In this two-part blog post, we will look at:
- What is an ‘information fiduciary’?
- What should you do when an information fiduciary you trust gets hacked?
- Are there adequate legal repercussions for losing customer data to hackers?
- Ways to assess the strength of a potential information fiduciary before doing business and creating an account
What is an ‘Information Fiduciary’?
Fiduciaries are people who “hold a legal or ethical relationship of trust with one or more other parties” [1]. The parties that a fiduciary enters into business with are known as the principal. A fiduciary manages different types of resources for the principal, including money, assets, or information, and has the duty to act in the best interests of the principal. As such, they must not exploit their position of trust for personal gain at the expense of the principal. Similarly, an “information fiduciary” is described by Yale University Law professor Jack Balkin as “online service providers and cloud companies who collect, analyze, use, sell, and distribute personal information” and “have special duties to act in ways that do not harm the interests of the people whose information they collect, analyze, use, sell, and distribute” [2].
“Information Fiduciaries have special duties to act in ways that do not harm the interests of the people whose information they collect, analyze, use, sell, and distribute” – Balkin, 2016, p.1186
Which parties possess your personal information?
What organizations do you willingly share your data with, and hope that it remains safeguarded? Banks, telecommunications, schools, and doctor’s offices all hold sensitive information about their clients’ lives and personal details. Do you trust the organizations you picked for these services to keep your data safe, to not view your data, or to not abuse their possession of your data?
In 2014, the ride sharing company Uber was investigated by the Federal Communications Commission after Josh Mohrer, the head of Uber’s New York office at the time, abused the data of Johana Bhuiyan, a customer who was also a journalist for Buzzfeed News [3]. Mohrer had allegedly tracked Bhuiyan through an internal tool called ‘God View’, which enabled Uber employees to track all drivers and customers on a map-based view. Responding to this incident, Uber published its Privacy Policy for the first time [4], and conducted an ‘internal investigation’. Mohrer retained his role as general manager of Uber for three more years [5] after Uber took ‘disciplinary action’ [6] for his abuse of Bhuiyan’s data.
Consider businesses that provide services to you in exchange for the collection, use, and abuse of your data, such as Google and Facebook. These companies are engaged in both the sale of the access to your attention as well as the sale of the information you store with each company.
On the surface, Facebook explains that it targets users by categorizing them into ‘audience groups’ based on information they provide to Facebook, such as their age, location, income, relationship status, family size, Likes, and behavior on other sites [7]. Google has explained since 2012 that it customizes users’ search experience by enhancing its search algorithm with data gathered from scanning the content of its users’ e-mails [8]. Recently, Google has also expanded this access to the content of a user’s inbox to ‘approved’ third-party applications, such as vacation planning and customer relationship management tools [9][10].
“For example, if you’re a shoe shop you can target people who’ve recently purchased shoes.” – Facebook Business [11].
Aside from the official descriptions of what kinds of data Facebook and Google collect and use from their customers, users have reported instances of additional data collection outside the scope of officially stated data collection practices. Users have reported that Facebook’s friend suggestion algorithm ‘People You May Know’, or PYMK, made connections between people who intentionally interacted outside the scope and reach of Facebook’s data mining network. An attorney told Gizmodo [12] that they received a recommendation to connect with a client that had never interacted with the attorney through his e-mail that was associated with his Facebook account, causing the attorney to suspect that Facebook was tracking his web activity even outside Facebook’s networks [13].
“I deleted Facebook after it recommended as PYMK a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email.” – testimony from Facebook user on Gizmodo
While it may seem like online services such as Facebook, Google, Amazon, Twitter, Uber, or any other site that receives and stores the personal information of its customers should be held accountable as an information fiduciary, in actuality, they do not perceive themselves as such, and act in profit-seeking ways that risk the privacy of their customers.
If Facebook and Google do not act like Information Fiduciaries, who does?
In the United Kingdom, there is legislation known as the Data Protection Act 1998 which states that parties that possess the personal information of others are data controllers. In 2018, the Information Commissioner’s Office fined the University of Greenwich for failing to act as an information fiduciary for its students. In their report, the ICO stated that the school had contravened its duty to “take appropriate technical and organizational measures against the unauthorized or unlawful processing of personal data”. However, it was the UK’s laws, such as the DPA and GDPR, that enforced the fiduciary requirements of information fiduciaries, and not an internal initiative of any single organization.
