As the recent Target and Neiman Marcus data breaches have made clear, cyber security is one of the top threats to business today.  These threats can be devastating to companies - damaging customer confidence, the company brand, and the bottom line by increasing costs through remediation, lost revenues and customers, litigation, and fines.  Governments and customers are now holding businesses accountable for inadequate protection of customer data.  

It has been reported that 24% of data breaches occur in retail environments and restaurants.  And the average total cost to a US company of a data breach is approximately $5.4 million.  There are 46 different state statutory schemes and a host of federal regulations that apply to the collection and storage of data and the prevention and reporting of a breach.  These rules often contradict one another.  An interstate or internet retailer, however, must comply with the laws of the states in which a customer makes a purchase.
 
While consultants, IT experts, insurance and security firms can be integral parts of a Data Protection plan, they are only players on the team.  In fact, many experts are engaging in breach event information sharing to assist each other in identifying and defending against cyberthreats.  Cyber security concerns are now part of doing business, and general counsel and C-Suite executives must be ready to guide their companies through these complex issues.  

Prevention
Prevention is the first step to minimizing cyber security liability.  The following steps can help minimize the cost and likelihood of security breaches:   
• Security measures before a breach.  Studies have found that having an incident response plan, establishing a strong security infrastructure, and appointing a Chief Information Security Officer can lower the costs of a data breach by approximately 50%.  
• Cyber-security audits.  Businesses should conduct regular cyber-security audits and limit the access of sensitive data by third parties and employees.  
• Cyber-security insurance.  Businesses should review insurance policies to determine whether and to what extent they are covered for cyber-security threats.  
• Encryption.  If a data breach occurs, encryption can help minimize liability.  

Notification
If a data breach occurs, businesses must immediately determine whether they have notification obligations under federal or state law.  Congress has yet to enact comprehensive federal law governing notification in the private sector, so businesses must conduct a state- and industry-specific analysis.  The following are examples of notification obligations: 
• Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act.  HIPAA requires covered entities to protect against reasonably anticipated threats or hazards to security.  The HITECH Act requires covered entities and business associates to notify the individuals whose protected health information was accessed no later than 60 days after the breach was discovered.  If the breach affects more than 500 individuals, the law also requires notification within 60 days after the breach was discovered to the US Department of Health and Human Services and the media.  
• Gramm-Leach-Bliley Act.  This act requires financial institutions to publicize their privacy policies and establish internal safeguards and procedures to protect customer information.  Related guidelines require covered financial institutions to notify customers whose personal information has been subject to unauthorized access or use if misuse of the customer’s information has occurred or is reasonably possible, unless law enforcement determines that notification will interfere with a criminal investigation.  
• Securities & Exchange Commission.  The SEC has issued guidance stating that publicly traded companies should report certain instances of cyber incidents.   
• State law.  Currently, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information.  

Potential Litigation
Businesses should be ready for litigation if a data breach occurs.  Potential claims by private parties and the government include: 
• State-law claims.  Businesses could face suits under individual states’ consumer protection laws, tort and contract law, fiduciary requirements, and other cyber security rules.   
• FTC Safeguards Rule.  The FTC has brought numerous enforcement actions to address whether businesses’ security systems are reasonable and appropriate to protect consumer information.  
• SEC Enforcement Actions.  The SEC’s Division of Corporation Finance has taken the position that public companies should disclose their risk of cyber incidents.  Failure to disclose cyber security breaches or risks could lead to actions on security anti-fraud provisions like Rule 10b-5 or books and records violations under Rule 13b2-2.  

Conclusion
A business’s cyber-security obligations are too complex to address in this blog.  Regardless, it is critical for businesses to be prepared.  In-house counsel are invited to join Polsinelli attorney Leon Silver and Kevin Morgan of Grant Thornton at DRI’s 2014 Retail & Hospitality Litigation and Claims Management Seminar, May 15, 2014 in Chicago at the Westin Chicago River North Hotel for a presentation titled “Cybersecurity and Data Governance:  The 21st Century Legal Issue.”


