At last. The lawyer episode of Supergirl. It is like the writers said, “Hey, let’s talk about hacking, incident response, a reasonable expectation of privacy on work computers, and document review.” Christmas came early for us.
Cat Grant was the victim of a hack that exposed all of her emails. The press naturally started going through her emails, thus prompting an internal investigation in which James Olsen read printouts of her emails. Lawyers are quickly on the scene, taking a lukewarm approach to suing those who published Cat’s information.
Publication of Personal Identifiable Information
There are multiple laws in play with the Cat-Hack. Generally speaking, a data breach is access to, or the use of, or the disclosure of unencrypted personal identifiable information (for a list of state data breach notification laws, check out the National Conference of State Legislatures website). In California, personal identifiable information is defined as follows:
First name or first initial and last name in combination with any one of the following, when either is unencrypted:
Driver’s license or ID card number;
Account number (credit card; debit card + security/access code);
Medical or health insurance information; or
User name to online accounts or email address + password or security question and answer.
Cal. Civ. Code § 1798.81.5 (d).
Cat’s hackers had access to Cat’s banking history, likely her Social Security Number, and possibly her health insurance information. There is no question that the hackers had access to Cat’s personal identifiable information. If news agencies were to publish Cat’s PII, then her lawyers should rain Hell on any publishers for the disclosure of illegally acquired and statutorily protected information.
California has a state constitutional right to privacy. Cal Const, Art. I § 1. Moreover, state law states that every person has “the right of protection…from personal insult, from defamation, and from injury to his personal relations.” Cal Civ Code § 43. As such, when information is given publicity that places a person before the “public in a false light” the wrongdoer can be sued if “(a) The false light in which the other was placed would be highly offensive to a reasonable person, and (b) The actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.” Restatement Second of Torts, section 652E.
Payment history from Cat to a 24-year-old male named Adam Foster would give rise to a false light claim. The publication of such information would be intended to give readers the inference that Cat paid a young male escort. This would be a publication that was “false, defamatory, unprivileged, and has a tendency to injure or cause special damage.” Hawran v. Hixson (2012) 209 Cal.App.4th 256, 277. Damaging Cat’s reputation with the inference that she was paying a young man for an illegal purpose should be enough grounds to successfully sue anyone who published that information. If a publication outright stated Cat paid someone for sex, her attorneys could add a claim for libel per se, because the publication would be claiming Cat committed a crime and impugning her chastity.
The young man in question was Cat’s oldest son from a prior marriage, of whom she lost custody long ago, early in her career. Adam Foster, suddenly subject to public ridicule, would also have his own case against a news agency publishing an innuendo about him and his mother.
James Olsen is a Photojournalist, Not a Document Review Attorney
Reviewing tens of thousands of printed emails on paper is right up there with looking at the sun with binoculars.
People at work averaged sending 121 emails a day in 2014 (The Radicati Group, Inc., Email Statistics Report, 2014-2018). Given Cat’s extremely dedicated work ethic, she likely sent more like 150 emails a day. If the hack covered four years’ worth of email, that would be approximately 219,000 email messages. Assuming a banker’s box holds 3,000 pages, James would need 73 banker’s boxes for all of Cat’s email messages. Moving the boxes would be a job for Supergirl.
Printing that amount of email would not be practical. James Olsen would be living the nightmare many young attorneys face when senior partners say, “Just print the email.” This is great if you want to build a Fortress of Solitude with boxes, but really expensive. Worse yet, it takes data that was searchable and puts it in a non-searchable form (paper).
It would make more sense to export Cat’s email out to a review application. Using search terms, email threading, and data analytics, those conducting the review of Cat’s email could find potentially harmful information far faster than James Olsen reading one email at a time.
Work Email Privacy
Dirk Armstrong did not have a reasonable expectation of privacy in his work emails, especially if CatCo had an Internet usage policy that stated employees did not have an expectation of privacy. TBG Ins. Services Corp. v. Superior Court (2002) 96 Cal.App.4th 443, 451-452.
It is far better that corporate counsel, IT, and HR are involved in an internal investigation to avoid any legal issues. However, it is plausible that Kara had authority as Cat Grant’s Executive Assistant to order the investigation of Armstrong. First, Kara has a significant amount of authority for Cat, so the issue would be if Kara had exercised similar authority before. Second, there was a real concern the corporate attorneys were working with Armstrong, which arguably would have violated their ethical duties to CatCo. Third, we got to see the Scooby Gang pull off a Hogan’s Heroes-style computer heist, which, in the end, I think we all wanted to see anyway.