Articles Posted in Data Breach

Increasingly, divorcing spouses are using data breach and privacy laws to sue each other in federal and state court.  This leads to “spillover” litigation, as the divorce proceeding spills over into another separate action.  Divorce lawyers would be well served to familiarize themselves and their clients with applicable data breach law.

The case of LaRocca v. LaRocca, 2014 WL 5040720 (E.D. La. Sept. 29, 2014) illustrated this trend in the context of claims under the Electronic Communications Privacy Act (“ECPA”).  This law prohibits unauthorized access to emails, among other things.  In the LaRocca case, Eloisa LaRocca accused her former husband of doing just that in order to gain an upper hand in the divorce.  The ex-husband moved for summary judgment on the grounds that she had no expectation of privacy.  The court denied summary judgment, ruling that once LaRocca filed for divorce, her emails were off limits and that she had a reasonable expectation that they would not be reviewed by her soon-to-be ex-husband.


2014 was an interesting year in data breach litigation in California at both the federal and state level.  As is always the case in data breach cases, the requirement of a cognizable harm or “standing” took center stage.  At the state level, data breach defendants scored a huge victory in the case of Sutter Health v. Superior Court.  In contrast, at the federal level, data breach plaintiffs scored big in the case of In re Adobe.

Sutter Health involved the increasingly common situation of a computer stolen from a hospital.  The computer contained millions of patient health records.  Patients filed a class action alleging violations of the Confidentiality of Medical Information Act (“CMIA”).  The Act prohibits the disclosure of patient records and provides for statutory damages of $1,000 per breach.  Doing the math, Sutter’s liability added up to $4 billion of exposure.  The trial court denied Sutter’s demurrer, resulting in an immediate appeal.


As a follow-up to my previous post, I now want to get into a liability analysis relating to the type of claims Sony could advance against media companies.  Though not addressed in the letter itself, liability is highly questionable because of robust First Amendment defenses that may be deployed by publishers in this case.  Sony and its executives could deploy a couple of conceivable legal claims in their fight against publishers.  First, there could be claims for violations of California’s Uniform Trade Secrets Act.  This Act ascribes liability to parties that disclose trade secret information.  This requires that the disclosed Sony information actually constitute a trade secret.  In California, data can qualify as a trade secret if it derives economic value by virtue of not being generally known to the public.  Secondly, the owner of the trade secrets, in this case Sony, must have maintained reasonable efforts to keep the data secret.

Sony would likely have major difficulty qualifying much of the released data as trade secrets.  Thus far, the published data does not contain information that derives independent economic value by virtue of being a secret.  Much of the reported disclosed data is in the category of industry gossip and insults.  Similarly, data such as executive salaries lacks economic value.  Movie release date information and production expenses like actor salaries and profit participation likely would hold economic value by virtue of its secrecy.  However, Sony’s knowingly deficient data protection efforts may ensure that it fails to satisfy the element of reasonable efforts to maintain secrecy.  As a trade secrets litigator, I think Sony would be fighting an uphill battle on such claims.


After serving as an industry punching bag for the last month, Sony recently decided to punch back regarding its recent data breach and attendant publicity surrounding the incident.  The method chosen by Sony was to hire one of the country’s best-known and most expensive lawyers to send an aggressive cease and desist letter to various media companies reporting on the incident.  David Boies became famous by, among other things, representing Al Gore in the 2000 election case.  Among his media company targets, many internet companies such as Twitter feature prominently.  This is not surprising given the SOPA battles waged between Silicon Valley tech companies like Google and old guard Hollywood and its mouthpiece, the MPAA.

This action by Sony raises three questions.  First, as a practical matter, is the letter a wise strategic decision?  Second, is the letter effectively drafted to accomplish Sony’s strategic goals?  Third, do digital media publishers face a legitimate risk of liability if they do not comply with the letter’s demands?  For the last question, First Amendment doctrine plays a prominent role.

As a digital media attorney, I think the letter was probably a wise strategic decision in concept.  An offensive response was long overdue given that Sony’s brand has been so badly damaged because of its handling of employee private data.  Sony had to take some action to protect employee data beyond the formality of providing a data breach notice.  California law, like that of forty-six other states, requires prompt notice to victims of a data breach regarding disclosure of personally identifiable information.  See California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a).
