Hey, all. Ian Lopez here this week with the latest and greatest (or important) news at law’s crossroads with technology. First up, we dive into the legal ramifications of Google’s decision to keep its mouth shut in the face of its breach of social media giant Google+. Also in store: the state law that might keep the IoT in check (or not), and Fitbit’s latest feature on the investigators’ stage (hint: murder is involved).
➤➤ Would you like to receive What’s Next as an email? Sign up here for a trial.
Is Google’s Hush-Hush Approach to Breach a Gateway to Litigation?
“Immediate regulatory interest.” That’s what Google’s legal and policy team saidin an internal memo would be sparked if the company disclosed a breach exposing the data of Google+ users this past spring.
Now the cat’s out of the bag, thanks to the Wall Street Journal, which reported that Google’s internal lawyers advised the company it “wasn’t legally required to disclose the incident to the public.” But when it comes to legal liabilities, deciding to disclose isn’t black and white. As Stanford’s Albert Gidari tells Corporate Counsel, “the lack of potential for harm” may justify a company’s clandestine approach to handling a breach. What’s more, the hodgepodge of state breach laws, absent a federal standard, sets different requirements for lifting the seal for the public.
But as with all things social media, there’s no consensus over whether to disclose. Wiley Rein’s Kirk Hanra says that even absent a legal requirement, disclosure is “a factor of business consideration.” As he tells CC, “There are lots of times I’ve worked with companies who don’t have a legal obligation to disclose and disclose anyways.”
Indeed, the decision not to disclose can be viewed as a gateway to legal action. That internal Google document itself says disclosure “almost guarantees Sundar [Pichai, Google’s CEO] will testify before Congress”—something he’s already doing regarding the company’s work with China and privacy matters in the weeks ahead—while warning of comparisons to Facebook’s Cambridge Analytica scandal, which broke around the same time and resulted in a rush of legal action.
The parallels are notable. Shook Hardy’s Al Saikali tells WSJ: “The story here that the plaintiffs will tell is that Google knew something here and hid it. That by itself is enough to make the lawyers salivate,” and this may already be proving true. A plaintiff team out of California that recently sued Facebook dropped a lawsuit against Google and Alphabet Monday over their handling of the Google+ breach. And in the team’s telling, Google should have learned its lesson from Facebook’s own troubles.
“Given that Google+ was launched to challenge Facebook, the recent data security incidents suffered by Facebook users should have made defendants more sensitive to the necessary protection of Google+ users’ data,” the Morgan & Morgan attorneys wrote in their complaint. “Instead, defendants allowed this vulnerability in its system to endure for nearly three years, all the while leaking private information to unauthorized third parties.”
➤ Looking Ahead: If Cambridge Analytica and other recent breaches are any indication, Google will likely be addressing this incident in the courts in the months ahead.
On the Radar: Three Things to Know
➤ Neutering Net Neutrality. Remember last week when I wrote about California signing its own net neutrality provisions into law? A handful of telecom titans filed suit to bring a halt to the threat to throttling, though that’s not the way they’re spinning their motivation. They’re claiming not only does the California law threaten “to negatively affect services for millions of consumers,” but that it’s “preempted by federal law.” Now, a handful of telecom providers in a statement claim they believe “the courts will continue to uphold that fundamental principle.” This lawsuit joins one brought against California by the SEC. Meanwhile, in the D.C. Circuit, a challenge to the FCC’s repeal of federal net neutrality rules could determine the legality of California’s law.
➤ Internet of Too Many Things. Net Neutrality isn’t the only tech-related legal issue making waves in California. ICYMI, the state last week became the first to pass a law requiring that IoT devices be built with “reasonable security features” by 2020. Yet the law, which in bill form had security requirements that were scaled down because of tech industry opposition, is without any private right of action, andleaves enforcement decisions up to state AGs. But the IoT law isn’t the only dystopian dispatch from the state. California also passed a new “bot law,” which, as my colleague Frank Ready writes, outlaws the use of “undeclared bots to incentivize a sale or influence an election.”
➤ On the Grid. Speaking of dabbling in data for influence, seven Russian military officers were indicted by a grand jury in the Western District of Pennsylvania. They’re accused of engineering a disinformation campaign promoting the Russian government’s “strategic interest.” The defendants allegedly used social media to launch disinformation campaigns against anti-doping groups, along with hacking into the networks of a nuclear power company and other corporations. As MP McQueen reports for The Legal Intelligencer, the supposed hackers are accused of wire fraud, identity theft and money laundering, among other charges.
Darkside of Data: Fitbit’s Quiet Role in a Murder Investigation
Keeping tabs on steps is one thing, but law enforcement may have found a convenient tool in Fitbit for a murder investigation. The wearable device was used last week in charging a 90-year-old man with the murder of his stepdaughter after it recorded the uptick and slowing of her heart rate around the time the defendant was pegged as being at the house by a surveillance video.
That a host of modern, everyday devices can be used in investigations is a controversial topic, though it’s interesting how ubiquitous the practice is becoming. Audio recorded via Amazon Echo was requested in 2017 as evidence in a murder trial. Fitbit itself is no stranger to such summons, having been used as integral evidence in another murder case that same year. Likewise, an Apple Watch was used for similar purposes in Spring 2018.
That such data is revealing is an understatement. As Forbes’ David Phelan so nicely puts it, the device turned the case against the 90 year old “from suspected suicide to suspected murder.” Yet the granular detail that can be extracted from this information has some warnings. As University of Toronto’s John Scott-Railton tells Inverse, “With every successful investigation that is conducted with Fitbit data, what it also shows [is] that data is generating an extremely revealing transcript of human behavior. … This data is going to be used more and more, and then the question becomes what kind of oversight will that use have?”
➤ Looking Ahead: If wearables are here to stay, it appears they and other devices are going to become reliable witnesses into the details of our everyday lives.
That’s it for this week! Stay tuned for What’s Next!