Customer may sue AT&T for breach of privacy

The highly publicised breach of President Obama’s mobile phone records last year raised alarm and renewed debate  as to the level of protection the average citizen has over data privacy breaches involving their mobile phone records.

Verizon employees were found to have  improperly accessed Obama’s phone records, resulting in their employment contracts being terminated.

Information Privacy laws differ from country to country, however as a general principle under data handling laws,  agencies and organisations have obligations  to keep information entrusted to them secure from improper access and disclosure.

Celebrities and other high profile targets have been the subject of relentless attacks and are obviously at higher risk for privacy breaches. However there have been many incidents where damage has been caused to businesses and individuals due to security breaches. Some of these are due to  internal security breaches whilst others have arisen from external threats.

There have been instances reported of business  competitors impersonating other businesses and having their business phones switched off by requesting account cancellation, a form of identity theft.

Mobile phone records and wireless laptops often contain a goldmine of sensitive personal, business and financial data which can be be used by criminals, disgruntled spouses and rival traders, the unauthorised disclosure of which can have an enormous impact on an individual or business.

The higher profile incidents raise broader concerns about how common such breaches are,  and how safe it is to assume that information on a wireless network can ever be completely secured from a range of  security threats.

Kevin Mitnick, former hacker and present Security Consultant, sought damages from AT&T for allowing his wireless account to be breached.  Mitnick had served a jail sentence for  computer hacking. He has  become such a  high-profile target that his own Web-hosting firm Hostedhere.net wouldn’t host Web pages for him anymore,  due to the number of  previous attacks upon his website.

Mitnick claims that his personal information, namely his address, land and mobile phone numbers, email address, instant messenger handles, PIN number and the last four digits of his Social Security number appeared on the web in hacking forums.

Mitnick claims he had  told AT&T of a pending breach however the company  failed to respond,  leading to improper access and disclosure of his personal information.  Instead of investigating how the security breach which  occurred with respect to the $2,000 a month customer, AT&T  elected to cancel Mitnick’s contract.

Mitnick had been a customer of AT&T for a period of ten years and requested damages for the breach of his privacy for the failure to adequately maintain the security of his account information.

AT&T assert that his claims have been investigated fully and were found to have lacked foundation.

Mitnick says this is a tacit admission that  AT&T are  unable or unwilling  to secure the personal information of their customers, and are taking the easy way out by simply terminating their accounts when breaches occur.

Mitnick now proposes to sue AT&T for breach of privacy at common law for failing to adequately protect his personal information. He claims that he called AT&T and asked them to take extra precautions to protect the security of his account, putting them on notice of a potential breach.  Mitnick asked that if someone tried to change his account in any way,   they be required to change the password verbally, not just provide a social security number. Mitnick had experienced a number of attacks upon his account, and had taken a number of measures to counter the attacks, for instance memorising his password, and not disclosing it or recording it.

The incident raises the legal question of what level of safeguards telecommunication companies have to implement to keep their  networks, servers and customer information secure from misuse and unauthorised access, whether by it’s own employees or persons seeking to unlawfully obtain access to customer’s information.

It is an important question given the number of organisations which have been besieged by security breaches and credit card thefts over the years.

AT&T would argue of course that their contract or terms of service state that they have  absolute discretion to terminate a user’s account without notice.  However, even if this is true,  where a user’s rights have been breached prior to the termination of their contract, it is questionable as to whether they could merely avoid any liability for their acts or omissions   prior to such termination.   It would seem an odd result for customers to be required to forfeit any rights they have under the terms of their contract or at law by simply having their account cancelled after the damage was done.

Social engineering scams, employee fraud and negligence are not uncommon in causing privacy breaches. Telecommunication companies have obligations under information privacy legislation and regulations to keep customer information secure by using reasonable safeguards.

The US Federal Trade Commission have developed privacy enforcement programs to make sure companies abide by their promises to consumers regarding their privacy, including taking reasonable measures to secure their personal information.

In Australia the Office of the Privacy Commissioner is responsible for investigating breaches of the National Privacy Principles contained within the Privacy Act 1988 (Cth).  There is legislation and industry codes specific to the telecommunications industry. Consumers can also lodge complaints about providers to the   Telecommunications Industry Ombudsman .

