Ashley Madison and Standing

August 21, 2015

by Jay Marshall Wolman, CIPP/US

Recently, this blog has published posts on a new Connecticut law and a 7th Circuit ruling on data breach, both of address the issue of standing in class action data breach suits.  Standing, in plain terms, means having a legal right to sue based on an injury to you.  The Sierra Club may have standing to sue for environmental damages because its members are specifically harmed; even if many of those members also belonged to Susan Boyle Fans International, Inc., the fan club would not have standing because the organization as a whole is not harmed.

Actual harm is key.  In many data breach cases, it is hard to show actual harm; identity theft may very well not occur and free credit monitoring eliminates the direct consumer cost.  Thus, a lot of litigation has focused on the right to sue in the event of a data breach.

Now, we have the Ashley Madison hack and data dump.  Ashley Madison, as you may know, is a matchmaking service for adultery.  Unlike prior breaches, the hackers are not merely keeping the information to themselves, but they are releasing information that identifies people, including public figures and federal employees.  Divorces will occur because of the data dump.  This is not a case of “maybe someone will open a credit card in my name”; it is a case of “I have to pay alimony and child support for the foreseeable future”.  Data breach victims now have tangible harm.

Class action attorneys will still litigate questions of typicality and commonality, for not every victim will suffer the same harm.  But class certification is likely, even in such instances.  In the Black Farmers Case, the class was certified even where different class members had widely varying economic losses as a result of allegations of discrimination in USDA loan programs.  The question in this matter will not be whether to certify, then, but rather how to establish class member damages.  Although this is probably the least sympathetic data breach class, it will be one of the best cases.

I should also note that liability seems pretty decent.  In the Neiman Marcus case, the plaintiffs alleged:

negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts.

That case lacked something this case does–an express guarantee.  Take a look:

100% Secure?  Nope.  Completely Anonymous?  Negative.  Their privacy policy states:

Security
We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to “firewalls”, encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.

That just seems to be another broken promise.  Section I of their Terms and Conditions states:

Privacy & Use of Information

Use of the Service is also governed by our Privacy Policy. You agree that by registering a Profile or using our Service you have agreed to our Privacy Statement. You acknowledge that although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages.  Our privacy policy is incorporated into the Terms by this reference.  You agree to release us, our parent, subsidiaries and affiliated entities and ours and their shareholders, officers, directors, employees and agents, successors and assigns from all claims, demands, damages, losses, liabilities of every kind, know and unknown, direct and contingent, disclosed and undisclosed, arising out of or in any way related to the release or use of such information by third parties.  If you are a California resident, you waive California Civil Code Section 1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor.”

This is a pretty weak effort at a release and may well not be enforceable.  Of course, the Terms and Conditions does have a choice of law provision, New York, which is pretty strong in their favor.  It also has a mandatory arbitration clause, though there is a class action waiver and a damages cap of $5,000.  I expect significant litigation over the enforceability of these terms.


Knowing Employee Legal Rights

August 12, 2015

by Jay Marshall Wolman, CIPP/US

Shameless self-promotion: Today, I had the privilege of presenting “Knowing Employee Legal Rights” to a Cornell Alumni Leadership Lunch and Learn along with Prof. David Sherwyn.

Video is here: https://vod.video.cornell.edu/media/Leadership+Lunch+and+Learn+Knowing+Employee+Legal+Rights/1_lymufsk9

Downloadable slideshow here:   

http://alumni.cornell.edu/caco/documents/CornellLunchandLearn-KnowingEmployeeLegalRights.pdf

Enjoy!


And Then a Sensible Dinner

August 4, 2015

by Jay Marshall Wolman, CIPP/US

I was driving home from Philadelphia this past Sunday after a wedding, when I learned about the dietary habits of Attorney Rand Spear.

breakfast

(Something like the Rand Corporation, only smarter.)

The story is nothing new. And, apparently, Mr. Spear holds a trademark in that phrase.  This serves as a reminder that phrases can be trademarked.

