Facebook Data Dump Likely to Bring Lawsuits

in which Facebook fixed. My guest is Andream, a twition professor, an Associate Dean of Innovation and Technology at Penn State Law. So was this a dump a redump? What exactly was it? So that's an excellent question. And it's still early enough in the investigations around the forensics that will explain to us the events leading up to this most recent identification of large numbers of user personal identifiable information being available

in hat performs. The forensics are really what we need to acquire here because the extent to which this is part of a prior problem, the extent to which this is a new problem, whether things have in fact been corrected at this point, but also to what extent users were notified in accordance with data brenotification obligations. Those are all questions that are going to the contingent um the

specifics of those forensics. Additionally, because we have a complicated regulatory relationship between the FTC and Facebook, the date of knowledge by Facebook, but also what exactly they disclosed to the STC in ten at the point of the second round of consent decrees will be operative in whether potentially the data control law will give rise to basis for a new FTC enforcement action under the twelve consent decree. What will the FTC be investigating and I assume they're

going to investigate yes. So in twelve, the STC and Facebook agreed to a set of terms that included ongoing self supervision obligations and assessments going forward due to some

of facebook prior practices around privacy and data security. So the extent to which those promises that were voluntarily agreed to by Facebook in twelve has been broken for a second time will be on the table for discussions I expect between the FTC and Facebook when the forensics of the particular incidents or maybe more than one incident we don't even know exactly whether it was one set of

leagus or multiple scraping. And it's bound up with some other questions, particularly around the phone numbers, because in Facebook publicly acknowledged that they were using phone numbers that users provided for two factor authentication purposes and security as a functionality enhancement to allow for user look up of other users, and so there was a profuscilist of time around that choice by Facebook to repurpose information that for many users

would have been provided with an expectation of a narrow security related use, but not necessarily a use repurposing for helping other Facebook users find them. So there are a bundle of various practices that will potentially be implicated in these conversations, as well as the context of what was disclosed by Facebook to the SEC at the time of the June Does Facebook know what happened? I would hope so. Um,

but this is the first question. So the issue of the extent of forensic analysis internally and what the company knew when and how much of it was a design choice, how much of it was a well executed incident response, was the point at which they found out about it, or how much of the conduct around this incident was a response that some regulators, for example the EU or Australian regulators may deem to not reflect the expectations that

they have for companies in possession of their residents information. So the details and the forensics here are going to be this positive. So that's a little bit of a wait and see right now. But EU regulators have already

announced that they will be conducting further inquiries. I would expect the FT set of fellow suits in the US, and it's possible that the spec will take a look depending on what the nature of the disclosures were by the company and the relevant tent case statements, because there are securities to exchange Commission guidance documents around disclosure of

security incidents and um. Obviously, public companies have reporting duties around material risks to business and material litigation risks on an ongoing basis under thirty four. Book has made privacy settlements with the FTC twice once in and once in. In light of that, how much credibility do they have when they say they want to protect users privacy? Critics of Facebook have certainly raised that point. UH that in

UH this point in the history of the company. Critics would argue there has been so many sequential problems that there is a broader story potentially being told of a company that is very interested in public face and statements, but not necessarily interested in creating a culture of data

protection and stewardship. And critics haven't founding this alarms since really the UH creation of the company, UH, particularly circa two thousands seven two D they're started to be material modifications and the privacy default and Facebook um, and so there's been a constant UH set of concerns raised by privacy advocates, m consumers as well UM, dating back to the early days of the company. So your point is

well taken. Well state attorneys general look into this, It's entirely possible that state attorneys general will also inquire as

to the specifics of these incidents. State attorneys general would have authority to potentially engage in state love enforcement action under the Mini FTC Acts, meaning the state specific Unfair and Deceptive Trade Practices statutes that are a matter of state law and generally tend to parallel the structure of the FTC Act Section five on the federal level, So it would be entirely unsurprising if some state regulators who already have Facebook in their cross hairs from previous incidents

of data stewardships, UM suboptimal incidents, and the concerns over tech concentration and competition hindrance that are in the ether now both on the state and the federal level, as well as UH formal legal proceedings in some cases against large technology companies. That environment is one of greater regulatory and state attorneys general scrutiny. So I would not at all be surprised if the more tech savvy tech engage to state attorneys general do indeed have some tough questions

on this point. What about class action lawsuits? What kind of class action lawsuits could we see? So depending on the extent to which data Breach no Applications statutes were UH complied with or potentially not fully UH followed, there may be an individual level positive action in the state with more aggressively drafted data breach notifications statutes and Massachusetes being one of the UM California potentially giving rise to

individual level suits. At least some of these cases may end up being class actions, and the jurisdictions that are more friendly to class actions. In particular, the nature of the data that was released will be relevant because some of those data breach notification statutes are contingent in the rights that they grant based on the nature of the information that was disclosed about consumers residing in their states.