PRIVACY REGULATION IN AUSTRALIA

Privacy regulation has been subject to extensive review in Australia.  The legal regime for protection of privacy in Australia is fragmented and requires harmonisation and standardisation across States and the Commonwealth.

There is a recognised need for privacy rights to be streamlined  to promote uniformity and consistency in the application of standards.  For instance,  there are inconsistencies in the application of privacy laws,  with telecommunication companies  able adhere to a  lower standard of privacy than the principles embodied in the Privacy Act 1988 (Cth).

Providers can elect to be bound by the National Privacy Principles or can develop and be bound by an industry specific privacy code.  Telecommunication companies have obligations to take all reasonable steps to protect a customer’s personal information from misuse and loss and from unauthorised access, modifications or disclosure both under the Privacy Act 1988 and the Telecommunications Act 1997.

In relation to online transactions, a company may stipulate what it believes a reasonable level of encryption is. The important question seems to be how one defines what  ‘reasonable steps’  are in relation to various risks relating to the storage, retention and security in the data handling process.   What  reasonable safeguards or measures does a telecommunications company have to implement in ensuring access to this information is appropriately secured and that staff  are adequately recruited, screened and trained to prevent fraud and misuse?

The recently released Australian Law Reform Commission Report ‘For your Information’ contains a discussion in relation to ‘data security’.   There was widespread support expressed for guidelines to as to what ‘reasonable steps‘ means in the context of the ‘data security‘ principle contained in NPP 4.1.

Neither the Telecommunications Industry Ombudsman or the Privacy Commissioner have the ability to award compensation beyond   certain limits to customers who have suffered privacy violations.

It is recognised by customers that there are  security risks involved in wireless technology and that conversations can be intercepted, although with less ease with respect to digital phones. Encrypted digital communications afford the highest level of security, and there are several digital technologies available such as CDMA,* TDMA,* and GSM.*

Mobile phone records which are not secure pose obvious risks to particular groups of people. These people are left vulnerable by websites trading  mobile phone records for small fees. Despite legal imperatives, companies continue to offer the name and address connected to mobile phone numbers, an individual’s phone number, or a complete record of outgoing and incoming phone calls.

The ease with which a person can obtain this information is disturbing to the majority of the public concerned about privacy, and can be life threatening to persons such as victims of crime or other persons concerned about their personal safety.

Unfortunately there are a myriad of ways unscrupulous people can obtain access to  personal records through commercial vendors who treat information as a commodity to be bought and sold.  Using rudimentary privacy enhancing technologies doesn’t stop either dishonest or negligent employees  from sharing records with online information brokers.

Positive obligations are imposed on organisations to keep  information entrusted to them secure,  and implement safeguards to protect the data they collect and handle. The level of safeguards should be appropriate from a risk management perspective, depending on the likelihood of unauthorised access, and gravity of the consequences an individual may encounter as a result of a violation of their privacy.  Organisations and agencies should be prepared to address physical, computer, network,  personnel and security aspects of privacy.

The issue of security is particularly important in an electronic environment and the onus should be on organisations and agencies to ensure that their databases and electronic transfers or transactions are secure.  Organisations and agencies should have a positive obligation to report breaches which could result in an interference with the privacy of an individual,  financial  loss, or other significant harm.  The obligation should be proportionate to the extent of the breach and the possible harm it could cause.

Tort of Privacy

It is important to distinguish between Information privacy and physical or territorial privacy.

Whatever the merits of Mitnick’s claim against AT&T,  being based in the US ,  he has an entitlement to bring an action pursuant to an independent tort of privacy. The US Courts have created this right from existing actions for breach of confidence, defamation and property law cases.   As in Australia,  there are statutes in the US which purport to protect communications privacy, and the common law has features that protect dimensions of privacy beyond information privacy.

Information privacy is a term that generally applies to privacy of personal data, and regulates the data handling processes of an individual’s personal data by organisations.  It also extends to identification and identity, authentication technologies,  identity theft, the use of digital signatures, and specific aspects of internet privacy.

