A
precedent for Clearview?
LinkedIn
Appeals Important CFAA Ruling Regarding Scraping Public Info Just As
Concerns Raised About Clearview
Last
fall we were happy to see the 9th Circuit rule
against LinkedIn in
its CFAA case against HiQ. If you don't recall, the CFAA is the
"anti-hacking" law that has been widely abused over the
years to try to shut down perfectly reasonable activity. At issue is
whether "scraping" information violates a terms of service,
and thus, the CFAA. A few years back, the same court ruled
in favor of Facebook against
Power Ventures, saying that even though Power's users gave
permission to
Power and handed over their login credentials, Power was violating
the CFAA in scraping Facebook, because the information was behind a
registration wall -- and because Facebook had sent a
cease-and-desist.
In
the HiQ case, despite what seemed to be a similar fact pattern, the
court ruled against LinkedIn, saying it could not block HiQ's
scraping via a CFAA claim, with the main "difference" being
that LinkedIn information
was publicly viewable, and therefore should be open to scraping.
… Of
course, one thing that's notable since the 9th Circuit ruling came
down -- all of the attention that Clearview AI has received over the
last few months, for its frightening facial recognition app, built of
of scraping "public" social media images and profiles.
This use of scraping has convinced some -- even some who seemed to
support the HiQ ruling -- that perhaps there should be limits on
scraping. I think that's a kneejerk reaction, and focusing in too
narrowly on the wrong issue. The issue there is not with scraping,
but with the specific use of the data as an attack on privacy going
well beyond the internet itself (i.e., tracking and identifying
people out in the real world). It's one thing to focus on that
issue, as opposed to saying that's an argument against free scraping.
A
good ‘bad example?’
Sunshine
Behavioral Health Group Faces Class Action Under CCPA After Data
Breach Affecting 3,500 Patients
Linn
F. Freedman of Robinson & Cole LLP writes
that
Sunshine Behavioral Health Group is facing a potential class action
lawsuit. The case is Fuentes
v. Sunshine Behavioral Health Group LLC and
it was filed this week in the Central District of California. The
case is drawing some attention because it it one
of the first suits to be filed under California’s new Consumer
Privacy Act
(CCPA). As Freedman explains, if the plaintiff can show he was
injured and the injury was due to the defendant violating the law,
the plaintiff might survive a motion to dismiss.
The
plaintiff, Hector Fuentes, claims that since the data breach, which
the complaint alleges began on March 1, 2017:
someone has attempted to fraudulently open a credit card in Mr. Fuentes’ name. Since the Data Breach, Mr. Fuentes has begun receiving magazine subscriptions in his name that he did not purchase and receiving invoices for those magazine subscriptions. Since learning of the Data Breach, Mr. Fuentes has become worried that he will become a victim of identity theft or other fraud which is causing him stress and anxiety. Since learning of the Data Breach, Mr. Fuentes has spent in excess of 10 hours of his own time trying to make sure he has not and does not become victimized because of the Data Breach.
So
Fuentes is alleging damages, and claims that the damages were due to
Sunshine not having adequate security in place, despite having been
put on notice by federal law enforcement and HHS about the risk of
hacks. As Freedman notes, however, it is not clear from the
complaint whether Fuentes provided 30 days notice to Sunshine to
implement security measures before he filed suit seeking to require
them to implement security measures.
But
there also appear to be other problems with the plaintiff’s
complaint.
As
regular readers may recall, DataBreaches.net broke
the story of the data leak after
being tipped to it by a researcher. This site first notified
Sunshine of their leak on September 4, 2019 and followed up when they
did not take immediate action. The second phone call resulted in
them taking some steps to protect the data. But when Sunshine did
not disclose the breach by 60 days after this site notified them,
DataBreaches.net
went public about the leak and what this site found in the data.
This
site also reported the fact that in November, it notified Sunshine
again after realizing that their files were still available for
download without any login required if one had already noted the urls
for the files during the initial leak. Given that Sunshine
Behavioral Health deals with the treatment of alcohol and drug
addiction, its patient population and patient records are very
sensitive.
Was
the exposed data exfiltrated, as the Fuentes’s complaint alleges?
Certainly it must have been
exfiltrated by at least one party, as this site had been provided a
copy of the data by the whitehat researcher who had discovered the
leak. But how many other entities accessed, viewed,
and/or exfiltrated their data? Sunshine Behavioral Health did not
respond to inquiries by DataBreaches.net until their external counsel
got involved and contacted this site to inquire as to whether we
would destroy any data and certify that we had destroyed it. It was
only then that this site was able to get statements confirming that
Sunshine Behavioral Health had reported the incident to HHS/OCR and
to affected patients, but no other information was provided.
From
a quick skim of the complaint, it appears that a lot of the complaint
seems to be premised on treating this as a hacking case resulting
from the defendant’s’s negligence, but this wasn’t a hacking
case. Not to minimize the seriousness of a leak of sensitive
information, but this was a data leak or help yourself situation, and
the risk of becoming a fraud victim or identity theft victim from a
leak may not be the same as the risks of those outcomes from a hack
situation.
The
complaint also
raises the issue that Sunshine’s notification to patients was not
timely under either HIPAA or California’s Confidentiality of
Medical Information Act (CMIA). And also of concern to the
plaintiff, Sunshine allegedly did not offer those affected any fraud
insurance or mitigation for those who might become fraud victims.
According to the complaint, Sunshine (only) offered those affected 24
months of credit monitoring, which is not the same thing.
The
complaint is confusing in that regard, because Sunshine’s
notification on their website dated January 21 (well before the
complaint was filed), includes this statement:
If we have confirmed that your personal information was affected by the incident, we are offering MyIDCare protection through ID Experts for 24 months at no cost.
MyIDCare
does appear to include the kind of mitigation help the plaintiff is
asking for– identity
recovery and assistance and $1 million ID theft insurance.
Sunshine
Behavioral Health was asked if they wished to comment on the
litigation but did not respond at all by publication time.
Some
exemptions will become commonplace?
Privacy
Advocates and Businesses Take Issue With India’s New Data
Protection Law
India’s
long-awaited national data protection law, the Personal Data
Protection Bill, is under inspection by a joint parliamentary
committee. The bill has yet to be adopted as a law, and could
potentially change in form before it is, but at the moment looks to
become one of the world’s strongest pieces of legislation of this
nature. At least in terms of the way it regulates private companies;
privacy advocates are voicing opposition to the fact that it makes
broad exceptions for
government agencies, such that they would have essentially
unfettered access to personal data with little oversight. Private
companies are also objecting to the terms, which stipulate fines and
costs they feel are too high.
Nice
to know China is taking care of its US customers.
Chinese
billionaire Jack Ma to send 500K coronavirus test kits, 1 million
face masks to US
(Related)
It would be nice if our most famous (just ask him) billionaire also
did something useful. “I know more than the Google!”
Trump
says Google is building a site to help people find coronavirus tests
… messaging
from Alphabet reps, after President Donald Trump and others described
the effort at a White House press conference, stressed that the
project the company is working on is in its early stages and will
initially be offered to residents in and around San Francisco and
Silicon Valley.
At
the press conference, Trump said Google had “1,700 engineers
working on this right now.”
Anything
to get rid of my students find my students jobs!
Future-Proof
Your Career With This FREE Ebook
… In
this free copy of Career
Leap,
worth $16, Michelle Gibbings answers these questions, showing you
“what you need to know, how you need to change and how you can
prepare for the inevitable tides of change.”
This
free offer expires 24 March 2020.