New Technology = New Concerns For Hotels

Posted on December 5, 2012 04:20 by Philip M. Gulisano

Recently Forbes.com published an article exposing a security flaw in common keycard hotel room locks that permitted hackers with a digital device to effortlessly trigger the opening of the locking mechanisms. This, of course, would allow the hacker to have access to the personal belongings inside the room or, worse yet, unwanted access to the guests themselves.  The “security vulnerability” was said to be present in keycard locks built by a particular lock company and specifically in a model of lock that appears in at least four million hotel rooms worldwide. There are believed to be a number of “patches” to fix the issue, which vary in cost.

While the lock manufacturer in such an instance may certainly be responsible if its locks do not perform as intended, generally, a property owner or lessor, such as a hotel, has a duty to keep its guests safe from known or reasonably anticipated dangers. This raises the question of what is a hotel’s duty or obligation to its guests when it knows, or should know, that the locks present on the hotel room doors, which guests would reasonably anticipate are capable of keeping people out, are highly vulnerable to hackers.
 
To start, any hotel that has direct knowledge that its room door locking mechanisms, whichever they are, do not perform as intended and as relied upon by its guests, would be wise to immediately remedy the problem to ensure the safety and comfort of the guests.  One could easily imagine the horrific publicity and liability if it was discovered that guests were losing property, being assaulted or otherwise attacked in the confines of their presumptively safe hotel room while the hotel knew that the locks were easily bypassed. 
 
Oftentimes, with new technology comes uncertainty with how it will perform and whether there will be “bugs” in the system.  However, almost by definition technology has faults that its possessors must investigate, anticipate and seek to minimize.  It would be wise for any hotel to understand what issues and/or risks exist with the technology it uses and develop a plan to minimize those risks and ensure its guests have a safe stay and come back again.


ON YOUR MARK…., GET SET…., SHOP!

Posted on November 15, 2012 02:17 by Philip M. Gulisano

With the start of the holiday shopping rush just a week away, retailers should be mindful of their responsibility to keep customers safe when large crowds gather to take advantage of well-advertised and highly-anticipated sales. Customers, drawn by the promise of “doorbuster savings” and warned of limited quantities, do not always act in the most courteous manner when rushing to enter the store and running toward the products they desire.  Sadly, it has become all too common for injury, whether accidental or intentional, to occur as customers dash into and through stores during these special sales, and when a customer is injured during the clamor, a retailer can be held liable.

Although the law varies from state to state, in many states, a retailer’s duty to use reasonable care to protect customers from reasonably anticipated injuries includes foreseeing that large crowds might gather due to the advertised sales and that individuals might be injured due to the overcrowding, the congestion at the door, or the unruliness of the other customers.  Consequently, a retailer may be held liable to a customer who is injured due to pushing, crowding, trampling, or jostling by other customers when the retailer conducts a promotional activity or sale that will foreseeably cause crowds to gather and push.

At least one jury has determined that reasonable care when undertaking a special promotion that might cause people to run, push, and shove includes the retailer giving warnings of the dangers involved, taking steps to control or police the crowd, using loudspeakers to warn the crowd not to run over people, and warning the elderly or children to stay out of the crowd.  Given the tragedies that have occurred in the past several years during “Black Friday Sales,” it is advisable for retailers to, at the very least, implement the above measures.  However, the above measures may not be sufficient given the particular circumstances of a retailer.  That is why each retailer should conduct a careful risk assessment that is tailored to its location and history.  This assessment will allow the retailer to develop and implement a plan that keeps its customers safe and happy during this holiday season. Now go shopping!


Rent to Own Computers and the FTC

Posted on October 12, 2012 02:19 by Chad Godwin

Wired Magazine recently reported that seven rent-to-own companies and a software manufacturer are settling charges with the Federal Trade Commission.  The charges claimed that computers rented from the rent-to-own companies used pre-installed spyware to obtain a host of data from the users.  The settlement only requires the companies to stop using the spyware, known as “Detective Mode,” which has been installed on as many as 420,000 rental computers.  In addition to secretly turning on a computer’s webcam, the software was capable of logging keystrokes and taking screen shots of a user’s activity.  The software then transmitted the secretly gathered information to the manufacturer, DesignerWare, which forwarded the material on to the rent-to-own company, all without the user’s knowledge.  The settlement still allows the rent-to-own companies to employ the software so long as they notify the renters.  Further, the FTC lacks criminal jurisdiction, so the companies have yet to face any criminal charges.  However, the FTC acknowledged that criminal activity appears to have occurred, in a nod to the potential for ongoing investigations. 

