E3 data breach that exposed 2,000 journalists' private data puts ESA in legal crosshairs [Update]
The ESA left a list of addresses, phone numbers, and email addresses exposed with no security. Now harassment campaigns have started against some on the list, and the ESA may be legally liable according to experts.
Mike Futter, Sat, 03 Aug 2019 20:18:00
The ESA has provided additional commentary regarding this egregious privacy issue at this year's E3:
“On August 2, the ESA learned that a confidential file containing the contact information of registered E3 2019 media badge holders could be accessed by individuals other than authorized users," an ESA spokesperson told us over email. "The file was located in a password-protected section of the E3 website, which was intended for exhibitors only.
“As soon as we learned of this issue, we took immediate action. We removed the file from the website, we disabled access to the site’s exhibitor portal, and we notified those affected. In addition, we launched a process to locate and remove private and public caches and other publicly-accessible online locations that contained the file.
“In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files were taken down from the third-party site. We also immediately notified those persons impacted. General attendee information was not affected in this situation.
“We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.”
GameDaily was aware during our initial reporting that files were still live on archives, but did not report that to protect those affected. We contacted the relevant parties and the ESA at the time. We can independently confirm that documents are no longer accessible through standard archives.
The ESA has participated in a mass doxing of more than 2,000 journalists and content creators that attended E3 2019. The organization, which runs the annual E3 event in Los Angeles, is also the industry’s key lobbying body and represents many of the largest publishers.
As part of its work around E3, the ESA collects contact information (including mailing addresses, phone numbers, and email addresses) from journalists and content creators hoping to cover the event. That information is then distributed to exhibitors to facilitate meeting scheduling for the event itself.
Rather than protect the information, the ESA left it available as an Excel spreadsheet that could be downloaded by anyone who had the direct URL; no login was required to fetch the file. In response to our inquiry, an ESA spokesperson provided a brief statement.
“ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,” the organization told GameDaily via email. “Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”
The organization also sent an email to the more than 2,000 individuals affected by the leak.
“The Entertainment Software Association (ESA) was made aware yesterday of a website vulnerability on the exhibitor portal section of the E3 website. Unfortunately, a vulnerability was exploited and that list became public. We regret this happened and are sorry.
“We provide ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website.
“Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again.”
What the ESA is calling a “website vulnerability” amounts to negligence. No one broke into the ESA’s website to steal this information. Rather, the file was simply uploaded to a fixed URL with no access check on the file itself, and laid bare for anyone who had the link to find and use for unintended purposes.
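To make the distinction concrete, here is an added illustration of the failure mode described above, written for this article and not taken from the E3 exhibitor portal (we do not know how that site was built). The first handler reproduces the pattern: the portal landing page demands a session, but the spreadsheet it links to sits at a fixed path that the file handler serves to anyone. The second handler checks the session on every path under the portal and marks the file uncacheable, which is what keeps copies out of third-party caches and archives. The account, paths, and sample rows are all constructed for the example.

```python
"""
Added example, not the ESA's code. Models a portal where the login wall
protects only the landing page (vulnerable) versus one that protects every
resource under the portal and tells caches not to keep the file (hardened).
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample rows, the shape of a media list; no real attendee data.
MEDIA_LIST_CSV = (
    "name,outlet,email,phone,address\n"
    "A. Reporter,Example Gazette,a.reporter@example.com,555-0100,1 Example St\n"
)
# Hypothetical path; the real portal's file URL is not known.
FILE_PATH = "/exhibitor/files/media_list_2019.csv"

# Server-side session store: random token -> role.
SESSIONS: Dict[str, str] = {}


def login(username: str, password: str) -> Optional[str]:
    """Hypothetical exhibitor credential check; returns a session token or None."""
    # Single constructed account. Production code would verify a password hash.
    ok = hmac.compare_digest(username, "exhibitor") and hmac.compare_digest(
        password, "correct horse"
    )
    if not ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = "exhibitor"
    return token


def _role(cookie: Optional[str]) -> Optional[str]:
    return SESSIONS.get(cookie) if cookie else None


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


PORTAL_HTML = f'<a href="{FILE_PATH}">Media list</a>'


def vulnerable_app(path: str, cookie: Optional[str] = None) -> Response:
    """Landing page is gated; the file it links to is served to anyone."""
    if path == "/exhibitor/":
        if _role(cookie) != "exhibitor":
            return Response(302, {"Location": "/login"})
        return Response(200, {"Content-Type": "text/html"}, PORTAL_HTML)
    if path == FILE_PATH:
        # Static-file handler: no session check, default (cacheable) headers.
        return Response(200, {"Content-Type": "text/csv"}, MEDIA_LIST_CSV)
    return Response(404)


def hardened_app(path: str, cookie: Optional[str] = None) -> Response:
    """Every path under /exhibitor/ needs a valid session; file is uncacheable."""
    if path.startswith("/exhibitor/") and _role(cookie) != "exhibitor":
        return Response(302, {"Location": "/login"})
    if path == "/exhibitor/":
        return Response(200, {"Content-Type": "text/html"}, PORTAL_HTML)
    if path == FILE_PATH:
        headers = {
            "Content-Type": "text/csv",
            "Content-Disposition": "attachment",
            # Keep the file out of shared caches, proxies and archive crawlers.
            "Cache-Control": "no-store, private",
            "X-Robots-Tag": "noindex, noarchive",
        }
        return Response(200, headers, MEDIA_LIST_CSV)
    return Response(404)


def audit(app: Callable[..., Response], paths: List[str]) -> List[str]:
    """Defender's check: which paths return content with no session at all?"""
    return [p for p in paths if app(p, None).status == 200]


if __name__ == "__main__":
    targets = ["/exhibitor/", FILE_PATH]
    print("vulnerable leaks:", audit(vulnerable_app, targets))  # [FILE_PATH]
    print("hardened leaks:  ", audit(hardened_app, targets))    # []
```

The `audit` helper is the test worth running against any portal that hands out a "protected" download: fetch every linked resource with no cookie and see which ones still answer 200. The landing page passing that check says nothing about the files behind it.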
The ESA is careful not to use the word “breach” in its public statements about the matter, but that doesn’t mean a breach hasn’t taken place. Attorney Stephen McArthur, founder of The McArthur Law Firm (who also goes by “The Video Game Lawyer”) told GameDaily that the law will likely view this issue as a breach.
“The difference between a vulnerability and a breach is that a vulnerability is just the potential for a breach,” he explained. “They are basically saying, ‘There existed the opportunity for someone to... access the data, but there is no evidence anyone did that’. So, they would be saying there is no evidence anyone that was unauthorized ever actually visited the leak and viewed the data.”
As we know, there is a mountain of evidence that this data (which was intended for media credentialing and to facilitate meeting scheduling) was accessed on the ESA’s website by those who were never intended to receive it. In the age of internet harassment, especially around entertainment reporting and criticism, the lobbying organization has handed bad actors a resource for harassing those they dislike. The list is already circulating in hate-filled message boards after an individual widely shared the existence of the list before ensuring it could not be accessed, with evidence that it’s already being used for that purpose. As of publication, the ESA has not patched every hole.
The ESA also collects other information from those seeking media credentials. The organization requires that anyone hoping for press access email a copy of their driver’s license. The ESA declined to comment on the record about how that information is handled.
As for information included in this list, the ESA also hasn’t explained why it needs to provide mailing addresses to PR representatives for the purposes of meeting scheduling. All of that communication is handled via email and, in rare instances, by phone.
As a result of this incident, the ESA could find itself the subject of civil lawsuits, according to attorney Sarah Wesley Wheaton of Odin Law & Media. The distribution of the list across sites known to harbor harassers may create legal liability for the lobbying group, but not at the federal level.
“Federal law has not caught up to this common sense ‘you know about it, disclose it’ approach in many sectors, and the FTC only has the authority to find liability in sectors such as financial, healthcare, children, education, and government,” Wheaton told GameDaily. “The FTC could [potentially] bring an enforcement action through their authority to protect consumers against unfair and deceptive practices, but this is also unlikely. There has never been a successful case against a company for failing to impose strict enough login credentials and I assume similar reasoning will apply [here]. While there weren't any login credentials in ESA's case, because the personal information seems mostly limited to names and addresses and did not include social security information or other embarrassing personal information, the lack of encrypted spreadsheets would likely not be considered unfair by the FTC.
“Any potential liability is likely going to be on a state level and depend on each state's civil, criminal and data protection laws. If there is state liability, it will likely arise if a state allows invasion of privacy lawsuits. There will not likely be liability from the doxing itself, as the ESA obtained this information legally and did not post it with nefarious intentions to embarrass and harass.”
However, given that reports and evidence of harassment have surfaced since the leak was made public, the courts may be persuaded to treat this matter seriously.
“Actual death threats and harassment would increase the likelihood of individual civil actions being filed on a state-level and a court agreeing the case has merit as the harm is not speculative,” Wheaton explained. “Again, liability is going to mostly depend on the state’s tort laws and tort law in general has not caught up to the non-tangible harm of the digital age. For example, while most states allow for recovery for negligent infliction of emotional distress, many of these states require a physicality element such as the plaintiff was ‘in the zone of danger’ and physically harmed in some way or that physical symptoms accompanied their emotional distress at being threatened.”
Civil law is not often simple, and this case is no different. The merits of the incident and each potential case would need to be weighed independently. Opinions in the legal community differ, and McArthur believes that a class action lawsuit might be entertained given the harassment that has emerged from it.
“The ESA will almost certainly be hit with a class action lawsuit before the end of the month for failure to exercise reasonable care over the data,” he said. “This is a comparatively small data breach relative to others that have been in the news lately, but exigent circumstances regarding various internet trolls and the class of people whose data was leaked—game journalists—could cause this to be more damaging than the average breach. The ESA is also legally required to formally notify the California Attorney General of this breach, who may launch their own investigation into it.”
Shaq Katikala, privacy counsel for noted industry firm Morrison Rothman, also believes that a class action suit might be appropriate given the documented harm the breach has already caused. In a lengthy Twitter thread (edited for clarity below), he detailed his opinion.
"The E3 data breach is one of the strongest cases I've seen for a class action involving location data. Data breach class actions are usually hard to bring, but this involves some unique circumstances," Katikala said. "Most breach cases get dismissed because it's hard to show concrete harm. But with E3, the failure to safeguard home addresses predictably resulted in journalists getting death threats and having to take efforts to protect their physical safety. It highlights the sensitive nature of location data and the fact that they are journalists greatly exacerbates the dangers. I've always advocated for strong protections of location, especially home addresses, as this data tangibly puts lives and sometimes national security at risk. It would be a case to plant important precedent.
"That said, it's still very hard to bring these cases for a number of procedural reasons, harder to win. And with only 2,000 affected, it would essentially be pro bono for a firm to take it on, especially if it didn't settle early. We'll see what happens. There's always the chance of regulators coming after E3 but don't hold your breath. Either way, the victims should save copies of death threats and receipts of any costs associated with this breach just in case. Companies should take this as a chance to make sure their security fundamentals are in order. Post-CCPA—the California Consumer Privacy Act, which goes into effect next year—a 2,000-person data breach could be $1.5 million in statutory damages. It's time to stop messing around."
The perspective from US-based lawyers doesn’t factor in the EU’s recent General Data Protection Regulation (GDPR). GDPR covers a much wider swath of personal information, including names and addresses. Given that the ESA collected information from EU citizens, some of whom appear on that list, it may find itself slapped with a fine.
“The GDPR does not require businesses to be infallible and immune to attacks,” Peter Lewin of UK law firm Purewal and Partners told GameDaily. “It does however require businesses to have in place reasonable and proportionate security measures and processes to protect any data they hold. To be fair to the ESA, details of exactly how this data was stored and could be accessed are still unclear. If however reports are correct that E3 attendee data was simply being stored in an open spreadsheet which anyone with a link could access, this would not look good for the ESA. A data breach occurs where a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. Where a serious data breach occurs, the data controller must notify both the individuals concerned and the relevant EU data protection authority. Failure to do so promptly can lead to larger fines.”
Lewin pointed out that GDPR fines can amount to €20 million or 4% of annual worldwide turnover, whichever is greater. According to the ESA’s 2018 IRS form 990 filing, the organization’s net revenue amounted to $35.1 million, so 4% would be well below the fixed figure, leaving it exposed to the €20 million ($22.2 million) penalty if a data protection authority decides to pursue the matter. However, given that the ESA does not have an EU presence, enforcement of GDPR penalties may be difficult.
“The number of individuals affected, the type of information leaked and the appropriateness of the security measures in place at the time of a breach are some of the factors that would be taken into account,” he explained. “All of this said, it’s still unclear how—if at all—the GDPR would practically be enforced against an entity without an EU-headquarters like the ESA. This represents one of the significant limitations of GDPR. Also, evidence suggests that data protection authorities are being bombarded with complaints and can often only investigate the biggest and most serious incidents due to resource constraints.”
For Canadians affected by this breach, things may not be so cut and dried. Of the 2,025 individuals on the list, 90 registered with a Canadian mailing address. GameDaily spoke with Ryan J. Black, co-chair of video games and esports at McMillan LLP, for more information on how that country's law handles a privacy violation of this nature.
"We don't have something quite like the GDPR and nothing like what California is going to have in the CCPA," Black said. "We've had legislation in Canada since about 2004—privacy legislation that's both federal and broad-based. Much like the GDPR, Canada's privacy legislation is broad-based. It protects all personal information. It doesn't have penalties like the GDPR does, though. It's very principles-based. For example, one of the organizing principles around our legislation is that you have to have reasonable and appropriate safeguards to protect the personal information against unintentional loss. That is intentionally very broad. They don't define it. You just have to do what people reasonably do to protect it."
Black explained that Canada and many of the provinces have privacy commissioners that investigate breaches, report on them, and issue findings. Fines, however, are strictly limited to cases when a company fails to alert the government of a breach. There are no punitive damages at this point for failing to protect personal information. That doesn't mean there isn't recourse, though.
"What happens instead is that people go to court and sue on a class-action basis, much like they do in the U.S., for invasion of privacy or loss," Black said. "Normally what happens if there are enough Canadians involved in a data breach, then there will be parallel litigation in Canada."
The bad news is that the 90 people affected might not be enough to pique the interest of the privacy commissioners.
"I think that for a breach of this size, it's going to be very difficult," Black explained. "I also think that there is going to be a percentage of people on that list who used business information and not personal information. The subset keeps getting smaller and smaller of who might be affected. I'm not sure this something the privacy commissioners would get interested in."
Of course, the nature of the leak and the affected parties may sway the commissioners. Journalists, especially in the entertainment space, are often subject to harassment. There have already been numerous documented threats and harassing phone calls resulting from the ESA's failure to protect this data.
The ESA has had its share of woes even before this, with a long lapse in leadership and an exposé by Variety that exposed an organization in disarray. The group appointed former Viacom senior vice president and associate general counsel for intellectual property Stanley Pierre-Louis as its new CEO in May. While some hoped that Pierre-Louis would help right the ship, this incident has created immense unease throughout the industry.
The ESA has failed to address some of the core concerns posed by those affected. How did this happen? How will the organization specifically take steps to ensure this doesn’t occur in the future? And what steps will the lobbying group take to rebuild trust, as journalists and content creators look toward E3 2020 with the knowledge that the ESA failed to properly manage sensitive data?
Unless the ESA fully takes ownership of its failure, transparently commits with specific action items, and works to engage those affected in a meaningful way, this incident won’t be soon forgotten. As E3 continues to struggle in its metamorphosis from trade show to consumer event, this is one more shadow hanging over a show that has in many ways lost its luster.
This story was updated on August 5, 2019, to include additional commentary.