Legal Brief: Peeping Tom Reveals Privacy Vulnerabilities
This article originally appeared in the April 2021 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag on Twitter and Security Business magazine on LinkedIn.
Back in Oct. 2018, I wrote about a young couple whose privacy rights were violated when the owner of a summer home they rented used a hidden camera to record the couple in the master bedroom (www.securityinfowatch.com/12430984). That invasion of privacy resulted in a lawsuit against the homeowner and monetary damages awarded to the couple.
As technology has continued to evolve, and live and recorded video has become ubiquitous, individual privacy is at greater risk. Video is powerful, but it also can provide a window into where we have our highest expectation of privacy: the home. These risks were no more evident than in a series of civil and criminal cases which arose in 2020 against ADT.
Multiple Class-Action Lawsuits and Criminal Charges
In May 2020, multiple class-action lawsuits were filed in federal court in Florida against ADT by plaintiffs who alleged that their privacy was breached by a former company employee who secretly and repeatedly accessed streaming video from customers' security cameras, including of minors. The rogue technician allegedly watched videos that depicted naked women and couples engaging in sexual activity inside of their own homes, without the customers' knowledge or consent.
One of these lawsuits was stayed in favor of arbitration on the basis that the ADT contract requires the plaintiff to arbitrate – not litigate – the dispute. The value of a stay in favor of arbitration is that it renders the proceeding private and better protects ADT from the risk of a class action.
However, not all cases can be arbitrated; in fact, another case against ADT is ongoing in federal court, and most of the plaintiff’s claims in that case survived ADT’s motion to dismiss.
Next, the court will have to determine whether a class should be certified. Class certification is the stage of a proposed class action where a court agrees that the action can proceed on behalf of a class of plaintiffs rather than just the plaintiff or plaintiffs that initiated the lawsuit. A class certification is a big deal – because it materially increases the scope of damages that can be imposed on a defendant.
Meanwhile, in October 2020, the technician responsible for these violations was charged criminally in the U.S. District Court for the Northern District of Texas. It did not take him long to admit his guilt. In Jan. 2021, only two months after he was charged, the former employee pleaded guilty – admitting that, for more than four years, he secretly accessed around 200 customer accounts more than 9,600 times without their consent or knowledge.
According to his plea, the former employee admitted that, contrary to company policy, he routinely added his personal email address to customers' ADT Pulse accounts, giving him real-time access to the video feeds from their homes. The breach was discovered when a customer noticed an unauthorized email among addresses that had permission to access the security system. That led to the civil lawsuits and the criminal lawsuit followed.
In April 2020, upon discovering the breach, ADT promptly notified the approximately 220 customers affected. The lawsuits allege, however, that ADT discovered the breaches by luck – not because it had policies in place to prevent such a breach.
Lessons Learned for Service Providers
Full disclosure: I have represented ADT as its legal counsel in the past and was among the lead outside attorneys for ADT’s Protection One division for many years (before its merger with ADT). There is no doubt that ADT regrets that this happened and is working to fix the issue, and I am not commenting on the merits of the lawsuits or whether there is any basis for a class certification against ADT. Instead, I prefer to highlight a few valuable lessons from this unfortunate circumstance – so that your company can ensure that your customer accounts are secure.
No company wants to endure the reputational damage and litigation risk that has been inflicted on ADT by its nefarious former employee. Luckily, as a security business owner, you are not helpless to improve the security of your customer accounts. Here are six policies and methods to find any vulnerabilities and fix them before it is too late:
1. Make account security a priority. Simply, a security company should be good at security.
2. Monitor subscriber accounts. Whenever a new email is added to a customer’s monitoring account, promptly alert the subscriber by text, email or via app.
3. Secure video feeds. Consider using dual-factor authentication or text alerts to promote security of the video feed.
4. Create uniform video deployment policies. Mandate to installing technicians that video cameras are not to be placed in areas where the customer has a heightened expectation of privacy, such as in bedrooms or bathrooms. I realize that these cameras can be moved by the customer after the installation; however, setting a policy from the start reduces the risk that any such choice could be attributed to your technician or company. For my clients, we include a contract provision that indicates that technicians are prohibited from installing cameras in certain areas – this puts the customer on notice of the restriction and promotes the company’s privacy policy.
5. Conduct employee background checks. Most companies already do this, including ADT. In fact, I suspect that ADT did a background check for this rogue employee and that it was clear. While such a check may not have helped in this particular circumstance, background checks nevertheless remain an essential step in the hiring of a security services technician and should be used and updated routinely.
6. Audit your accounts. Nearly every lawsuit that I have handled in the security industry has involved a review of the underlying account records for the subscribers involved in the case. Invariably, I find issues with the account – which could include problems with the subscriber agreement, missing records, irregular data, or inadequate recordation of customer interactions. Had these types of reviews been performed prior to litigation, problems could have been avoided. Lawyers are expensive, but lawsuits are more expensive. Hire counsel to audit your accounts before something bad happens.
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at [email protected].
Timothy J. Pastore, Esq.
Timothy J. Pastore Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, he was an officer and Judge Advocate General (JAG) in the U.S. Air Force and Attorney with the DOJ. [email protected] • (212) 551-7707
Meet Timothy J. Pastore
Timothy J. Pastore, Esq., is the newest columnist to join the Security Business magazine family. He is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department.
Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. As a JAG, in particular, Mr. Pastore was legal counsel to the Air Force Security Forces and Air Force Office of Special Investigations.
Mr. Pastore has represented some of the largest companies in the security industry, including Protection One, Comcast, Charter, Cox, Altice, Mediacom, IASG, CMS and others. He regularly provides counsel on risk management, contracting, operations, licensing, sales practices, etc. Mr. Pastore also has served as lead counsel in courts throughout the country in dozens of litigation matters involving the security industry.
Among other examples, Mr. Pastore led the successful defense at trial of cable giant Comcast in a home invasion case in Seattle, Washington. The case received significant press attention and was heralded by CVN as a top-ten defense verdict.
Mr. Pastore is a graduate of Bucknell University and Boston College Law School.
Reach him at (212) 551-7707 or by e-mail at [email protected].