The computers at issue collected everything from addresses, photos and video of often compromising situations, to phone numbers, email and social media passwords and financial logins, raising the question of what type and how much information a user should feel comfortable entering on a computer they don’t own.  In the case of someone renting a computer, it can be easy to see how a user operates under the impression that they have unfettered access to the machine for the term of the rental.  Nonetheless, there are measures that such parties can take in an effort to secure their privacy.  There are free firewall programs, such as Zone Alarm and Windows Firewall, that allow users to designate and monitor every program that accesses and/or attempts to access outbound internet connections.  Had the renters correctly configured and employed such a program, they would have known that a program, by whatever name, was attempting to send information from the subject computer.  In the event that renters were unable to install such a program, or to configure one that is pre-installed (as Windows Firewall is), it should serve as a red flag to carefully consider the manner in which to employ a rental or loaner computer. 


RETAILERS WHO “SPY” BEWARE

Posted on September 27, 2012 02:22 by Philip M. Gulisano

Retailers providing consumers with electronics on a rent-to-own basis face many challenges in ensuring that they are paid for the electronics that they rent.  In particular, computers are small and easy to hide if a retailer seeks to repossess the computer from a non-paying customer.  The temptation to use software that allows the retailer to view where the computer is located and what the renter is doing with the computer is strong; however, the consequences of doing so can be high.  Obtaining information from the computer without the renter’s knowledge or consent not only erodes the renter’s trust and confidence in the retailer, but also opens the retailer up to possible civil and criminal liability.

The recent settlement of charges brought against several rent-to-own companies by the Federal Trade Commission highlights that using software that can log onto a computer, turn on the webcam to take photographs, take screen shots of the computer user’s activities on the computer, and log the keystrokes of the computer user, comes with a price.   According to one news report, civil penalties are not a part of the settlement because civil penalties cannot be imposed for a first violation of the Federal Trade Commission Act.  However, the companies are required to cease using their “spy tools” and, presumably in the future, advise renters of the use of tracking software.  

Further, aside from possible federal action and the costs associated with defending such actions, retailers need to consider possible civil and criminal liability under state laws.  While laws vary from state to state, several states recognize a tort for invasion of privacy, such as intrusion upon seclusion.  Capturing images of a person in a private setting, particularly while engaged in private acts, without the person’s knowledge or consent, may subject a retailer to a civil action.   Even in states that do not recognize a tort for invasion of privacy, under certain circumstances, a person who secretly videotapes an individual engaged in private actions may be liable for the tort of intentional infliction of emotional distress.  Remember that if you use a webcam to take pictures of the area surrounding the computer, you may be capturing images of individuals other than the renters.  Criminal liability is also arguably possible if the state has a statute prohibiting unlawful surveillance and, in some states, there is the possibility, in certain situations, of criminal liability for installing and using key stroke logging software to collect personal information.

If you decide that despite the risks, it is necessary to install and use tracking software, be sure to advise renters of the presence of the software, its uses, and your policy on its use.  The best practice would be to obtain an acknowledgement from the renter, in writing, that the renter was so advised.


In the wake of the recent tragedy in Aurora, Colorado, retailers, restaurants and other establishments open to the public must be ever vigilant to the actions of “third-parties” to ensure, first and foremost, the safety of their patrons, as well as protect themselves from potential liability stemming from such actions.

In most states, New York included, businesses have a duty to maintain their premises in a reasonably safe condition, which includes taking minimal precautions to protect members of the public from the reasonably foreseeable criminal acts of third-persons.  In many cases a plaintiff will allege that the proprietor should have anticipated the criminal actions of a third-party due to some advance notice, such as specific comments or threats made, a highly publicized event, the expectation of an excessive number of people attending an event, and so on.  While many such lawsuits are typically broadly worded so as to “state a cause of action” and pass any initial dismissal challenges, few make it to a jury due to the difficult burden of establishing that a third-party’s criminal actions were or should have been anticipated.

With the horrible set of circumstances that are coming to light in Colorado, which seem too frequent lately, one must ask the question: will courts eventually require proprietors to expect the unexpected?  For now, it is wise for proprietors to take any information they perceive or receive seriously, both to prevent such tragedies and to avoid the legal system.