What do I do when an Information Fiduciary I trust gets hacked?
Although we have seen that a majority of companies that possess sensitive information on their customers do not perceive that they have a responsibility to protect and not abuse this capacity, the fact remains that in order to access services that are essential for routine activities such as banking, air travel, investment services, and booking hotels, we have to provide organizations with sensitive information such as our contact information, passport number, income, or social insurance number.
What happens when these companies who possess your information are attacked by intruders and fail to protect your sensitive information? Instances of unauthorized access to customer information are not infrequent occurrences: in 2018 alone, companies such as Marriott (hotel chain) [14], Orbitz (travel agency) [15], and Quora (website) [16] have all been targets of data breaches that, combined, have exposed sensitive information of over 600 million users. Considering that the Earth has a population of 7.5 billion, the hacks in 2018 alone have exposed the data of 8% of the world!
What may cause situations where my data gets used improperly?
Misuse of data can occur in situations with malicious intent to abuse your data, errors in data handling, and unauthorized external access to user data.
Malicious Intent to Abuse User Data Access
Misuse of data can occur when the information fiduciaries themselves overstep in their relationship with your user data. One example is Uber and its ‘God View’ software, which enabled Uber employees to “stalk ex-girlfriends, and were even able to access trip information for celebrities like Beyoncé” [17].
In 2015, AT&T employees in Mexico, Colombia and the Philippines accessed and sold the data of over 68,000 customers, including the names and social security numbers of AT&T customers to third parties [18].
Also in 2015, an employee at Morgan Stanley accessed and posted the financial details of 900 clients onto Pastebin, a publicly accessible website [19].
These three examples demonstrate that the people employed by the companies that possess the sensitive data about our lives have the ability to access and potentially misuse our data.
Errors in Data Handling
Glitches and other unintended software behaviour may also result in the misuse of user data by an information fiduciary. In December 2018, Facebook disclosed that a “security issue” in September 2018 had provided third party developers with unauthorized access to the photos of 6.8 million user accounts [20]. The issue allowed developers to access photos that were not yet posted, and photos set on ‘Only Me’ privacy settings.
In October 2018, Google disclosed that a software issue also provided third party developers with unauthorized access to non-public profile data of over 450,000 Google+ users, including a user’s name, email, occupation, gender, relationship status, and other information since 2015 [21][22]. This software issue led to the announcement of the planned shutdown of this service by Google.
These two examples highlight the susceptibility and responsibility of information fiduciaries to produce and use secure code in software that does not accidentally expose sensitive user data, as any vulnerability may affect the lives of a large number of people before being discovered.
Unauthorized External Access to User Data
Aside from malicious intent or programming negligence, misuse and exposure of user data may also occur due to unauthorized external access of a company’s database. These attacks may be a result of vulnerable software, stolen access credentials, or malware injected into a company’s computer system [23].
In 2016, two years after Josh Mohrer used ‘God View’ to track Johana Bhuiyan’s movements across New York, Uber’s user data was compromised again, but by hackers instead of by executives within the company. Hackers obtained the personal information of 57 million users and drivers [24]. Information obtained includes driver’s license numbers, names, e-mails, and mobile phone numbers [25].
In March 2018, data from a fitness app by Under Armour, called MyFitnessPal, was accessed by hackers to obtain the usernames, emails, and hashed (encrypted) passwords of 150 million users [26].
In November 2018, Starwood Hotels, a subsidiary of Marriott Hotels, was compromised by hackers who gained access to the names, phone numbers, email addresses, passport numbers, date of birth, credit card information, or travel schedules of 500 million travelers [27].
These are just some of the cases of unauthorized external access to user data that have occurred in recent years.
What actions can I take if a company loses my data?
Regardless of whether your personal information is exposed through insider abuse, software glitches, or an external data breach, here are five actions you can take in response to undesired exposure of your sensitive data.
1. Change Your Password
The first action you should take after realizing that your information may have been compromised by a company is to change the password associated with your account with that company. Even though this action will not prevent the hackers from possessing the information they have already stolen, as in the case of passport numbers and payment information of users in the 2017 Cathay Pacific data breach [28] or the 2018 British Airways data breach [29], it will prevent future access to your account from the original attackers, or other hackers attempting to use your old password they found on Pastebin [30].