A comparative analysis of the judicial protection of privacy afforded by different  jurisdictions reveals that the tort of invasion of privacy by the publication of private facts is available in the majority of States in America as well as New Zealand. (See Bradley v Wingnut Films and  P v D [2000] Therefore,  at least  in the United States and New Zealand, the tort of ‘public disclosure of private facts’ ‘enables individuals to pursue a remedy for non-consensual publications of personal information.

Great Britain has also recognised the existence of  privacy rights, although the formulation of privacy rights differs, being acknowledged under the equitable action for breach of confidence. (See Campbell v MGN)  This distinction in the conceptualisation of  privacy rights can be significant when an individual seeks vindication for privacy violations through the Courts.

It is only recently that Australian courts been receptive to recognising a general tort of privacy.  There are only two decisions which have recognised the existence of actionable tort of privacy at common law in Australia.  The first decision is the decision of the District Court of Queensland in Grosse v Purvis , the offending conduct in this case being stalking by the defendant, also a crime under s 359B of the Criminal Code (Qld).

More recently, in a case on appeal to the High Court,  the County Court of Victoria held that the media disclosure of the identity of a rape victim in Australia was a breach of the tort of privacy in respect of disclosure of private facts. Doe v Australian Broadcasting Corporation & Ors [2007] VCC 281. Two ABC journalists subsequently pleaded guilty to breaches of  s4(1A) of the Judicial Proceedings Reports Act 1958 (Vic) which prohibits identification of rape victims.  Doe subsequently sued both the journalists, their Employer and the ABC.  The tort, as framed by the Court, is a narrowly defined one, being confined to the unjustified disclosure of private facts.  The emergent tort of privacy articulated by the County Court in the Doe case could prove to be significant as an alternative avenue for individuals to enforce their privacy rights in specific circumstances.  Privacy threats are increasing with rapidly evolving communication and surveillance technologies and an invasive media industry.

The case of Giller V Procopets includes a discussion as to whether the publication of a videotape of sexual activity involving the plaintiff can give rise to an action for a breach of privacy recognised by Australian law.  The Plaintiff claimed that in distributing the offending videos and threatening to continue to do so, the defendant had engaged in conduct which was intended to degrade and humiliate her.  She claimed damages for the ‘tort of intentional infliction of emotional distress‘.  As stated above, these kinds of claims have been recognised by US Courts.  Maxwell P,   in his judgement in Giller v Procopets,  recognised the need for the development of such a tort in Australian law.

Even in ordinary parlance, there have been perennial problems in defining privacy, which is a nebulous term.  Privacy means different things to different people.  It is a truism to say that privacy is a private matter.

In terms of it’s legal scope,  the tort or privacy in Australia only applies to natural persons, and there is no corporate right to privacy even where a business suffers damage to its reputation.  The legal reasoning  is that, unlike an individual, a corporation isn’t capable of emotional suffering.

There is also a right to prevent the unlawful and arbitrary interference with an individual’s privacy and reputation enshrined in S13 of the Charter of Human Rights and Responsibilities Act 2006. However there is a consensus that this legislation is inadequate in preventing privacy intrusive behaviours.

As stated above there is legislation dealing with information privacy both at the Commonwealth and State level. (eg  in the State of Victoria, the Information Privacy Act 2000 (Vic). and the  Health Records Act 2000 (Vic).) These statutes focus on the protection of  information privacy, with principles regulating the standards for the collection, storage, access and disclosure of private and sensitive information by various agencies and organisations.

There is also legislation  regulating devices which enable different forms of surveillance, including listening devices, optical surveillance devices, tracking devices and data surveillance devices;  Surveillance Devices Act 1999.

The area of privacy law is a complex one in today’s era of communication technologies where advances in information technology facilitate the transmission of  information across national borders with speed and efficiency.

Organisations are increasingly operating  on an international scale and transmitting data across borders. The Privacy Act 1988 (Cth) seeks to regulate transborder data flows through NPP 9, setting out the conditions for the sending of data overseas.  The principles prevent organisations disclosing information to someone in a foreign country unless they are subject to information privacy schemes comparable to the NPPs, or where the individual has consented to such disclosure.