An unnamed company has taken the first step in challenging the Consumer Product Safety Commission's (CPSC) online complaint database.  No information is currently listed in Pacer, the federal court filing system, but the Washington Post reported that a complaint was filed Monday in Maryland District Court.  The company that filed the suit is listed as "Company Doe" to protect its name – the exact reason that it filed the complaint in the first place. 

On August 14, 2008, the Consumer Product Safety Improvement Act became law and mandated that the CPSC create an online portal for customers to post complaints about products that can either injure children or pose fire, electrical, chemical, or mechanical hazards.  The Act sought to provide consumers with timely information about potentially unsafe products, so consumers would not have to wait for a recall to get the information.  However, the database has been criticized because of accuracy issues and the burden it places on manufacturers. 

Anyone can file a report in the database, found at www.SaferProducts.gov, but a report is not eligible for publication unless it contains: (1) a description of the product; (2) the name of the manufacturer; (3) a description of the injury or risk of injury caused by the product; (4) the date that the incident occurred or risk of injury was discovered; (5) the type of reporter (consumer, agency, child service provider, etc.); (6) the reporter's name and address (this is not published); (7) the reporter's acknowledgement that the report is true and accurate; and (8) whether or not the reporter wants the information published. 

Once a report is filed online, the CPSC has five days to review it before sending it to the manufacturer.  However, the CPSC's "review" only entails ensuring that the minimum publication requirements have been met; the CPSC does not conduct any type of fact-finding investigation.  Instead, the burden is placed on the manufacturer to prove that the report is untrue, and it has just ten days to prove it.   If a report ends up being published, manufacturers can have their comments published with the report, but the CPSC does not always process comments in time to publish them the same day the report is published, and posting a comment is little consolation if a report is untrue. 

Since its inception, the database has been criticized for not requiring more information to reduce inaccuracies, such as a product serial number.  And the fact that manufacturers have to conduct all of the fact-finding and essentially prove themselves innocent seems a bit backwards considering anyone with access to a computer can file a report. 

Given these circumstances, it was only a matter of time before a company stepped up and challenged the system.  Consistent with the argument that the database needlessly harms the reputation of manufacturers, the company has filed the lawsuit anonymously.  Whether or not the court will allow the company to remain "Company Doe" presents another question altogether.  But either way, this case could have major consequences for the CPSC database, and is definitely one to watch. 

William F. Auther is a partner with an active trial practice in product liability and business litigation and Kelly M. McInroy is a law clerk in the Phoenix office of Bowman and Brooke LLP.  


You’ll leave with more than a hangover…

Posted on October 28, 2011 05:03 by Jobby Mathew

For all of you attending the Annual Meeting this week – you might want to take a fire extinguisher to the cocktail mixer. Lawyerist.com has an interesting story regarding a lawsuit against the manufacturers of Bacardi 151. It seems that Bacardi’s popularity as a novelty in certain cocktails is contributing to its potential liability. Should the manufacturer be held liable for the tricks of a bartender? Have you had a close call or witnessed a trick like this at a bar? Let us know. In the interim, wear a fire retardant jacket if you are standing too close to the bar.


Sometimes in the hospitality industry, you can’t win for trying.  Hilton Hotels is learning this lesson the hard way.  Last week, a former guest commenced a class action suit in federal district court in California against the Hilton hotel group based on the fact that he was charged $.75 for a newspaper he received, but did not request.  The suit alleges that the newspaper charge was fraudulent because it was disclosed only in small print on the key-card sleeve, which he admittedly received upon check-in, and because the paper charge was not itemized on his bill at check out.  The plaintiff, Rodney Harmon, asserts claims of Unfair Business Practices, Violation of the Consumer Legal Remedies Act, and Unjust Enrichment. 

Of course the only winners in the suit, which seeks an injunction, monetary damages and legal fees, are the plaintiff’s attorneys who will seek huge class action counsel fees for a case that involves only nominal damages and questionable liability for the putative class.

It seems quite plausible that Hilton, in an attempt to accommodate guests who did not want a paper, came up with the system of providing a $.75 credit for those guests who affirmatively asked not to receive one.  The deed has not gone unpunished, as now Hilton must defend claims that it was intentionally deceiving customers by not itemizing the paper charge on the bill.  It is these unique issues faced by the hospitality industry that will be covered in depth at the upcoming Hospitality Seminar, Sept 22-23 in Scottsdale. Download the brochure describing the full breadth of topics covered and sign up today!
