The Illinois class action suit has alleged that the plaintiff and class members have suffered damages for the following reasons: the debit and credit card information was compromised, they incurred numerous hours cancelling their compromised cards, activating replacement cards and reestablishing automatic withdraw payment authorizations from their old cards to their new cards.  Plaintiff’s attorney is alleging that beside state negligence claims, Schnucks also violated the Federal Fair Credit Reporting Act. 

           While Schnucks has already set up a consumer call center and spent significant time and resources on the forensic analysis of this data breach, the financial costs have only just begun.  This breach is just one more example of the significant costs that will be incurred by an entity that has sustained a data breach and more than ever demonstrates the critical need for cyber policies that cover data breach related costs for all businesses.

           Schnucks has stated that while the card numbers and expiration dates have been accessed, no names, addresses or other personal identifying information was stolen.  Schnucks has set up a hot line number for its customers to call with questions or concerns regarding this breach. 

           This data breach follows on the February announced breach of the Arizona based grocery store chain Bashas.  Bashas operates approximately 130 grocery stores and also sustained a breach as a result of a malware attack.  News reporting indicates that over 400 customers have reported fraudulent charges on their credit or debit cards that had been previously used at Bashas. 

           These two recent breaches highlight the ongoing malware attacks on retail chain stores.  Cyber criminals continue to look to the retail industry as fertile ground for the theft of information from point of sales.  Retail companies and their insurers must be vigilant on a daily basis for these types of malware attacks that can result in millions of dollars of damages and costs once a breach has been detected.

           This announcement comes in the wake of the massive data breach hacking incident at the South Carolina Department of Revenue.  Last fall, South Carolina announced that millions of consumers and businesses had information accessed by cyber hackers. 

           South Carolina has spent more than $20,000,000 for breach related costs.  Approximately $12,000,000 was paid to Experian for credit monitoring services for one year.  The registration deadline for the year of credit monitoring just ended.  Reports have indicated that the enrollment rate far exceeded the industry norm of 5 to 15%.  Approximately 1.5 million of the 3.8 million affected tax payers have contacted the state to request credit monitoring.  These reports have also indicated that Experian is offering a second year of credit monitoring coverage to South Carolina for $10 million dollars.  State law makers plan to debate whether additional credit monitoring services will be provided and how the services will be paid for.  Other news reports have indicated that some state representatives have floated the idea of credit monitoring for 10 years.  Obviously, such a extensive credit monitoring term would be extremely expensive. 

           These breaches and the subsequent credit monitoring expansions demonstrate how governmental agencies may be forced for a variety of reasons to offer more than the standard one year of credit monitoring for a data breach.  If more and more governmental agencies respond to data breaches with multi-year credit monitoring, such a standard may force private entities to increase the credit monitoring services that they also provide after a breach.  Businesses and their insurers should continue to monitor the breach responses of governmental agencies and, in particular, the costs that are incurred by these agencies.

As an executive order, it directs government agencies to establish policies and procedures to thwart cyber intrusions.  Probably the most significant provision is that The Department of Homeland Security (DHS) and the Director of National Intelligence must now share information about cybersecurity threats with the private sector.  This could include classified as well as unclassified data, depending on the threat and the nature of the infrastructure potentially affected.

To the relief of privacy groups and technology companies, this information sharing is a one-way street.   Meaning that companies like Google and Microsoft will not have to share their data with the government which, privacy groups warned, could potentially invoke personal information of their users.  In fact, the order directs DHS to assess privacy risks as a result of any programs undertaken as a result of the order.  

Further, the executive order requires the establishment of a “Cybersecurity Framework” meant to reduce the cyber risks to critical infrastructure.  The framework must include standards, procedures and processes to reduce cyber risks, incorporating industry best practices.  The final version of the Cybersecurity Framework is due to be issued within 1 year of the date of the order  — by February 12, 2014.

It remains to be seen what new policies and procedures will be implemented as a result of President Obama’s order and what the final “framework” will look like.  However, this action is certainly an acknowledgment of the increasing threat of cyberattacks, not only to individuals and their personal information, but also to national security.

           FTC regulators want the mobile industry to obtain consumers’ permission to tract their location and access other personal information on their mobile phones.  Mobile app makers should also consider using icons to depict what types of data they collect from mobile users, rather than just fine print.  These recommendations will affect not only large technology companies such as Google and Microsoft but also smaller application makers.  While many companies have already adopted some of the suggestions voluntarily, regulators have already sanctioned app makers in the past for privacy violations. 

           For instance, the commission also announced an $800,000 settlement with Path Inc., the maker of a popular social-networking app, for collecting personal data on child users without their parents’ consent.  Path also settled charges it mislead users of all ages by scraping information from smartphone address books without permission.

           Mobile technology companies and their insurers should be fully aware that the FTC is placing more and more of an emphasis on personal privacy as millions of Americans now carry devices constantly connected to the internet.  Once the FTC begins to regulate and sanction the mobile industry, civil actions by private individuals are likely not far behind. 

When originally issued as an “interim final rule” in 2009, the Breach Notification Rule included a risk of harm assessment for determining whether protected health information had been compromised in a breach incident.  Specifically, the interim rule stated:

“compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.”

