On September 5, the Federal Trade Commission published its first guide specifically with mobile app developers in mind. Entitled “Marketing Your Mobile App: Get It Right From the Start,” the guide is not legally binding, but it does set out guidelines to help mobile app developers comply with truth-in-advertising and privacy laws. In particular, the guide lays out seven principles for complying with federal data privacy requirements under statutes like the Graham-Leach-Bileley Act, the Fair Credit Reporting Act, the Child Online Privacy Protection Act, and the Federal Trade Commission Act. Click here for the press release and a link to the guide.
Tag: data security
Narrow Loss
A civil CFAA claim for damages requires damage to computers, systems, or data — Schatzki v. Weiser Capital Mgmt, LLC, 2012 WL 2568973 (S.D.N.Y. July 3, 2012)
As I said in a previous post, we are seeing more activity dealing with the Computer Fraud and Abuse Act (CFAA). The CFAA is both a criminal and civil statute. The CFAA imposes criminal penalties on someone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” or “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.” A civil claim is available if, in addition to establishing the elements of a criminal violation, the plaintiff can show “damage or loss” as a result of the violation. The damage or loss must be at least $5,000.00.
Schatzki is the latest case to read the terms “damage” and “loss” narrowly. The defendants in the case allegedly obtained information from plaintiff’s computer systems without authorization and trafficked in computer passwords. This access enabled the defendants to obtain valuable private and confidential information about the plaintiff’s clients, the plaintiffs said. As a result, the plaintiffs had to hire consultants and incur legal fees.
The court said that the plaintiffs did not show the required “damage” or “loss,” and here’s why. The plaintiffs failed to allege that the defendants’ access to the computer system damaged the data accessed or the system itself, or that the costs to recover the system/data exceeded $5,000. The court also would not allow the plaintiffs to base their CFAA claim on other kinds of damages like lost profits, invasion of privacy, trespass to personal property, or misappropriation of confidential data.
LegalTXT Lesson: Quantify your damages if you are bringing a civil claim under the CFAA. Also, remember that the CFAA is more in the nature of an anti-hacking statute than an anti-misappropriation statute. Attempts to seek damages under the CFAA on a theory that someone gained access to electronic information and used it for improper purposes might not go very far.
LinkedIn Sued
LinkedIn announced on June 6 that it experienced a data breach compromising the passwords of some of its members. Ten days later, LinkedIn got hit with a class action lawsuit. The lawsuit was filed in a California federal district court. You can read the complaint here.
A few key points about the lawsuit:
- The plaintiffs consist of two classes — (1) anyone in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) anyone in class #1 who paid for a premium account.
- The lawsuit alleges that LinkedIn did not comply with industry standard encryption protocols, contrary to its Privacy Policy. Specifically, the plaintiffs contend that LinkedIn stored member passwords in “unsalted SHA1 hashed format.”
- In simple terms, adding “salt” to a password means assigning random values to a password to make it more difficult to decipher. For example, if the password were “JohnDoe,” you could salt it by adding the characters “5a6b7c,” giving you “JohnDoe5a6b7c.”
- Hashing refers to the process of running a password into a cryptographic function to convert it into an unreadable and encrypted format. The plaintiffs say that LinkedIn used an outdated hashing function that was first published by the NSA in 1995.
- The plaintiffs say that LinkedIn should have at least salted the passwords before running them through the hash function. Better yet, LinkedIn should have salted the passwords, input them into the hash function, salt the resulting hash value, and then run the hash value through a hash function. Then, LinkedIn should have stored the fully encrypted password on a separate and secure server apart from all other user information.
- The lawsuit brings claims based on California’s unfair competition law, California’s Consumers Legal Remedies Act, breach of contract, breach of implied covenant of good faith and fair dealing, breach of implied contract, and negligence.
- The plaintiffs in the first class (all LinkedIn users) say they were in the form of loss of value in their personal information. (Whether the court will accept that damage theory is questionable.) Those in the second class (premium members who paid fees) say they were injured in the form of the fees they paid to LinkedIn for premium membership.