Know the Law: Who is Liable for Chip-Based Credit Card Fraud

By Cameron G. Shilling (originally published 11/23/2015)

As published in the Union Leader (9/14/2015)

Q.  More and more of my customers are paying with credit cards that have chips in them.  Do I need a chip-based credit card reader?

A.  Credit card companies – not retailers or consumers – have historically absorbed the liability for fraudulent credit card transactions.  That will change on October 1, 2015.  If your business does not use EMV equipped card readers to process credit cards that utilize the new chip technology, then your business – not the credit card company – will be liable for fraudulent transactions.

The credit card industry in the United States has been transitioning for the last several years to cards that utilize embedded chips, in addition to the older magnet strip technology.  The reason is that the vast majority of credit card fraud occurs from the “skimming” of numbers from “swiping” a card’s magnet strip through a card reader.  Target, Home Depot, and TJX are just a few examples of such recent breaches affecting hundreds of millions of consumers.

Retailers outside of the United States started many years ago transitioning to chip technology, which is called “EMV.” Outside of this country, about 70% of all credit card readers employ EMV technology, compared to the relatively negligible adoption of EMV domestically.  As a result, the approximately $10 billion of annual domestic credit card fraud accounts for nearly half of global fraudulent credit card transactions, even though only about one quarter of all credit card transactions worldwide occur in the United States.

On October 1, 2015, there will be a change to the rules that major credit card companies apply to retailers and other credit card processors.  If fraudulent transactions occur using cards with chips, and the retailers/processors did not use EMV equipped card readers, then the retailers/processors – not the credit card companies – are liable for the fraudulent transactions.  By contrast, if a retailer/processor uses an EMV reader to process a chip equipped card, the credit card company is liable.  Also, credit card companies remain liable for fraudulent transactions using credit cards equipped only with a magnet strip and not the chip technology.

Because about 40% of credit cards in the United States presently have embedded chips, domestic retailers and credit card processors face significant potential liability for fraudulent transactions.  As a result, if your business processes credit card transactions, you should promptly convert to EMV enabled credit card readers.

Employee Communications with Attorney on Company Owned Accounts Are Not Privileged

By Cameron G. Shilling (originally published 10/18/2013)

Emails, texts and other communications that an employee has with an attorney using a company account may not be privileged, according to the most recent decision on the issue from a court in Delaware. That state has now joined a growing list of others (Arizona, California, Florida, Idaho, Illinois, New Jersey, New York, Oklahoma, Pennsylvania, Texas, Washington, and West Virginia) where courts have found that an employee waived privilege by communicating with an attorney on a company email account.  However, some courts distinguish between an employee’s communications on a company account, and communications on a personal account using a company electronic device. Thus, a company should ensure that its technology use policy covers both company accounts and devices, and that the company can permissibly review communications between an employee and attorney before doing so.

The Delaware court adopted a well-recognized four-part test to determine if an employee waived privilege by using a company account or device to communicate with an attorney:

  • Did the company have a policy informing employees that personal communications on company accounts or devices are not private?
  • Did the company monitor and review, or inform employees that it may monitor and review, such personal communications?
  • Did the company have a right and ability to access company accounts and devices?
  • Did the company notify employees, or was the employee otherwise aware, of the company’s policy?

In addition to the states listed above, courts in other states (including Connecticut, the District of Columbia, Maryland, Minnesota, and Kansas) have applied this four-part test, but found on the facts of the particular case that the company did not satisfy each element of the test, and thus that the employee did not waive privilege.

While courts are relatively settled on applying that test to company accounts, there is a split of authority concerning a company’s right to review an employee’s communications with an attorney using a personal account accessed on a company device.  For example, an employee may communicate with an attorney on a webmail account (such as Gmail or Yahoo!) using a company computer, laptop, tablet (e.g., iPad), or smartphone (e.g., iPhone, Droid or Blackberry).  The company may be able to recover such communications from the device if the webmail account was configured to create a backup file on the device, or if the webmail data can be forensically extracted from the “residual” space of the hard drive.

Courts in three states (New Jersey, Massachusetts, and Washington) found that such webmail communications remain privileged.  Two other courts (New York and Washington) disagreed.  They found that, while the differences between a company email account and a personal webmail account accessed on a company device may affect the outcome under the four-part test, the test still should be applied to determine whether the employee waived privilege.

