The National Association of Attorneys General requested “immediate action” from Facebook and Instagram for the “dramatic increase in user account takeovers and lockouts” on the social media platforms, said their Tuesday letter to Meta Platforms Chief Legal Officer Jennifer Newstead. The letter came on the same day both platforms experienced disruptions when users weren’t able to log in to their accounts for over two hours. Meta issued a cursory tweet on X Tuesday acknowledging the outage but not giving a reason for it: “We know some people were having trouble accessing our apps earlier. Apologies for any inconvenience this may have caused, and thank you for your patience while our teams worked quickly to resolve!” The Tuesday letter, signed by 41 AGs, cited a “dramatic and persistent spike in complaints in recent years concerning account takeovers that is not only alarming for our constituents but also a substantial drain on our office resources.” In account takeovers, threat actors compromise Facebook and Instagram user accounts and change passwords so the rightful owner can’t access the account, the AGs said. The hackers can then “usurp personal information, read private messages, scam contacts, post publicly, and take other nefarious actions,” the letter said. There’s risk of financial harm to those users who use Facebook Marketplace for their business and those who have credit cards tied to their accounts, it said, referencing complaints of hackers “fraudulently charging thousands of dollars to stored credit cards.” In 2019, the New York Attorney General’s office received 73 account takeover complaints on Meta platforms; the number rose to 783 last year, and in January alone, the office received 128 complaints, it said. 
“While we may not be completely certain of any connection, we note that the increase in complaints occurred around the same time Meta announced a massive layoff of around 11,000 employees in November 2022, which reportedly focused on the 'security and privacy and integrity sector,'” the letter said. The AGs urged Meta to “substantially increase its investment in account takeover mitigation tactics, as well as responding to users whose accounts were taken over.” The AGs “refuse to operate as the customer service representatives of your company,” it said, saying “proper investment in response and mitigation is mandatory." In addition, they requested materials on the number of account takeovers over the past five years; suspected causes of the increase in account takeovers; safeguards in place to prevent account takeovers; current policies and procedures related to Meta’s response to account takeovers; and staffing related to safeguarding the platforms against account takeovers and responding to complaints. A Meta spokesperson emailed Wednesday: "Scammers use every platform available to them and constantly adapt to evade enforcement. We invest heavily in our trained enforcement and review teams and have specialized detection tools to identify compromised accounts and other fraudulent activity." Meta regularly shares tips and tools people can use "to protect themselves, provide a means to report potential violations, work with law enforcement and take legal action," she said. AGs from Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming signed the letter.
The plaintiffs have shown injury and have “more than adequately pled” their data breach claims, said their opposition Tuesday (docket 1:23-cv-01168) in U.S. District Court for Colorado in Denver to Dish Network’s motion to dismiss their consolidated complaint in its entirety. The case involves a February 2023 ransomware attack in which the personally identifiable information (PII) of Dish employees and family members was compromised. Dish employees and their family members have suffered financial, reputational and other cognizable injuries, the opposition said. Some plaintiffs have experienced actual harm with bank accounts opened illegally in their names, were denied jobs or discovered attempts to apply for unemployment in their names, said the filing. It’s not just “theoretical” that plaintiffs’ PII may be misused by criminals, said the opposition: “It already has been -- and the door is wide open now for all of them to experience increased misuse going forward.” Article III standing requires that plaintiffs’ injuries are fairly traceable to the challenged action of the defendant, it said. Plaintiffs “easily satisfy this standard” by alleging the data breach occurred as a result of Dish’s “misconduct,” allowing cybercriminals to access their private information, including Social Security numbers, and that the stolen data was misused, it said. Without Dish’s “misconduct,” the plaintiffs wouldn’t have been harmed, it said. Dish argued that one injury related to a plaintiff’s debit card number being used for unauthorized charges was insufficient because the consolidated amended complaint didn’t provide details about the purchase or that he provided a particular debit card number. “But so what?” said the opposition, saying it’s unnecessary to allege debit card numbers in a pleading.
