Our experienced team views data breach response as a joint effort in partnership with the client where the client’s philosophy, brand and customer base are considered integral in reconciling compliance with the numerous, and often competing, laws and regulations. [...]
I. AN INTERACTIVE COMPANY WEBSITE DOES NOT NECESSARILY MEAN LIABILITY
As social media continues to expand on the internet, more and more businesses are developing and setting up their own websites. These websites can include public Facebook pages, social media forum pages, and blogs. With such increasing popularity, businesses must understand the legal ramifications of owning and running a website and allowing third party individuals to post messages or content on the site.
A key question many business leaders ask is “whether their company is legally responsible when a third party posts defamatory statements or illegal content on its website.” Generally, the answer is no. The Communications Decency Act of 1996, 47 U.S.C. § 230, grants providers of interactive computer services legal immunity. Interactive computer services are defined as “any information service…that provides or enables computer access by multiple users to a computer server….” Thus, while the writers of the defamatory content may be liable for defamation, the distributors of the information, or website owners, are not liable. This immunity is critical for any business that decides to host a website, particularly now that more and more companies have set up public Facebook pages. Indeed, recent cases have shown that a variety of businesses, including online review forums, search engines, and chat sites, may be affected by this legislation.
II. ELIGIBILITY REQUIREMENTS FOR §230
The Communications Decency Act provides that a service provider, such as an online blog host, will not be liable for potentially unlawful or defamatory speech on its website if the following three elements are established:
- The person or entity must be a provider or user of an interactive computer service;
- The underlying claim must treat the service provider as a publisher or speaker of the information; and
- The communication at issue must have been provided by another information content provider.
III. BROAD IMMUNITY FOR INTERNET SERVICE PROVIDERS
In applying this statute, a majority of courts have determined that Congress intended to grant “broad immunity to entities…that facilitate the speech of others on the Internet.” In Johnson v. Arden, the Eighth Circuit held that an interactive website, where the public could post comments about businesses, was immune to liability for defamation under § 230. In that case, a cat breeding business alleged that the website operator conspired with its users to post multiple false statements about the business on the website. The court noted that the majority of federal circuit courts have interpreted § 230 broadly. Ultimately, the court held that the website was nothing more than a service provider and that it did not exercise control over the content of the posts. Therefore, it was immune from liability for the information produced by the third-party users of its site.
Immunity has also been extended to providers who had notice of the unlawful speech posted on their sites. In Zeran v. America Online, Ken Zeran sued AOL for defamatory statements posted on AOL’s bulletin board. Specifically, the posts listed Zeran’s home phone number and advertised that he was selling offensive t-shirts regarding the Oklahoma City bombing. Over a period of about five days, Zeran contacted AOL repeatedly to complain that the posts caused him to receive excessive phone calls and death threats. Despite AOL’s knowledge of the defamatory comments, the court held that AOL was not liable for the third parties’ posts, pursuant to section 230. The court stated that “Congress made a policy choice…not to deter harmful online speech through the separate route of imposing tort liability on companies that serve as intermediaries for other parties’ potentially injurious messages.” Furthermore, the court held that notice-based liability would subject providers to an “impossible burden” of monitoring the vast amount of speech communicated over the internet. Thus, whether the defendant had notice of the defamatory posts is irrelevant for purposes of the Communications Decency Act.
IV. STATE COURT APPLICATION OF THE CDA
IV. BUSINESSES SHOULD AVOID POSTING THEIR OWN COMMENTS
The best way for businesses to qualify for immunity under the Communications Decency Act is to remain uninvolved with the creation and content of the posts on their website. Indeed, a website will be held liable for its own unlawful statements, but not for content produced by third parties that it allows to appear online. Thus, ensuring that a website host’s conduct does not rise to the level of a “content provider” is very important. In fact, the Fourth Circuit has noted that “the scope of section 230 immunity turns on whether the service provider’s actions also make it an ‘information content provider.’”
This issue was recently discussed in Hare v. Richie, when Dirty World, the owner of a gossip website with the domain name “thedirty.com,” was sued for defamatory comments posted on the website about Hare. Dirty World filed a motion to dismiss, claiming protection under the Communications Decency Act. The central issue in the case was whether the website was an information content provider of the allegedly defamatory comments, and thus ineligible for immunity under §230. The posts were largely written by users of the defendant website. However, multiple comments were published, in reply to the posts, by the founder and editor of the website, Nik Richie. Ultimately, the court denied Dirty World’s motion, finding that Richie’s comments may satisfy the elements of defamation and thus could expose the website to liability. However, the court explicitly stated that Dirty World “will be free to raise the issue of §230(c)(1) immunity” in a motion for summary judgment for the posts made by its users. The court also noted that Dirty World could address, in the same motion, whether Richie’s comments actually constituted defamation, which the court seemed to believe they did not. Thus, a business should be careful about, or avoid, posting comments of its own in response to its users’ potentially unlawful posts.
