By Hayes Hunt and Jillian Thornton
You are general counsel to a company, and your CEO steps into your office, clutching his iPhone in one hand and wiping sweat from his brow with the other, and tells you that a compromising photograph of him was stolen from his phone and posted online. You start thinking not if, but when, shareholders will discover this embarrassment, how much it will cost the company and what legal action to take.
Unfortunately, such incidents are becoming more common in this digital age, a fact highlighted by the recent leak of stolen nude celebrity photographs. A few weeks ago, hackers uploaded nude photos of several dozen female celebrities to the Internet. Allegedly, the leak was made possible by software designed for use by law enforcement to pull data from iPhones in conjunction with a tool that can crack Apple iCloud passwords. With this method, hackers can impersonate a victim’s iPhone and download its full backup of data. That means a lot of personal—and possibly embarrassing or even incriminating—information can be spread across the globe via the Internet. While hackers employing this type of computer crime frequently seem to target popular celebrities, hackers have and will continue to victimize “normal” people as well.
Due to the pace at which technology advances, the deliberate cadence of the law does not match technology’s pace. However, some legal options are available to those whose personal data has been stolen by hackers and then published on the Internet.
Without a doubt, the most important thing to remember when facing a potential hacker leak online is to act quickly. The quicker the response, the better the result. The Internet seems to move at the speed of light, but a fast response can help to limit the damage.
The next step is to contact local law enforcement to report the theft. Cybercrime can be difficult to investigate and prosecute because the information can be stolen in one jurisdiction and then uploaded to servers in another jurisdiction, depriving local authorities of the right to prosecute. Nevertheless, your local law enforcement agency is obligated to take a formal report and refer you to other agencies that can help.
Another group to contact is the Internet Crime Complaint Center (IC3), which is a partnership between the FBI and the National White Collar Crime Center. The IC3 will evaluate your complaint and refer it to the appropriate law enforcement or regulatory agency that has jurisdiction. Complaints can be filed online at http://www.ic3.gov/default.aspx.
Your employee will also need to change the passwords for all of his or her online accounts to prevent further exploitations. You should hire an external investigator who has experience with and understands computer forensics and investigations. It is essential to save the evidence related to your complaint.
After taking these immediate steps to report the cybercrime that occurred, the options to contain the damage to your employee and company become more varied.
One method that has resulted in successfully quelling the spread of stolen celebrity photos is taking advantage of copyright laws. For instance, a hacker stole photos of Scarlett Johansson that she had taken herself and were stored on her cellphone. Her attorneys registered the photographs with the U.S. Copyright Office with Johansson as the copyright owner. The attorneys then sent takedown notices to Internet service providers and websites, claiming that the publication of the photos was copyright infringement.
There are some limitations to this avenue. First, it may be impossible to remove a widely circulated image from every unauthorized location, especially if viewers save the image to a personal storage device, but acting quickly can curb additional broadcasting of the image. Second, if the photos were taken by someone else, and not your employee, then your employee cannot claim copyright ownership. Fortunately (or not, depending on your perspective), selfies have become commonplace. In fact, the majority of all naked pictures found on “revenge porn” sites (websites where people post personal naked photos without the subject’s consent) are selfies. Most people, then, will have the ability to claim copyright ownership. Money damages may be available as well. Accordingly, demanding that ISPs and websites take down the image or else face liability for copyright infringement is probably the most effective legal remedy in an attorney’s arsenal.
A victim of hacking can also claim a violation of his or her right to privacy. Unlike the celebrities mentioned above, your typical CEO, director or officer of a corporation would not be considered to be a public figure with limited privacy rights. The right to privacy can be invaded by unreasonable intrusion upon the seclusion of another, appropriation of another’s name or likeness, unreasonable publicity given to another’s private life or publicity that unreasonably places another in a false light before the public. With regard to wrongful appropriation, the victim would need to show that the stolen image was used in a way that the victim does not approve or did not intend, such as unlawful commercial use of an image.
If, however, your CEO is considered a public figure, then he or she can make a claim for right of publicity, which is a public figure’s right to control all commercial uses of his or her image. This type of claim may be vulnerable to a First Amendment challenge, however.
Don’t think about going after Apple, though. In the United States, there is no overarching law requiring technology companies to keep consumers’ data secure, unless they are operating in a regulated sector, such as health or finance. Additionally, technology companies often force their consumers to waive liability by agreeing to complicated privacy policies and end-user license agreements. It is possible that soon these laws will change and make companies like Apple more vulnerable to security breach suits. Action by the aforementioned celebrities, for example, could change the tide. But in the meantime, taking action against websites and ISPs is the most predictable route.
Of course, the best offense is a good defense. Preventing leaks of embarrassing information or confidential data is much easier. Therefore, it is imperative that all companies have comprehensive social media, technology and confidentiality policies, and that employees understand and follow them. And for the most essential and visible members of your corporation, emphasize an obvious but seemingly ignored rule: Don’t take or send compromising photographs of yourself. Even if you trust the person to whom you send the photos, their phone or computer could also be stolen or hacked.
Unfortunately, current law devalues the privacy of people, celebrities and non-celebrities alike. However, you can minimize the likelihood and the consequences of a hacking leak.
Originally published in The Legal Intelligencer on September 17, 2014.