Dish asserted the plaintiffs haven’t alleged any facts suggesting a future data breach is likely, but it has already been breached once “due to inadequate data security – and it is foreseeable another breach will occur,” the opposition said. Plaintiffs' claim for injunctive relief doesn’t rely solely on past conduct but also relies on protecting their PII still backed up in Dish’s possession, it said. Class members are largely past and current employees of Dish, and the company is obligated, under the Fair Labor Standards Act, to maintain their PII for up to three years, post severance, said the opposition. Without better cybersecurity going forward, class members’ information is “vulnerable to another hack and, if and when it does happen, the results would likely be devastating,” giving plaintiffs standing to seek injunctive relief, it said. Dish concluded it had no duty to protect plaintiffs’ PII, but an employer’s duty to protect employees’ PII has been recognized in circuit courts across the country, it said. Dish argued that a claim for breach fails because it made no representations regarding an agreement to provide data security to plaintiffs, but an express communication regarding the agreement doesn’t need to be made, the opposition said. As a condition of being employed, current and former employees were required to provide their PII to Dish, it said. Dish accepted the PII with the understanding it would take “appropriate steps to safeguard” it; otherwise, plaintiffs would not have provided it, said the filing.
The 9th U.S. Circuit Court of Appeals is considering for an upcoming oral argument calendar in San Francisco in July or August the appeal of six Chrome users against Google, said a text-only docket entry Monday (docket 22-16993). The six plaintiff-appellants seek to reverse a December 2022 district court order granting summary judgment for Google in a class action that alleged Google improperly collects the personal information of users who opt not to sync their browsers to their Google accounts (see 2212290037).
The Feb. 27 decision in the Northern District of California in Massel v. Successfulmatch.com (docket 23-cv-02389) provides supplemental authority to support Indira Falcon’s opposition to TelevisaUnivision Digital’s motion to compel her claims to arbitration, said Falcon’s notice Friday (docket 8:23-cv-02340) in U.S. District Court for Middle Florida in Tampa. Falcon’s class action alleges TelevisaUnivision knowingly violated the Video Privacy Protection Act by embedding the Meta Pixel tool on its website to track users’ video viewing history and then reporting that history to Facebook (see 2310170001). Falcon’s opposition contends that TelevisaUnivision failed to give her and her class members proper “inquiry notice” of its terms and arbitration provision. The judge in Massel found that because the defendant’s links to its terms didn’t appear in a contrasting color, the court must conclude that they weren’t reasonably conspicuous enough to put Massel on notice of the terms and that the plaintiff therefore can’t be said to have assented to them, said Falcon’s notice. “This conclusion is bolstered by the fact that other links on the signup page appear in all capital letters,” while the links to the service agreement and privacy policy are in “title case,” it said. These distinctions “may seem picayune,” but website operators “have ultimate control over their design decisions,” it said. Nothing requires them to present terms as “subtle hyperlinks” to separate pages instead of requiring users to scroll through the actual terms before signing up, it said.
Jessica Carey, who sued Comcast and Citrix in January involving the cloud platform provider’s October data breach (see 2401030066), filed a notice of voluntary dismissal without prejudice Friday (docket 0:24-cv-60008) in U.S. District Court for Southern Florida in Fort Lauderdale. Carey’s negligence class action was one of a dozen named in a January motion before the Judicial Panel on Multidistrict Litigation for transfer to the Eastern District of Pennsylvania in Philadelphia for coordinated or consolidated pretrial proceedings (see 2401120011). Carey's negligence suit alleges she was required to give Comcast her personal information as a condition of receiving internet service, and she has since suffered emotional distress and lost time associated with mitigating the breach's impact.
Publishers Clearing House (PCH) seeks the dismissal of James Camoras’ Dec. 15 class action under Utah’s Notice of Intent to Sell Nonpublic Personal Information Act (NISNPIA) because the statute “explicitly forbids” class actions, said PCH’s motion Friday (docket 4:23-cv-00118) in U.S. District Court for Utah in St. George. Camoras bought a tripod and a book from PCH in December 2022 and February 2023, and he alleges that PCH didn’t notify him that it discloses customers' private purchase information to third parties (see 2312180014). Without Camoras’ class claims, the court doesn’t have jurisdiction over the plaintiff's individual claim, as it’s not sufficient to meet the amount in controversy required by statute, said PCH’s motion. He also has failed to allege the “essential elements” of a claim under NISNPIA, it said. Even if the court did have jurisdiction over this matter, the complaint fails to allege that PCH itself “maintains an office in Utah, which is a required element under NISNPIA,” it said. The complaint also fails to adequately allege that PCH disclosed Camoras’ nonpublic personal information to any third party, it said.