Thus, covered entities under HIPAA had been able to conduct a risk of harm analysis focusing on the individuals potentially affected by a breach, when assessing whether a breach had occurred.  This subjective standard certainly could be helpful to an organization if it was inclined to lean towards a determination that a particular incident involving PHI did not trigger notification obligations.  Now, however, this potential “never mind” no longer exists.

Rather, under the final rule, HHS has clarified that the impermissible use or disclosure of PHI is PRESUMED to be a breach unless the covered entity demonstrates that there is a low probability that the PHI has been compromised.  The new regulations include 4 factors for an entity to use in conducting such a risk assessment:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.

In other words, the focus of any risk assessment after a potential breach has moved from the point of view of whether individuals were harmed, to instead considering factors related to the PHI itself.   While it remains to be seen how these new risk assessment rules will play out, it certainly appears that HHS has intentionally lowered the bar for reportable incidents.

Whether focusing on PHI (data), instead of individuals, is a good thing is certainly debateable and the new rule is likely to lead to many more PHI incidents where breach notification obligations are triggered.  If the goal is to ensure the privacy and security of PHI, perhaps the threshold lowering is meant to make covered entities and business associates pay more attention.

Of course, cynics may point out that the new rules simply increase the power of a government agency, but fail to adequately take into account the actual impact on individuals.  In other words, no harm no foul, may no longer apply when it comes to the Breach Notification Rule.

Note that the effective date of the final rule is technically March 26, 2013.  However, Covered Entities and Business Associates have until September 23, 2013 to comply with the requirements of the final rule.

Health care providers and their insurance carriers should remember that while a breach affecting more than 500 individuals must be reported within 60 days, breaches of less than 500 individuals must still be reported on an annual basis.   OCR is clearly sending a message at the start of the year that all health care providers must have proper data security procedures or run the risk of future penalties and fines.

This settlement demonstrates that data breaches, no matter the size, can result in significant costs and negative publicity for entities that are not properly prepared for a breach.

      This data breach once again demonstrates how the storage of customers’ information is a critical issue for all business entities.  Even though the breach was allegedly detected the day it happened and immediately contained, Nationwide will still incur significant costs for legal services, credit monitoring and identity theft protection for over one million individuals.

             As social media continues to expand on the internet, more and more businesses are developing and setting up their own websites.  These websites can include public Facebook pages, social media forum pages, and blogs.  With such increasing popularity, businesses must understand the legal ramifications of owning and running a website and allowing third party individuals to post messages or content on the site. 

A key question many business leaders ask is “whether their company is legally responsible when a third party posts defamatory statements or illegal content on its website.”  Generally, the answer is no.  The Communications Decency Act of 1996, 47 U.S.C § 230, grants providers of interactive computer services with legal immunity.  Interactive computer services are defined as “any information service…that provides or enables computer access by multiple users to a computer server….”  Thus, while the writers of the defamatory content may be liable for defamation, the distributors of the information, or website owners, are not liable.  This immunity is critical for any business that decides to host a website, particularly when more and more companies have set up pubic Facebook pages.  Indeed, recent cases have shown that a variety of businesses, including online review forums, search engines, and chat sites, may be affected by this legislation.

 II.        ELIGIBILITY REQUIREMENTS FOR §230

             The Communications Decency Act provides that a service provider, such as an online blog host, will not be liable for potentially unlawful, or defamatory, speech on its website, if the following three elements are established:

• The person or entity must be a provider or user of an interactive computer service;
•  The underlying claim must treat the service provider as a publisher or speaker of the information; and
•  The communication at issue must have been provided by another information content provider.

 III.       BROAD IMMUNITY FOR INTERNET SERVICE PROVIDERS

In applying this statute, a majority of courts have determined that Congress intended to grant “broad immunity to entities…that facilitate the speech of others on the Internet.”  In Johnson v. Arden, the Eighth Circuit held that an interactive website, where the public could post comments about businesses, was immune to liability for defamation under § 230.  In that case, a cat breeding business alleged that the website operator conspired with its users to post multiple false statements about the business on the website.  The court noted that the majority of federal circuit courts have interpreted § 230 broadly.  Ultimately, the court held that the website was nothing more than a service provider and that it did not exercise control over the content of the posts.  Therefore, it was immune from liability for the information produced by the third-party users of its site.

            Immunity has also been extended to providers who had notice of the unlawful speech posted on their sites. In Zeran v. America Online, Ken Zeran sued AOL for defamatory statements posted on AOL’s website bulletin board.  Specifically, the posts listed Zeran’s home phone number and advertised that he was selling offensive t-shirts regarding the Oklahoma City bombing. Over a period of about five days, Zeran contacted AOL repeatedly, to complain that the posts caused him to receive excessive phone calls and death threats.  Despite AOL’s knowledge of the defamatory comments, the court held that AOL was not liable for the third-party’s posts, pursuant to section 230.  The court stated that “Congress made a policy choice…not to deter harmful online speech through the separate route of imposing tort liability on companies that serve as intermediaries for other parties’ potentially injurious messages.”  Furthermore, the court held that the effects of notice-based liability would subject providers to an “impossible burden” of monitoring the vast amount of speech communicated over the internet.  Thus, whether the defendant had notice of the defamatory posts is irrelevant for purposes of the Communications Decency Act.