Other well-known phrases have been trademarked, e.g., Coke is it! (cancelled).  Some are completely random:  I love what you’ve done with the trash!

A phrase that is trademarked, like a logo, may also enjoy copyright protection.  And the misuse of a trademarked phrase could wind up subjecting a defendant to both copyright and trademark liability.  The defenses might not necessarily be identical and even if one count is thrown out, the other might survive.

For those wondering:  Lawyers may or may not be permitted under state ethics rules and the First Amendment to advertise their gustatory predilections, though the 2nd Circuit’s decision in Alexander v Cahill (cert. denied) is persuasive (Heavy Hitter attorneys prevailed).

It is unclear if Mr. Spear literally or figuratively eats insurances companies for breakfast or any other meal.  Personally, if my last name were “Spear”, I’d be using imagery invoking my name rather than my gut.  Something a bit more fun.

Forgetting, for a second, the outcome of that fight (spoiler alert!!) isn’t that a better lawyer vs insurer image?

Unbowed, Unbent, Unbroken.


We Gettin’ Money, Bank Roll, Supersized: Digesting the 7th Circuit’s Data Breach Ruling

July 28, 2015

by Brent Tuttle, CIPP/US, E*

Recently, the 7th Circuit handed down a ruling in a data breach case that has class action plaintiffs’ attorneys poppin’ bottles. The case is Remijas v. Neiman Marcus Grp., LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015).

Background:

Between July 16, 2013 and October 13, 2013, malware found its way onto the Neiman Marcus computer systems. This potentially exposed 350,000 credit cards, 9,200 of which were known to have been used fraudulently. (The Court of Appeal noted that all 9,200 fraudulent charges were subsequently reimbursed.)

The company discovered this breach January 1, 2014 and publicly disclosed it nine days later. The company offered all customers who shopped at Neiman Marcus between January 2013 and January 2014 one year of free credit monitoring and identity theft protection.

This announcement prompted a number of class action suits spearheaded by four individual plaintiffs who represent 350,000 other customers whose credit card information may have been stolen; the disclosures indicated that social security numbers and other PII had not been exposed. The complaint relies on several theories: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws.

The company moved to dismiss the claim, arguing that the plaintiffs lacked Article III standing, a usually successful procedural tactic in data breach litigation. A litigant with standing to sue must have “suffered [a] concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013). Plaintiffs alleged injuries relating to lost time, money, and aggravation in dealing with the breach, as well as “an increased risk of future fraudulent charges and greater susceptibility to identity theft.” Neiman Marcus at 6. The case was dismissed by the district court, based on the 2013 Supreme Court case Clapper v. Amnesty Int’l USA, which held that allegations of possible future injury are not sufficient.

Seventh Circuit’s Decision:

On July 20, 2015, in a unanimous decision by a three–judge panel, the Seventh Circuit reversed the district court’s decision.  The Seventh Circuit stated “Clapper does not…foreclose any use whatsoever of future injuries.” In Clapper, the Supreme Court decided that Amnesty International did not have standing to challenge the Foreign Intelligence Surveillance Act (FISA) because they could not show that their communications were actually intercepted by the government, but only that such interceptions might have occurred. This was too speculative to establish standing.  However, Clapper left open what is known as the “substantial risk” standard, stating “[o]ur cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper, 133 S. Ct. at 1150 n.5 (2013). The Seventh Circuit ruled that the data breach plaintiffs alleged a sufficient substantial risk of harm.

The Seventh Circuit concluded that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing because there is an ‘objectively reasonably likelihood’ that such an injury with occur.” Neiman Marcus at 9 (citing Clapper, 133 S. Ct. at 1147). Thus, the 350,000 Neiman Marcus customers whose information may have been stolen have standing to sue despite the fact that no real harm may ever come about. Or as Vietnam veteran Walter Sobchak might say, these plaintiffs may move forward based on “…what appears…to be a series of victimless crimes.”