An employee’s communications on company accounts and devices (including with attorneys) can be a treasure trove of valuable evidence.  To ensure that the company has the best possible right to review such communications, it should adopt a technology use policy that appropriately informs employees that all data created, stored, sent or received on a company account or device is the property of the company, and may be monitored and reviewed by the company at any time and for any reason, and therefore that employees cannot expect any such data to be private or confidential from the company.  The policy should be sent to all employees, and each employee should acknowledge that he or she received, reviewed, and will comply with it.  Companies should behave in accordance with the policy, and refrain from doing anything that may lead an employee to expect privacy with respect to such data.  Finally, when a company encounters employee communications with an attorney on a company account or device, it should ensure that it has the right under applicable law to review such communications before doing so.

Employers Liable Under Stored Communication Act for Accessing Employee Facebook and Gmail Accounts

By Cameron G. Shilling (originally published 9/25/2013)

Employers frequently access and review data created or stored by employees on company-owned electronic devices, such as computers, laptops, tablets (iPad), and cellphones (iPhone, Droid and Blackberry).  Well-crafted technology and social media policies specifically authorize employers to do so.  But, if not careful, employers can step over the line between permissible conduct and conduct that violates the federal Stored Communications Act (SCA).  The line between permitted and unlawful conduct is not always apparent, so employers need to be aware of the SCA and seek counsel before accessing or reviewing an employee’s electronic communications.

Company-owned electronic devices are treasure troves of evidence of employee misconduct, particularly where employees use the devices to access personal email (Gmail, Yahoo!, etc.) or social media (Facebook, Google+, Twitter, Flickr, etc.).  Employers feel justifiably entitled to access and review data created and stored on such devices, particularly where employees are instructed that the company owns the devices and has the right to monitor the data, and that employees have no right to privacy.  As a general rule, the law supports employers here.

But the SCA imposes some limits on employers.  And, as a few recent cases demonstrate, it is all too easy for employers to step over the line and violate the federal law.

In Deborah Ehling v. Monmouth-Ocean Hospital Service Corp., the employer terminated the employee based (in part) on posts she made on Facebook.  The court underwent a rigorous analysis to determine that the SCA protects Facebook posts, as long as the posts are limited to friends and not on the person’s public Facebook pages.  As the court explained,

“when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls” and the “privacy protection provided by the SCA does not depend on the number of Facebook friends that a user has.”

Although the employee’s Facebook posts were protected, the employer did not violate the SCA because it received the posts through a person authorized to access them: one of the employee’s co-workers, who was her Facebook friend, gave them to the employer.  However, as this court and others have recognized, an employer violates the SCA if it obtains an employee’s private Facebook posts by other means, such as (1) using a password retrieved from the hard drive of the employee’s company-owned electronic device or from a keystroke logger installed on the device, (2) accessing the account by using the employee’s company-owned device where the password populates automatically, (3) creating a fictitious person on Facebook to friend the employee, and (4) pressuring co-workers to divulge the employee’s Facebook posts.  In those circumstances, access to the Facebook posts would not be authorized under the SCA.

In another case, Sandi Lazette v. Verizon Wireless, the employee returned her company-owned Blackberry to her employer, but did not properly disconnect her Gmail account from it before doing so.  Over the next 18 months, her supervisor read 48,000 emails sent to that account, some of which were quite personal.  The court in that case (like many other courts) found that email stored in webmail accounts (like Gmail) is protected by the SCA, at least while the email resides unread on the servers of the service provider.

The employer made several unsuccessful arguments to avoid liability.  For example, the court rejected the argument that the supervisor was accessing only the company-owned Blackberry, recognizing that he was actually using that device to access an account on the Gmail servers.  However, an employer does not violate the SCA if it recovers an employee’s personal emails that are stored on a company-owned device, such as when the data is in a backup file or recovered from the “residual” space of a hard drive.  The court also rejected the employer’s argument that the employee had impliedly consented to the employer’s review of her Gmail by not properly disconnecting the account.  While consent need not be explicit, the court recognized that,

“Negligence is … not the same as approval, much less authorization.  There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone will be stopping by.”

Technology presents legitimate opportunities for employers to monitor their employees.  It also presents potential pitfalls, some of which are not apparent.  Employers should continue to harvest valuable information from company-owned electronic devices, but also need to become aware of the SCA and seek counsel before accessing or reviewing employee electronic communications.