IV.       STATE COURT APPLICATION OF THE CDA          

             State courts have also applied the Communications Decency Act broadly.  For instance, the most popular social media site, Facebook, was sued for defamation after four of its users posted negative sexual comments about someone on the website.  Facebook sought dismissal of the claim, asserting immunity under § 230, as an interactive computer service.  While, Facebook’s qualification as an interactive computer service was undisputed, a question still existed about whether it was eligible for § 230 immunity because its “Terms of Use grant[ed] [Facebook] an ownership interest in the alleged defamatory content.”  Although the Terms of Use did contain such a provision, the court determined that Facebook’s ownership interest in the content on its website was irrelevant to a § 230 analysis. Ultimately, because Facebook was a service provider and “there was no claim [that it] had any hand in creating the content,” it was not liable under § 230.

 IV.       BUSINESSES SHOULD AVOID POSTING THEIR OWN COMMENTS

 The best way for businesses to qualify for immunity under the Communications Decency Act is to remain uninvolved with the creation and content of the posts on their website.  Indeed, a website will be held liable for its own unlawful statements, but not for content produced by third parties that it allows to appear online. Thus, ensuring that a website host’s conduct does not rise to the level of a “content provider” is very important.  In fact, the Fourth Circuit has noted that “the scope of section 230 immunity turns on whether the service provider’s actions also make it an ‘information content provider.’”

This issue was recently discussed, in Hare v. Richie, when Dirty World, the owner of a gossip website with the domain name “thedirty.com,” was sued for defamatory comments posted on the website about Hare.  Dirty World filed a motion to dismiss, claiming protection under the Communications Decency Act.  Whether the website was an information content provider of the allegedly defamatory comments, and thus unable to be provided immunity under §230, was the central issue in the case.  The posts were largely written by users of the defendant-website.  However, multiple comments were published, in reply to the posts, by the founder and editor of the website, Nik Richie.  Ultimately, the court denied Dirty World’s motion, finding that Richie’s comments may satisfy the elements of defamation and thus, could expose the website to liability.  However, the court explicitly stated that Dirty World “will be free to raise the issue of §230(c)(1) immunity” in a motion for summary judgment, for the posts made by its users.  Further, the court also noted that Dirty World could address, in the same motion, whether the thedirty.com founder’s comments actually did constitute defamation, which the court seemed to believe they did not.  Thus, a business should be careful, or avoid, posting comments of its own in response to its users potentially unlawful posts.

            Service providers still enjoy immunity even if they exercise some discretion about what comments are posted on their website.  For example, in Dimeo v. Max, Max had a blog and message board on which multiple people allegedly posted defamatory comments about Dimeo.  While maintaining this blog, Max did not post all of the comments submitted.  Instead, he selected, removed and edited posts that appeared on the message board.  When deciding whether Max was liable for these defamatory posts, the court referred to the three elements to establish immunity under section 230.  Under that analysis, the court found that two of the three elements for § 230 immunity were easily established: 1. The blog was a service provider because multiple users were able to access it and post comments; and 2. Dimeo’s claim of defamation treated Max as the speaker of the comments.  Therefore, the sole element at issue was whether Max’s editorial actions demonstrated that he had developed the content of the posts. The Court held that Max was not a content provider because the posts were completely authored by the users.  Furthermore, the court reasoned that if editing comments meant that a service provider could be held liable, then providers who removed defamatory content would also be held liable.  Therefore, to prove that an entity is a “content provider,” evidence of more than editing and selecting comments to post must exist.

VII.     PRACTICE POINTS

             Today, it is becoming more and more common for businesses, of all varieties, to maintain a presence on the internet through a company website.  Often included on these sites is a comment section, or discussion area, for visitors and users to post their own ideas.  Unfortunately, not every comment made by such visitors is lawful.  However, companies should be comforted to know that they are protected from liability for their users’ unlawful comments, under the Communications Decency Act.

Somehow, and the exact methodology has not been revealed, hackers were able to capture information from PIN pads used by customers to swipe credit and debit cards.    Barnes & Noble stated that only one PIN pad in each of the 63 affected stores was compromised.  The number of affected customers has not been revealed.

By accessing the PIN pads, the criminals were able to capture credit card numbers and PIN numbers.  As a temporary measure, Barnes & Noble removed all PIN pads from its stores.  Although Barnes & Noble has not yet notified individuals that may be impacted, it has been working with banks and credit card companies with respect to fraudulent transactions that have occurred in the wake of the breach.

This incident demonstrates the security issues inherent  with credit card swiping hardware that is made available to the public at the point of sale .  While self-service in such transactions has become the norm, including at gas stations and many retail outlets, it also provides a vulnerability for criminals into the point of sale system.   However, it is unknown if the intruders in this instance used employees (unsuspecting or not) to gain access to the system or somehow hacked into the network themselves.  As the arms race between hackers and security experts continues, attacks on POS systems will likely become more prevelant.