Holding Websites Liable for False Data
Supreme Court to Take Up Case Involving Search-Engine Firm
Website operators should pay close attention to a case the U.S. Supreme Court has agreed to hear in its next term, which begins in October, involving the search-engine company Spokeo.
In the case known as Spokeo vs. Robins, the high court will decide if websites, search engines and others that amass personal information from public sources could be sued under federal law for publishing inaccurate information, even if the errors do not cause the plaintiff actual harm.
If the Supreme Court should allow such suits, website operators could be held liable for millions if not billions of dollars in damages as well as other costs. A ruling in favor of Robins could mean a lot of work for online organizations. "Companies should prepare to address the increased litigation risks, and improve significantly their practices, operations, designs, monitoring, training, etc., in order to reduce their exposure to errors, and their exposure to litigation," says IT security and privacy lawyer Françoise Gilbert, founder and managing director of the IT Law Group, who is not involved in the case.
The case involves Spokeo, which promotes itself as a "people search engine" that organizes white pages listings, public records and social network information to help individuals safely find and learn about people.
Job Prospects Harmed?
Thomas Robins of Virginia sued Spokeo after he read his online profile that contained numerous mistakes, including incorrectly listing his age and inaccurately stating that he holds a graduate degree, is wealthy and is married with children. When he filed the suit, Robins was unemployed and seeking work, and claimed the incorrect information harmed his job prospects.
The case will be determined on the narrow grounds of whether Robins has standing - simply, the right to sue - under the Fair Credit Reporting Act, or FCRA, which ensures credit reporting agencies don't compile inaccurate information that could threaten an individual's ability to obtain a loan or pass a job-related background check.
"In general, in the case of a lawsuit of this type, the plaintiff must prove that he was injured by the actions of the defendant, that he suffered specific damages," Gilbert says. "In this particular case, the plaintiff could not point to a particular injury. Instead, the plaintiff argued that the fact that the defendant violated the plaintiff's rights under the Fair Credit Reporting Act was sufficient harm for the lawsuit to proceed."
A federal district court ruled against Robins on the grounds that he had not suffered harm from the mistakes in the published search result. The Ninth U.S. Circuit Court of Appeals in San Francisco reversed that ruling, saying Spokeo violated the Fair Credit Reporting Act.
Billions of Dollars at Stake
Because Robins' suit is a class action case that could include thousands of other plaintiffs similarly affected, Spokeo could be liable for billions of dollars in damages, as each violation could cost the company up to $1,000.
Internet firms such as eBay, Facebook, Google and Yahoo side with Spokeo, and contend that if the court rules in favor of Robins "floodgates will open for class action litigation for no injury violations," says Linn Foster Freedman, a lawyer with Robinson and Cole.
A ruling in favor of Robins could clog the courts with similar cases. "Why saddle companies with the threat of huge awards with little benefit to consumers?" asks privacy and IT security lawyer Ronald Raether, a partner at Faruki Ireland & Cox, who, like Freedman, is not involved in the case.
But U.S. Solicitor General Donald Verrilli Jr., representing the Obama administration, sides with Robins. "Public dissemination of inaccurate personal information about the plaintiff is a form of 'concrete harm' that courts have traditionally acted to redress, whether or not the plaintiff can prove some further consequential injury," according to a brief he filed with the Supreme Court.
The Potential Impact
Though the case isn't about a website or search engine per se, it has greater applications to organizations that operate online.
"The fact a website is involved is in line with how data aggregators and other service providers work, but the specific allegations could occur as easily in a paper format, although the likelihood of access by others may be a mitigating factor if paper-based," says Christopher Pierson, general counsel and chief security officer of Viewpost, an online electronics payment service.
Why is this case important to IT security and privacy practitioners? It's a further example of a growing trend in business in which IT security and privacy cannot be segregated from other corporate operations for an enterprise to function effectively. "We are still in the infancy of understanding the best uses of all the information and data being created and available," Raether says.
If Robins prevails, Pierson says chief privacy officers would need to re-examine how their companies vet the accuracy of the reports they receive from credit reporting agencies by establishing controls to mitigate potential errors.
But if the court rules against Robins and in favor of Spokeo, Raether sees Congress potentially examining the issue to address the right of an individual to sue and collect damages. "It is likely that courts and the legislature will lose patience for companies failing to implement sound data security regimes," he says.