Hartford Business & Commercial Law Blog

By Bruce Raymond, Esq.

It doesn't matter if you're Paris Hilton, Hulk Hogan, or a previously unknown teacher's aide, private, intimate moments can be thrown into the public by those with ill motive. In fact, as in the case of Hollie Toups, the teacher's aide, nude, pornographic and/or obscene images that were not meant to be shared wound up being posted to a website dedicated to "revenge porn", whether by a spiteful partner or through a data breach (stolen images, hacked accounts, etc.). Some websites will post any of these images, no matter whether submitted with or without consent. Some will require personal identifying information to further embarrass the subject. [To avoid further embarrassment to the victims, those sites will not be named or direct-linked in this posting.]

Not only is this embarrassing, but it can interfere with one's personal life and even one's workplace. What can a victim of revenge pornography do? The legal system is divided between state and federal law. Each state has its own laws. The victim should consider the laws of the state in which they reside, the state in which the photographs were taken, the state in which the wrongdoer lives, and the state where the website operator resides. The laws of one or more of those states may apply, along with federal law. If Connecticut has an interest in the matter, there are four causes of action for invasion of privacy, being: (1) unreasonable intrusion upon the seclusion of another; (2) appropriation of the other's name or likeness; (3) unreasonable publicity given to the other's private life; and (4) publicity that unreasonably places the other in a false light before the public. See Venturi v. Savitt, 191 Conn. 588, 591, 468 A.2d 933 (1983); 3 Restatement (Second), Torts § 652A- E. A victim may assert one or more of these causes of action against the wrongdoer.

Whether or not a claim can be brought against the website operator is trickier. If the picture was a self portrait, either a picture in a mirror, with a timer, or at arm's length, the victim holds copyright in that image. The victim could also obtain an assignment of copyright from whomever took the photograph. A DMCA Takedown Notice, sent pursuant to 17 USC §512, to the website operator and/or their host may provide the swiftest response; failure to take down an infringing image upon a copyright holder's request subjects the operator or host to monetary liability for violation of copyright.

If the picture is not owned by the victim, it may be more difficult to sue the website operator or host for invasion of privacy. In 1996, the U.S. Congress passed the Communications Decency Act. Section 230 ( 47 U.S.C. § 230) may protect website operators and hosts from legal liability if they were not the source of the offending content. In other words, if your ex-boyfriend submits a naked photograph he took of you to a revenge porn website, that website is likely immune from any lawsuit against it, including suits both for injunctive relief and monetary damages. "Likely" immune, because in Ms. Toups's case, Judge Hahn, without explanation, denied Godaddy.com's motion to dismiss on the grounds of immunity under Section 230.

Additionally, the internet is global. While this has many benefits, it also means that the revenge porn website may be based in Europe or Asia. The laws and courts of the United States might not be able to reach the website operator. Careful forensics might discover, however, an American company or person who could be made a party to a lawsuit, leading to the prevention of further viewing of that image in the United States. Experienced counsel can work with these investigators to determine who may be brought into such a case. Unfortunately, in some instances there simply is no law that would cause the takedown of the image.

Victims who are minors (or were when the pictures were taken) should take extra precautions. Although the images may be child pornography and subject the website operator to federal prosecution, if the victim took a self-portrait, they too could be prosecuted for creating and distributing child pornography.

Finally, victims should be wary of third-party services advertised on revenge porn websites that claim to be able to remove the photographs. In at least one case, it is a widely held belief that the so-called takedown service is, in reality, an alter-ego of the website operator itself, engaging in extortion of the victims to profit from its operations.

If you are a victim, you should consult with an attorney. Some cases may be taken by some attorneys on a contingent fee basis, but otherwise, full scale litigation could cost tens of thousands of dollars that you might not be able to recover. Even winning an award of attorneys' fees may not cover costs if the website operator lacks funds to pay it. Knowledgeable, experienced counsel can help plan a strategy to reduce embarrassment in as economically feasible a manner as possible. Senior Associate Jay Wolman contributed to this post.

A data breach resulting in the theft and use of customer credit card numbers results in significant expenses and penalties for the victim company. Many companies still do not have specific cyber liability coverage and thus can be on the hook for all expenses related to such a breach. The Sixth Circuit Court of Appeals recently held that such losses resulting from the cyber theft of customer data were recoverable under a commercial crime policy. Retail Ventures, Inc. v. Nat'l Union Fire Ins. Co., 691 F. 3d 821 (6th Cir. 2012).

In 2005, hackers used an apparently unlocked wireless network at a DSW Shoe Warehouse store to obtain unauthorized access to DSW's computer systems and downloaded credit card and bank account information from over 1.4 million DSW customers. Subsequently, fraudulent transactions using the stolen customer payment information occurred. DSW incurred millions of dollars of expenses for customer communications, public relations, customer claims and lawsuits, and attorney fees in connection with investigations by seven State Attorneys General and the Federal Trade Commission (FTC).

