Flash Digest – News in Brief

Cybersecurity Digest Reports Flash Digest

Forever 21 Reports Possible Data Breach

Fashion retailer Forever 21 Inc. released a statement on November 14, 2017 on its website stating that “there may have been unauthorized access to data from payment cards” used in some of its stores. The company, which operates more than 815 stores in 57 countries, did not specify which of its stores were affected. According to Verizon’s 2017 Data Breach Investigations Report, point of sale (“POS”) breaches represented a little over 10% of all breaches this year. The report suggested that adopting two-factor authentication in every transaction might help reduce the risk of data hacking.

In the statement, Forever 21 mentioned that it implemented encryption and tokenization solutions in 2015, and therefore believes that the breach only involved certain POS devices in stores where the encryption on those devices was not operating correctly. The statement was based on an investigation conducted by the company after receiving a report from a third party. The results of the report are not final and the company, which is headquartered in Los Angeles, California, will continue to investigate the matter, focusing on card transactions that occurred between March and October of this year. Forever 21 expects to provide additional updates once the specific stores and timeframes involved are clarified.

The company advised customers to “closely monitor their payment card statements.” Customers are encouraged to immediately notify the bank that issued the card should there be an unauthorized charge. Under Regulation Z of the Truth in Lending Act, 12 C.F.R. § 226 (2011) and Regulation E of the Electronic Fund Transfer Act, 12 C.F.R. § 205 (2007), both credit card and debit card holders are generally protected in cases of unauthorized charges stemming from data breaches and are entitled to a chargeback. Forever 21 now joins the long list of companies that have been hit by data breach this year, following Arby’s, Saks Fifth Avenue, Chipotle, Verizon, Equifax, and Whole Foods Market.


Does California Protect Anonymity in Online Posters?

California has long been known to be a state that upholds the anonymity of online posters. In 2012, the California Anti-SLAPP Project published an article titled “California Leads the Country in Protecting Online Anonymity”. The expectation of confidentiality when posting anonymously in an online platform, however, may no longer be the case in California following a recent opinion by the state’s Court of Appeals. Yelp Inc. v. Superior Court, G054358 consol. w/G054422 (Cal. Ct. App. Nov. 13, 2017).

Yelp is an online platform where users can freely leave feedback for a business based upon their experiences. These reviews help inform others considering the business. In Yelp, the court decided that Yelp must disclose information which may relate to the identity of an anonymous poster who is accused of committing defamation in a review on the website. The case started from a lawsuit filed by an accountant named Gregory Montagna against a client whom Montagna alleges left a bad review for Montagna’s services under the name of “Alex M.” Montagna served a subpoena to Yelp requesting documents that would support his claim to prove that “Alex M.” was indeed his client. Yelp ignored the subpoena.

In Krinsky v. Doe 6, 159 Cal. App. 4th 1154 (2008), which is cited by the court in Yelp, a subpoena seeking disclosure of an anonymous defendant’s identity will be quashed unless the plaintiff “make[s] a prima facie showing” of the existence of defamation. Not only does it require that the plaintiff prove the statement was made, but also that it contains “falsity” and has had a negative impact on the plaintiff. The Court of Appeals in Yelp held that the posted statement was more than mere opinion and did in fact include a false statement—meeting the requirements to support a defamation claim. The trial court had previously concluded not only that Yelp has to turn over documents that might identify “Alex M.,” but also that the company does not have standing to enforce any First Amendment rights on the poster’s behalf.

On appeal, the Court of Appeals reversed this portion of the decision, confirming Yelp’s right to claim the First Amendment protections for its posters. This is in line with Glassdoor, Inc. v. Superior Court, 9 Cal. App. 5th 623 (Cal. Ct. App. 2017), where the court held that companies hosting “anonymous online reviews . . . had standing to assert the review author's First Amendment right to anonymous speech.” Nevertheless, the court still required Yelp to disclose the relevant documents in relation the poster’s identity, agreeing with the trial court that Montagna had shown sufficient evidence that the review was defamatory.

Given the outcome of the case, Reuters has said that online anonymity is “slipping away” in California, as the courts “seem to be developing a consensus that rejects the widely-accepted” balancing test established in Dendrite Int'l, Inc. v. John Doe, No. 3, 342 N.J. Super. 134 (N.J. 2001). In Yelp, the court held that the balancing test was no longer necessary, as “the plaintiff had already demonstrated a prima facie case of defamation.” Digital rights advocates such as the Electronic Frontier Foundation (EFF) worry that such a view may encourage people to easily “pierce online speakers’ anonymity” when they do not agree with the review. Nevertheless, the fate of online anonymity overall is yet to be determined, as it appears that the revealing of anonymous users will be considered on a case-by-case basis. Joe Kukura of SF Weekly, also optimistically believes that the possibility of businesses suing their users for defamation over an online review remains minimal. EFF hopes that California courts will continue their role in preventing the abuse of unmasking subpoenas and that online platforms will continue to stand up for their users’ anonymous speech rights, defending them in court when necessary.

 

DOJ: Trump’s Tweet Are “Official Statements of the President of the United States”

President Trump’s tweets have become the primary source for information on the President’s activities and opinions. As reported by the National Law Journal, lawyers and legal scholars have been questioning whether President Trump’s tweets are considered “official statements” since the start of his presidency. On November 13, the Department of Justice (DOJ) announced that they are, in fact, treating tweets from the @realDonaldTrump Twitter account as “official statements of the President of the United States.” The DOJ expressed this opinion in an eight-page statement submitted to D.C. Federal District Court in response to a Freedom of Information Act (FOIA) lawsuit initiated early this year regarding the so-called “Steele dossier” detailing President Trump’s alleged ties to Russia.

The lawsuit was filed by The James Madison Project and Politico reporter Josh Gernstein against the DOJ, Central Intelligence Agency (CIA), the Office of Director of National Intelligence (ODNI), and the Department of Defense (DOD). The plaintiffs brought the action after the agencies ignored requests to obtain copies of records related to the dossier written by former British spy Christopher Steele and a related two-page synopsis provided by the U.S. Government to President Trump, as well as any determinations by the government on its accuracy.

Although the DOJ considers the President’s tweets official presidential statements, the agency’s brief also states that nothing in the President’s statements, including those posted on his Twitter account, suggests that the federal agencies have made a final determination on whether statements in the government’s synopsis of the dossier are true. In another case, Knight First Amendment Institute at Columbia University v. Donald J. Trump, No. 17-cv-5205 (S.D.N.Y. 2017) the DOJ argued that “the fact that the President may ‘announce the actions of state’ through his Twitter account does not mean that all actions related to that account are attributable to the state.”

According to CNN’s Julian Zelizer, the President’s tweets are a reflection of his state of mind as the commander in chief of the most powerful country in the free world. Without monitoring from the White House officials and staffs, “this ongoing lack of supervision and self-control can be dangerous on many levels.”


Made Grazia V. Ustriyana is an LL.M. student at Harvard Law School.