Plaintiffs in two privacy lawsuits vs. Forward Bank voluntarily dismissed their cases without prejudice, said a notice (docket 3:23-cv-00844) Friday in U.S. District Court for Western Wisconsin in Madison. The negligence actions, brought by Matthew Hamilton and Ethan Rohland (docket 3:23-cv-00852), asserted Forward Bank handled their personally identifiable information in a reckless manner during a September data breach (see 2312110012).
Sellers International, the parent company of Quimbee, a website tailored to law students, seeks the dismissal of Isaac Shapiro’s Jan. 4 Video Privacy Protection Act class action for failure to state a claim on which relief may be granted, said its motion Thursday (docket 4:24-cv-00079) in U.S. District Court for Northern California in Oakland. Shapiro alleges Sellers knowingly disclosed his personally identifiable information (PII), including a record of case brief videos he watched on the Quimbee website, without his consent (see 2401110045). He alleges that Quimbee installed the HubSpot tracking code on its website, which tracks and records visitors’ private video consumption. But the plaintiff’s complaint “lacks crucial allegations” to bring a VPPA claim against Quimbee, said the defendant’s memorandum of points and authorities in support of its motion to dismiss. Shapiro fails to allege Quimbee is a videotape service provider under the VPPA, “or that an ordinary person would be able to glean video viewing history from the information allegedly shared with HubSpot,” it said. Quimbee also didn’t disclose any PII, as HubSpot “is merely the tool that Quimbee uses to collect information about Quimbee’s own customers, exclusively for Quimbee’s own use,” it said. If the VPPA is interpreted in the manner that Shapiro “advocates,” the VPPA violates due process and the First Amendment, it said. Shapiro’s California Invasion of Privacy Act claim also fails because Quimbee didn’t “aid or abet its software vendor,” and Shapiro has failed to allege that HubSpot violated the CIPA, it said.
HopSkipDrive should have known it was responsible for protecting plaintiff Tara McIntosh’s and class members' personal information, alleged McIntosh’s data breach negligence class action Thursday (docket 2:24-cv-01676) in U.S. District Court for Central California in Los Angeles. The ride-hailing service waited over three months after being notified of a May 31-June 10 data breach, discovered “one to two months afterward,” to notify McIntosh of the incident, said the complaint. The Spokane, Washington, resident received a letter from HopSkipDrive Nov. 14, notifying her that her personally identifiable information had been improperly accessed, it said.
Meta is violating the EU data protection law by requiring users to pay for ad-free service or consent to the use of their personal data, eight European consumer groups alleged Thursday. Meta didn't immediately comment. The groups, from the Czech Republic, Denmark, Greece, France, Norway, Slovakia, Slovenia and Spain, are European Consumer Organisation (BEUC) members. In complaints filed with their national data protection authorities (DPAs), they charged the tech giant with failing to comply with GDPR principles of fair processing, data minimization and purpose limitation. Moreover, they said Meta has no valid legal basis to justify the massive data sweep it carries out on Facebook and Instagram users because the choice it gives them can't lead to free and informed consent. "Meta has tried time and time again to justify the massive commercial surveillance it places its users under," said BEUC Deputy Director-General Ursula Pachl. "Its unfair 'pay-or-consent' choice is the company's latest effort to legalise its business model." In recent years several DPAs have tried to force Meta to change the legal basis for collecting and processing people's data, and the company's "last resort" is to obtain users' consent for those activities by offering them the choice to either pay to see a supposedly ad-free service or consent to the company's full commercial surveillance with ads, BEUC said. Asked why BEUC didn't file the complaint with the DPA in Ireland, where Meta is headquartered, a spokesperson said the organization wanted to involve national data protection authorities that can then take ownership of the issue when those authorities transfer the matter to the Irish authority. In addition, he said, BEUC wanted to involve its members because they know the procedural rules of their own DPAs and to maximize coverage of the issue to show that it affects all Europeans.