DSW submitted a claim for coverage under a computer fraud rider to a "blanket Crime Policy" for losses related to the computer hacking. The rider provided coverage for Computer and Funds Transfer Fraud Coverage; specifically, any loss resulting from the theft of any insured property by computer fraud.

In subsequent litigation to determine whether the losses were covered by the commercial crime policy, DSW prevailed on summary judgment with respect to its claim that the hacking damages were covered under the policy. Defendant appealed arguing that the trial court erred by finding that the expenses incurred were a loss resulting directly from the theft of insured property by computer fraud. Defendant urged the Court to use the "direct means approach" which would require DSW to show the computer fraud to be the sole and immediate cause of the loss. DSW argued the District Court correctly utilized a traditional proximate cause standard.

The Appeals Court held that the District Court was correct in applying a proximate cause standard and did not err in finding that the loss was caused by the hacking. The Court also rejected the Defendant's argument that the theft of customer data was covered by an exclusion under the policy. The policy stated that coverage does not apply to any loss of proprietary information, trade secrets, confidential processing methods or other confidential information of any kind. The Court held that the stolen customer information was not proprietary information because it belonged to the customer and not DSW. Furthermore, the stolen information did not constitute trade secrets or confidential processing methods. Finally, the language "other confidential information of any kind" was held to be general and should apply only to secret information of DSW. Otherwise, it would swallow the entire coverage for computer fraud. Since the confidential information was credit card and bank account numbers which belonged to the customers themselves, no exclusion under the policy applied.

DSW did not have a specific cyber insurance policy yet was still able to obtain coverage based on language in its commercial crime policy. Businesses should review their existing coverage carefully and may find that coverage for data breach is not expressly covered.

Today the FTC announced a $800,000 settlement with Path, a social media network to settle allegations that it violated its own privacy policy and also illegally collected information on children under 13 in violation of COPPA(Children's Online Privacy Protection Act).
According to the complaint Path represented that personal information from the user's mobile device contacts would be collected only if the user clicked on "Add Friends" and then chose the "Find friends from your contacts" option. But despite that promise, Path automatically collected and stored personal data the first time the user launched the app and, if they signed out, each time they signed back in again. That, says the FTC, made Path's statement false.

The FTC offers the following take-aways for businesses:

• The main message comes as no surprise: Honor your privacy promises and be especially careful when it comes to kids' information. What's a little different is that the message is going out with ATTN: MOBILE APP DEVELOPERS across the top. Well-established consumer protection principles apply across the board, including to companies in the mobile market.

• The default mindset about data collection used to be to gather as much as possible whenever possible. We've said it before, but that approach is <Valley Girl voice> like soooo 20th Century </Valley Girl voice>. As savvy companies know, the wiser approach - and a central tenet of "Privacy by Design" - is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data "just 'cuz" doesn't cut ice with consumers anymore.

• Just because a platform gives you the technological capability to do something, doesn't mean it's the right thing for your business or your users. It's a mistake to assume that somebody else - for instance, a mobile operating system provider or a device manufacturer - has thought through the privacy implications. When it comes to your app and your users, the buck stops with you.

• COPPA isn't just for kids' sites. Yes, the rules apply when sites and online services are specifically designed for the under-13 set, but don't be too quick to assume you're not covered. The Rule also imposes legal responsibilities on operators who have actual knowledge they're collecting personal info from kids.

The FTC issued a new Staff Report on Mobile Privacy Disclosure's and a pamphlet for mobile app developers to assist with compliance with the law.

Companies are well advised to have experienced legal counsel review your privacy policies and applications.

See the full FTC Blog post here

Connecticut entrepreneurs need to remain mindful of anachronistic laws. Connecticut businesses used to be able to rely on laws passed in the 1970s, 1980s, and 1990s, but the technology and social media booms of the past ten or so years may cause those laws to be overlooked.

This problem is no more apparent than with the Video Privacy Protection Act (VPPA), 18 U.S.C. 2710. Passed by Congress and signed into law in 1988, the VPPA was an immediate reaction to the events surrounding the Robert Bork Supreme Court nomination.

While Judge Bork was waiting to receive confirmation from the Senate on his eventually unsuccessful nomination, a writer named Michael Dolan came across Judge Bork's video rental information and published it in the Washington D.C. City Paper. Though nothing embarrasing was found in his rental history, a debate over video rental privacy commenced, and the VPPA was passed. In simplest terms, the VPPA made the leaking of video rental history punishable by up to a $2500 fine.

In the midst of digital age of Netflix, Hulu, Facebook, and Twitter, however, action has been taken to reduce the VPPA's power with respect to social media. Ironically coinciding with Judge Bork's recent death on December 19, 2012, a Congressional bill was just passed amending the VPPA to allow social media sharing of Netflix and other video rental records.

On January 10, 2013, President Obama signed H.R. 6671 into law, allowing video rental companies like Netflix to post customer viewing preferences on social networking sites provided they obtain customer consent.

While the VPPA is limited to a specific industry, Connecticut business owners should remain cognizant of potentially outdated laws and should continually ensure their practices are lawful, no matter how technology develops.