As the internet is now a mainstream source of public information and interaction, there are unique challenges involved in protecting privacy, particularly with the emergence of new tracking technologies and information storage mediums. The principles embodied in the Privacy Act  for example are based on the OECD data protection guidelines which were developed over 30 years ago at a time when personal computers were scarce, and everyday modern day phenomena such as mobile and camera phones were only on the horizon.

The OECD also has issued Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002), which responds to security issues arising from networked information systems.

The principles have already  become outdated due to new technologies such as biometric technology, and the proliferation of surveillance systems, eg Closed Circuit Television, RFID, GPS navigation technologies, and DNA based technologies.

No related posts.

This entry was posted in Privacy and tagged , , , , , . Bookmark the permalink.

45 Responses to Customer may sue AT&T for breach of privacy

  1. Great information! I’ve been looking for something like this for a while now. Thanks!

  2. Hy, I bought this psp 2000 with a pandora battery and custom firmware already on it. But the analoge stick could only move up and down and not left and right (I didnt care because I didnt need it for the games I played :p) For about a month the psp worked fine en this one day he didnt work anymore :s – The green light is always on unless the battery is empty or out the psp. – I cant turn the psp on or of. – I cant see anything on the screen it is just black. – I cant hear anything. Well that are all the details I can think of for now. I hope somebody can help or atleast try to help me.

  3. dmoz says:

    Nothing better than getting what you want from a post, kudos to you for this. OH by the way, feel free to submit your blog to my free web directory. It will boost your visitors and backlinks!

  4. I have been to your blog before. The more I take in, the more I keep coming back! 😉

  5. pacelegal says:

    Thanks. Nice to have people return!

  6. Audrey Bruno says:

    Well, I am quite interest in your domain. If I set up one website using this domain, I can earn 100-200 USD daily. Your domain is really good. If you don’t want to sell this domain, I can cooperate with you on the condition that you share 50% revenue with me. 🙂

  7. pacelegal says:

    Hi P. Butzlaff,

    Certainly, if you find any content just grab it.
    I applaud you on being able to do a website on azimmigrationlaw.org by the way.
    You have to be a very special person to be able to tolerate listening to and trying to assimilate Politicians’ ever changing views on immigration law or as good at mental gymnastics as they are.
    It always seems to be one of the top issues for the electorate and politicians therefore have to be very flexible.
    Having watched the ‘O’Reilly Factor’ and Hannity and Colmes for a while I have some inkling as to what their views might be.

  8. Ovel Inad says:

    If what I ultimately have to offer is half as much as what you now have to offer, I’ll be able to consider it a job well done.

  9. Harlan Iman says:

    Thank you for keeping us updated. I really appreciate it and find all the information very useful.

  10. pacelegal says:

    Firstly, I am not in a position to give you or your friend legal or financial advice, so I’d recommend he seek advice from someone with expertise in the area.

    However my understanding is that a balance transfer credit card allows you to transfer your existing credit card balances and repay them at a much lower rate, sometimes even 0% over a set term. As there is a lot of competition amongst banks I’d imagine that there are a lot of different kinds of low rate balance transfer credit cards available, and your friend is making informed choices based on evaluating annual fees applicable (if any), balance transfer handling fee (if any), low usage and dormancy fees for unused credit cards he has open (if any).

    Maybe you could even ‘make’ money if you think of the excess money you save normally used to pay off your credit card as a future investment. If you can find any investment with a greater return than the promotional rate you are getting. If you have a 0% return for 6 months as an introductory rate on your credit card you could always put that excess money in a cash deposit at 6% for 6 months and get 6% interest?

    I’d imagine he is taking advantage of the introductory advantages, has managed his repayments responsibly before the expiry of the promotional period, is disciplined, and is aware of all the fees mentioned above.

    When you say he HAS 30 credit cards I am assuming that he still hasn’t closed them. One possible downside is that having open credit cards could cause him to be rejected for credit depending on the total limits of all of the credit cards (his credit capacity could be seen by the banks as part of his debt load). The question is what does he do with them? Does he close them altogether? How will this affect his credit history? On the other hand will leaving them open affect his credit history? Of course he isn’t using them at the present time, but each time you apply for a credit card it appears on your file.

