Carney Bates Finds Niche in Data Security

Carney Bates Finds Niche in Data Security
Allen Carney (Submitted)

Trying to protect your privacy by restricting your internet use is like trying "to opt out of fire," said Hank Bates, a partner in the Little Rock law firm Carney Bates & Pulliam.

The internet as a tool of modern life is now so pervasive — and so essential — that avoiding it is next to impossible.

But almost every digital act performed by consumers involves sharing private data, and consumers may not always fully understand their level of exposure.

In the past four years or so, Carney Bates has focused on legal issues surrounding data security and privacy. Among the high-profile cases it has been a party to are class-action lawsuits against Facebook and Google and cases involving Home Depot, Target and Sony.

Data privacy cases now comprise about 40 percent of Carney Bates' business, said partner Allen Carney.

The firm focuses on three distinct areas of data security, Bates said.

There are data breach cases, when a third party takes data from a company "and therefore the claim is that the company didn't protect your data," he said. The subsequent litigation is "about the company — the defendant — not properly protecting that data." The Home Depot, Target and Sony cases illustrate that area.

Carney Bates & Pulliam has represented financial institutions in several of these data breach cases.

Banks often take the first hit when a retailer's customer data is compromised.

Retailer data breaches harm banks in several ways, Bates said. Reissuing payment or credit cards is "a huge out-of-pocket cost," he said.

Banks also sustain a "huge goodwill hit," because of the inconvenience customers experience when forced to change their payment information. And if financial institutions fail to cancel cards quickly enough after a data breach, they find themselves covering fraud losses.

Data privacy is the second area. These cases, Bates said, are "about the actions of the defendant affirmatively doing something with your data that they weren't transparent about." The Facebook and Google cases illustrate that area.

Although people call that area "data privacy," he said, "I think of it more as ‘data autonomy' because ‘data privacy' makes a lot of people think it's about the company having some sort of [perverse] interest in what you're doing."

But that's not the central issue, Bates said. 

"It's really about autonomy and power, that you control what information people have about you," he said. "When people get information about you and then gather a lot of information about you, they get to a point where they may know you better than you know yourself. And then they start influencing you in ways that you aren't even aware of.

"We see that through changes to people's Facebook feeds, the news you get, the type of advertising you get. And that, over time, gives them power to change you. You lose personal autonomy, and, of course, that can get worse and worse and worse."

In addition, Bates added, "it leads to a concentration of power, so that you get an imbalance of power among certain companies that are getting very, very powerful."

The third area of data security is the marketing of protection from data breaches and theft. In January 2015, the Carney Bates firm brought a class-action case against LifeLock Inc. of Tempe, Arizona, an identify theft protection company, alleging deceptive marketing. That case, filed in federal court in the Northern District of California, was settled last year for $81 million, Bates said.

Fast and Slow

Carney Bates had always done a lot of consumer work — for example, representing credit card holders in cases alleging fraudulent billing by card issuers — and as consumer activity shifted to the internet, the law firm's focus shifted with it.

And then, Bates said, "We started taking a personal interest in the issues, just because we think it's important."

It's also "intellectually engaging and sort of fun," he said. While business and technology are moving at lightning speed, "law moves slow," Bates said. "And law has a lot of catching up to do because you've moved to a new paradigm." 

Law once applied in one context — privacy as it pertains to the mail, for example — must now be applied in a very different context.

"I think the thing that's interesting to me is the huge, unknowing loss of privacy that people suffer on the internet, on their phones," Carney said. "I think the average person does not appreciate that when they download an app on their phone to play a game, for example, that the app developer and then a group of other folks in that stream of commerce are looking at all of their contacts. They note where they are 24 hours a day by looking at their GPS location. They look at their photos. Every photo that's saved — you're giving access to those.

"I think that's what's interesting to us," he said. "Maybe we're old-fashioned privacy advocates, but the idea that you turn over all that private information to persons you don't know is troubling. And in the modern world it's almost impossible to avoid using a cellphone."

Bates agreed, offering an analogy. To not use a mobile phone, he said, is "like being a caveman and saying, ‘You know, that fire thing looks interesting, but it looks dangerous and I'm opting out.'"

And once the phone tracking begins, "then they start tracking you across devices," Bates said. "And it's all these companies you've never heard of that are tracking you on your phone and then they find ways … to track you across your mobile phone, your TV, your laptop" and, if you still have one, your desktop computer.

As people adopt "smart," internet-connected devices in their homes, that tracking will only intensify, he said.

The companies gathering this information fall into a couple of categories, Bates said. "A small subset" is very sophisticated in the information they collect and the ways in which they use it. But a much larger group is collecting the information just because they can and because it "may be worth something someday."

And those companies, Carney said, are susceptible to data breaches as well.

The internet provides enormous convenience to consumers, but, Carney said, he's not sure the average consumer realizes he's trading privacy for convenience. 

Citing cellphone use, he said, "Did you really contemplate that Verizon or AT&T could, if asked, say within 4 meters everywhere you have been … everyone you've sent an email to, every telephone call you'd made, every website you've looked at?"

More On This Story