Data Breaches: Who Has Legal Liability?

Untold millions of people provide personal and private information on the Internet every day to pay their bills, to purchase a product, to post a picture and so on, even though data breaches have become practically a daily occurrence. The problem has focused attention on the lack of security by the companies that use the data, but consumers also need to take some responsibility.

The hacking of Target at the end of 2013 is the best-known of recent data breaches, but hackers know no bounds. Virtually every individual who uses the Internet—no matter who he is or what she does professionally—is at risk for a data breach.

For instance: In May 2014, three desktop computers were stolen from the California office of Bay Area Pain Medical Associates. About 2,780 patients were notified that their personal information was in a spreadsheet that could have been accessed by the thieves.

In March 2014, about 1,700 people in the employee wellness program for Virginia-based Dominion Resources had their personal records accessed by a hacker who gained entry to the systems of a subcontractor, Onsite Health Diagnostics. The personal information of their spouses and domestic partners was also hacked, if they had scheduled a health-screening appointment online.

In Encinitas, a California Public Employees’ Retirement System (CalPERS) payment document containing 615 current and former employees’ personal information—including Social Security numbers—was inadvertently made public on the city’s website from May 18, 2014, to July 3, 2014, and was accessed by 16 unauthorized individuals before the data breach was discovered.

In July 2014, Orangeburg-Calhoun Technical College in South Carolina had to notify 20,000 current and former students and faculty that their personal information—including Social Security numbers—was on a laptop that was stolen on July 7, 2014, from a staffer’s office.

In Texas, from Dec. 28, 2013, until June 20, 2014, the Houstonian Hotel Club & Spa’s payment processing systems were compromised when they were infected with malware. More than 10,000 customers had their payment card data exposed.

In April 2014, Park Hill School District in Missouri learned that before leaving the district an employee downloaded 10,210 current and former staffers’ and students’ personnel and student files that contained their personal information. The former employee made the files accessible to untold numbers on the Internet.

The Department of Managed Health Care (DMHC) discovered on May 16, 2014, that Blue Shield of California inadvertently made public the names, business addresses, business telephone numbers, medical groups, practice areas and Social Security numbers of about 18,000 doctors.

The list could go on and on, but you get the message. Data breaches can occur on any computer system, anywhere and any time.

So, who is ultimately responsible for data breaches? The company holding the data, because of its system’s vulnerability? Or the user/consumer, because we are responsible, through our passwords and PINs, for the security of all data we post? (If you read the privacy policies of the sites you use, the user is responsible.)

The answer is not an easy one.

If your information was hacked through an entity’s online systems, your answer most likely would be the entity, and you might participate in a class action. At least two dozen federal class actions have been filed against Target, alleging it did not adequately protect customer privacy. A class action has been filed against P.F. Chang’s China Bistro for a security breach that involved, according to the complaint, 7 million customers’ credit and debit card payment data stolen from its restaurants’ systems between March and May 2014. (It has been reported that the breach came to light only when a batch of card data was alleged to be up for sale at Rescator, an underground store best-known for selling customer data stolen in the Target breach.)

But is it that simple, that the sole responsibility lies with the entity that was hacked?

What about us, the consumers? Do we need to be part of the answer by accepting that we willingly create those passwords and PIN numbers and that we provide our personal and private information so we can shop on eBay (which just notified 145 million of us that a cyber attack may have compromised customers’ login information and other personal and private information) or pay bills online?

Should it be our responsibility to understand that online systems, or the strips on the back of our credit and debit cards, that store the data we provide are moving targets (no pun intended) for theft?

Saying “yes” would be the first step in the right direction. Everyone, users and organizations alike, is vulnerable, so the responsibility to protect our information lies with us all.

The second step is for each of us to do whatever we can to manage our vulnerability. Such as:

  • Making sure our anti-virus software is current, to prevent scammers from installing viruses on our computers that allow hackers to steal our personal and financial information. When the popular online ticket marketplace StubHub suffered a data breach, the hackers did not break directly into StubHub’s system; instead, they stole account information directly from the customer by downloading viruses onto each customer’s personal computer, or by collecting the information from data breaches of other websites.
  • Monitoring our bank and credit card accounts every day. If you see charges or withdrawals you did not authorize, contact the bank or credit card company immediately. (The liability is still yours until you report that your information has been compromised.)
  • Making sure your homeowner’s or renter’s insurance policy covers losses because of fraud, because, even if a class action is settled, there may be strings attached to how you can collect your share. For example: Vendini, another company that offers ticketing services to theaters and event venues, settled a class action in 2014 about compromised data. The settlement requires Vendini to pay as much as $3,000 a customer for identity theft losses. But here is the catch—you have to prove that the information used to make you a victim of identity theft actually came from Vendini’s systems.

Here is the bottom line:

The landscape on cybersecurity is shifting rapidly as data breaches are spiking. Congress, regulators and state attorneys general are taking a hard look at how companies, universities and governmental agencies are protecting consumer information from unauthorized access. Hearings have been held and new laws pushed. As a result, organizations are facing critical questions about what their responsibilities are to ensure consumers’ private and personal information is secure and in compliance with old as well as new laws.

But it is also imperative that you, the consumer, understand that you cannot depend on organizations to protect the information you provide to them. Rather, you need to take matters into your own hands and pose critical questions to yourself about how you use your own information online. You need to decide what information you are willing to turn over to be able to pay bills, make purchases or register for social media online.

