Maryland Business Law Blog

Early Detection and Response Plans Are Essential Elements of Cybersecurity Policies

Posted by Jeanine Gagliardi on Tue, 09/09/2014 - 04:00

If you read the news, you are probably accustomed to hearing about customer data being stolen by hackers. In 2008, hackers accessed Wyndham Worldwide Corporation’s computer system through a single computer that an employee in a franchised hotel had connected to the Internet. Just before Christmas 2013, hackers obtained the payment card data of tens of millions of Target shoppers. At the start of the New Year, craft store Michaels discovered that its customer data had been stolen.

Although businesses are required to take reasonable steps to protect the data in their control, most experts concur that breaches are unavoidable. Thus, the key elements of every cybersecurity policy should be protocols to detect and respond to breaches once they occur. If they had implemented or followed such protocols, Wyndham, Target, and Michaels could have avoided at least some of the harm resulting from their breaches.

Several months passed before Wyndham even recognized that it had been hacked. Then, it mistakenly believed that it had fixed the weaknesses which allowed the hack. This allowed the hackers to return and steal additional data on multiple occasions. The vulnerabilities in Michaels’ system remained and allowed hackers to steal its data for more than eight months.

Target had a plan to detect precisely the type of attack it suffered. Before the hack, Target installed a detection tool and had a team of security specialists in India constantly monitoring its computers. These monitors discovered the attack and, in accordance with Target’s plan, notified headquarters in Minneapolis before any data was stolen. Target inexplicably did nothing, allowing forty million credit card numbers and seventy million addresses, phone numbers, and other pieces of personal information to be stolen.

Wyndham, Target, and Michaels, like most others who have been victimized by a data breach, have suffered serious consequences, including:

• The expense of notifying affected individuals (which is required by forty-seven states’ laws);

• The cost of providing credit monitoring to affected customers;

• The time and resources required to respond to state investigations;

• Having to reimburse financial institutions for issuing new credit and debit cards and for fraudulent charges;

• Lawsuits filed by customers, shareholders, the Federal Trade Commission, insurance companies, and financial institutions; and

• Damage to their reputation.

These expenses could have been allayed, and some avoided altogether, had the companies implemented and followed protocols that (1) called for tighter monitoring to detect breaches earlier and (2) established response plans. All businesses that collect or maintain customers’ private data should take these steps to protect themselves from the harm resulting from a breach.

The Fight to Expose Defamatory Online Reviews

Posted by Jeanine Gagliardi on Fri, 08/29/2014 - 04:00

It is easy for customers to post negative or even false reviews on the internet. Businesses that are criticized often wonder whether they can take legal action for defamatory online reviews. Unfortunately, it is not so easy. One of the biggest difficulties is learning the identity of anonymous online posters.

We recently wrote about different legal standards courts use when assessing the right of internet posters to remain anonymous. The standards are being defined currently, and the case we previously reported on is still being contested in Virginia’s highest court.

The case arose when a business sued anonymous reviewers and subpoenaed Yelp for information about them. Although Yelp objected, the trial court ordered it to produce information about the posters. Despite the order, Yelp continued to withhold the information and was held in contempt by the trial court.

Yelp appealed the order of contempt to Virginia’s intermediate appellate court, contending that the trial court’s decision violated the users’ First Amendment rights to free speech. The court rejected Yelp’s argument, finding that the business’s good faith belief in the unlawfulness of the online postings was sufficient to outweigh the users’ First Amendment rights.

This is the decision under review in Virginia’s Supreme Court. Because the Virginia Court’s opinion will not control courts in other jurisdictions, even after it renders the decision, the law concerning piercing an Internet poster’s anonymity will remain murky. Two things that businesses can be certain of, though, are that:

(1) under all of the standards used by courts so far, the question of whether a business will be able to discover the identity of an anonymous online reviewer is complex; and

(2) before rushing to file suit, you should undertake an analysis of the likelihood that you will succeed in overcoming users’ First Amendment rights in the circumstances of your case.

ADA: Is Lack of an Ability the Same as a Disability?

Posted by Edward Sharkey on Fri, 06/27/2014 - 04:00

We’ve often posted about employers’ struggles with issues related to the Americans with Disabilities Act (“ADA”). One challenge businesses sometimes face is figuring out whether a particular employee should be deemed disabled.

This is important because the ADA covers only those employees who, among other things, have a disability. In a recent opinion, the Texas Supreme Court explained an interesting consideration – the difference between an employee with a disability covered by the ADA and one who merely lacks an ability required for a specific job.

The Texas case concerned a fireman. On two occasions, the fireman was too anxious to enter a burning building to which he had been dispatched as part of a firefighting crew. The fireman's employer reassigned him from the firefighting crew to a training facility.

The fireman sued his employer, claiming that the reassignment was disability discrimination under the ADA. The jury returned a verdict in favor of the firefighter, and the trial court entered a judgment on that verdict. The Texas Supreme Court reversed the judgment on the ground that the fireman failed to prove that he had a disability.

Under the ADA, an employee has a disability if he has a mental or physical impairment that substantially limits a major life activity. In determining whether an employee is substantially limited, the key is whether the employee is unable to perform the tasks central to most people's daily lives. An inability to perform the tasks associated with a specific job or the lack of a special skill that most people do not have is not a disability.

The Texas court applied this standard and concluded that the fireman's inability to overcome the fear of entering a burning building is not a disability under the ADA. Most people would not have the ability to overcome the natural fear of entering a burning building. The court gave an additional example: lacking the special skill required to play sports at a professional level is not a disability.

The relevance of cases like this to other employers and other jobs is always uncertain. Still, the case serves as an important reminder for any employer assessing an employee’s ADA claim: to be covered by the Act, the employee must have an impairment that substantially limits at least one major life activity. Lacking a special skill that is required to perform a particular job is not necessarily the same thing.
