Whether Facebook will suffer legal consequences from its recent mishap is a different matter. In litigation arising out of an earlier breach, In re Facebook Inc. Consumer Privacy User Profile Litigation, No. 3:18-MD-02843 (N.D. Cal.), Facebook recently (Nov. 2) filed a motion to dismiss that raises a host of colorable defenses, including lack of cognizable injury, consent, and waiver.
The legal landscape, though, will soon be changing. California has passed a Consumer Privacy Act that goes into effect in 2020, and, while applicable only to California residents, it of course has to be taken seriously by data-collecting companies due to California's large population. The law (A.B. 375, codified at Title 1.81.5, Sec. 1798.100 ff.) provides that California consumers will have the right to request that a company delete their personal information, and personal information is broadly defined to include, among other items, geographic location, internet browsing history, and "inferences" that a company draws based on the consumer's information to create a profile of the consumer (Sec. 1798.140(o)(F), (G), (K)). The Act also requires that companies maintain "reasonable security procedures" (Sec. 1798.156(a)).
The most interesting -- and from an industry standpoint, threatening -- provision is the requirement that personal information be kept in a "readily usable format" that users can port to an alternative service provider (Sec. 1798.100(d)). Basically, the law requires a data-collecting company to share with direct competitors its means of organizing and exploiting consumer data. The portability requirement is therefore a threat to the business model because the proprietary data mining work that the company has accomplished on its users for its own commercial purposes -- i.e., for being able to target specific ads to specific users -- can end up in the hands of a competitor, which dilutes the competitive advantage of assembling such information in the first place.
There is also speculation that a California-type privacy law will be proposed in the new Congress, which would put even more pressure on the business model of data-collecting companies, although nothing concrete is on the table at the moment.