According to the ICO, the massive fine was ultimately based on the harvesting of personal data of approximately 500,000 customers only one month after GDPR became enforceable. The ICO investigation uncovered that “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”
Given that the ICO’s final decision will take into consideration a formal response from British Airways and other data protection authorities, the fine will likely be modified in same way – this is also likely given there were new security procedures implemented by British Airways, there is no present evidence of fraud, and British Airways has already threatened an appeal.
At the time of the attack, British Airways provided very little information regarding how it was accomplished other than to say it impacted website and app bookings from August 21 to September 5, 2018 and that it was the victim of a “sophisticated, malicious criminal attack“. One security expert posited that malicious code was planted on the website’s payments page using a modified version of the Modernizr JavaScript library. Others have considered this attack caused by a cross-site scripting exploit. No matter what the attack vector or exploit, this was clearly the sort of security lapse that has dogged many companies over the years. To now have a potential $229 million fine waiting on the sidelines can only be considered yet another massive motivation to get one’s security house in order as soon as possible.
Facebook’s crypto advertising ban and duopolistic reach pretty much sums up why potential users should be careful before jumping on the Libra bandwagon. In what can only be considered ironic, the “Libra Coin” is not even a true cryptocurrency or even built on a blockchain – it is apparently the token for a permissioned payment network that is partially decentralized while requiring the disclosure of sensitive authentication data as well as use of the Calibra wallet owned and operated by Facebook itself. Most importantly, as a node on the network Facebook will also have access to all consumer transaction data flowing on the network. Like icing on a global cake, by being part owner of a de facto bank, Facebook will also get to share in any float interest.
Those premier venture firms and companies who have anted up to align with Facebook’s project may believe in the collective end game but to align now with Facebook simply because of its tremendous reach will likely be a mistake for them as well as the consuming public.
On June 6, 2019, Maine joined a chorus of state legislatures moving on data privacy – this time requiring providers of broadband Internet services to obtain express consent before using a consumer’s personal information. Specifically, the new Maine law reads: “A provider may use, disclose, sell or permit access to a customer’s customer personal information if the customer gives the provider express, affirmative consent to such use, disclosure, sale or access. A customer may revoke the customer’s consent under this paragraph at any time.”
Maine’s law is even more restrictive than California’s Consumer Privacy Act which will deploy an “opt out” mechanism requiring the consumer to inform data processors of their preference. Both Californians and Mainers will have to wait until 2020 to benefit from their respective data privacy laws – with the Maine statute taking effect on July 1, 2020.
As reported in The Hill, tech lobbyists are now exerting their best efforts on obtaining a federal law that will moderate this and other consumer privacy state gains – which is not surprising given even stricter data privacy laws percolating in other states. Whether or not certain data privacy provisions die in a preemption skirmish, data rights will continue their reimagination by market forces so lobbyists alone can never prevail in their clients’ war against true individual data ownership.
New York now is now moving on a bill, S5642, that is even more protective than the California Consumer Privacy Act while New Jersey is in the process of merging two proposed bills that may lead in the same direction. There has been opposition to these proposed laws by those companies who have the most to lose by stringent data privacy controls.
If passed, however, these new laws may actually prod Congress to finally move on a comprehensive privacy framework – one that might preempt aggressive laws such as the ones proposed by New York and New Jersey and the one already passed in California, in favor of a much more tempered approach.
In other words, the Internet Association and its lobbying partners may actually win the war if these bills are enacted and it can just get Congress to act in a preemptive manner. Thankfully, the momentum has been consistently on the side of consumer protection and any hope of bipartisan action on the part of Congress remains a long-shot given the current political environment.
On May 6, 2019, the Office for Civil Rights (OCR) announced that Tennessee-based Touchstone Medical Imaging agreed to pay $3,000,000 and adopt a corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and additional comprehensive policies and procedures applying HIPAA Rules. Touchstone – which provides diagnostic medical imaging services, was notified in May 2014 by the FBI that one of its FTP servers allowed uncontrolled access to protected health information (PHI). This uncontrolled access “permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”
During OCR’s investigation, Touchstone acknowledged that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses. OCR’s investigation found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach”. As a result, Touchstone’s notification to individuals affected by the breach was considered untimely.
Given last year’s summary judgment win by OCR and the facts presented by the Touchstone incident, it is not surprising that this significant settlement – which was one of the largest to date, was reached. FTP servers have long been a threat vector – even if set up and run properly, so not unlike the clarion calls initiated for encryption and social engineering training, back office IT support should be sophisticated enough to adopt a means of file transfer that applies state of the art security.
Whether Facebook survives as a social media platform may eventually hinge on a metric that has not been widely reported – which is ironic given what has recently been reported is hardly good news.
Almost comically, on April 29, 2019, Facebook, Inc. announced what it likely thought was a successful PR coup, namely the funding of privacy research shepherded by two partner organizations, Social Science One and the Social Science Research Council. Not surprisingly, there was no mention that Facebook would be provided specific recommendations from these organizations let alone have such recommendations eventually adopted by the company.
