Last Update: 06/03/2026 at 6:25 AM EST

Morning Briefing: Privacy

Friday, April 17, 2026

San Jose Surveillance Suit, Breach Liability Builds

What Happened

Yesterday’s clearest privacy development was a federal class-action lawsuit against San Jose over its automated license plate reader network. Three residents sued the city over roughly 474 Flock Safety cameras, arguing the system amounts to mass surveillance and violates Fourth Amendment protections. They are asking the court to require deletion of most plate data within 24 hours unless police obtain a warrant for longer retention.

That matters because San Jose had already tried to narrow the program after earlier backlash. The city reduced retention from one year to 30 days, limited camera placement near sensitive locations, and tightened some federal and immigration-agency access. The new suit pushes the fight past local guardrails and into a broader constitutional test of how long governments can keep and share routine location data gathered at scale.

The other concrete movement was in breach fallout. McGraw Hill confirmed unauthorized access tied to a misconfigured Salesforce environment. McGraw Hill said its core systems and educational platforms were not compromised, but outside reporting tied the leaked material to millions of records including names, email addresses, phone numbers, and physical addresses. Bank3 also began notifying consumers about a 2025 intrusion that may have exposed a much more sensitive mix of data, including Social Security numbers, tax IDs, account information, payment card data, and health insurance details.

A separate thread underscored the long tail of privacy liability: reports continued around the claims process for Comcast’s $117.5 million settlement tied to the 2023 Xfinity breach. The larger pattern held. Yesterday brought little in the way of fresh broad regulation, but real movement in lawsuits, disclosures, and the costly afterlife of data incidents.

Key Points

  • San Jose’s license-plate reader dispute is now a federal civil-rights case, not just a local oversight fight over police technology.
  • The plaintiffs’ proposed 24-hour deletion rule is far stricter than the city’s current 30-day limit and could become a reference point for other municipal surveillance challenges.
  • McGraw Hill’s incident again puts vendor-hosted environments and configuration mistakes at the center of privacy risk, even when a company says core systems were untouched.
  • Bank3’s notification shows how a single financial-sector breach can expose identity, payment, and insurance data at once, raising both fraud and regulatory risk.
  • Comcast’s settlement process is a reminder that breach costs do not end with containment; notice, claims administration, and compensation can run for years.

Implications

For public-sector surveillance, retention periods, access rules, and data-sharing arrangements are becoming the first line of legal defense. San Jose had already tightened its program, and that still was not enough to avoid a federal challenge. If the case moves forward, other cities using Flock-style systems may need to revisit how long they keep plate data, who can query it, and whether aggregation of ordinary travel records starts to look like a search.

For companies, the lesson was more familiar but no less important: privacy exposure is still arriving through operational weak points rather than dramatic policy shifts. Misconfigured cloud environments, delayed notification cycles, and settlement obligations create real compliance work even without a new law on the books. Vendor governance, data minimization, and breach-readiness remain the practical priorities.

Things to Watch

  • Whether the San Jose case survives early motions and how the court treats long-term retention and cross-jurisdiction sharing of plate-reader data.
  • Whether McGraw Hill’s Salesforce-related disclosure widens into a larger vendor-risk story affecting other customers or draws regulator attention.
  • Whether Bank3’s notifications trigger follow-on litigation or closer scrutiny of how financial institutions store and segment high-sensitivity customer data.