So this is another situation where the specifics of the Facebook response at the time that they found out whenever that was, and the extent of the data loss of control and the extent of response, forensic analysis and overall conduct around the incident response will be in play. So I would not be surprised to see class actions UM they are becoming increasingly frequent in parallel situations to this one.

It is also possible that, depending on the nature of the disclosure in the ten K annual reports that I mentioned previously, where Facebook has an obligation under the thirty four Acts file periodic reports with the SEC, if the disclosure did not extend with um adequate specificity and notice in the opinion of securities litigators UH, there is an active securities class action bar. It is possible that we may see class action attempted based on the tent K

disclosures or lack thereof. Particularly if this does result in a new fine from the FTC, the EU or another national regulator. Do the fines effect Facebook at all? Their massive fines but there are just a drop in the bucket compared to what Facebook is worth it makes. This is a critique that has been the topic of discussion, certainly the STCs last fine, which was in the neighborhood of five billion dollars. The approach that the US regulators

take is a more constrained one than European regulators. The amounts of any subsequent finds may be more aggressive under a g d PR based approach because g d p R authorizes sign that are contingent on corporate earnings. So this question of the proper construction of signs in a way to send a message companies is one that that

has been definitely discussed. It's a fair critique if you can, in essence plan and to your business model the amount of the fine and the fine is maturely less than the revenue generated in UH, say a single quarter, then the business incentives UH, some whould argue, are to simply view that fine as the cost of doing business, particularly when you have waivers by enforcers of finding any personal responsibility on the part of officers and directors for oversight failures,

you set up potentially a situation where that kind of cost benefit calculation is more likely, and particularly if a company does tend to have a history of repeating kinds of problems, you may not be some whould argue creating the incentive for an ethical internal self evaluation as to whether the current management structures are optimally calibrated to identify these kinds of problems early enough in the process and

correct them quickly enough. Some of the data sharing decisions that were made internally may have facilitated the aggregation and availability of data that then create a more attractive target for attackers. So, assuming that there was a malicious intrusion, which we don't know, then the way that you build and design your products makes them more or less attractive targets.

And if there was no intrusion, but instead this was the aggressive use of an API or or an interface of other sorts that's designed to share information, for example, allowing for data scraping, then the question again comes back to products design and whether the threat modeling was done in a way that accurately legally modeled the risk down the road in terms of regulatory action and loss of consumer truck arising from problems that may happen because of

the design choices in the way that the products works. And is this data breach particularly problematic in that in the amount of information that was given out on person you know, for example, you mentioned the phone number that's related to two fact authentication. In particular, could that disclosure of the phone number be problematic for consumers depending on whether the consumer volunteers the phone number or limited purpose,

or whether it was a generally shared phone number. Those specifics I think are relevant to regulators determinations business conduct. The question of, say a phone number being published, some consumers would certainly view it as at least a material inconvenience that their phone numbers are now available for public use, potentially leading some consumers to want to change their phone number.

The consequences of sharing a phone number are potentially less direct in some ways than sharing, say birthday or other put a personally and unifiable information that can't be changed. You can change your phone number, but you can't change your birthday. So the nature of the information that is included in these exposed databases will be relevant. The way that the information was shared originally by consumers will be

relevant as a matter of privacy. The extent of security practices, the product design and data stewardship choices as a matter of security will be relevant to the security increase that regulators will undertake. Uh So, you know, again, the specifics here of what exactly happens and which ss of data and how they're integrated will become very relevant. Thanks Andrea. That's Professor Andrea ma Tuition, Associate Dean of Innovation and