Lawyers Must Advise Employee-Clients About Lack of Email and Text Confidentiality

By Cameron G. Shilling (originally published 5/27/2011)

Courts in New York, California, Florida, Texas, Arizona, New Jersey and Idaho recently ruled that an employee waived his or her right to privacy with respect to attorney-client email communications that took place via an employer-owned email account.  As a result, the American Bar Association (ABA) issued a formal ethics opinion stating that lawyers must warn clients in such circumstances that their communications are not confidential.  The ABA opinion states as follows:


Social Media and the NLRB (Addendum): More Fuel for the Fire

By Cameron G. Shilling (originally published 10/17/2011)

A new decision has emerged prohibiting companies from adopting and enforcing policies that impact employees’ use of social media.  We recently posted a three-part blog discussing the role the National Labor Relations Board (NLRB) has adopted with respect to scrutinizing and invalidating policies that expressly or impliedly apply to employees’ use of social media, and protecting employees from discipline or discharge based on content they post to social media sites.  Before our keyboard had cooled, however, an Administrative Law Judge (ALJ) issued another such decision in Karl Knauz Motors, Inc. d/b/a Knauz BMW.  The Karl Knauz case underscores the points made in our prior blogs, and will serve to further bolster the NLRB’s self-appointed role as protector of social media freedom.

Social Media and the NLRB (Part 3): Discipline and Discharge – The Breadth of Concerted Activity

By Cameron G. Shilling (originally published 10/7/2011)

Activity is concerted if it is “engaged in with or on the authority of other employees, and not solely by and on behalf of the employee himself.”  This includes individual action if the employee “seeks to initiate, induce or prepare for group action” or raises “group complaints to the attention of management.”  In fact, a mere “conversation may constitute concerted activity, even though it involves only a speaker and a listener,” as long as “it had some relation to group action in the interest of employees,” according to the National Labor Relations Board (NLRB) in Meyers Industries, Inc.

The nature and breadth of this definition has significance for social media, which frequently involves on-line conversations about work between employees who are social media “friends.”

Social Media and the NLRB (Part 2): Employment Policies – The Chilling of Concerted Activity

By Cameron G. Shilling (originally published 10/5/2011)

The “mere maintenance” of a policy or practice that tends to chill employees’ exercise of their right to engage in concerted activity violates the National Labor Relations Act (Act), according to the National Labor Relations Board (NLRB) in Lafayette Park Hotel.  Thus, if the policy or practice “explicitly restricts activities protected” by the Act, it is unlawful.  In addition, as the NLRB found in Lutheran Heritage, even if the policy or practice does not do so, it still is unlawful if any one of the following is true:

  1. Employees would reasonably construe the policy or practice to restrict or prohibit concerted activity.
  2. The policy or practice was promulgated in response to union activity.
  3. The policy or practice is applied to restrict protected concerted activity.


Social Media and the NLRB (Part 1): The NLRB Intervenes in Social Media

By Cameron G. Shilling (originally published 10/3/2011)

New and exciting developments are a hallmark of the social media revolution.  The least expected of these developments, however, is that social media would be regulated by the National Labor Relations Board (NLRB).  Over the past few years, the NLRB has reviewed more than 130 social media cases, filed numerous complaints against businesses, issued several decisions, and published a report summarizing its position.  Is the NLRB’s activity justified and helpful, or an unwarranted hindrance?  The courts have not resolved that issue yet.  Until then, businesses should be careful not to unwittingly stumble into these legal problems.

McLane Recognized as “Thought Leader” in Data Privacy

By Cameron G. Shilling (originally published 10/3/2011)

The leader of McLane’s Privacy and Data Security Group, Cam Shilling, has been identified and interviewed as a “Thought Leader” with respect to Data Privacy by Beagle Research Group, LLC.  You can read the interview at http://www.beagleresearch.com/.

Beagle Research Group, LLC is a market research and consulting firm focusing on front office business processes and white collar productivity.  The company is led by Denis Pombriant, who is a well-known analyst and thought leader in the CRM space.  Denis writes for CRM Magazine, Destination CRM, Search CRM, and CRM Buyer, conducts research in emerging areas of front office technology and business, and consults regularly to many of the leading companies in CRM.

HHS Issues Proposed Rule Governing Clinical Laboratories

By Cameron G. Shilling (originally published 9/26/2011)

The United States Department of Health and Human Services issued a proposed rule that expands the rights of patients to access test results directly from clinical labs covered by HIPAA.  The rule would amend the regulations under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) to require that, upon a patient’s request, the lab must provide access to completed test reports concerning the patient.  The proposed rule was published on September 14, 2011, and has a 60-day comment period.