BreachExchange mailing list archives

Netflix Sued for "Largest Voluntary Privacy Breach To Date"


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 3 Jan 2010 13:01:14 -0500

Netflix Sued for "Largest Voluntary Privacy Breach To Date"
http://stewarttosh.typepad.com/risk-management-news-feed/2010/01/netflix-sued-for-largest-voluntary-privacy-breach-to-date.html

On December 17, 2009, a class action suit was filed against online
movie rental giant, Netflix, Inc., in the United States District Court
for the Northern District of California. Plaintiffs in the suit are
claiming that Netflix has “perpetrated the largest voluntary privacy
breach to date.” According to the Complaint, Netflix knowingly and
voluntarily disclosed the sensitive and personal information of
approximately 480,000 Netflix subscribers when Netflix provided
participants in a contest initiated to improve Netflix’s movie
recommendation systems with data sets containing over 100 million
subscriber movie ratings and preferences. Netflix has claimed that the
data sets provided to the contest participants were anonymized and
that the subscribers’ movie ratings were accompanied only by “a
numeric identifier unique to the subscriber” (as opposed to the
subscriber’s name or other personal information). However, the
complaint cites the results of several researchers who, in fact, were
able to crack Netflix’s anonymization process and identify individual
subscribers.

Plaintiffs argue this disclosure constitutes a severe invasion of their
privacy by Netflix, which violates, among other things, the Video
Privacy Protection Act of 1988 (18 U.S.C. 2710 (2002)). Additionally,
the lead plaintiff in this case, Jane Doe, claims that Netflix’s
disclosure of her movie rental history and ratings has and/or will
“identify or permit inference of her sexual orientation… [which… ]
would negatively affect her ability to pursue her livelihood and
support her family, and would hinder her and her children’s ability to
live peaceful lives within Plaintiff Doe’s community.”

The Video Privacy Protection Act (the “Act”) was originally enacted in
1998 (in response to a public disclosure of a Supreme Court nominee,
Robert Bork’s, video rental history), and, according to the Electronic
Privacy Information Center, while not often invoked, the Act “stands
as one of the strongest protections of consumer privacy against a
specific form of data collection.”

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