Service providers still enjoy immunity even if they exercise some discretion about what comments are posted on their website. For example, in Dimeo v. Max, Max had a blog and message board on which multiple people allegedly posted defamatory comments about Dimeo. While maintaining this blog, Max did not post all of the comments submitted. Instead, he selected, removed and edited posts that appeared on the message board. When deciding whether Max was liable for these defamatory posts, the court referred to the three elements required to establish immunity under section 230. Under that analysis, the court found that two of the three elements for § 230 immunity were easily established: (1) the blog was a service provider because multiple users were able to access it and post comments; and (2) Dimeo’s claim of defamation treated Max as the speaker of the comments. Therefore, the sole element at issue was whether Max’s editorial actions demonstrated that he had developed the content of the posts. The court held that Max was not a content provider because the posts were completely authored by the users. Furthermore, the court reasoned that if editing comments meant that a service provider could be held liable, then providers who removed defamatory content would also be held liable. Therefore, to prove that an entity is a “content provider,” there must be evidence of more than editing and selecting comments to post.
VII. PRACTICE POINTS
Today, it is becoming more and more common for businesses of all varieties to maintain a presence on the internet through a company website. Often included on these sites is a comment section, or discussion area, for visitors and users to post their own ideas. Unfortunately, not every comment made by such visitors is lawful. However, companies should be comforted to know that, under the Communications Decency Act, they are protected from liability for their users’ unlawful comments.
Hackers gained access to credit card information from customers at 63 Barnes & Noble stores. Although the incident was first discovered in September, the FBI requested that Barnes & Noble delay publicly reporting the incident so as not to impede the investigation.
Somehow (the exact method has not been revealed), hackers were able to capture information from the PIN pads used by customers to swipe credit and debit cards. Barnes & Noble stated that only one PIN pad in each of the 63 affected stores was compromised. The number of affected customers has not been revealed.
By accessing the PIN pads, the criminals were able to capture credit card numbers and PINs. As a temporary measure, Barnes & Noble removed all PIN pads from its stores. Although Barnes & Noble has not yet notified individuals who may be impacted, it has been working with banks and credit card companies with respect to fraudulent transactions that have occurred in the wake of the breach.
This incident demonstrates the security issues inherent in credit card swiping hardware that is made available to the public at the point of sale. While self-service in such transactions has become the norm, including at gas stations and many retail outlets, it also gives criminals an avenue into the point of sale system. However, it is unknown whether the intruders in this instance used employees (unsuspecting or not) to gain access to the system or somehow hacked into the network themselves. As the arms race between hackers and security experts continues, attacks on POS systems will likely become more prevalent.
TD Bank recently began notifying approximately 260,000 customers in numerous states from Maine to Florida that their personal information had been lost. A TD Bank spokesman confirmed to the Associated Press that unencrypted back-up data tapes were misplaced in transport earlier this year. The tapes contained personal information that included account information and social security numbers. TD Bank claims it is not aware of any misuse of customer information but has not ruled out that possibility. Notification letters are being sent to customers, and free credit monitoring and identity theft protection are being offered.
This breach once again demonstrates that business entities and their insurers must encrypt all personally identifiable information, since its loss or theft will lead to significant data breach response expenses along with likely increased regulatory investigations.
The Social Security numbers of 31 Army Medal of Honor recipients were accidentally posted online by a Pentagon employee. The Los Angeles Times reported last week that the personal information was removed from the internet after the breach was discovered by a well-known military historian. The Social Security numbers appear to have been publicly available for an extended period of time. The information included Social Security numbers along with the recipients’ names, ranks, units and narratives of their battlefield heroics.
This data breach serves as another reminder to business entities and their insurers that many data breaches occur not as a result of malicious hacking or malware but, instead, through accidental or negligent actions by businesses’ own employees. Insureds and insurers must remain vigilant and constantly review their online data to ensure that personally identifiable information is not improperly disclosed.
HHS’ Office of Civil Rights announced this week that a Massachusetts health care provider will pay a $1.5 million settlement to resolve a HIPAA privacy violation. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html. The monetary settlement is part of a resolution agreement and the result of the alleged 2010 theft of a laptop computer that held 3,621 patient records. The monetary settlement will be paid in three equal yearly $500,000 installments. The provider will also adhere to a corrective privacy action plan and must permit semi-annual independent monitoring of its compliance plan for three years.
This significant monetary settlement once again demonstrates the importance of data security compliance plans for all health care providers and their insurers. The OCR is sending a strong message that failure to comply with HIPAA Privacy and Security Rules will result in significant fines no matter the size of the breach. Businesses and their insurers must understand the potential monetary risk for failure to implement a strong data security plan.