    I would recommend a credit history check as people should do it anyway, given the fact that there are a lot of instances where people only become aware of mistakes or incorrect information on their credit history accidentally. Applying multiple times could increase the potential for errors occurring. I don’t know how much information credit bureaus see when they view a credit history. If they only see the applications they could draw adverse inferences based on limited information.

    Identity theft and privacy invasions (spam, unsolicited mail etc) from the regular exchange of data that occurs between financial institutions and their partners. This is one of the problems with opt out based privacy regimes, although even with opt-in breaches of privacy occur.

  11. News2All says:

    shares utilize a great site decent Gives with thanks for the working hard to help me

  12. Hi, found google to your this blog and it appeard funny but after refresh site displayed fine. Just thought id let you know and keep up the good work.

  13. I’m not aware of any books like your idea, but I’m not exactly a librarian. Regardless, you can but your thoughts together for your own benefit as well as others. Quite often our identity could be wrapped up in our careers, when there is really a change there can be emptiness left. Fortunately, it is not to late to fill that void as lengthy as we are nevertheless alive. One of the best methods to get your phone to ring is to dial it very. Just like everything else in existence that is worthwhile it will consider time. Good Luck

  14. pacelegal says:

    Hi, thanks for letting me know. I am surprised you found my site using google as I havn’t done any SEO. I take your point about the rendering of the website. I understand it depends on many things, such as browser and OS used. I suppose a professional website should be concerned with ensuring uniformity but I am really just am amateur.
    Thanks for your encouragement

  15. pacelegal says:

    Hi there, I didn’t exactly plan to build a site like this so it must seem like a strange concept. I suppose a lot of people just enjoy writing although I must admit I enjoy writing fiction and do this elsewhere! I don’t really have a career in this. I am just a disenchanted lawyer who believes that there is a lot of promise for those engaging in e-commerce. There is plenty of information out there along the same lines, assembled in a better way. However I am kind of in between careers at the moment so it is just an additional outlet for me.
    Thanks for your thoughts.

  16. I would like to say, nice webpage. Im not sure if it has been addressed, however when using Firefox I can never get the entire page to load without refreshing alot of times. Could just be my modem.

  17. Thanks for good news!

  18. Although I would’ve wanted if you went into a little bit more detail, I still got the gist of what you intended. I agree with it. It might not be a great idea, but it makes sense. Will definitely come back for more info.

  19. pacelegal says:

    Hi,

    Agree. There is a lot more detail to go into especially with respect to privacy. It is such a vast area. Do you mean with respect to Mitnick’s proposed lawsuit or privacy law in the financial sphere or in general? I don’t think any lawsuit ever transpired, and if I recall there was a bit of skepticism about his claim and a lot made of the fact that he was a former hacker turned ‘security consultant’.

    Appreciate your comments.

  20. Congratulations! You have just won a new feed reader 🙂 .. really nice blog.

  21. easter decor says:

    thanks! very advantageous post!! love the template btw

  22. It seems that the folks at HP are pretty serious about bringing their game to the smart phone industry. With the buyout of Palm already well and done, the time to start focusing on new projects is at hand, and as predicted, HP will need some pretty strong players on their team to keep up with the competition.Former Nokia-MeeGo head Ari Jaaski and Samsung’s Victoria Coleman (who was previously the head of the R&D for the Korean phone maker) are reportedly joining in the ranks of HP’s top ranking officials. Right now, HP has not yet given a public statement regarding their long terms plans for the smart phone industry.But with some rather impressive people on their side, the patents and technologies of Palm (including the famous WebOS), and HP’s long experience in the tech industry, we can expect nothing but some of the best mobile phones ever conceived.

  23. These articles are great, rich contents and a help to me.I expect to see your new content

  24. Legalsounds says:

    I just couldnt leave your website before letting you know that we really enjoyed the quality information you offer to your visitors… Will be back soon to check up on new stuff you post!

