Tag Archives: security

Why be concerned with social media estate planning?

The headline of this recent blog post by the U.S. government promises to answer the question of why you should do some social media estate planning. But the post falls short of providing a compelling reason to plan for how your social media accounts and other digital assets should be handled in the event of your demise. So I’ve come up with my own list of reasons why this might be good both for the individual and for our culture:

Security. People commit identity theft on both the living and the dead. (See, for example, the story of the Tennessee woman who collected her dead aunt’s Social Security checks for 22 years.) While the living can run credit checks and otherwise monitor the use of their personal information, the deceased are not so diligent. Ensuring that the dataset comprising a person’s social media identity is accounted for and monitored should reduce the risk of that information being used nefariously.

Avoiding sad reminders. Spammers have no qualms with commandeering a dead person’s email account. As one Virginia family knows, putting a stop to that form of “harassment” can be painful and inconvenient.

Keeping social media uncluttered. This reason lies more in the public interest than in the interest of the deceased and his or her relatives. The advertising model for social media revenue generation relies on the accuracy and effectiveness of information about the user base. The presence of a bunch of dead peoples’ accounts, which are orphaned, so to speak, dilutes the effectiveness of the other data points in the social graph. So it is a good thing to prune the accounts of the deceased, or otherwise see that they are properly curated.

Preserving our heritage for posterity. Think of the ways you know about your family members that came before you. Stories and oral tradition are generally annotated by photo albums, personal correspondence and other snippets of everyday life. Social media is becoming a preferred substrate for the collection of those snippets. To have that information wander off into the digital ether unaccounted for is to forsake a means of knowing about the past.

How big a deal is this, anyway? This Mashable article commenting on the U.S. government post says that last year about 500,000 Facebook users died. That’s about 0.0006% of the user base. (Incidentally, Facebook users seem much less likely to die than the general population, as 0.007% of the world’s entire population died last year. Go here if you want to do the math yourself.)

I say it’s kind of a big deal, but a deal that’s almost certain to get bigger.

Computer Fraud and Abuse Act case against hard drive destroying director goes forward

Deloitte & Touche LLP v. Carlson, 2011 WL 2923865 (N.D. Ill. July 18, 2011)

Defendant had risen to the level of Director of a large consulting and professional services firm. (There is some irony here – this case involves the destruction of electronic data, and defendant had been in charge of the firm’s security and privacy practice.)

After defendant left the firm to join a competitor, he returned his work-issued laptop with the old hard drive having been replaced by a new blank one. Defendant had destroyed the old hard drive because it had personal data on it such as tax returns and account information.

The firm sued, putting forth a number of claims, including violation of the Computer Fraud and Abuse Act (CFAA). Defendant moved to dismiss for failure to state a claim upon which relief can be granted. The court denied the motion.

Defendant argued that the CFAA claim should fail because plaintiff had not adequately pled that the destruction of the hard drive was done “without authorization.” The court rejected this argument.

The court looked to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) for guidance on the question of whether defendant’s alleged conduct was “without authorization.” Int’l Airport Centers held that an employee acts without authorization as contemplated under the CFAA if he or she breaches a duty of loyalty to the employer prior to the alleged data destruction.

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

Negligence claim allowed in laptop theft case

Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. March 24, 2008)

In 2006, Ruiz applied for a job at the Gap and was required to provide his Social Security number. A vendor hired by the Gap for recruiting stored Ruiz’s information on a laptop which, as luck would have it, was stolen.

Though he was not (at least yet) the victim of identity theft, Ruiz sued the Gap for negligence. The Gap moved for judgment on the pleadings which the court also treated as a motion to dismiss for failure to state a claim. The court denied the motion to dismiss as to negligence (and granted the motion as to claims for bailment, unfair competition and violation of the California constitutional right to privacy). But Ruiz’s standing to bring the claim was tenuous.

The Gap had argued that Ruiz lacked standing. His only alleged harm was that he was at an increased risk for identity theft. The court’s analysis of the Gap’s objection to standing focused on the first element of the Lujan test (Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992)), namely, whether Ruiz’s alleged injury was “concrete and particularized.”

The Ninth Circuit has held for allegations of future harm to confer standing, the threat must be credible, and the plaintiff must show that there is a “significant possibility” that future harm will ensue. The Lujan case (which is the leading Supreme Court authority on standing) essentially creates a “benefit of the doubt” for plaintiffs at the pleading stage — a court is to presume that general allegations embrace those specific allegations that are necessary to show a particularized injury. Ruiz’s general allegations of the threat of future harm were thus sufficient to confer standing.

But the court gave a warning to Ruiz that the threshold of standing does not apply only to pleadings, but is an indispensable part of a plaintiff’s case throughout. In other words, he’ll have to come up with more later to keep the case in court.

So in denying the motion to dismiss the negligence claim, the court incorporated its standing analysis. The only issue on the point of negligence was whether Ruiz had suffered an injury. Ruiz’s general allegations were sufficient.