:08-cv-05113) found that the ISP defendants were not subject to personal jurisdiction in California, leaving the now-defunct NebuAd as the only defendant in that case.  Plaintiff Valentine has now brought this action against WOW in the Northern District of Illinois.

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).

A recent federal court decision offers a detailed analysis of several theories of liability for violations of a privacy policy.  Pinero v. Jackson Hewitt Tax Service Inc., No. 08-3535, 2009 WL 43098 (E.D. La. January 7, 2009). 

Plaintiff Pinero visited Jackson Hewitt Tax Service in Louisiana to have her tax returns prepared.  During her visit, she provided Jackson Hewitt with confidential information such as her Social Security number, date of birth and driver’s license number.  Pinero signed Jackson Hewitt’s privacy policy, which stated that Jackson Hewitt had policies and procedures in place, including physical, electronic, and procedural safeguards, to protect customers' private information.  Pinero alleged that she relied on this statement in her decision to turn over her information.

A California state Court of Appeal has ruled that a California law barring merchants from collecting “personal identification information” in connection with certain credit card transactions does not prohibit the collection of a five-digit ZIP Code alone. Party City Corp. v. Superior Court of San Diego County, No. D053530, 2008 WL 5264023 (Cal. Ct. App. Dec. 19, 2008).