A different sort of threat to Facebook can be found in the decentralized Internet currently being built by start-ups such as Blockstack– which recently filed a SEC Reg A+ offering for $50 million by way of a subsidiary. Blockstack looks to leapfrog centralized platforms such as Facebook by building tools for a “decentralized computing network and app ecosystem” that includes decentralized storage allowing for porting of app data across social media platforms as well as self-sovereign user IDs that would allow for single user identities and passwords across every online application.
More than likely, however, the most damaging threat to Facebook in the near term is the platform’s continued drop in customer engagement. As recognized by Lou Kerner: “On April 24th, 2019, Facebook reported Q1 ’19 earning, and once again, Wall street applauded, sending the shares up 8%, adding another $45 billion in value. While some saw triumph, and others saw further reason to break Facebook up, all I saw was continued decline in the only metric that matters, engagement.”
Kerner’s graphic on the steady decline of daily and monthly active Facebook users is ominous:
Notwithstanding its many privacy transgressions and current regulatory/litigation challenges as well as the future advent of a decentralized Internet, what likely will be the most direct cause of Facebook’s downfall as a platform stems from the simple fact users have been steadily moving away from using it.
Apparently, users have taken the advice of WhatsApp co-founder Brian Acton and have chosen to “delete Facebook.” Even though Facebook, Inc.’s present cash reserve and its other popular applications would likely allow the company to continue as a viable entity for many years even without its eponymous platform, those present users who spend hours each day on Facebook – and have no desire to ever abandon it, might just not be enough to sustain the Facebook platform in the long term.
Simply put, with shrinking levels of engagement the Facebook platform may eventually go from a MySpace to Vine.
On March 20, 2019, the Supreme Court deferred ruling on the settlement of a class action brought against Google. The underlying action was based on Google’s transmission of a users’ search terms, i.e., “referrer headers”, to its actual clients. Class counsel argued that the transmission and storage of these referrer headers was in violation of both federal and state law given those conducting the searches never gave proper consent.
In remanding the case to address a potential lack of standing, the Court ruled “[b]ecause there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016), we vacate the judgment of the Ninth Circuit and remand for further proceedings.” This was obviously the correct ruling given a court cannot even hear a matter unless there is proper standing to sue. Given that the Supreme Court only decides matters properly on appeal and the question of standing was not put before it, the matter required a remand.
As pointed out by one of the attorneys who appealed this Google case to the Supreme Court, today’s ruling likely “simply delays the day of reckoning for this unfair practice.” Justice Thomas recognized today that there was something particularly odious about a settlement that only benefited lawyers and those third-party organizations acceptable to the Defendant. Hopefully, in the near future the full Court will reach the same conclusion and put an end to this unsavory practice of rewarding a defendant’s “non-profit partners” rather than the actual litigants.
On February 22, 2019, an amendment to the CCPA – S.B. 561, was proposed that would do away with a cure provision, expand the statutory damages provision to any violation of the law, and limit the role of the Attorney General in policing violations by directly passing along greater rights to consumers. If passed, these changes will significantly alter the reach of the law by making the plaintiff’s bar’s arsenal even wider and the law’s penalties that much stronger. Previously, the California Consumer Privacy Act – which will come online in 2020, was the first major privacy initiative to provide for statutory damages in the event of a data breach.
California’s Governor also recently said that he was “now convening a team to look into the creation of a new law requiring technology giants to kick back some of their billions in earnings in the form of a Data Dividend for Californians.” California is not waiting around for federal privacy action – it is outright looking to lead the world when it comes to the creation of statutory privacy rights.
UPDATE: April 4, 2019
On April 4, 2019, Senate Bill 753 was proposed to amend CCPA and provide for a major new exception to the law’s reach. If passed, “a business does not sell personal information” under CCPA if the following applies:
(E) (i) Pursuant to a written contract, the business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer. (ii) The contract specified in clause (i) shall prohibit the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to deliver, show, measure, or otherwise serve or audit an advertisement from the business.
In effect, there would be a Google and Facebook exception to CCPA.
It remains to be seen whether this amendment proposed by State Senator Henry Stern will ever be enacted but the mere fact it was proposed is a stark reminder that those companies with the most to lose have not stopped fighting this battle – whether by way of this proposed amendment to CCPA or by way of a broad preemption quest in Congress.
UPDATE: April 24, 2019
In opposition to S.B. 753, a coalition of privacy advocates wrote: “In sum, this new exception would remove the ability of consumers to prevent the dissemination of their personal information from the website they are visiting to any third party, allowing their personal information to flow unchecked into the ad-exchange system, after which a consumer can never regain future control. ”
As reported by DLA’s Jim Halpert, during the Senate Judiciary Committee Meeting of April 23, 2019, State Sen. Stern apparently bowed to the pressure and withdrew S.B. 753 from further consideration.
