Responding to legal requests is part of operating a phone service, and apparently they failed to do that without seriously endangering a stalking victim.
I have no idea what exact laws and liabilities apply here, but my feeling is there's very likely going to be an undisclosed civil settlement between Verizon and the victim, and maybe some laughable fine (let's say ≤$10k) for violating privacy laws on the criminal side.
If the law is "you will hand over this data in response to a warrant", how did they fail?
The fact that the US warrant system has holes capable of driving a truck through isn't the fault of Verizon - there exists no sensible way of validating a warrant.
> If the law is "you will hand over this data in response to a warrant", how did they fail?
Just because a piece of paper claims to be a warrant, doesn't mean it is one. Warrants and subpoenas contain contact information for the person that issued them. It is on verizon to verify that the warrant the received was legitimate and if it wasn't, to report to the DA that someone is issuing fake warrants (which is a crime all by itself).
Subpoenas (like verizon was issued) are never immediately actionable. You have a right to appeal subpoenas. If the subpoena had a "You must respond right now" trigger it'd eliminate that right. Something I'm CERTAIN verizon knows because they file motions to quash all the time [1].
There is a way, that’s the whole point. They can contact the issuing authority, just like you do when you get any letter or email asking you for sensitive information.
I don't think it'd actually be a GDPR case in EU; it's more of a wiretapping case - note some of the victims communication was revealed. (GDPR violations might be a secondary charge, but wiretapping would be way more significant.)
That said it really depends on the exact legal framework (which I have no clue about) and eagerness of a prosecutor to make a case. Hence my "maybe".
FWIW I have a side job at a small community ISP in the EU and the GDPR was a no-op for us. The requirements for anyone operating in the telco space were already stricter. If I remember correctly the GDPR fines are higher though, whereas wiretapping (& co.) laws are much more likely to land you personally in jail.
(I was being intentionally vague with "privacy laws"; I do include wiretapping charges in that but, again, I don't know the US legal situation.)
I have no idea what exact laws and liabilities apply here, but my feeling is there's very likely going to be an undisclosed civil settlement between Verizon and the victim, and maybe some laughable fine (let's say ≤$10k) for violating privacy laws on the criminal side.