When Did You Last Think About Your Privacy Policy? FTC And Class Action Plaintiffs Take Aim In Data Breach Actions

Author: Mr Michael Thurman, Michael Mallow and Leuan Jolly
Profession: Loeb & Loeb LLP

Headlines announcing data breaches that expose consumers' personal information to identity thieves now appear almost daily. Recent regulatory and consumer class actions filed on the heels of these breaches illustrate that while the risk of a cyberattack from outside the company is real, a more insidious danger may lurk within: the company's own privacy policy.

Both the Federal Trade Commission and private plaintiffs' class action attorneys have filed actions against companies that experienced data breaches, claiming that the companies' privacy policies misrepresented the adequacy of their security measures and that the defendants are liable for violating the terms of their own policies.

This tactic highlights the importance of the disclosures in the privacy policy and raises the question: "When was the last time you thought about your privacy policy?"

Many companies assemble their privacy policy in a somewhat disorderly fashion, usually in response to someone's recognition that "we need to have one." A company often copies, partially or completely, a privacy policy from another company's website (typically a competitor), and the policy may have little or nothing to do with the company's business and/or procedures.

As two recently filed lawsuits make clear, however, companies will be forced to live with the representations contained in their privacy policies when (not if) a data breach occurs.

In Szpyrka v. LinkedIn Corporation, in the Northern District of California, hackers allegedly compromised the company's security system, accessed the passwords of approximately 6.5 million users, and uploaded them to a hacking forum. Adding potential liability to reputational injury, the California plaintiff filed a federal class action lawsuit against the company in June seeking damages in excess of $5 million.

Among other things, the complaint alleges that LinkedIn "deceived consumers by providing in its Privacy Policy that its users would be 'protected with industry standards protocols...
