Peloton Failed to Protect User Privacy, Physical Safety


Hours after it finally agreed to recall unsafe treadmills, Peloton admitted to a data breach, and to an insufficient first fix, that exposed millions of accounts.

An information security consultant identified a flaw in Peloton’s online system that allowed anyone, even without logging in, to access information about all users.

Such information includes data such as age, weight, and preferred workout location.

A user’s privacy setting did not prevent this mass access. When Peloton became aware of the problem, it restricted the lookup to logged-in users. But the same information was still available to anyone with a username and password, regardless of whose profile it was. After a public chastisement, Peloton corrected the problem.
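The three states described above (open to anyone, then login required but any profile readable, then a proper ownership and privacy check) can be shown side by side. This is an added illustration, not Peloton’s code; the profile fields, the `PROFILES` table and the function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:
    user_id: int
    age: int
    weight_kg: int
    location: str   # preferred workout location
    private: bool   # the user's own privacy toggle

# Constructed sample data for the example; not real user records.
PROFILES = {
    1: Profile(1, 34, 70, "studio", private=True),
    2: Profile(2, 29, 82, "home", private=False),
}

def _public_view(p: Profile) -> dict:
    return {"user_id": p.user_id, "age": p.age,
            "weight_kg": p.weight_kg, "location": p.location}

def get_profile_v1(user_id: int) -> Optional[dict]:
    """Original flaw: no login and no privacy check, so any caller can
    walk user IDs and read every profile, private or not."""
    p = PROFILES.get(user_id)
    return _public_view(p) if p else None

def get_profile_v2(requester: Optional[int], user_id: int) -> Optional[dict]:
    """Insufficient fix: requires a login, but any logged-in user can still
    read any other user's profile. Authentication is not authorization."""
    if requester is None:
        raise PermissionError("login required")
    p = PROFILES.get(user_id)
    return _public_view(p) if p else None

def get_profile_v3(requester: Optional[int], user_id: int) -> Optional[dict]:
    """Corrected: login required, and a private profile is only returned to
    its owner. Unknown and private-to-others both return None so the
    response does not reveal which IDs exist."""
    if requester is None:
        raise PermissionError("login required")
    p = PROFILES.get(user_id)
    if p is None or (p.private and requester != user_id):
        return None
    return _public_view(p)
```

A regression test for the corrected version should assert that a logged-in user other than the owner gets nothing back for a private profile, not merely that anonymous calls are refused.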

In a statement, the company said “It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community.”

Data Storage Responsibilities

In terms of personal safety, there are basically three levels of legal responsibility. These duties also apply to data security.

Doctors, accountants, and other professionals usually have a fiduciary duty.

Patients fully entrust their doctors with their health and clients fully entrust their accountants with their money. With great power comes great responsibility. A fiduciary duty requires people to set aside all other concerns and focus exclusively on what’s best for the patient or client.

Companies have a fiduciary duty to protect financial information, such as credit card numbers or bank account information. They must go above and beyond. Notice that most online accounts have a billing tab and a user information tab.

The billing tab, which contains financial information, usually has stronger security than the user information tab.

Next, there’s a duty of utmost care. In many states, Uber drivers, taxi drivers, and other common carriers have a duty of utmost care. These companies must protect passenger safety on multiple levels.

For example, driving defensively is not enough. Commercial operators must take extra steps to avoid the possibility of an accident. Furthermore, the company must keep passengers safe during transit. Bus aisles must be free from debris, drivers must break up fights between unruly passengers, and so on.

If data contains Personally Identifiable Information, the company usually has a duty of utmost care. PII includes items like:

  • Residence address,
  • Date of birth,
  • Social Security number,
  • Driver’s license number,
  • Email address, and
  • Telephone number.

PII security measures need not be quite as robust as financial information security measures. But they must be close. In the wrong hands, this information could cause significant financial loss.

Finally, there’s a duty of reasonable care. Most noncommercial drivers have a duty of reasonable care. They must avoid accidents when possible and drive defensively. Most property owners, like hotel or apartment complex owners, also have a duty of reasonable care. This level of responsibility probably applies to the leaked Peloton data, which included information like user ID and weight.

Breach of Duty

Compensation is available in court if an entity which had a legal duty breached, or violated, that duty. Not every security lapse constitutes a breach of duty.

If a DoD hacker breaks into an information storage system, that alone doesn’t mean the system was insecure.

However, if a teenager steals financial data or PII, that probably means the security was inadequate.

More often than not, data breaches have nothing to do with the technical security measures. Instead, an employee connects to an unsecured public WiFi network or leaves a thumb drive in the open.

In these situations, the respondeat superior doctrine usually applies. Employers are legally responsible for damages if their employees are negligent during the course and scope of their employment. In other words, bosses cannot blame workers in these situations.

Damages Available

If the defendant was negligent, and that negligence caused injury, a New York personal injury attorney can usually obtain compensation for economic losses, such as stolen money, and noneconomic losses, such as pain and suffering.

Negligence could be ordinary negligence, which is the lack of care discussed above, or negligence per se, which is the violation of a safety law.

The Health Insurance Portability and Accountability Act, which applies to medical diagnosis and other patient information, is a good example.

Technically, victims must sustain actual financial, physical, or other injury to obtain compensation.

That element is sometimes hard to establish in a data breach claim. However, many companies are anxious to show that they care about customers and are trying to do the right thing.

Therefore, they are often willing to settle these claims rather than go through a public trial.

Companies which sell products or provide services have an almost universal duty to keep people safe. For a free consultation with an experienced New York personal injury lawyer, contact Napoli Shkolnik PLLC. We do not charge upfront legal fees in these matters.