It is, after all, your information and your life. Think about it.

The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete and is not intended to create or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.

The Fallout From Ill-Advised Tweets

During the presidential debate on Oct. 3, 2012, a KitchenAid employee used the corporate account to send a tasteless (some would say disparaging and grossly offensive) tweet regarding the president’s grandmother. KitchenAid quickly apologized to the president and his family and explained what happened. In other words, KitchenAid followed the “rules” of reactive reputation management.  

KitchenAid was praised for responding quickly. But the outrage about the tweet was overwhelming, if only for a short period, and underscores that companies need to consider their potential liability from ill-advised tweets.

A bit of background: Libel (written) and slander (spoken), collectively known as “defamation,” which is the general term used internationally, are civil wrongs (sometimes carrying criminal penalties) that harm a reputation, decrease respect, regard or confidence or induce disparaging, hostile or disagreeable opinions or feelings against an individual or entity. If the allegedly defamatory assertion is an expression of opinion rather than a statement of fact, defamation claims usually cannot be brought because opinions are inherently not falsifiable. However, some jurisdictions decline to recognize any legal distinction between fact and opinion. 

Contrary to a general belief that insulting tweets (or comments online through Facebook, online message boards, etc.) are exempt from libel laws because they are fleeting, libel laws apply to the Internet the same way they do to newspapers, magazines, books, films, etc. The same technology that gives you the power to share your opinion with thousands of people also qualifies you to be a defendant in a lawsuit.

In considering your legal exposure if an employee may have committed libel, you must consider the country you live in, as well as your exposure to libel laws around the world.

U.S.

The medium for communication is irrelevant; even an email to a single person can be libelous if the sender knew a statement to be false, acted with reckless disregard for the facts or was otherwise irresponsible. To be libelous, the statement must also cause some damage.

United Kingdom 

The basis of British libel law is not substantially different from that in the U.S.: to protect the reputation of an individual from unjustified attack. In British law, a person is defamed if statements in a publication expose a person to hatred or ridicule, cause a person to be shunned, lower a person in the estimation of “right-thinking” members of society or disparage a person in his work. In the U.K., though, the burden of proof is with the defendant, while in the U.S. the plaintiff must provide the proof. Unlike in the U.S., there is also no provision in the U.K. that makes it harder for public figures to win a judgment–in the U.K., a public figure does not have to prove a statement was made with malice.

Almost all of the rest of the world

There is ever-expanding concern about the use of social media, especially Twitter, to post harassing, offensive and false statements that are defaming or invade another’s privacy. As one judge said: “Twitter as we all know is widely used by individuals and organizations to disseminate and receive information. It is inconceivable that grossly offensive, indecent, obscene or menacing messages sent in this way would not be potentially unlawful.” ([2012] EWHC 2157 (Admin) at {23}.) In India, amendments to the Information Technology Act, 2000 (IT ACT) specify that defamation via a computer or communication can lead to a prison term of three years and a fine. (The United Nations Commission on Human Rights ruled in 2012 that the criminalization of libel violates the right to freedom of expression and is inconsistent with Article 19 of the International Covenant on Civil and Political Rights. The impact of this ruling, if any, is not part of the discussion in this article.)

Now, let’s consider liability if you or an employee is the “retweeter”:

U.S.

If you retweet a libelous statement in the U.S., you or the company you work for may be protected from defamation liability based on Section 230 of the Communications Decency Act, which states, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Simply put, this means you cannot be sued for something you retweet, even if the original tweet is libelous, so long as the libelous content was created by a third party. However, if you did have control (it was KitchenAid’s corporate Twitter account) or you add something defamatory, you could be held responsible.

United Kingdom

Keir Starmer QC was addressing the London School of Economics about social media in 2012 when he was asked: “Is it an offense to retweet something grossly offensive?” He replied: “You retweet, you commit an offense under the Act.”

The “Act” is the Communications Act, which outlaws sending a tweet that is “grossly offensive or of an indecent, obscene or menacing character.” A person can be prosecuted if he “causes any such message or matter to be so sent.”

For example: In 2012, the British Broadcasting Corporation settled a libel suit for about $300,000 with a UK politician. (The BBC reported that he was involved in a child sex abuse scandal but should have known the statement was false.) The UK politician then sought libel damages from at least 20 “high profile” people who tweeted and retweeted the report. 

Because tweets cross borders so easily, Twitter users in the U.S. and elsewhere should take the UK law into account.

India

Some legal scholars in India say that even accidentally retweeting an offensive tweet can create liability.

Freedom of Speech?

While freedom of speech in the U.S. is a constitutional right, legal exceptions make that right limited. For example: Speech that involves incitement, false statements of fact, obscenity, child pornography, threats and speech owned by others are all completely exempt from First Amendment protections. The U.S. Supreme Court has ruled that the First Amendment does not require recognition of a privilege for those stating opinions. Therefore, the position that nothing should stand in the way of unabashed free speech on the Internet is like the ostrich with its head in the sand. Defamation and speech intended to inflict severe emotional distress are not protected. States can and do regulate this type of speech.

So here is the takeaway:

If you or an employee tweets or retweets something defamatory, you may face a libel claim. It doesn't matter how quickly you delete the entry or whether you follow up with a correction or an apology. It also doesn't matter where in the world you are.

Disclaimer: The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter hereof. Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or part of this article.