In this series of articles, we examined the challenges plaintiffs historically encountered in bringing privacy and data breach claims, and the recent attempts by plaintiffs’ counsel to overcome these obstacles by casting claims under alternate legal theories. In this final installment we now examine the impact these emerging trends may have on companies and how their own end-user agreements and privacy policies might, unintentionally, create an opening for similar claims.
Similarly, in the LinkedIn data breach case, misrepresentation claims survived based on allegations that plaintiff “purchased her premium subscription on the basis of LinkedIn’s statement that its users’ data will be secured with industry standards and technology, … that the statement was false when she read and relied on it, and … that she would not have made the purchase (or that she would have negotiated for a lower price) but for the misrepresentation.” The court concluded that plaintiff’s alleged injury — the very purchase induced by the misrepresentation — was “fairly traceable to LinkedIn’s conduct because LinkedIn made the misrepresentation ….”
These cases underscore that privacy policies and end-user agreements will be subject to increasingly intense scrutiny in the event of a data breach. Indeed, the language of those agreements may very well become pivotal in determining whether claims survive the pleadings stage. It is for this reason that companies should now examine their existing privacy policies and end-user agreements with a critical eye to determine whether they likewise might be vulnerable to misrepresentation and omission-style claims.
Second, companies should look beyond the language used in written policies and examine the actual practice of the company in providing security. Policy language that is clear and direct may nevertheless become misleading when compared against what the company actually does. If the company does not provide the very same level of security set forth in its written policy, or attempts to provide it by means that differ from those stated in its policy, one can be sure that those differences will be exploited by plaintiffs’ counsel. Therefore, if a careful assessment reveals discrepancies between the written policy and actual practice, companies should either revise the policy to conform as much as possible to their practice, or else revise the practice to conform to the policy.
Third, what is not stated in the company’s privacy policies and end-user agreements is just as important as what is stated explicitly. For instance, in the Sony case, the court found that plaintiffs had sufficiently pled fraud-based “omission” claims under California law. Those claims included allegations that Sony omitted material facts regarding the security of its network, including allegations that it failed to install and maintain firewalls and utilize industry-standard encryption. Any review of policy language, therefore, must include consideration of whether the policy, as written, paints an incomplete picture of the company’s actual capabilities or practices. Again, a candid assessment of the company’s day-to-day operations may reveal that additional disclosures should be made to avoid potentially misleading the consumer.
Fourth, and perhaps most importantly, companies should embark on a deliberate program of auditing written policies on a regular basis. Actual day-to-day operations tend to drift away from the policy over time, or may demonstrate that the language of the policy is unworkable or outdated. In either case, regularly scheduled formal audits may help to identify potential issues and give the company an opportunity to prevent gaps from developing between policy language and actual practice.