Neiman Marcus represents a significant change in the tide for data breach litigation and as this is the first Court of Appeals to lower the bar for plaintiffs to gain standing, it may very well open up the floodgates elsewhere. This decision has the potential to send not just waves, but tsunamis, through the judicial system (at least within the Seventh Circuit). The ruling handed down in Neiman Marcus via “substantial risk” is distinct from past theories of injury previous courts have relied on dismissing data breach plaintiffs for lack of Article III standing. Past cases (some within the Seventh Circuit) had rejected the “clearly impending” theory of injury. See In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013) (holding “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.”; see also Strautins v. Trustwave Holdings, Inc., No. 12-C-09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); see also Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 468 (D.N.J. 2013).

However beyond the 7th Circuit, at least two cases in the Ninth Circuit have also afforded data breach plaintiffs standing through the substantial risk standard, one of which was cited in the Seventh Circuit’s opinion.  See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014); see also In re: Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 11-md-2258, 2014 WL 223677, at *9 (S.D. Cal. Jan. 21, 2014).

The Seventh Circuit’s justification upon which it placed the above reasoning is questionable. The court states “…it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” That is quite a presumption, is it not? How can anyone truly know the purpose behind a hack or data breach? There may be other purposes, such as causing fear itself, seeking to increase the costs of Neiman Marcus, or simply exploiting a security weakness because it is there.  On remand, would this be a rebuttable presumption relegated to the damages phase of a trial?

Further, one wonders if the facts of the Neiman Marcus case will be extrapolated:  Is there such presumption for the Sony breach? (Coincidentally a suit involving that breach has been allowed to move forward. See Corona v. Sony Pictures Entm’t, Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744 (C.D. Cal. June 15, 2015)). What about the Office of Personnel Management breach? Is it plausible to presume any intent or motive with that incident? The enemies of the U.S. government may have different motives from the enemies of Neiman Marcus.

How about the Ashley Madison hack that was in the headlines earlier last week? Adult Friend Finder earlier this summer? These breaches certainly don’t seem to fit within the Seventh Circuit’s reasoning above. Those may have been primarily targeting the businesses, not the customers.

Another consideration is that hackers might take haystacks of data in order to identify the desirable needles.  Can a court presume that a breach isn’t really targeting a needle as opposed to the entire haystack? And what sort of public policy does this promote by allowing the entire haystack a bite at the apple if it’s unknown whether they were ever actually harmed or the target thereof? The Seventh Circuit’s language in Neiman Marcus may just be a presumption, but it’s going to be an expensive presumption for data breach defendants to bear.

It is further problematic that the Seventh Circuit partially grounded its decision on the basis that “[i]t is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers whom it had contact information and who shopped at their stories between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.” Neiman Marcus at 11. It may be true that Neiman Marcus’s actions are unlikely a result of ephemeral risk. However, the Seventh Circuit ignored the fact that at least one state data breach law requires Neiman Marcus to pay for such services if offered (See Cal. Civ. Code § 1798.82(G)). Furthermore, many laws require that data breach notices provide the victim with information as to where they can obtain free credit reports (See VA. Code Ann. 18.2-186.6; see also Wash. Rev. Code § 42.56.590; see also W. Va. Code § 46A-2A-102.) It is a logical fallacy to conclude that Neiman Marcus’s actions, then, were related to an assessment of risk rather than statutory obligations.

There are other legitimate reasons, beyond risk, why Neiman Marcus would offer such services.  First, it makes for good public relations, to give the appearance their response is proactive.  Second, it typically renders moot the standard plaintiff’s claim that the breach forced them to purchase their own credit monitoring.  However, the Seventh Circuit has challenged that tactic as well.  On remand, the court not so subtly advises the district court to investigate how long stolen data puts consumers at risk (a question they will not find an answer to). It seems this will be used to assert whether the 350,000 potentially harmed customers will need credit monitoring services beyond the twelve months that Neiman Marcus has offered to pay for, something the Seventh Circuit says “easily qualifies as a concrete injury.”

It is troubling that the Seventh Circuit has utilized evidence that Neiman Marcus is taking measures to mitigate any further harm from the breach against them. Customarily, evidence of remedial measures is inadmissible to prove a breach of duty.  Although it may be admissible as proof of harm (or standing), the prejudice may outweigh the probative value.