2. Check When the Hack Happened
You may become surprised, or even angry, when a company that you conduct business with announces that it has been a target of a successful cyber attack, such as when Google announced its recognition of the vulnerability of Google+ in October 2018 [31]. However, be aware that a company may publish these announcements much later than when the security issue had actually occurred, if at all. In the case of Google+, the vulnerability was known internally since March 2018, but users were not provided the opportunity to act upon this knowledge until the public announcement in October, 7 months after Google knew of this issue.
In a well-publicized 2017 data breach, Equifax also came under criticism for not only using outdated software that enabled hackers to access the personal details of 145 million Americans, 19,000 Canadians, and 400,000 Britons [32], but also for waiting for six weeks to disclose the data breach to investigators and the public [33].
By checking when the hack happened, you can go back through your financial history or other important profiles to make sure that no cases of identity theft occurred between the time that your data was exposed and the time that the company decides to announce the exposure of your data.
3. Protect Yourself from Identity Theft
Once you are aware of a potential exposure of personal data, you can defend yourself from identity theft by placing fraud alerts on accounts related to the exposed data. For example, if your social security number is exposed, as was the case in the 2017 Equifax breach, the RCMP advises you to immediately file a police report [34] and to contact the Canadian Anti Fraud Center [35]. If your bank account information is exposed, you can contact the bank and place a fraud alert for credit cards and deposit accounts.
In addition, you are also able to sign up for identity theft monitoring services [36] and identity theft insurance [37] for a monthly fee, but be wary of the exact terms and conditions of such policies to ensure that they can provide assistance when you require it most.
The best way to protect yourself from identity theft is to monitor your accounts diligently on a weekly basis, and report any irregularities you see immediately.
4. Check for Class-Action Lawsuits
Class-action lawsuits are a type of legal action taken by a plaintiff against a defendant in representation of a group, or “class” of people [38]. Class-action lawsuits originated in the United States as a way to expedite the legal proceedings of a large number of similar cases, as stated in the 1842 Federal Equity Rules:
Where the parties on either side are very numerous, and cannot, without manifest inconvenience and oppressive delays in the suit, be all brought before it, the court in its discretion may dispense with making all of them parties, and may proceed in the suit, having sufficient parties before it to represent all the adverse interests of the plaintiffs and the defendants in the suit properly before it. – Equity Rule 48, United States Federal Equity Rules 1842 [39]
People have attempted to litigate against companies in class-action lawsuits as a result of data breaches, but the results so far have been unsatisfactory for the plaintiffs. In 2015, hackers obtained the personal information, including social security numbers, birth dates, addresses, and names of 78.8 million customers of Anthem, an American health insurance provider [40]. A class-action lawsuit was brought against Anthem by attorneys from Altshuler Berzon, Cohen Milstein, Girard Gibbs and Lieff Cabraser law firms [41].
The plaintiffs claimed that Anthem “failed to adequately protect its data systems” and sought damages to “recover for injuries suffered by Anthem’s customers including theft of personal and financial information” [42]. However, even though Anthem’s data was unencrypted, it was not in violation of any legal regulations, as the Health Insurance Portability and Accountability Act of the United States only recommends, but does not mandate, that health insurance companies encrypt the data stored on their servers [43]. In the end, the parties decided on a $115 million settlement to end the case. At first glance, it may seem like a victory for the victims of the data breach, but after a $37.9 million fee payment to attorneys and dividing the remaining amount by those of the 78.8 million victims who filed a claim, victims of the data breach are compensated for the exposure of their data with an average of $0.97 each [44].
Importantly, before filing a claim to become a participant in a class-action lawsuit, always check to make sure that doing so does not void your ability to pursue other, independent legal action. The best way to be sure is to consult professional legal counsel.
5. Close Your Account
Lastly, you can take action by no longer doing business with a company that has exposed your data. If you no longer feel confident regarding a company’s security practices or ability to not abuse your data, you can choose to close your account with that company.
Be aware that closing an account with a company does not necessarily mean that previously existing data you provided will be deleted entirely. For example, Facebook, Instagram, and Twitter outline that they retain licensing rights to data you provide to them, even after you delete your account. Find out more in this Digital Tattoo article about ownership rights on social media platforms [45].
In the second half of this article, we will look at:
- Are there adequate legal repercussions for losing customer data to hackers?
- Ways to assess the strength of a potential information fiduciary before doing business and creating an account
Disclaimer: The views and opinions expressed in this article are those of the author and do not constitute legal or financial advice.
Always do your own research for informed decisions.
edited by: Elyse Hill