Social Media Providers Prevail In Quashing Subpoenas In Criminal Proceedings

Derrick Hunter and Lee Sullivan were indicted, and still await trial, on murder, weapons, and gang-related charges stemming from a 2013 drive-by shooting in California. Both Defendants served a subpoena duces tecum on Facebook, Instagram and Twitter, seeking public and private content from user accounts of the murder victim and a witness to the alleged crimes. As to Facebook, the subpoena stated “[a]ny and all public and private content,” including, but “not limited to user information, associated email addresses, photographs, videos, private messages, activity logs, posts, status updates, location data, and comments including information deleted by the account holder” for accounts belonging to the murder victim, Jaquan Rice, and to the only witness, Renasha Lee.

In January 2015, Facebook, Instagram and Twitter moved to quash the subpoenas as violative of the Stored Communications Act (SCA) (18 U.S.C. §§2701-2712). The SCA prohibits electronic communication service providers from releasing a customer’s data without the customer’s consent. (See 18 U.S.C. §§ 2702(a)(1), 2702(b)(3).) For this reason, just about every social networking service in America regularly refuses to produce records containing the content of electronic communications. There are a few exceptions, most notably for law enforcement officers who have a warrant. (See Flagg v. City of Detroit, 252 F.R.D. 346, 350 (E.D. Mich. 2008).)

The trial court denied the motions to quash. Facebook, Instagram and Twitter appealed, arguing that disclosure of the information sought was barred by the SCA. The Defendants opposed, contending that their constitutional rights to present a complete defense, to cross-examine witnesses, and to a fair trial prevailed over the privacy rights of account holders under the SCA. In an offer of proof as to Lee’s social media records, defendant Sullivan alleged that the records would demonstrate Lee, the sole witness who could implicate him in the shootings, was motivated by jealous rage over Sullivan’s involvement with other women, and that Lee had repeatedly threatened others with violence. Sullivan cited examples of postings that included a photograph of Lee holding a gun and making threats. In his offer of proof as to victim Rice’s social media records, Sullivan said review of the records was required to “locate exculpatory evidence” and to confront and cross-examine the prosecution gang expert from the San Francisco Police Department Gang Task Force, who testified that he “relied on social media records in forming an opinion whether a particular crime is gang related.”

Carefully reviewing, but ultimately rejecting, these arguments, the Court of Appeal held the SCA provides no direct mechanism for access by a criminal defendant to private communication content, and “California’s discovery laws cannot be enforced in a way that compels . . . disclosures violating the Act.”

The court’s holding is limited, however: it left open the possibility that entities such as Facebook, Twitter or LinkedIn may be obligated to produce evidence of a person’s social media content at a criminal trial, rather than pretrial, as here. This is a curious procedural distinction, perhaps reflecting some discomfort with the holding.

The full opinion is available here.

Illinois: Proposed Privacy Legislation Expands Protected Personal Information, Clarifies Notice Obligations to Include Theft of Encryption Keys, and Adds Notice Requirements To Attorney General

On March 25, the State of Illinois Legislature will hold a hearing and consider changes to an existing statute known as “The Personal Information Protection Act.” (815 ILCS 530/5)

The proposed legislation expands the scope of information to be protected in Illinois to expressly include and define medical, health insurance, biometric, consumer marketing and geolocation information as protected personal information. The proposed legislation also requires notice of breaches of security to be provided to the Illinois Attorney General.

The legislation is remarkable in that it obligates breach disclosure in the event that defined personal information is acquired by an unauthorized person in its encrypted form, where encryption keys are also acquired during a breach. This makes sense, and represents an acknowledgment that where encrypted information is stolen with the associated encryption keys, the effective result is quite likely unencrypted personal information, warranting notice to Illinois consumers. From a planning perspective, protected personal information should be retained separate and apart from the encryption keys, to reduce the likelihood of disclosure to unauthorized third parties. Where there is doubt as to whether both protected personal information and encryption keys have been wrongfully acquired, the proposed language suggests that disclosure is required to the Attorney General where a single breach affects more than 100 Illinois residents.

Bringing Illinois in line with other jurisdictions, the statute would impose an obligation to post privacy policies conspicuously on commercial internet sites or sites that collect personal information, with specific instructions as to font size and spacing. Notably, an online service that receives notice of noncompliance has 30 days to cure, to avoid violation of the proposed statute.

For a copy of the proposed changes to Illinois’ Personal Information Protection Act, please contact our Privacy & Data Security Group.

20 Million Californians Impacted By Data Breaches in 2013

This week, California Attorney General Kamala Harris released the second annual Data Breach Report, which detailed the 167 data breaches reported to her office in 2013. These data breaches collectively impacted nearly 20 million Californians, reflecting the growing menace of cybercrime.

The AG’s Data Breach Report reflects an increase of over 600 percent in the number of affected Californians since the 2012 report. This was largely due to the high-profile Target and Living Social data breaches, which exposed more than 7.5 million Californians. More than half of the 2013 breaches (53 percent) were caused by computer intrusions, described in the report as “malware” and “hacking.” The remaining breaches resulted from the physical loss or theft of laptops (26 percent) or other devices containing unencrypted personal information, as well as unintentional errors (18 percent) and intentional misuse by insiders (4 percent).

The AG’s office provides key recommendations to California retailers to prevent future data breaches. Retailers should:

  • update their point-of-sale systems to the safer “chip-enabled” technology;
  • implement appropriate encryption solutions to devalue payment card data; and
  • respond promptly to data breaches.

These recommendations are significant, as the AG report indicates that the retail sector is most heavily targeted by cybercriminals, with 88 percent of that sector’s data breaches the result of criminal enterprises.

Full details can be found in the AG’s report here at pages 16-24.

Dropbox Accounts Exposed

Business Insider and many others are reporting that hackers have acquired nearly 7 million account usernames and passwords. News coverage of the recent breach of Dropbox account security reveals that hackers have provided a “teaser” of 400 accounts and associated passwords on, which as of this writing shows that there have been more than 171,976 views.

Dropbox has explained that its services are fully encrypted, and denies responsibility for the leak of emails and passwords, pointing to third-party services that exposed the credentials. Dropbox also claims that all of the passwords that were hacked are expired. Dropbox, for its part, encourages users to enable two-step verification, which should harden account security. In fact, the nice folks at Business Insider prepared a slideshow showing how to implement two-step verification here.

Professionals who use cloud servers to provide medical, legal and financial services should understand that doing so may be at their own risk, as a cloud server provider or host may not provide indemnification or other recourse in the event of privacy and data breaches. Be sure to carefully read server or cloud provider contracts to assess the scope of any limitation of liability (typically a monetary limit and consequential damages disclaimer) that may be inadequate for a customer’s potential losses in the wake of a breach or other unauthorized disclosure of information. As with all gathering, storage and use of personal and confidential information, there must be safeguards and risk assessment at each level to avoid being hit with the full liability of a data breach.