Technology at Penn State Law. This week, the Supreme Court denied the US Solicitor General's request to argue in an upcoming case, something the Court has done just three times in the past two decades, but twice now in under a year. Joining me is Bloomberg Law. Supreme Court reporter Kimberly Strawbridge Robinson explain the Solicitor General's role and how this listener general requests to argue in cases where the

government is not a party. Well, the Solicitor General is the federal government's top lawyer at the U s. Supreme Court, and while they do some work in the lower appellate courts as well, really their focus is on the Supreme Court, and they have a really unique place as a litigant. They're they're not only the most frequent litigant in the Supreme Court by far, but they also hold a special

place of trust within the Supreme Court. And the office is sometimes known as the tenth Justice because of that special role. And so we can see that play out in many different ways that the Solicitor General interact with the justices. But one that we noticed recently is when the Solicitor General requests to argue in the case and which is not really a party, but in which there's some kind of federal interests. So this is what it requests argue as a friend of the court rather than

as a party. And do the justices always honor this listener general's request to argue? Well in modern history, yes, there's a forthcoming law review article out that looked at a period of ten years starting in uh, you know, the two thousand and tents that said that when other organizations requested argument time as a friend of the court, the court only granted it, uh, you know, less than half of the time, fourteen out of forty one time.

But when it was the federal government asking they granted it three hundred and eleven, three hundred and twelve times, so basically every time. But that's you know, something that's very small when they deny it, and so it really makes court watchers notice when the justices actually rebuffs a solicitor general in this way. So the solicitor General was delta rejection recently tell us about that, Well, recently the

Justices did just that. They told the Solicitor General, no, thank you, we don't uh want to give you precious argument time in a case about a pellet cost. And it's notable because it is one of these rare times where they were turned away, but also because it's happened twice now in just under a year or something that you know, if you look over three hundred and eleven out of three hundred and twelve time versus something happening twice in one year, you know, that's that's a noticeable

up chick. Of course, it's too small of a sample size to really say that, you know, it's an increasing trend, but it's something to watch for sure. Is there something similar in the two cases that were denied, Well, you know, all we can really do is speculate I've said before um on the show that the Supreme Court, you know, doesn't really explain a lot. It's a very kind of secretive institution. And so it didn't tell us why it turned away the solicitor general here, but we can guess that.

You know, normally the cases where the Solicitor General is seeking to argue as a friend of the court, there's a pretty strong federal interest. And so there was a case earlier this term where we saw a regulated party challenging a state law that's that it was preempted by another federal law. And you can see, you know, the federal interests there and sending, uh, what the federal law means. It is pretty strong, and so the Solicitor General was

allowed to argue in that case. In these other cases, the solicitor general stated interest is is really one as kind of like a general litigant. Um. So one was about jurisdiction and state courts, and this current latest one is about appellate cost and so there really isn't an explanation about how the United States is situated any differently, um than any other litigant would be. So you talked

to several experts, what did they say about this. Do they see it as the courts sending a message to the s G. Well, again, it's too few instances right now to make any generalized terms. I think, you know, with just this, before we had this latest rebuff, you know, there was some speculation that the justices are just going

to do this every once in a while. It's a token measure to remind the Solicitor generals that they don't get to argue as of course, but you know, there is some idea um that perhaps the justices are picking up this practice because the Solicitor General has is really asking to argue in more cases, uh than it ever has before. And so we see them, I think it was last term they were in you know, something like

eighty of the cases. And you know that can really skew the you know, the policy arguments that are put in front of the justices and ultimately the way that they come out. So that's right now a lot of speculation and something to watch. But it could be a signal that the justices are sending to the Solicitor General to kind of be more cautious about when you asked for time. Does giving the Solicitor General time cut into

the time of the other parties who are arguing. It can, but it really depends on a case by case basis. And and so you know, we saw sometimes the solicitor General will be given uh, you know, ten of the thirty minutes that decides that they're arguing on it has to make their argument. In in a case, the same day that they turned away the solicitor general in that appellate cost case, they actually granted the solicitor general ten extra minutes on top of us thirty minutes that the

party who they're supporting has. So it really depends. But yes, typically it does actually take away from the party's time. And you know that's pretty significant when you consider that often the solicitor General they're coming down on the side of that party, but they're making for an argument and putting forth different ways that the justices should decide the case.

In your story, you talk about a case involving California's rule requiring charities to disclose the biggest donors, and in that case, the court is refusing to divide the argument time among the petitioners. So these are actually two cases

that have the same issue, but they involved different parties. UH. And the Supreme Court has consolidated those cases for just one hour of argument since they involved you know, the same legal issues, and the parties had asked if they could divide the time between you know, both sets of petitioners and then give you know, additional time to the respondent, but the Supreme Court notably said no, YouTube petitioners have to decide one attorney to represent both of your arguments.

And at the same time it allowed the Solicitor General to step in as a friend of the court um. So you can see how, you know, there are really small differences between the arguments that the petitioners are making, but that's pretty significant that the justices told them no, they can't have separate time, but at the same time gave extra time to the Solicitor General and has the SGS record in arguments last term, well, the Solicitor General has a pretty good record as a friend of the court.

