• Facebook has reported its discovery that a data broker has been paying application developers to identify user information, and the company has placed some developers on a six-month suspension from its site because of the practice. Some applications on the social-networking site were sending users’ Facebook ID numbers to third-party marketing or data firms in violation of Facebook’s privacy policies. That ID can be used to look up a user’s name and other information on the site and link it to their use of the application. Facebook stated it has reached an agreement with RapLeaf Inc., which it described as “the data broker who came forward to work with us on this situation.” Under the agreement, Rap Leaf agreed to delete all Facebook user IDs in its possession, and also agreed “not to conduct any activities on the Facebook Platform” in the future. Facebook has not identified which developers have been suspended, but noted that they number fewer than a dozen and are small entities. Facebook is developing a mechanism to enable developers who need to share a unique identifier with outside parties, such as content partners, to do so in an anonymous fashion. This new function will be required of all applications by January 1, 2011.
  • The Indiana Attorney General is suing health insurance provider WellPoint Inc. for $300,000 for its failure to timely notify insured persons that their medical records, credit card numbers, and other sensitive information may have been exposed online. State officials say the personal records were exposed for at least 137 days between October 2009 and March 2010. The suit alleges that WellPoint learned of the problem on February 22, 2009, but did not begin notifying customers until June. The insurer previously has stated that 470,000 people might have been affected.
  • Three class action complaints filed recently in Georgia's Fulton County Superior Court allege that Internet service providers (ISPs) Yahoo! Inc., Comcast Corp., and Windstream Corp. violated federal electronic privacy standards by releasing subscriber information in response to subpoenas that were invalid. The lawsuits allege that the ISPs violated the Stored Communications Act and the Wiretap Act by improperly disclosing subscribers’ private data and information to law enforcement. Under those statutes, when a subpoena is served, the subscriber is entitled to notice of the subpoena and have an opportunity to file a motion to quash, according to Joshua A. Millican, attorney for the plaintiffs. The information allegedly released–without notice to the plaintiffs–included the plaintiffs’ names, addresses, phone numbers, birth dates, genders, Social Security numbers, account creation dates, account statuses, email addresses, login IP addresses, and other information. The cases are Sams v. Windstream Corp., No. 2010CV191484 (Ga. Super. Ct.); Sams v. Yahoo! Inc., No. 2010CV191482 (Ga. Super. Ct.), and Losapio v. Comcast Corp., No. 2010CV191107 (Ga. Super. Ct.).