  25. admin says:

    Jobdevelopers networking,
    Hewlett-Packard were pretty open that their decision to buy smartphone maker Palm Inc wasn’t to be a contender in the smartphone market. You won’t see the Palm Pre Plus anymore as HP wanted their patent portfolio and touch-oriented webOS. Their plans are to try to use it to connect HP’s consumer devices. They wanted to try to compete with Google Chrome’s OS by using webOS. Mobile developers continued to develop apps for webOS. Microsoft bought patents from Acacia Research Corp. and Access Co. Ltd. a company that acquired PalmSource, the firm behind the Palm operating system back in 2005. So when HP bought Palm they didn’t enquire into the status of these patents and ensure clean ownership. Microsoft recently licensed over 70 smartphone patents from HP (originally acquired through Palm), old PalmSource patents. There are seven unresolved patent cases in the smartphone patent wars. Microsoft just released their Mobile Windows 7 and is trying to take away Android’s advantage in being able to offer a handset with no patent fees or threat of litigation by using open source technology. Microsoft Windows Phone 7is really the only alternative available to the Android open source technology model. If handset makers don’t have access to Apple iOS, RIM Blackberry OS and can’t develop their own OS they are left with only two alternatives, Android or Microsoft Windows 7. The litigation between Microsoft and Motorola this month was therefore interesting when seen in this light. As for OEMs who want to develop their own software Google aren’t interested in this, and have threatened and instituted patent infringement litigation.

  26. admin says:

    Firefox 3.6 is such a slim browser, fastest and most advanced I think, with great features and 5000 add-ons. Support for HTML 5 audio and video support (no plugins required) Windows, Linux & Mac OS X all supported. I’m aware there are some pages that don’t display properly using Gecko based browsers like (Firefox, Opera, K-Meleon etc), but often it is more the result of badly designed sites not the software. I was actually reading a review on K-Melon recently and even though it’s been around since 2000, it was quite impressive. When pageload is slow it is hard to say what the problem could be in the abstract, as it could be potentially anything from your computer’s hard drive speed, internet connection, modem, network, spyware, viruses. I use Firefox and pageload seems fine to me. You can run an internet speed test. I assumed you have tuned up your browser by clearing your cache and have checked out other possibilities.

  27. i m glad to just join here hope i make good friends,learn something and give something back to community !

  28. video says:

    After reading you blog, I thought your articles is great! I am very like your articles. I bookmarked your blog!

  29. gps says:

    hi .. nice posting ..

  30. car navigator says:

    Good posting, thanks a lot!

  31. Interesting thoughts here. I appreciate you taking the time to share them with us all. It’s people like you that make my day 🙂

  32. I usually don’t post in Blogs but yours forced me to, awesome work… lovely

  33. sacramento homes for sale by owner says:

    Interesting information, may I use a part of it in my website?

  34. Web design is an art, I truly enjoy it. When reading posts like these, it makes me go back in time and think about when I started. It is amazing how much new concepts over the years. Great theme, congratulations.

  35. great blog appreciate you sharing this.

  36. Nike Dunk says:

    Nice one, there is actually some very nice points on this write-up some of my contacts will find this worth it, will send them a hyperlink, thanks

  37. Shoppen says:

    A very helpful article, Google is increasingly important in daily life.

  38. Netbook says:

    A very helpful article, Google is increasingly important in daily life.

  39. Hey. Great post… not sure what all the trolls are doing here though.

  40. Hey very nice blog!! Man .. Beautiful .. Amazing .. I will bookmark your blog and take the feeds also…I am happy to find so many useful information here in the post, we need develop more strategies in this regard, thanks for sharing. . . . . .

  41. Randy Veron says:

    Interesting and very very true. Bookmarked.

  42. I just discovered your website on yahoo and see that you have some fantastic thoughts in this post. I appreciate the way you’ve been able to stick so very much believed into a fairly short submit (comparitively) which creates a thoughtful post on your subject. IMHO you have great information without all the filler that most bloggers use just to make their posts look longer. I frequently get frustrated with the major search engines as the results are bland. If you don’t mind I am going to add this post and your weblog to my delicio favorites and look forward to coming back again to read your future posts.

  43. Pingback: Commonwealth Statutory Cause of Action for Serious Invasion Of Privacy | Pace Legal Online Business

Leave a Reply

Your email address will not be published. Required fields are marked *