To: XXXX, Managing Counsel Apps & Stuff
From:
Date: XXX
Re: DATA BREACH AND NOTIFICATION OF THE TEST USERS
QUESTIONS PRESENTED
1. Whether there has been a data breach requiring notification under each applicable
federal and state law.
2. The notification requirements under each applicable law where there has been a
breach requiring notification.
BRIEF ANSWER
With regard to whether there has been a data breach requiring notification under
federal or state law, the answer is yes. This is because there has been an unauthorised
acquisition of computerised data that compromises the security, confidentiality, or integrity
of personal information. Further, the data on the stolen laptop is not encrypted, so a
breach of that data is guaranteed.
FACTS
A&S is developing a dating app called Face Swipe. To create a Face Swipe username,
password, and profile, the user must provide an email address and input their basic physical
attributes, including hair color, eye color, weight, and height. The user is then required to
allow the app to create multiple scans of the user’s face via the user’s phone camera. The app
stores these scans and tests all the profile photos uploaded by the user against the scans.
Photos are only approved for profile use if the app’s algorithm determines they accurately
portray the user’s facial features. The app is still in beta testing and has only been released to
a select clientele of 500 test users in each of three North-eastern college cities: Syracuse, NY;
New Brunswick, NJ; and College Park, MD. The app is being offered to the test users for
free, so credit card information and verified names were not collected from the users.
On May 19th, a developer for Face Swipe had his work laptop stolen while commuting to
work. The laptop’s hard drive contains unencrypted files with the user information that he
was utilizing to test and perfect the app’s algorithms. The following user data was on the
laptop: email addresses, physical attributes, user uploaded photos, and Face Swipe face scans.
Usernames and passwords were not on the laptop.
DISCUSSION
Issue 1: Whether there has been a data breach requiring notification under each
applicable federal and state law.
A breach of security is defined as the unauthorised acquisition of computerised data
that compromises the security, confidentiality, or integrity of personal information (6 Del. C.
§ 12B-102). It is not considered a breach of security if the information is encrypted (6 Del. C.
§ 12B-102). However, this safe harbour does not apply if the encrypted data and the
encryption key are breached, and there is a likelihood that the key could be used to unencrypt
the data. The theft of the Face Swipe developer's work laptop thus amounts to a
breach of security, since it creates the possibility of unauthorized access to the data.
Further, the data was not encrypted, which further points to a possible data breach. The
conclusion is thus that there has been a data breach that requires notification under the
applicable federal and state law.
Issue 2: The notification requirements under each applicable law where there has been a
breach requiring notification.
In the event of a breach of security, the person doing business in Delaware who owns
or licenses computerised data that includes personal information about a Delaware resident
must provide notice of the breach without unreasonable delay, but no later than 60 days after
the determination of the breach of security to any Delaware resident whose personal
information is reasonably believed to have been breached, unless a shorter time is required
under federal law, a law enforcement agency determines that notice would impede a criminal
investigation and such agency has requested a delay in notification, or the person required to
give notice could not, through reasonable diligence, identify within 60 days that personal
information of certain residents of Delaware was included in the breach (6 Del. C. § 12B-102).
In such a case, notice must be made as soon as practicable after such determination is
made. If, after an appropriate investigation, the person reasonably determines that the breach
of security is unlikely to result in harm to such an individual (6 Del. C. § 12B-101), no notice
is required. Also, the Delaware Attorney General must be notified if the affected number of
Delaware residents to be notified exceeds 500 (6 Del. C. § 12B-101).
In the present case, a developer of Face Swipe had his work laptop stolen while
commuting to work. The laptop’s hard drive contains unencrypted files with the user
information that he was utilizing to test and perfect the app’s algorithms. The information
included email addresses, physical attributes, user uploaded photos, and Face Swipe face
scans, which fall under the category of private data. This information could put the security
of the 500 test users at risk if it fell into the hands of a malicious third party.
Accordingly, A & S, as the software developer's employer, is bound by 6 Del. C. § 12B-102
to notify the test users without unreasonable delay, within 60 days of determining
that the breach of the data is imminent. However, in the event A & S determines that the
breach of data will not put the security of the test users at risk, then it is not bound to notify
the users.
Moreover, the Computer Security Breaches Law defines ‘personal information’ as a
Delaware resident’s first name or first initial and last name in combination with any of the
following elements, provided that either the name or the data elements are not encrypted:
social security number; driver’s license number or state or federal identification card; account
number or credit or debit card number, in combination with any code, access code, or
password that would allow access to the resident’s financial account; passport number;
username or email address, in combination with a password or security question and answer
that would permit access to an online account; medical history, medical treatment by a
healthcare professional, diagnosis of mental or physical condition by a health care
professional, or deoxyribonucleic acid profile; health insurance policy number, subscriber
identification number, or any other unique identifier used by a health insurer to identify the
person; unique biometric data generated from measurements or analysis of human body
characteristics for authentication purposes; and an individual taxpayer identification number
(6 Del. C. § 12B-101(7)(a)).
In the present case, email addresses, physical attributes, user uploaded photos, and
Face Swipe face scans on the stolen laptop are categorized as personal information which, if
accessed, could put the security of the test users at risk. Thus A & S is obliged to abide by the
requirements of notification by informing the participants of the risk posed by their
information being in the hands of a third party.
CONCLUSION AND RECOMMENDATIONS
The theft of the laptop of one of the developers of the Face Swipe application presents
a high likelihood of a data breach, especially because the data is not encrypted. Thus, in the
future, A & S should enforce the necessary measures to ensure that all data collected from the
public is highly encrypted to prevent unauthorized access of the data. Further, as a privacy
and data protection and security measure, A & S, in the future, should publish a policy
guaranteeing the protection of the personal information of the users of the Face Swipe
application on its website. It should also include the security measures that will be undertaken
in the event of a breach of data (6 Del. C. § 1202C).