In sum, there is a “substantial risk” that we’ll see a lot more class action data breach suits getting filed under this new theory. This should make for some interesting developments in the field data breach litigation as most plaintiffs have not previously been able to get around the Article III standing issue. However, it’s hard to say whether the ruling will have a positive net impact on privacy for consumers, or merely just benefit plaintiffs’ attorneys looking for a payday. Legislative changes are also likely to impact the data breach class action landscape.  Two things are almost certain to come out of the Neiman Marcus ruling: OPM is probably getting sued in the Seventh Circuit and it might be a good time to invest in Orville Redenbacher.

__________

*Brent Tuttle is a Summer Associate at Randazza Legal Group


A Federal Pure Bill of Discovery

July 21, 2015

by Jay Marshall Wolman

I read an interesting case over the weekend.  You may recall the case of Heleen Mees allegedly stalking Citigroup chief economist Willem Buiter.  She was charged with five misdemeanor counts after, it seems, an affair with the married Buiter didn’t pan out.  The charges were dropped as part of a deal.  However, the story doesn’t end there.

It seems that, following the criminal process, Ms. Mees intended to sue Mr. Buiter in the Netherlands for defamation.  She filed an application in Federal court in New York, pursuant to 28 U.S.C. § 1782, which allows a district court, “upon the application of any interested person,” to require a person (assuming personal jurisdiction) to “give his testimony or statement or to produce a document or other thing for use in a proceeding in a foreign or international tribunal.” The application was denied, so she appealed to the Second Circuit.

Last week, the Second Circuit issued its decision.  There are two key parts to its holding:

First, an applicant may satisfy the statute’s “for use” requirement even if the discovery she seeks is not necessary for her to succeed in the foreign proceeding. Second, the discovery need not be sought for the purpose of commencing a foreign proceeding in order to be “for use” in that proceeding.

Ms. Mees had not even begun litigation in the Netherlands and it was unclear whether she even needed what she sought to either plead her case or prove it.  Yet, the 2nd Circuit ruled that her application could proceed.  It was remanded to determine whether the discretionary factors under Intel Corp. v. Advanced Micro Devices, Inc., 542 U.S. 241, 259, 124 S.Ct. 2466, 159 L.Ed.2d 355 (2004) were met.  As set forth in that case, the factors are:

   First, when the person from whom discovery is sought is a participant in the foreign proceeding (as Intel is here), the need for §1782(a) aid generally is not as apparent as it ordinarily is when evidence is sought from a nonparticipant in the matter arising abroad. A foreign tribunal has jurisdiction over those appearing before it, and can itself order them to produce evidence….In contrast, nonparticipants in the foreign proceeding may be outside the foreign tribunal’s jurisdictional reach; hence, their evidence, available in the United States, may be unobtainable absent §1782(a) aid. …

   Second, …a court presented with a §1782(a) request may take into account the nature of the foreign tribunal, the character of the proceedings underway abroad, and the receptivity of the foreign government or the court or agency abroad to U. S. federal-court judicial assistance. …Further, the grounds Intel urged for categorical limitations on §1782(a)’s scope may be relevant in determining whether a discovery order should be granted in a particular case. …Specifically, a district court could consider whether the §1782(a) request conceals an attempt to circumvent foreign proof-gathering restrictions or other policies of a foreign country or the United States…. Also, unduly intrusive or burdensome requests may be rejected or trimmed. …[Internal citations omitted]

This case got me thinking.  Normally, to obtain discovery in a case, one must file a lawsuit against a defendant over whom the court has jurisdiction, engage in a Rule 26(F) conference with them, and then propound discovery.  One of the biggest obstacles is when you don’t know who the defendant is.  Take, for example, your standard bittorrent movie download, violating the studio’s copyright.  Let’s assume that actual infringement has occurred and that the studio has the right to pursue the claim.  All the investigation may turn up is the IP address used to download the movie.