Cancer Care Group (CCG), an Indiana oncology practice, has announced a data breach that affected approximately 55,000 individuals, including patients and employees. CCG has approximately 21 locations within Indiana. CCG reported that a laptop computer bag was stolen from an employee’s locked vehicle on July 19th. The data allegedly stored on the laptop computer included patients’ names, addresses, social security numbers, dates of birth, medical record numbers and insurance information. The laptop also contained similar information for CCG’s employees.
The breach once again demonstrates that, despite several years of private and public education about securing personal information, breaches are still occurring because of lax security for laptop computers. Individuals, businesses and insurers must continue to be vigilant in reviewing and updating all data security procedures, particularly for mobile devices like laptops, as well as their breach response plans.
There is a little secret that your ISP probably does not want you to know. And you certainly will not see it listed anywhere as part of your ISP’s advertised services.
Since July 1st many ISPs, including Time Warner, Comcast, Verizon and AT&T, have started efforts to actively scrutinize their customers’ Internet activity. What are they looking for? Evidence related to downloading or sharing of copyrighted material, including music, movies and software.
In other words, rather than passively allowing traffic to course through their networks (a hands-off policy known as “Net Neutrality”), major ISPs have been cajoled by various interests, including the Recording Industry Association of America (RIAA), into acting as copyright police. Although this partnership has been in the works since 2011, it officially kicked off on July 1, 2012.
Under the deal, ISPs that find suspicious copyright infringing activity will begin a “graduated response”, which starts with notices to the customer and then increasing levels of pressure meant to deter the activity. Should it continue, the customer may find bandwidth throttled down or, in the most severe instances, Internet service could be suspended.
But you have nothing to fear — do you? After all, only kids are pirating music, right? Well, the same equipment that enables an ISP to identify pirated music and movies also enables the reading of emails, personal data and any other information sent over the Internet. It is akin to the Post Office opening your mail and reading it before sending it on to its destination.
ISPs accomplish this using Deep Packet Inspection (DPI). With DPI equipment, not only can ISPs examine the precise content of your traffic, but personal data like your age, location, and shopping records can even be logged and sold to marketing companies.
Not long ago I wrote about how Comcast ran into hot water with the FCC [.pdf] over the use of DPI. Those days now appear to be over. It seems that privacy and net neutrality are increasingly at odds with pressure from various forces in the entertainment industry, not to mention government interests.
In fact, Wired Magazine recently reported on the astounding Orwellian scope of the NSA’s massive new data facility. “Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital pocket litter.” The article notes that the NSA “has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas.”
So whether it’s your ISP, the government or hackers, one thing is certain: expect the increased use of tools to monitor your Internet activity. When it comes to the Internet, it is probably safe to assume that Big Brother is watching.
The Connecticut Attorney General just announced that personal health information and protected health information for over 9,000 Hartford Hospital patients was lost in June. http://www.ct.gov/ag/cwp/view.asp?Q=508726&A=2341. A laptop carried by an EMC subsidiary employee was reportedly stolen. The State AG announced that the unencrypted information on the laptop contained names, addresses, dates of birth, social security numbers, Medicaid and Medicare numbers and medical records numbers as well as other medical treatment information. The vendor was performing a quality improvement on hospital readmissions.
This breach has red flags all over it for things a medical provider or covered entity should NOT do with its PHI. First, the information was unencrypted. Second, the information contained not just protected health information but full social security numbers as well. Third, the unencrypted information was provided to a third party vendor. Fourth, the vendor was allowed to download the PHI onto a portable personal laptop and presumably take it off hospital grounds.
As a result of the breach, the hospital has to answer a number of public questions from the State AG, who is already demanding a copy of the hospital’s policies and procedures for data protection pursuant to HIPAA requirements, as well as its business associates’ policies, procedures and agreements. Hopefully, the hospital has all of its privacy policies and BA agreements in order, or significant fines or settlement fees may be paid in the future. The State AG is also demanding that the hospital provide the affected individuals with two years of credit monitoring services and identity theft insurance, and pay for a security freeze to be placed on and then lifted from the patients’ credit reports.
This breach provides a perfect example for medical providers and their representatives to see how poor data security procedures can lead to embarrassing and expensive public questions from a State Attorney General.
Despite repeated promises, the new HIPAA and HITECH rules are still not out. While the Department of Health provided the Rules to the White House Office of Management and Budget on March 24, 2012, OMB has asked for additional time to review the omnibus rules.
Normally, OMB review is completed in 90 days. With this new delay, final rules seem unlikely until fall.
Earlier this month Connecticut amended its data breach notification statutes. As of October 1, 2012, the state Attorney General must be provided notification when a data breach notification is being provided to a Connecticut resident.
The statute is not as onerous as the recently passed Vermont notification statute that requires state Attorney General notification within 14 days of a data breach. However, Connecticut is joining a growing number of states that require official state notification of a data breach.
Businesses and their representatives must keep up to date on the ever-changing data breach statutes. A proper response to a data breach will require notification to an ever-expanding list of states.