In a recent lawsuit filed in California against RockYou Inc., it is alleged that the company, a maker of applications meant to be run on social networking websites, failed to take adequate steps to protect consumers' personally identifiable information, in violation of California unfair competition laws. RockYou's applications run on social network sites like Facebook and MySpace, and allow users to share photos, play games, and the like. If a RockYou application is used, paid advertisements are displayed. In order to use a RockYou application, users were required to register at the RockYou website. According to the complaint, RockYou failed to keep the users' passwords and usernames in an encrypted file, making them vulnerable to "reasonably foreseeable" hacker attacks. And, according to the complaint, such attacks did occur, and RockYou was aware that problems with its security had occurred. The complaint also alleged that RockYou violated data breach notification laws, inasmuch as it failed to notify users of the security problems in a timely fashion, and those security problems left users at risk for identity theft. In particular, since many people use their email address as a user name, in combination with a password that is shared across multiple accounts, a hacker who obtained the information from RockYou could then potentially break into the user's email account (which might use the same password). The case is currently pending.
TIP: This case reminds us to examine what types of data we consider to be sufficiently "sensitive" to merit strong protections. In particular, if you do not do so already, when allowing users to register at your site, consider using sufficient measures to protect usernames and passwords against hacker attacks. Failure to do so might be seen as an "unfair practice" giving rise to a state – or federal – cause of action.