Content Liability for Computer Service Providers

Providers of websites, bulletin boards, and various other online services often wonder about how much legal responsibility they bear for the content that their users upload. On the one hand, online service providers want to open, useful forums for their customers or users, and not have to spend a lot of time policing content. On the other hand, few want to be seen as tolerant of content that is offensive, inappropriate, or illegal.

These concerns over free speech and liability on the Internet led to section 230 of the 1996 Communications Decency Act. The section states that providers or users of an “interactive computer service” shall not be considered the speakers or publishers of material added to that service by third parties. It also includes a “Good Samaritan” clause, which shields providers and users from civil liability for acting in good faith to police or restrict objectionable content.

§230 provides sweeping protections for online service providers. Providers are given free reign to restrict or permit third party content on their services as they see fit. Indeed, providers retain their protection from liability even after being notified of the presence of objectionable content on their service.

The law, however, is not all-encompassing. Decisions over the law often revolve around the distinction between “service providers” and “content providers,” which is not as clear as it seems at first glance. The use of trademarked or copyrighted materials without permission is not protected by §230, and instead falls under the Digital Millennium Copyright Act. Nevertheless, the law gives providers of interactive computer services broad protection from liability for the actions of their users or customers.

Digital Signatures

In recent years, the question of the validity of digital signatures has come before various courts and legislatures. Since so many types of legal transactions are legally required to be authenticated with a person’s signature, the issue of how to approve agreements online presented a new problem. Fortunately, strong, clear laws have emerged in the last few years, and digital signatures are now essentially legally equivalent to the real thing.

The first major breakthrough for digital signatures came in 1999, when President Clinton signed into law the Electronic Signatures in Global and National Commerce Act. Simply put, the Act declared that at the Federal level, no electronic signature could be refused solely for the reason of being electronic. State legislatures quickly followed suit with various laws to similar effect.

Consumers’ levels of comfort with digital transactions, however, still vary a bit. While more technologically savvy consumers are as comfortable purchasing items on eBay or Amazon as at a local store, others still have concerns. Some worry about record-keeping or the confidentiality of their personal information, while others are intimidated by lengthy “click-wrap” agreements that are included with software programs and websites.

Anonymity, Defamation and Free Speech on the Internet

Whether through a Facebook page, an email, or a blog, the Internet allows average individuals to publish content to a wide audience quickly and cheaply. But on the Internet, unlike in the real world, one can often speak without his name or face being known to his listeners. While some use this freedom as a way to express controversial or unpopular opinions that they wouldn’t otherwise be able to, others use it to avoid accountability for fraudulent or damaging speech. What distinguishes the two, and just how anonymous is the content on the Internet?

As a rule of thumb, one should never consider anything viewed or posted online to be perfectly anonymous or untraceable. For example, in a recent New York Supreme Court case – in re Cohen v. Google – a fashion model in New York City sought to file suit for defamation in response to insulting comments and photos posted about her on a blog. When Internet titan Google, who hosted the blog in question, refused to disclose the blogger’s identity, the model applied for a court order to force it do so. The judge ruled in her favor.

The lesson here is that since Internet Service Providers (ISPs) can identify their users, it’s fair to assume that anything you can be sued for publishing in real life, you can be sued for publishing online. That’s not to say that every blogger who makes fun of a celebrity online should expect to be hauled into court. It’s probably more likely that most targets of such abuse are either unaware, indifferent, or disinclined to spend time and money on litigation.

Nevertheless, the blogger in Cohen v. Google took a risk by posting what she did. A simple disclaimer pointing out that her statements were merely opinion might have helped to protect her, but not necessarily. The First Amendment protects one’s right to speak anonymously, but only up to a point. Those who make false statements that harm others cannot expect courts to protect their identity. While the Internet undeniably does provide its users with some degree of anonymity, it’s important to know that it is still no shield for tortious or unlawful speech.

Ohio’s Security Breach Notification Act

For millions of American consumers, identity theft is a scary subject. With the proliferation of information technology in every aspect of daily life, it has become increasingly difficult for consumers to know what sorts of information businesses keep about them, and what is done with that information. It is no longer uncommon to hear news reports wherein a stolen laptop or hacked computer system puts at risk the personal information of thousands, or even millions of people.

These kinds of security breaches have prompted many state governments to pass mandatory disclosure statutes to protect consumers. These laws require businesses and other organizations to notify anyone affected by a security breach that puts their personal information at risk. The purpose of such notification is to give consumers the opportunity to change passwords, and to monitor their accounts or credit reports for unauthorized use. Ohio passed its own notification law in 2006.

Since so many businesses now keep customers’ personal information on file, business owners should take care to understand what the Security Breach Notification Act covers, and what it requires of them. The law applies to all types of business organizations that own computerized personal information, which is defined as an individual’s full name in combination with one or more of the following:

Social security number
Driver’s license number or state ID card number
Credit card, debit card or account number and password which would permit access to an individual’s financial account

Businesses should consider carefully whether or not it is necessary to keep this type of information on file. Those that do should consider storing such information in an encrypted or redacted form, which will provide a measure of protection to their customers. When personal information is compromised by a security breach, businesses have 45 days to notify affected persons who are Ohio residents. The law applies to any security breach that “causes or reasonably is believed will cause a material risk of identity theft or other fraud.” Ohio Rev. Code S 1349.19(B)(1). The primary notification methods outlined in the statute include written notification, telephone notification or electronic notification (when this is the primary means of communication with the affected resident). Alternative methods of notification are available for businesses that can demonstrate one of the following:

There is not adequate contact information to make the required disclosure
The cost of disclosure would exceed $250,000
The number of residents affected is more than 500,000
The business has 10 or fewer employees and the cost of disclosure would exceed $10,000

Furthermore, businesses must also notify consumer reporting agencies when a security breach affects more than 1,000 people.

Although the law does not provide a private right of action (that is, an affected individual cannot sue a company that fails to disclose a security breach), it does allow the Ohio Attorney General to impose severe fines for violations. Understanding the requirements of the Security Breach Notification Act is the first step for those who wish to protect themselves and their customers. Other organizations may even want to consult with their attorneys and/or IT professionals to assess and mitigate their security risks.