Data Breach Legal Watch - Practical Perspectives on Privacy & Data Security Issues Facing Businesses

I.               AN INTERACTIVE COMPANY WEBSITE DOES NOT NECESSARILY MEAN LIABILITY

             As social media continues to expand on the internet, more and more businesses are developing and setting up their own websites.  These websites can include public Facebook pages, social media forum pages, and blogs.  With such increasing popularity, businesses must understand the legal ramifications of owning and running a website and allowing third party individuals to post messages or content on the site. 

A key question many business leaders ask is “whether their company is legally responsible when a third party posts defamatory statements or illegal content on its website.”  Generally, the answer is no.  The Communications Decency Act of 1996, 47 U.S.C § 230, grants providers of interactive computer services with legal immunity.  Interactive computer services are defined as “any information service…that provides or enables computer access by multiple users to a computer server….”  Thus, while the writers of the defamatory content may be liable for defamation, the distributors of the information, or website owners, are not liable.  This immunity is critical for any business that decides to host a website, particularly when more and more companies have set up pubic Facebook pages.  Indeed, recent cases have shown that a variety of businesses, including online review forums, search engines, and chat sites, may be affected by this legislation.

 II.        ELIGIBILITY REQUIREMENTS FOR §230

             The Communications Decency Act provides that a service provider, such as an online blog host, will not be liable for potentially unlawful, or defamatory, speech on its website, if the following three elements are established:

• The person or entity must be a provider or user of an interactive computer service;
•  The underlying claim must treat the service provider as a publisher or speaker of the information; and
•  The communication at issue must have been provided by another information content provider.

 III.       BROAD IMMUNITY FOR INTERNET SERVICE PROVIDERS

In applying this statute, a majority of courts have determined that Congress intended to grant “broad immunity to entities…that facilitate the speech of others on the Internet.”  In Johnson v. Arden, the Eighth Circuit held that an interactive website, where the public could post comments about businesses, was immune to liability for defamation under § 230.  In that case, a cat breeding business alleged that the website operator conspired with its users to post multiple false statements about the business on the website.  The court noted that the majority of federal circuit courts have interpreted § 230 broadly.  Ultimately, the court held that the website was nothing more than a service provider and that it did not exercise control over the content of the posts.  Therefore, it was immune from liability for the information produced by the third-party users of its site.

            Immunity has also been extended to providers who had notice of the unlawful speech posted on their sites. In Zeran v. America Online, Ken Zeran sued AOL for defamatory statements posted on AOL’s website bulletin board.  Specifically, the posts listed Zeran’s home phone number and advertised that he was selling offensive t-shirts regarding the Oklahoma City bombing. Over a period of about five days, Zeran contacted AOL repeatedly, to complain that the posts caused him to receive excessive phone calls and death threats.  Despite AOL’s knowledge of the defamatory comments, the court held that AOL was not liable for the third-party’s posts, pursuant to section 230.  The court stated that “Congress made a policy choice…not to deter harmful online speech through the separate route of imposing tort liability on companies that serve as intermediaries for other parties’ potentially injurious messages.”  Furthermore, the court held that the effects of notice-based liability would subject providers to an “impossible burden” of monitoring the vast amount of speech communicated over the internet.  Thus, whether the defendant had notice of the defamatory posts is irrelevant for purposes of the Communications Decency Act.

IV.       STATE COURT APPLICATION OF THE CDA          

             State courts have also applied the Communications Decency Act broadly.  For instance, the most popular social media site, Facebook, was sued for defamation after four of its users posted negative sexual comments about someone on the website.  Facebook sought dismissal of the claim, asserting immunity under § 230, as an interactive computer service.  While, Facebook’s qualification as an interactive computer service was undisputed, a question still existed about whether it was eligible for § 230 immunity because its “Terms of Use grant[ed] [Facebook] an ownership interest in the alleged defamatory content.”  Although the Terms of Use did contain such a provision, the court determined that Facebook’s ownership interest in the content on its website was irrelevant to a § 230 analysis. Ultimately, because Facebook was a service provider and “there was no claim [that it] had any hand in creating the content,” it was not liable under § 230.

 IV.       BUSINESSES SHOULD AVOID POSTING THEIR OWN COMMENTS

 The best way for businesses to qualify for immunity under the Communications Decency Act is to remain uninvolved with the creation and content of the posts on their website.  Indeed, a website will be held liable for its own unlawful statements, but not for content produced by third parties that it allows to appear online. Thus, ensuring that a website host’s conduct does not rise to the level of a “content provider” is very important.  In fact, the Fourth Circuit has noted that “the scope of section 230 immunity turns on whether the service provider’s actions also make it an ‘information content provider.’”

This issue was recently discussed, in Hare v. Richie, when Dirty World, the owner of a gossip website with the domain name “thedirty.com,” was sued for defamatory comments posted on the website about Hare.  Dirty World filed a motion to dismiss, claiming protection under the Communications Decency Act.  Whether the website was an information content provider of the allegedly defamatory comments, and thus unable to be provided immunity under §230, was the central issue in the case.  The posts were largely written by users of the defendant-website.  However, multiple comments were published, in reply to the posts, by the founder and editor of the website, Nik Richie.  Ultimately, the court denied Dirty World’s motion, finding that Richie’s comments may satisfy the elements of defamation and thus, could expose the website to liability.  However, the court explicitly stated that Dirty World “will be free to raise the issue of §230(c)(1) immunity” in a motion for summary judgment, for the posts made by its users.  Further, the court also noted that Dirty World could address, in the same motion, whether the thedirty.com founder’s comments actually did constitute defamation, which the court seemed to believe they did not.  Thus, a business should be careful, or avoid, posting comments of its own in response to its users potentially unlawful posts.

