A jury verdict on Nov. 6, 2024, for the plaintiff in a case involving claims of violation of Texas Penal Code provides valuable lessons for the collection, use and storage of data.
Case Background
In Angelyn A. Olson et al. v. The Consilio LLC, et al. filed in Tarrant County, Texas, plaintiff Angelyn Olson alleged that she was involved in other litigation during which an e-discovery service provider (Consilio) was engaged to collect her personal emails. In that other litigation, the plaintiff had agreed to a collection of her emails from her personal email account that were responsive to certain search terms. The plaintiff alleged her lawyer had stressed that the search terms should be applied at the point of collection, rather than after a full collection of her email account. Instead, the plaintiff alleged Consilio downloaded all of her emails (34,000 files) and then applied the search terms. The plaintiff further alleged she had sensitive information in her emails, including "emails with medical providers, attorney-client privileged information, social security numbers, and other private information." As a result, the plaintiff asserted claims against Consilio and its representative for invasion of privacy and harmful access by a computer in violation of Texas Penal Code Title 7, Section 33.02(a) by knowingly accessing data and a computer without consent, among other claims. The plaintiff alleged that the basis for bringing a claim for harmful access by computer in violation of the Texas Penal Code is that the Texas Civil Practice and Remedies Code "provides a corresponding civil action, under which a [p]laintiff[] can bring suit for actual damages and attorney's fees when…the conduct constituting the violation was committed knowingly or intentionally." Tex. Civ. Prac. & Rem. § 143.002. The plaintiff also asserted a negligence per se claim under the same section of the Texas Penal Code. In an amended petition, the plaintiff further alleged spoliation of evidence by Consilio when it allegedly destroyed or overwrote some of the data it had downloaded from the plaintiff's email account after receiving notice of its overcollection of emails.
On Nov. 6, 2024, a Fort Worth jury returned a verdict in favor of the plaintiff as to certain causes of action, including a finding that Consilio "knowingly access[ed] a computer, computer network, or computer system without effective consent." The jury awarded $50,000 in damages for mental anguish (in the past and in the future) and medical care expenses that the plaintiff would likely incur in the future.
Case Takeaways
There are several lessons to be learned from this case.
- Criminal laws apply to the misuse or unauthorized access of data. Under the Texas criminal statute cited by the plaintiff, Texas Penal Code Title 7, Section 33.02(a), if a person "knowingly accesses a computer, computer network, or computer system without the effective consent of the owner," they commit an offense under the code. Another example of a Texas criminal statute that can apply to the misuse or unauthorized use of data is Texas Penal Code Title 7, Section 32.51, where it is an offense if a person, "with the intent to harm or defraud another, obtains, possesses, transfers, or uses…identifying information of another person without the other person's consent or effective consent."
- The importance of the need for strict controls with service providers. This case involved an e-discovery service provider that was hired to collect and store specific data. Instead, the e-discovery firm, according to the plaintiff, went beyond the limited scope that was agreed to. When engaging any service provider, including an e-discovery provider, it is important to include contractual limitations on their ability to collect, use and store data, as well as an obligation to protect the data (including from inadvertent destruction) and the right to oversee/audit their services.
- Consider data minimization and data segregation. This case is a reminder for businesses to consider data minimization and data segregation as a general matter. Because, as this unfortunate oversight with respect to an individual's data exemplifies, it is not only cyberattacks that can trigger litigation but also permitted access that may lead to overcollection and improper disclosure.
- It is not just what is historically considered "sensitive" data that needs to be protected. This case is also a reminder that it is not only Social Security numbers and other typically protected data elements that matter. While the plaintiff in the subject case contended that her emails contained Social Security numbers, health information and other sensitive information about her and her family, the plaintiff also alleged the overcollection of her data generally. Under the criminal statute on which the negligence per se claim was based, improper access had consequences regardless of the data elements/types involved. In addition, the Federal Trade Commission (FTC) (and various state laws) have begun to expand what the law will consider to be "sensitive," especially for purposes of regulatory actions. For example, see a 2024 FTC Technology Blog that discusses three enforcement actions relating to the collection and mishandling of re-identifiable browsing history and location data, which, without more, would not typically be considered sensitive.