Don’t store users’ passwords in cleartext. Really.

It’s not a good idea. Also, it may be deemed a ‘knowing violation’ of the EU General Data Protection Regulation (GDPR) requirement to adequately protect personal data.

That is one key takeaway from the GDPR enforcement action by the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg, Germany (LfDI), against a social media company, after a data breach that affected 800,000 users.
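To make the first takeaway concrete, here is an added example of what a password store should look like instead. It is not code from the LfDI decision or from the company involved; it uses only the Python standard library (hashlib.scrypt, which needs OpenSSL 1.1 or later). The scrypt cost parameters, the record format, the helper names and the sample user table are assumptions chosen for illustration.

```python
"""Salted, memory-hard password storage with the Python standard library.

Added example for this page, not code from the LfDI decision or the breached
company. The cost parameters, record format and sample table are assumptions:
tune the cost to your own hardware and raise it over time.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed cost parameters: memory per hash is about 128 * N * r bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32
MAXMEM = 64 * 1024 * 1024  # scrypt raises ValueError rather than exceed this


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None, n: int = SCRYPT_N) -> str:
    """Return a self-describing record: $scrypt$N$r$p$salt$key (base64, unpadded).

    A fresh random salt per password means two users with the same password get
    different records and a stolen table cannot be attacked with one rainbow table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=MAXMEM, dklen=KEY_BYTES)
    return f"$scrypt${n}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time.

    Anything malformed (a cleartext row, a foreign scheme, bad parameters, an
    empty key) is a refusal, never an accept.
    """
    try:
        _, scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        salt, expected = _unb64(salt_b64), _unb64(key_b64)
        if scheme != "scrypt" or len(salt) < 8 or len(expected) < 16:
            return False
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=int(n),
                                r=int(r), p=int(p), maxmem=MAXMEM, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True for cleartext or foreign-scheme rows, or a cost below today's setting."""
    parts = record.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return True
    try:
        n, r, p = (int(x) for x in parts[2:5])
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def migrate_cleartext(users: Dict[str, str]) -> int:
    """Hash every cleartext row in place right now; returns the number migrated.

    With cleartext you already have the passwords, so there is no reason to wait
    for each user's next login before the cleartext leaves the store.
    """
    migrated = 0
    for username, record in list(users.items()):
        if not record.startswith("$scrypt$"):
            users[username] = hash_password(record)
            migrated += 1
    return migrated


# Verified against for unknown usernames so a lookup miss costs the same time.
DUMMY_RECORD = hash_password("unused", salt=b"\x00" * SALT_BYTES)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check a login and transparently raise the cost of an outdated record."""
    record = users.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    ok = verify_password(password, record)  # a still-cleartext row fails here
    if ok and needs_rehash(record):
        users[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample table: what a cleartext store looks like before migration.
    table = {"alice": "correct horse battery staple", "bob": "hunter2"}
    print("migrated rows:", migrate_cleartext(table))
    print("alice, right password:", login(table, "alice", "correct horse battery staple"))
    print("alice, wrong password:", login(table, "alice", "hunter3"))
    print("unknown user:", login(table, "mallory", "anything"))
```

Two design points matter beyond "hash it": the record carries its own parameters, so the cost can be raised later and old rows upgraded on the next successful login, and a cleartext table is migrated in one pass rather than left in place until users happen to return.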

Other takeaways from the enforcement action include:

  • contact your data protection authority (DPA) directly and quickly after a breach
  • inform users immediately and comprehensively about the breach
  • cooperate with your DPA
  • improve your IT security after a breach, even if this requires a significant monetary investment (a six-figure sum in this case).

Because of these mitigating factors, the company received a relatively low fine of €20,000.

“As a DPA it is not important for the LfDI to compete for the highest possible fines. What counts in the end is the improvement of data protection and data security for the users concerned.” – says the head of the LfDI, Stefan Brink.

The IAPP has more on the decision.

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech eco-system, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals: the EU put Apple’s proposed acquisition of Shazam on hold pending an in-depth investigation into possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

Copyright: argus456 / 123RF Stock Photo

Fox Rothschild partner Scott L. Vernick was quoted in The New York Times article, “Hacking Victims Deserve Empathy, Not Ridicule.” Full text can be found in the September 2, 2015, issue, but a synopsis is below.

While some data breach victims may face only minor frustrations – changing a password or getting a new credit card – it is a different story for the more than 30 million Ashley Madison users who had their accounts for the infidelity website compromised.

Many of the victims of this latest massive data breach have been plunged into despair, fearing they could lose jobs and families, and expecting to be humiliated among friends and colleagues.

“It’s easy to be snarky about Ashley Madison, but just because it’s unpopular or even immoral, it doesn’t mean this sort of activity shouldn’t be protected,” said Scott L. Vernick, a noted privacy attorney. “This gets at fundamental issues like freedom of speech and freedom of association – today it’s Ashley Madison, tomorrow it could be some other group that deserves protection.”

According to a press release issued yesterday, November 29, 2011, by the Federal Trade Commission, Facebook settled charges that it “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”

The complaint (PDF link) lists a litany of bad practices by Facebook. One allegation that stands out, largely because of the media firestorm that it created at the time, was Facebook’s change in privacy settings to users’ accounts in December 2009. The foregoing settings change was, in the FTC’s opinion, particularly egregious because Facebook undertook the changes without any notice or consent from users.

Another allegation that stands out, again both because of the media firestorm and the falsehood, was Facebook’s assertion that information from deactivated user accounts would not be accessible.

And what grueling punishment must Facebook endure for its privacy-related bad acts? According to Jon Leibowitz, Chairman of the FTC, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users." Rough justice.

In all seriousness, there is some substance to the settlement. Facebook must not make any further deceptive privacy claims. Facebook must also get consumers’ approval before it changes the way it shares their data. Finally, Facebook must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Frankly, the foregoing requirements on Facebook are all steps that a company like Facebook, if not substantially all companies handling consumer personal information, should be undertaking.

Specifically, under the proposed settlement, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

The proposed settlement is not yet final. It will be open to public comment for thirty days, ending on December 30, 2011, and its terms will be published in the Federal Register shortly. After the close of the comment period, the FTC will decide whether to make the proposed consent order final.

Interested in submitting your comments to the FTC? According to the press release: Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Boing Boing has an excellent how-to located here on how to opt out of being included in LinkedIn’s social media advertising. Briefly, LinkedIn assumes that you consent to LinkedIn’s use of your image in the advertising of its sponsors’ products. If you recommend your CPA firm, and your CPA firm purchases advertising on LinkedIn, your photo may appear in that advertising.

This approach may be fine in certain cases. However, besides just the general creepiness of it, employers should be aware that it creates a potential association between your company (not just the individual) and that third party. I can imagine a scenario where a company is suing its former CPA firm and an advertisement appears with the Controller’s image in a LinkedIn advertisement for the same CPA firm.

If your company’s social media policy allows employees to participate in LinkedIn and other social media sites, consider whether the policy needs an update to require opting-out of this social media advertising.

I have written about the problems arising when jurors post comments on Facebook and other social networking sites during a trial. Now a survey from Reuters Legal reveals some troubling statistics regarding the extent of the problem. According to the survey, since 1999, at least 90 verdicts have been challenged due to internet-related juror conduct, with at least half of those challenges occurring in the past two years. Courts granted new trials or overturned verdicts in 28 of the cases, and in the majority of the cases where a court did not declare a mistrial, it nonetheless found internet-related misconduct on the part of jurors.

While courts and attorneys struggle with the best ways to prevent and curb jurors from researching legal issues online or commenting on active trials, others suggest that it’s unrealistic to do so when so many people can’t seem to get through their day without posting something on Facebook. As usage of social networking sites continues to explode, and shows no sign of slowing down, these issues will continue to plague the judicial system for years to come.

With the ever-growing popularity of social networking sites, and with so many employees exercising poor judgment online, it’s easy to understand why employers are concerned about the messages and images that their employees are disseminating on these websites.

For employers, the costs are real: Poor choices by their employees can bring with it not only bad publicity but the loss of confidential information and the risk that the employer and employee will be sued by a third party for a wide range of legal claims, including defamation, invasion of privacy, negligence, discrimination, false light publicity, public disclosure of private facts, infliction of emotional distress and violations of state and federal data breach laws.

Employees seem to comprehend the potential effect of their online rants. According to the 2009 Deloitte Ethics and Workplace Survey, 74 percent of employees believe it is easy to damage a company’s reputation on social media sites. Yet many conduct themselves as if they have a right to do so. Fifty-three percent of the employees surveyed believe that an employee’s social networking page is not their employer’s business, and nearly one third said they never consider what their boss would think before posting material online.

Social media content is also becoming a new source of evidence in employment cases. Employers view such material as a unique way to identify false statements employees make in these cases.  Employees, however, often view their employer’s interest in such content as an invasion of their privacy.

These divergent viewpoints are creating new tensions in the workplace and new issues for the courts to address.  I have written an article in the New Jersey Law Journal this week discussing these issues and trends.   To view the article, click this link.



As more courthouses offer wireless Internet access, trial attorneys and those assisting them now have the ability to hop on the internet during jury selection and check out the potential jurors in front of them. Legal Productivity has an interesting article offering tips for trial lawyers on using information on jurors’ social networking sites to disqualify jurors. As the author points out, a juror’s posts and tweets on Facebook and Twitter, for example, can provide attorneys with a wealth of real-time information that may help them knock out bad juror candidates.

However, those attorneys who don’t come to court with laptops or smartphones may not appreciate their adversary’s ability to quickly get this information and may challenge their right to do so. That was an argument raised by defense counsel in Carino v. Muenzen, a recent medical malpractice case from New Jersey. Before the trial, the New Jersey court sent out a press release advising that the court now offered wireless Internet access to “maximize productivity for attorneys” and other court users. Taking advantage of that access, the plaintiff’s counsel searched the Internet for information about potential jurors during jury selection. Defense counsel objected, and the trial judge directed the plaintiff’s counsel to close his laptop. Since plaintiff’s counsel had not told defense counsel before the trial that he intended to use his laptop for this purpose, the trial judge believed that plaintiff’s counsel had an unfair advantage during jury selection.


Plaintiff’s counsel appealed, and the appellate court reversed the trial court’s ruling. Its rationale? Because the court had announced the availability of wireless Internet access in the courthouse before trial, and there was no state court rule requiring a lawyer to notify the court or an adversary about the use of the Internet at trial, the appellate court found that plaintiff’s counsel did not have an unfair advantage during jury selection.


Lessons learned: First, when trial is approaching, check whether the court offers wireless Internet access as well as any rules regarding jury selection and trial computer use.  If it’s permitted, search away!

Despite explicit instructions from judges to jurors that they are not to comment about a case or do outside research, here’s the latest example of jurors posting comments on Facebook during a trial.   In this instance, the conviction of a teenager for rape hangs in the balance. Lawyers for the defense seek to subpoena the jury foreperson’s Facebook records to determine if the jurors had outside information that influenced their decision to convict the teen.

We just wrote about the recent privacy SNAFU by Facebook and other mega-social media sites that was reported on by the Wall Street Journal. If you want to hear some really smart people, plus me, talk about the issue, you should check out this brief podcast.

Description:    According to a Wall Street Journal investigation, many of the public’s favorite Facebook applications like Farmville, Texas HoldEm Poker and FrontierVille, are allegedly sharing users’ personal information with third-party advertisers and Internet tracking companies.  Attorneys and co-hosts Bob Ambrogi and J. Craig Williams  welcome Kimberley Isbell, a Fellow at the Berkman Center for Internet and Society and Mark G. McCreary from the firm Fox Rothschild LLP, to discuss this matter.  They look at the potential impact of this privacy breach, the legal issues and how this breach could affect the business of Facebook.