That was a pretty good record um in general, even including cases whereas a party, you know, the Supreme Court usually takes cases to reverse them, so you don't see a lot of repeat players coming up with a lot of winning streaks at the court. But the Sluicitor General's office did prevail in, you know, more than the cases in which it was a party, But when you look at when it's a friend of the court, those numbers

are really skewed. Last term, it won twenty two of the cases where it weighed in as a friend of the court as opposed to a party, saying, so, you know, that's pretty significant given that you know, they're not really officially a party in the case. Had the justices really lean on what they have to say? There's an acting solicitor general right now, Is there any word about when or who Joe Biden my name as the next listener general. I have been paying sources and I haven't heard any

word on who may be the next solicitor general. The only thing that I really heard from the people that I've talked to is that they think that the acting Solicitor General Solicita's prologar and is doing a great job, and they hope that the Biden administration might actually nominate her to the top spot, something that's not really unheard of. Um that happened with Trump's acting solicitor general. But no, that's just I think speculationist point and the Biden administrations

keeping that s G position. Um, pretty quiet, right. Now, let's turn to a Texas judge who has gotten a lot of attention over the years. Judge Reid O'Connor. First of all, tell us a little bit about him. So, Judge O'Connor is really the go to Republican appointed judge

um for states who want to challenge Democratic administration policies. Um. He's based in Texas, and you know, we've seen Texas really lead a lot of red states, uh, red state coalitions challenging things like Obamacare, challenging immigration policies under Obama and now under Biden. Um. And he's really the judge and his court is really the court where Texas has filed those cases. Now, I want to be clear that this is not something that only red states do. Of course,

blue states do it. Um. It's not just uh, you know, political groups that do it. We see even international plaintiffs seeking to you know, find a plaintiff friendly judge here in the United States. So this idea, what we call form shopping, is not anything specific to this judge. Um, But this is the judge that's really the to judge for challenging democratic policies. And tell us about some a few of the cases that um, he drew a lot

of attention for, particularly the Obamacare decision. That's right. So the Obamacare case, which I'm sure your listeners are familiar with, is one that's actually in front of the Supreme Court right now. It's the case that looks at, you know, kind of a tweak that the Republican led Congress made to the Affordable Care Act, and the argument is that with that tweak, it kind of makes the whole Affordable Care Acts fall apart. And this judge actually agreed with

that argument, struck down the entire Affordable Care Act. And that's the decision that the justices are considering right now. Really, that decision has got a lot of criticism, not just from those on the left, but also those on the right. We people who filed in the original Affordable Care Act case on the side of those challenging UM that acts saying that it was unconstitutional, saying that that ruling now

just really doesn't follow the law, and it's a really outlier. UM. And I think most people expect after oral arguments that the Supreme Court is going to reverse that decision. UM. So it's decisions like that, you know, where we see a lot of criticism on both the right and the left that Judge O'Connor is known for. Explain this tweet, and you know the whole context of this tweet, how it came about. Well, you know, the administrative offices of the U. S. Court, they are kind of the policy

making arm of the judiciary. They often put out, you know, historical information on their tweets and social media sites. They put out a lot of educational information, and they just so fus small clips of Judge O'Connor saying that, you know, a judge's role is simply to interpret the law and if they have any disagreements with public policy, you know, that's not for a judge to say. It's something pretty innocuous, and I think it's something that most people learn about, um,

you know, an elementary of middle school, the role of judges. Um. But it was not well received, given that it was this particular judge making that statement. These tweets don't normally get very many responses, but this did. It did, and with a lot of mockery from academia and those who practice in the federal courts saying, regardless of whether or

not that's true for some judges. That's not particularly credible from Judge O'Connor, you know, whether that's fair or not, or criticism that people can wield at other judges, I think, you know, the point has taken that this particular judge doesn't always follow that rule, and that's something we can see not just in you know, our own personal opinions, but also the times that he's been reversed by the

Supreme Court and higher appellate Court. That's Bloomberg Law Supreme Court reporter Kimberly Strawbridge Robinson and that's it for the edition of the Bloomberg Law Show. Remember you can always the latest legal news by subscribing to our Bloomberg Law podcasts. You can find them on Apple Podcasts, Spotify, and at www dot Bloomberg dot com slash podcast Slash Law. I'm

June Grosso. Thanks so much for listening, and please tune into The Bloomberg Law Show every weeknight at ten pm Eastern right here on Bloomberg Radio.