One of the problems raised by the defendants is that an IP address, like a telephone number, only tells you the subscriber, not the infringer.  It is as if you only got the license plate number of the car that hit you, not the driver.  In the MVA context, you can frequently sue the driver under a theory of negligent entrustment or vicarious liability and ultimately learn the identity of the motorist.  Unfortunately, those theories might not be available in the copyright context, notwithstanding arguments to the contrary.  So, what is a content creator to do?  Suing the John Doe account holder might get the case thrown out when trying to obtain early discovery if the complaint does not allege facts to suggest John Doe is the infringer, rather than his roommate.

What is needed, then, is a pure bill of discovery.  Some states, such as Connecticut, permit the taking of discovery before commencing an action in its own state courts.  C.G.S. 52-156a.  Florida, though, appears to permit it more broadly.  However, both of those have limitations where the person with the information is either in a different state or if (in Connecticut’s case) the use is for an action in another court.

The Second Circuit effectively determined that a section 1782(a) application can work as a pure bill of discovery.  The caveat, of course, is that the rights holder must be able to contemplate an action against the infringer outside the United States.  Under the Berne Convention, it would seem generally cognizable, assuming a foreign infringer in a signatory country.  Bittorrent swarms not infrequently include actual foreign infringers and domestic infringers using foreign proxies.  Thus, a cognizable claim to pursue these infringers in a foreign court can be alleged; the scope of the discovery, however, need not be limited to them.  Under the Second Circuit’s ruling, the rights holder could pursue discovery from a domestic ISP to identify the account holder and then directly from the account holder to identify the swarm participant, so as to potentially call the participant as a witness in the foreign proceeding that the rights holder never actually has to file. [Of course, it is a good idea to actually file abroad, especially if there is a concern that the 1782(a) application was not filed in good faith.] And, once an actual domestic infringer is identified, there is nothing to preclude bringing a domestic copyright infringement action against that person.

Now to see if anyone thinks this could work.


Updates in Railroad Employee Liability Law

July 17, 2015

by Jay Marshall Wolman

In addition to my usual lawyerly activities, I am also a Vice Chair of the Workers’ Compensation and Employers’ Liability Law Committee of the American Bar Association’s Tort Trial and Insurance Practice Section.  Probably the longest line on my resume.

The Committee’s Spring 2015 Newsletter is out.  I contributed an article on updates on the Federal Employers Liability Act (FELA), 45 U.S.C. sec. 51, et seq.  In short, before general workers’ compensation laws existed, the U.S. Congress established a liability and compensation framework for railroad employees.  That framework continues to govern on-the-job injuries to railroad employees.

Cases continue to develop, both in state and federal courts.  The article highlights four recent developments:

  1. Expert medical opinions on differential etiology (diagnosing the cause of the injury) must meet Daubert requirements.  Shannon Brown v. Burlington Northern Santa Fe Railway Co., 765 F.3d 765 (7th Cir. 2014).
  2. Injured employees cannot recover prejudgment interest for the gap between the verdict and the issuance of the judgment.  Dennis Kinworthy v. Soo Line Railroad Co., 860 N.W. 2d 355 (Minn., Mar. 4, 2015).
  3. Questions of constructive knowledge of defects are Federal substantive questions, requiring that the defendant should have known at a time sufficiently before the incident to have taken preventative or ameliorative measures.  Andrew Spencer v. Norfolk Southern Railway Co., 450 S.W. 3d 507 (Tenn. 2014).
  4. Railways are permitted to introduce statistical evidence  relative to when the injured worker might otherwise have retired.  John Giza v. BNSF Railway Co., 843 N.W. 2d 713 (Iowa 2014).

I highly recommend the other articles, including:

  • A Committee Notice on a proposal dealing with Medicare set-asides in workers’ compensation claims;
  • An article by Matthew Schiff and Kathryn Nadro on how different states (Ohio, Pennsylvania, Louisiana, Illinois, New Jersey & California) handle PTSD and other psychological injuries arising from the .workplace.

If you have an interest in these or other workers’ compensation topics, check out the committee at http://www.ambar.org/tipsworkers .


