Both the Federal Trade Commission and private plaintiffs' class action attorneys have filed actions against companies that experienced data breaches, claiming that the companies' privacy policies misrepresented the adequacy of their security measures and that the defendants are liable for violating the terms of their own policies.
As two recently filed lawsuits make clear, however, companies will be forced to live with the representations contained in their privacy policies when (not if) a data breach occurs.
In Szpyrka v. LinkedIn Corporation, in the Northern District of California, hackers allegedly compromised the company's security system, accessing the passwords of approximately 6.5 million users, and uploading them to a hacking forum. Adding potential liability to reputational injury, the California plaintiff filed a federal class action lawsuit against the company in June seeking damages in excess of $5 million.
Although both the LinkedIn and Wyndham actions included other allegations contending that the defendants' failures to protect the consumer data were separately actionable, in each case the companies' privacy policies provided the basis for the "deception" claims against the defendants.
To avoid such claims, companies should periodically review their internal and external privacy and security policies for at least two distinct purposes: first, to confirm that public-facing privacy policies accurately reflect how the company actually uses, shares and protects data; and second, to evaluate whether internal security policies and measures, which will be scrutinized in the event of a cyberattack, comply with applicable laws and current industry standards.
Otherwise, privacy policies intended to describe measures taken to protect consumers may be used as weapons against the company by plaintiffs and regulators.
For more information about the content of this alert, please contact Michael Thurman, Michael Mallow or Ieuan Jolly.