            Service providers still enjoy immunity even if they exercise some discretion about what comments are posted on their website.  For example, in Dimeo v. Max, Max had a blog and message board on which multiple people allegedly posted defamatory comments about Dimeo.  While maintaining this blog, Max did not post all of the comments submitted.  Instead, he selected, removed and edited posts that appeared on the message board.  When deciding whether Max was liable for these defamatory posts, the court referred to the three elements to establish immunity under section 230.  Under that analysis, the court found that two of the three elements for § 230 immunity were easily established: 1. The blog was a service provider because multiple users were able to access it and post comments; and 2. Dimeo’s claim of defamation treated Max as the speaker of the comments.  Therefore, the sole element at issue was whether Max’s editorial actions demonstrated that he had developed the content of the posts. The Court held that Max was not a content provider because the posts were completely authored by the users.  Furthermore, the court reasoned that if editing comments meant that a service provider could be held liable, then providers who removed defamatory content would also be held liable.  Therefore, to prove that an entity is a “content provider,” evidence of more than editing and selecting comments to post must exist.

VII.     PRACTICE POINTS

             Today, it is becoming more and more common for businesses, of all varieties, to maintain a presence on the internet through a company website.  Often included on these sites is a comment section, or discussion area, for visitors and users to post their own ideas.  Unfortunately, not every comment made by such visitors is lawful.  However, companies should be comforted to know that they are protected from liability for their users’ unlawful comments, under the Communications Decency Act.

 TD Bank recently began notifying approximately 260,000 customers in numerous states from Maine to Florida that their personal information had been lost.  A TD Bank spokesman confirmed to the Associated Press that unencrypted back-up data tapes were misplaced in transport earlier this year.  The tapes contained personal information that included account information and social security numbers.  TD Bank claims it is not aware of any misuse of customer information but has still not ruled out that possibility.  Notification letters are being sent to customers and free credit monitoring and identity theft protection is being offered.  

 This breach once again demonstrates that business entities and their insurers must encrypt all personal identification since its loss or theft will lead to significant data breach response expenses along with likely increased regulatory investigations.

            HHS’ Office of Civil Rights announced this week that a Mass. health care provider will pay a $1.5 million settlement to resolve a HIPAA privacy violation.   http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html.  The monetary settlement is part of a resolution agreement and the result of the alleged 2010 theft of a laptop computer that held 3,621 patient records.  The monetary settlement will be paid in three equal yearly $500,000 installments.  The provider will also adhere to a corrective privacy action plan and must permit semi-annual independent monitoring of its compliance plan for three years. 

             This significant monetary settlement once again demonstrates the importance of data security compliance plans for all health care providers and their insurers.   The OCR is sending a strong message that failure to comply with HIPAA Privacy and Security Rules will result in significant fines no matter the size of the breach.   Businesses and their insurers must understand the potential monetary risk for failure to implement a strong data security plan.  

There is a little secret that your ISP probably does not want you to know.  And you certainly will not see it listed anywhere as part of your ISP’s advertised services.

Since July 1st  many ISPs, including Time Warner, Comcast, Verizon and AT&T, have started efforts to actively scrutinize their customers’ Internet activity.  What are they looking for?  Evidence related to downloading or sharing of copyrighted material, including music, movies and software.

In other words, rather than passively allowing traffic to course through their networks (a hands-off policy known as “Net Neutrality”), major ISPs have been cajoled  by various interests, including the Recording Industry Association of America (RIAA), into acting as copyright police.  Although this partnership has been in the works since 2011, it officially kicked off on July 1, 2012.

Under the deal, ISPs that find suspicious copyright infringing activity will begin a “graduated response”, which starts with notices to the customer and then increasing levels of pressure meant to deter the activity.  Should it continue, the customer may find bandwidth throttled down or, in the most severe instances, Internet service could be suspended.

But you have nothing to fear — do you?  After all, only kids are pirating music, right?  Well the same equipment that enables an ISP to identify pirated music and movies also enables the reading of emails, personal data and any other information sent over the Internet.  It is akin to the Post Office opening your mail and reading it before sending it on to its destination.

ISPs accomplish this using Deep Packet Inspection (DPI).  With DPI equipment, not only can ISPs examine the precise content of your traffic, but personal data like your age, location, and shopping records can even be logged and sold to marketing companies.

Not long ago I wrote about how Comcast ran into hot water with the FCC [.pdf] over the use of DPI.  Those days now appear to be over.  It seems that privacy and net neutrality are increasingly at odds with pressure from various forces in the entertainment industry, not to mention government interests.

In fact, Wired Magazine recently reported on the astounding Orwellian scope of the NSA’s massive new data facility.  “Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital pocket litter.”  The article notes that the NSA “has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas.”

So whether it’s your ISP, the government or hackers, one thing is certain, expect the increased use of tools to monitor your Internet activity.  When it comes to the Internet, it is probably safe to assume that Big Brother is watching.

Despite repeated promises, the new HIPAA and HITECH rules are still not out.  While the Department of Health provided the Rules to the White House Office of Managment and Budget on March 24, 2012, OMB has asked for additional time to review the omnibus rules.

Normally, OMB review is completed in 90 days.  With this new delay, final rules seem unlikely until fall.