Problems with Revenge Porn Laws

July 16, 2015

by Jay Marshall Wolman

Revenge porn is bad, and this blog has been active in fighting it.  As a moral matter, it is a pretty easy thing to address.  As a legal matter, it is not.

More and more states have been passing laws against revenge porn.  California, for example, in 2013, added Penal Code Section 647(j)(4),   The meat is in sub-subsection (A), which states:

Any person who intentionally distributes the image of the intimate body part or parts of another identifiable person, or an image of the person depicted engaged in an act of sexual intercourse, sodomy, oral copulation, sexual penetration, or an image of masturbation by the person depicted or in which the person depicted participates, under circumstances in which the persons agree or understand that the image shall remain private, the person distributing the image knows or should know that distribution of the image will cause serious emotional distress, and the person depicted suffers that distress.

There are three exemptions in sub-subsection (D):

  1. The distribution is made in the course of reporting an unlawful activity.
  2. The distribution is made in compliance with a subpoena or other court order for use in a legal proceeding.
  3. The distribution is made in the course of a lawful public proceeding.

California’s law is similar to the model law of the Cyber Civil Rights Initiative, spearheaded by Prof. Mary Anne Franks. A Federal bill is expected to be introduced soon, with Prof. Franks’s involvement.  Although of late I have had some concerns regarding Prof. Franks, we are likely on the same side of opposing revenge porn.

A similar Arizona law was recently put on hold for vagueness.  So, too, do the California and model laws suffer from practical problems, and it is probably the case that, if the Federal bill follows the model, it will be defective.  The problem is that there are many circumstances where it is entirely appropriate to share a picture or video of nudity or a sexual encounter, taken without consent, that does not fit among the exemptions, to wit:

  • A woman suspects her husband is cheating and rigs up a motion activated camera in the bedroom.  She records him in the act and shows her mother to get advice on what to do.  She decides to stay with him.  Two years later he files for divorce and the recording and the fact of sharing with the mother is revealed.  Since her distribution two years earlier was not “in the course” of a public proceeding, she has no defense.
  • A female employee has been harassed by a male supervisor.  On more than one occasion, he has exposed himself to her and started playing with himself.  She sets up a surreptitious recording on her cellphone and brings it to her union representative.  She doesn’t want to file a formal complaint, so the union representative helps her arrange for a transfer.  Notwithstanding the transfer, the harassment continues and she quits.  The supervisor hears through the grapevine that the recording and sharing with the representative was discussed at the unemployment hearing.  The distribution to the union representative was not a proper report of unlawful activity, so she has no defense.
  • An employer suspects employee theft and sets up hidden cameras.  Instead of theft, employee fraternization, violating company policy, is caught.  The supervisor shares the video with the human resources manager.  The employees are notified of the video during exit interviews.  Again, no exemptions apply.
  • A mother installs a nanny cam, suspicious of the new babysitter.  One day, it catches the babysitter with her girlfriend getting intimate while the child naps.  The mother shares it with the father, and the father mentions it while firing her.  No exemptions.
  • A couple decides to make an intimate video.  During the encounter, he gets too aggressive, beyond their normal activities.  She shares it with her therapist, who then mentions it in a later joint therapy session. No exemption applies.

Other scenarios exist as well.  Even sharing photographs of unclothed infants could be deemed unlawful.  In each scenario, there would be the expectation that the encounter, and therefore images thereof, should remain private. And, each of these scenarios might find the law unconstitutional as it prohibits parties from sharing information, the essence of free speech. In the ideal world, there would be no revenge porn, so it wouldn’t matter how well crafted the anti-revenge porn legislation was written.  These are all plausible scenarios based on how people act in reality.

None of these scenarios are the ones that revenge porn activists are addressing.  They are focusing on the run of the mill ex-lover who posts online nude photos or videos sent or taken (with knowledge or without) during the course of the relationship.  Unfortunately, sweeping legislation is frequently overbroad or ill-considered.


Follow

Get every new post delivered to your Inbox.

Join 3,786 other followers