How can your data use get you in trouble?

One area where developers can gain from the expertise of an attorney on their team is in understanding the nature of privacy actions (lawsuits, investigations, and settlements) that result from breaches of privacy. An attorney’s understanding of how those legal actions tend to arise, and of how they are brought to resolution, is useful information for a developer.

By way of summary, and in layman’s terms for general use, breaches tend to occur in the following scenarios:

  • You use data in a way you’re not allowed to
  • You use data in a way you didn’t say you were going to
  • You violated the data subject’s rights (e.g. you didn’t let the data subject know what you intended to do with the data, or you did not provide them access to their data [if required by law])
  • You didn’t protect the data
  • You did any of the above repeatedly
  • You took few or no steps to mitigate the damage

Researchers and developers alike may ask, “but what is the outcome if a breach does occur?” As always in the legal field, the answer is, “it depends”. Privacy actions can be sorted into general categories, including:

  1. Regulatory investigations (like HHS/OCR for HIPAA) resulting in enforcement
  2. Individual lawsuits
  3. Class action lawsuits

The outcome of these actions is varied but in recent history has included the following:

  1. $17M USD in payments to customers whose health information (including HIV status) was visible through the windows of mailed envelopes (Aetna)
  2. Payment of $2.3M USD in regulatory fines after patient health information was illegally obtained by an unauthorized third party (21st Century Oncology)
  3. Enhanced privacy notices, increased app security, and deletion of the questionable data points collected by a Canadian sex toy company that had secretly been collecting and transmitting highly sensitive information about consumers without their knowledge or consent (We-Vibe)
  4. The requirement for a connected toy company to implement a comprehensive data security program and to undergo a third-party audit every two years (VTech Electronics)
  5. The requirement that Google allow users to delete information about them when they can show good cause for such deletion, created after a Spanish citizen sued Google for making documents about his prior financial struggles readily accessible in search results. Google had to create a mechanism for data deletion and hire staff to review such requests; it received over 12,000 requests on the first day of the service, 31 May 2014. (This right is only available for EU subjects as of 26 Jan 2018; it will apply to all data collected on subjects in the European Union as of 25 May 2018.) (Google)