You may have read about how adultery-oriented website Ashley Madison was hacked and all of its subscriber information posted online. Having seen the negative publicity come out of this data breach, and so many others (including many involving our own government), we wanted to know what a manager’s responsibility is to protect private listener information such as e-mail, telephone numbers and home addresses — information that every radio station collects on a daily basis to build listener databases. We turned to one of our legal experts, John Garziglia.
Radio Ink asks, in this Ashley Madison moment, what should radio broadcasters worry about with listener-supplied data? More importantly, what is a radio station’s liability if it is hacked and its listener-provided data ends up exposed for everyone to see on the Internet?
The Ashley Madison hack has nothing to do with radio, other than the company possibly needing to do some serious public relations enhancements through the purchase of radio advertising. The Ashley Madison data breach is unique in that it involves embarrassment to, as well as the possible financial exposure of, a huge number of people. Radio station listener data, even if posted on the Internet for all to see, for the most part is in a completely different class.
The Ashley Madison hack is revealing in many ways. For those radio personalities reading this, other than being fodder for morning shows, DJs (along with sports and movie stars) may be among the only two classes of our population that are unaffected by the Ashley Madison hack. Air personalities have a request line, after all – all they have to do is be careful of underage callers.
In case you are wondering, the only other class of our population that apparently need not worry about being personally outed by the data hack is women. It is reported that upwards of 90% of Ashley Madison subscribers are men. The remaining subscribers claiming to be women are mostly scammers. But enough on Ashley Madison – let’s talk about guarding data collected in the routine operations of radio stations.
I turned to my partner, Ted Claypoole, who is a renowned data privacy expert and the co-author of “Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights and Protecting Your Family” and “Protecting Your Internet Identity: Are You Naked Online?”, for observations on protection requirements for radio station listener data.
Ted comments that data privacy issues for radio stations are dramatically different depending upon the type of data involved. Assuming a radio station data breach involves credit card data, liability is largely controlled by the various credit card servicing entities, which have strict data security standards.
If a radio station takes credit cards either for advertising payments or for ancillary merchandise and ticket sales, the radio station faces the potential of major fines or even of being cut off by the credit card service company from the continuing ability to accept credit cards. It is a private, rather than a governmental, solution to encourage the integrity of credit card numbers. In addition, state attorneys general and the Federal Trade Commission may also pile onto a station that loses listener financial data.
Turning to other types of listener and personal information a radio station may collect, such as listener names, addresses, email addresses and phone numbers, Ted notes that the United States is regarded as “a banana republic” by much of the rest of the world when it comes to data privacy. In Europe and Canada, data privacy is regarded as a “human right that belongs to you”.
In contrast, the United States has data privacy regulations only for certain industry-vertical data. The industries in which there are strong laws regulating data privacy are those dealing with health, financial services, children, education, and video rentals. All companies, including radio stations, are legally responsible for protecting employee data including Social Security numbers, financial accounts, and health data for employees.
So what are the responsibilities of a radio station for collected listener names, home addresses, phone numbers and email addresses? The radio station’s responsibility, in short, is what a radio station promises it will do with any collected data.
If a radio station makes wide and expansive promises that it will absolutely protect its data no matter what, the radio station, if hacked, may have a significant legal liability. After all, the radio station promised to protect its listeners’ identity and data and did not. A private lawsuit could be brought against the radio station for a data breach.
But, as Ted points out, there is no requirement in the United States for any entity outside of the several industries noted above to make any promises about the collection of data. Ted advises that rather than making broad and possibly unfulfillable promises, radio stations’ privacy statements should read like “a stock prospectus” – with the worst news up front and no sugar-coating of any fact.
Ted notes that almost no listener will completely read a privacy statement and even if one did, the listener is still likely to cough up his or her name and email no matter what is said. So Ted advises that radio stations be completely honest about the use of the data to be collected, even if the station plans to use that data for marketing purposes or sell it to third parties.
If the radio station cannot absolutely protect the data (and no radio station can), then it should simply say that it takes reasonable steps to make the data more secure. If the station intends to transfer listener names and email addresses with any sale of the radio station, it should say so. If the station might possibly use listener names and email addresses in conjunction with advertiser promotions, it should say so.
Be honest and expansive as to how listener names and email addresses are planned to be used and might be used, or misused, in the future. Most importantly, do not offer any guarantees of data protection. A radio station has no obligation to promise to fully protect its listener names and email addresses and it probably should not claim to do so.
Other than possibly the wrath of listeners, assuming that no promises are made to protect the data, there is little a radio station needs to worry about in protecting listener names and email addresses from data hackers. After all, how many of us have been in organizations that send a newsletter or other mass mailing to their hundreds of members by putting the email address of each recipient in the “To:” line for all to see? While this is very, very bad Internet etiquette, it is not unlawful. A radio station that made no promises of data integrity and exposes listener names and email addresses willingly provided to it in a data hack is in no greater jeopardy than the email sender who puts an entire list of email addresses in the email header.