Privacy issues are inherent in almost all facets of a business — from operations, employment, and technology to customer service, contracts, legal and compliance — all with varying degrees of risk. Most companies mitigate risk by standardizing processes and procedures to handle certain common or low-risk situations. This is helpful in streamlining repetitive inquiries that typically have the same or similar answers or action items.
One such area is a company’s response to validly issued subpoenas and warrants. When a U.S. company receives a court-issued subpoena or valid warrant, the process for responding is relatively clear and the risk of disclosing personal information is mitigated by the legal process involved (and further bolstered by the fact that most privacy laws provide exceptions to disclosure of personal information to law enforcement).
However, this process assumes that the law enforcement, or their subpoena or warrant, has valid authority. A new lawsuit against Verizon Communications, Inc. alleges in a North Carolina federal court complaint that the company violated federal privacy law by giving plaintiff’s personal information to an individual she met online and who later stalked and threatened to kill her, arriving at her house with a knife. The complaint alleges that the perpetrator pretended to be a police detective and provided Verizon with a fake search warrant. Although damages, cognizable injury, and even legal standing to bring a claim can be difficult to prove in privacy cases, this case presents unique facts where the victim was at risk of physical harm, and accordingly, could be rewarded significant, tangible damages. M.D., the victim, has brought claims alleging violations of the federal Stored Communications Act, as well as state tort causes of action for intentional and negligent infliction of emotional distress.
The Stored Communications Act prohibits Verizon from “knowingly divulg[ing]” the contents of communications to any person, or “a record or other information pertaining to a subscriber to or customer … to any governmental entity,” subject to certain exceptions, which include validly issued criminal subpoenas (18 U.S.C. § 2702). The harm that allegedly befell M.D. was purportedly caused by the disclosure of her personal information, not necessarily the “contents” of her communications, which might provide Verizon with a defense to the federal charge. It’s not clear on the face of the complaint that the “contents” of any communications were provided, and Verizon did not, in fact, disclose subscriber/customer information to a governmental entity — it disclosed M.D.’s information to her civilian stalker.
M.D.’s negligence claim, on the other hand, might cause Verizon more trouble. Similar to other types of fraud or online scams, the perpetrator’s email did not match any official government email, the “search warrant” was full of misspellings, typos, or other errors, and the judge that presumably signed the warrant was not even a judge in the county in which the “search warrant” was issued — according to the complaint. Damages may be different in this case, but the legal analysis could be analogous to email spoofing/phishing cases: Was Verizon negligent in failing to notice these common hallmarks of a fraud?
Few cases reach the point where courts or fact finders weigh in on the reasonableness of how a business handled spoofed/phishing communications because in the banking context, where these claims most commonly arise, state versions of the Uniform Commercial Code often displace traditional negligence principles. Given the facts and potential damages at issue here, Verizon may settle before the issue is resolved, but the mere filing of the complaint serves to put businesses on notice of yet another avenue by which they might be subject to attack — the phishing subpoena. Businesses should confirm that their policies and procedures are up to date to handle everything criminals throw at them. An ounce of prevention and training, in this case recognition of common fraud signs and verification with law enforcement regarding the subpoena’s validity, might save a business hundreds and thousands of dollars in litigation costs.