In addition to S.B. 561, the other amendment most likely to see success is State Assemblywoman Jacqui Irwin’s A.B. 873 – which places parameters on de-identified information and limits the present potentially unbounded scope of “personal information”. Thankfully, given the attention being placed on these issues, it is very likely that the ambiguities rushed into the statute’s initial draft will be sorted out and corrected before CCPA comes online in 2020.
UPDATE: September 16, 2019
On September 13, 2019, the California Legislature adjourned with significant amendments to the California Consumer Privacy Act firmly ready for the signature of Gov. Gavin Newsom. There were two noteworthy amendment bills that ultimately passed, AB 25 – which provides a one-year moratorium on CCPA’s application to employee, beneficiary and emergency contact information, and AB 1355. One proposed amendment was withdrawn for consideration until next session. Other changes to CCPA, including AB 1146, AB 874, and AB 1564 either do not alter in any material way the spirit or intent of the law or are redundant to changes found in AB 1355.
Three of the changes found in AB 1355 are noteworthy given in some very real ways they cut away from the meat of the law. First, by modifying the definition of “personal information” to mean “reasonably capable of being associated with” a particular consumer or household, instead of just “capable of being [so] associated”, CCPA now has a reasonableness component that gives companies a strong new argument that can be used when defending a breach claim brought in a private action. Moreover, the AB 1355 amendments clarify that deidentified and aggregate information are exempt from CCPA – in effect, giving most social media platforms their sought-after CCPA safety hatch.
And finally, the AB 1355 Amendment states that the reasonableness of charging a different price or rate or providing a different level or quality of goods or services for the use of data should be measured in relation to the value of the personal information to the business, not to the consumer as it was previously written. Given most social media platforms and data brokers actually place very low values on consumer data, this change is of obvious great significance. Overall, these and other minor changes only benefited data merchants to the detriment of consumers.
UPDATE: November 4, 2020
On November 3, 2020 – despite a significant late push by data oligarchs such as Google, the CPRA ballot initiative won by 56% of the vote. As stated by Alastair Mactaggart, Chair of Californians for Consumer Privacy and the Prop 24 sponsor: “With tonight’s historic passage of Prop 24, the California Privacy Rights Act, we are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data.”
Former Presidential candidate, Andrew Yang – who was the Chair of the Board of Advisors for Californians for Consumer Privacy, added: “I look forward to ushering in a new era of consumer privacy rights with passage of Prop 24, the California Privacy Rights Act. . . . It will sweep the country and I’m grateful to Californians for setting a new higher standard for how our data is treated.”
There is no denying this was a momentous vote. On the other hand, a lot can happen by the CPRA enforcement date of January 1, 2023 – including passage of a law via standard lobbying channels or a new ballot initiative launched by the data oligarchs either with either one trimming the gains made this last election cycle.
On February 7, 2019– in a devastating blow to global surveillance advertising, Germany’s antitrust arm, the Federal Cartel Office, ruled that Facebook’s tying of its data collection practices to usage of its services was unlawful. In the public announcement of this ruling, the FCO president Andreas Mundt said: “Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts.”
Interestingly, the FCO ruling considers the harm derived from Facebook’s data collection practices as the user’s “loss of control” rather than any specific pecuniary harm. If affirmed, this novel antitrust ruling could be a watershed in surveillance advertising sufficient to crack the existing digital ad ecosystem and allowing for new business models to finally take hold.
In its Annual Report filed on February 5, 2019, Google’s parent, Alphabet, Inc., emphasized in a more pronounced way the privacy regulatory and business headwinds it now faces. Specifically, on pages 9 and 10 of the report, Alphabet writes “as the focus on data privacy and security increases globally, we are and will continue to be subject to various and evolving laws. The costs of compliance with these laws and regulations are high and are likely to increase in the future.” It goes without saying, proper compliance will never be optional for the company given that Google’s surveillance advertising accounted for over 85% of its total revenues in 2018.
According to its 10-K, those laws and regulations that may subject Alphabet “to significant liabilities and other penalties” include:
The California Consumer Privacy Act of 2018 that comes into effect in January of 2020, and gives new data privacy rights to California residents and regulates the security of data in connection with internet connected devices.
Privacy laws, which could be interpreted broadly thereby limiting product offerings and/or increasing costs.
Alphabet also warns: “Changes to our data privacy practices, as well as changes to third-party advertising policies or practices may affect the type of ads and/or manner of advertising that we are able to provide which could have an adverse effect on our business.” As pointed out by Bloomberg, this wording is not merely reused boilerplate but represents new language.
Even though the duopoly of Google and Facebook are not going away anytime soon, Alphabet’s latest filing is an acknowledgement that upcoming regulatory and market changes may limit how these companies do business. In other words, the free reign they have had for so many years may finally be coming to an end.
