Did the Georgia Secretary of State release the social security numbers, driver’s license numbers, and dates of birth of every registered Georgia voter? Those are the allegations first made by putative class representatives, Elise Piper and Yvette Sanders, in a recently filed Fulton County Superior Court lawsuit and confirmed by recent statements by the Secretary of State. For its part, the Secretary of State attributes the data leak to a “clerical error,” which it alleges involved the dissemination of CD-ROMs containing extraneous data to only 12 recipients; it adds that the disks are in the process of being recovered. Piper and Sanders also allege that, despite being on notice of the leak, the state failed to notify the affected voters, or credit reporting agencies, in violation of the Georgia Personal Identity Protection Act of 2007 (GPIPA). Nonetheless, as troubling as the release of this information may be to voters – who may be dubious that the leak has been contained and concerned about the risk of identity theft or fraud – as a legal matter, it is unclear what, if any, remedy is available to plaintiffs.

The Data Leak

Per the complaint, the social security and driver’s license numbers were collected as part of the voter registration process. However, the suit alleges that although the voter registration process only required the last four digits of each voter’s social security number, the Secretary of State nonetheless maintained “each voter’s complete social security and driver’s license number.”

Some voter identification information, such as names and addresses – but not social security and driver’s license numbers – is regularly maintained in a “Voter File” which is routinely provided on CD-ROM to media members and political parties free of charge. The Voter File was also available to the general public for a $500 fee.  However, plaintiffs allege, when the October 2015 Voter File was distributed, it not only contained standard voter identification information but also the social security number, driver’s license number, and date of birth for all 6,184,281 registered Georgia voters.

The Georgia Personal Identity Protection Act

Legally, the type of data released is a distinction with a difference. The GPIPA – like many similar state data breach notification statutes – defines “Personal Information,” in relevant part, as “an individual’s first name or first initial and last name in combination with any one or more of the following data elements” including a “social security number” or “driver’s license number.”  Thus, while the dissemination of the standard Voter File containing voters’ names and addresses alone likely did not constitute a release of protected “personal information,” the alleged release of that information in conjunction with social security and driver’s license numbers could be deemed a breach.

Of course, even if the information was – as it appears to be – “Personal Information,” that is not the end of the inquiry. Other key questions include whether the Georgia Secretary of State is an “information broker or data collector” subject to the Act, whether the release of the information was a “breach of the security of the system” within the meaning of the Act, and whether the state failed to comply with the notice requirements of GPIPA.

Based on what we know, it would appear the answers to the first two questions are “yes.” The GPIPA defines a “data collector” to include state agencies and actors as long as they are not maintaining records “primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.” Assuming the Secretary of State cannot meet any of these exceptions – as seems likely – it is a “data collector.” Likewise, the Act defines “breach of the security of the system” to mean “unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information.” Again, based on the available information, this definition would appear to have been met by the dissemination of the personal information to media and political parties. That said, the Secretary of State may argue that the release of the information to a mere dozen people, followed by prompt efforts to recover the disks and contain the leak, did not jeopardize “the security, confidentiality, or integrity of personal information.” Of course, the fact that plaintiffs’ counsel apparently ended up with one of the disks undermines these arguments.

Turning to the next question,

Once again, Facebook is in the spotlight. On November 9, following the Recommendation 04/2015 of May 13, 2015, issued by the Belgian Data Protection Authority (Belgian DPA) that we mentioned in a previous blog post, a Belgian court sentenced Facebook, under high penalties, to stop profiling data subjects when they simply navigate on third

Draft Kings and Fan Duel, competing daily fantasy sports (DFS) sites, have been vying for attention by flooding the airwaves with a reported 60,000 commercials this year. However, a recent data leak has resulted in less desirable attention from lawmakers, regulators and – most recently – the class action plaintiffs’ bar. (Read more about the class action and related issues after the break.)

Daily Fantasy Sports – A Brief Primer

Before getting to the lawsuit, it’s helpful to understand how DFS work. We’ll use NFL football for our example. Like traditional auction league fantasy football, team “owners” work within a pre-set salary cap to draft the team of NFL players they expect to put up the gaudiest stats. At the end of the contest (typically an NFL weekend), the highest score wins the grand prize, but, depending on the number of participants in the pool and payment structure, many more might also win cash prizes. Contest entry fees range from 25 cents to over $5,000 and prizes can reach seven figures. If this sounds like gambling, it isn’t – legally. At the urging of the NFL, MLB and others, who understood that fantasy sports drove interest in their products, fantasy sports were expressly exempted from the Unlawful Internet Gambling Enforcement Act of 2006 as “games of skill.”

A crucial difference between DFS and traditional fantasy is that in DFS many different teams can own the same player(s). In other words, having Gronk at tight end in week one didn’t separate you from the pack because thousands of other teams also had Gronk. Thus, the key to success in DFS, as explained by a source familiar with the game, is “to differentiate your lineup from the competition with players that have good value but low ownership.”

The Data Leak and the Big Score

Because of the proprietary and valuable nature of the data, DFS sites do not release stats on player popularity until after lineups are “locked.” Thus, managers are left to their own devices to determine player value – with casual owners relying on ESPN and intuition while more sophisticated players employ custom algorithms to set thousands of complementary lineups. However, entering week three of the NFL season, a Draft Kings employee privy to proprietary roster statistics posted that data online before it was supposed to be publicly available – information that could help owners identify potential value players in multimillion-dollar contests. The employee and Draft Kings maintain that the leak was inadvertent.

While the leak alone might not have caused much of a stir, that same week, the same employee came in 2nd in a Fan Duel contest, winning $350,000 – raising skepticism regarding the security and use of valuable and proprietary data. Although Draft Kings and Fan Duel promptly issued a joint press release stating that the employee did not have access to the leaked data at the time he set his Fan Duel lineup, the confluence of events was a wake-up call to consumers and lawmakers that (1) DFS employees were playing on competitors’ sites, (2) DFS employees had access to data that could be used to create an unfair advantage, and (3) this valuable data may not be adequately protected.

As anticipated in our previous discussion of the Ashley Madison data breach litigation, lawyers representing the various putative classes have begun sparring over their preferred venues. The Missouri Jane Doe – who filed the first putative class action – pushed the Judicial Panel on Multidistrict Litigation to consolidate all of the Ashley Madison litigation before

Retail data breaches are multi-victim crimes, with the retailer, consumers and affected third parties all having legitimate claims to “victimhood” – and each left squabbling as the hacker vanishes into the digital ether. Moreover, the most powerless victims – individual consumers – may be foreclosed from class litigation because retailers, banks and credit card companies