Episode 71 - Doxing and Kentucky’s Pioneering Anti-Doxing Statute
Kentucky is perhaps the first state to adopt a comprehensive anti-doxing statute that creates a civil tort of doxing, as well as providing explicit criminal penalties for defined doxing conduct. It allows Kentucky residents to sue someone for intentionally disseminating their personal identifying information (PII) with an intent to intimidate, abuse, threaten, harass, or frighten a person or immediate family or household member.
In this podcast episode, Justin Fowles, an attorney in Frost Brown Todd LLC's Louisville, Kentucky office, shares key insights on what the new law contains and could mean for individuals' and businesses' online behavior.
What is doxxing – or is it doxing? This word entered the Merriam-Webster Dictionary in the 21st century. It defines “dox” as a verb – “to publicly identify or publish private information about (someone) especially as a form of punishment or revenge.”
Today it connotes cyberbullying or troll harassment by posting personal information about a targeted person or organization, urging others to take action intended to shame or expose the target. Doxxing has had tragic ends. Doxed individuals have had surprise visits by SWAT teams breaking down doors to targets’ homes based on the doxer’s false message that a kidnapping or domestic violence was occurring there. Death and more commonly emotional stress arise from doxing attacks.
A federal anti-stalking statute includes the language “interactive computer service or electronic communication service” within it. If a person uses such services with intent to kill, harass or otherwise target persons in specific ways that puts them in reasonable fear, causes substantial emotional distress, or otherwise causes them to suffer specified harm, a doxer can be criminally prosecuted. But federal prosecutions are rare, and no U.S. statute was designed specifically to combat doxing.
Enter the states. Kentucky's anti-doxing statute creates a civil tort of doxing, as well as providing explicit criminal penalties for defined doxing conduct. Effective June 29, 2021, the Kentucky statute was passed by a Republic legislature with Democratic support and signed by a Democratic governor. It allows Kentucky residents to sue someone for intentionally disseminating their personal identifying information (PII) with an intent to intimidate, abuse, threaten, harass, or frighten a person or immediate family or household member. The spread of PII must be such that a reasonable person would be in fear of physical injury to the targeted person or an immediate family or household member. Intent is measured by what would cause a reasonable person to be in fear of physical injury personally or to a family or household member, rather than requiring express proof of the doxer’s actual intent.
Organizations should consider how best to avoid being either a doxing victim or a doxing perpetrator. Organizations could face civil and criminal challenges under Kentucky’s statute as to their use of personal information if communicated within the scope of the statute’s reach. Businesses and other organizations should review the personal information they hold and how it is shared or communicated, to avoid being charged with a doxing tort or prosecution. Organizations can likewise review defenses to being doxxed. The anti-doxing statute could suggest responses and provide recourse to unfair personal attacks on company personnel.
If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.