Know the Law: Who is Liable for Chip-Based Credit Card Fraud

By Cameron G. Shilling (originally published 11/23/2015)

As published in the Union Leader (9/14/2015)

Q.  More and more of my customers are paying with credit cards that have chips in them.   Do I need a chip-based credit card reader?

A.  Credit card companies – not retailers or consumers – have historically absorbed the liability for fraudulent credit card transactions.  That will change on October 1, 2015.  If your business does not use EMV equipped card readers to process credit cards that utilize the new chip technology, then your business – not the credit card company – will be liable for fraudulent transactions.

The credit card industry in the United States has been transitioning for the last several years to cards that utilize embedded chips, in addition to the older magnetic stripe technology.  The reason is that the vast majority of credit card fraud results from the “skimming” of numbers when a card’s magnetic stripe is “swiped” through a card reader.  Target, Home Depot, and TJX are just a few examples of such recent breaches affecting hundreds of millions of consumers.

Retailers outside of the United States started many years ago transitioning to chip technology, which is called “EMV.” Outside of this country, about 70% of all credit card readers employ EMV technology, compared to the relatively negligible adoption of EMV domestically.  As a result, the approximately $10 billion of annual domestic credit card fraud accounts for nearly half of global fraudulent credit card transactions, even though only about one quarter of all credit card transactions worldwide occur in the United States.

On October 1, 2015, there will be a change to the rules that major credit card companies apply to retailers and other credit card processors.  If fraudulent transactions occur using cards with chips, and the retailers/processors did not use EMV equipped card readers, then the retailers/processors – not the credit card companies – are liable for the fraudulent transactions.  By contrast, if a retailer/processor uses an EMV reader to process a chip equipped card, the credit card company is liable.  Also, credit card companies remain liable for fraudulent transactions using credit cards equipped only with a magnetic stripe and not the chip technology.

Because about 40% of credit cards in the United States presently have embedded chips, domestic retailers and credit card processors face significant potential liability for fraudulent transactions.  As a result, if your business processes credit card transactions, you should promptly convert to EMV enabled credit card readers.

Lawyers Must Advise Employee-Clients About Lack of Email and Text Confidentiality

By Cameron G. Shilling (originally published 5/27/2011)

Courts in New York, California, Florida, Texas, Arizona, New Jersey and Idaho recently ruled that an employee waived his or her right to privacy with respect to attorney-client email communications that took place via an employer-owned email account.  As a result, the American Bar Association (ABA) issued a formal ethics opinion stating that lawyers must warn clients in such circumstances that their communications are not confidential.  The ABA opinion states as follows:


Social Media and the NLRB (Addendum): More Fuel for the Fire

By Cameron G. Shilling (originally published 10/17/2011)

A new decision has emerged prohibiting companies from adopting and enforcing policies that impact employees’ use of social media.  We recently posted a three-part blog discussing the role the National Labor Relations Board (NLRB) has adopted with respect to scrutinizing and invalidating policies that expressly or impliedly apply to employees’ use of social media, and protecting employees from discipline or discharge based on content they post to social media sites.  Before our keyboard had cooled, however, an Administrative Law Judge (ALJ) issued another such decision in Karl Knauz Motors, Inc. d/b/a Knauz BMW.  The Karl Knauz case underscores the points made in our prior blogs, and will serve to further bolster the NLRB’s self-appointed role as protector of social media freedom.

Social Media and the NLRB (Part 3): Discipline and Discharge – The Breadth of Concerted Activity

By Cameron G. Shilling (originally published 10/7/2011)

Activity is concerted if it is “engaged in with or on the authority of other employees, and not solely by and on behalf of the employee himself.”  This includes individual action if the employee “seeks to initiate, induce or prepare for group action” or raises “group complaints to the attention of management.”  In fact, a mere “conversation may constitute concerted activity, even though it involves only a speaker and a listener,” as long as “it had some relation to group action in the interest of employees,” according to the National Labor Relations Board (NLRB) in Meyers Industries, Inc.
The nature and breadth of this definition has significance to social media, which frequently involves on-line conversations about work between employees who are social media “friends.”

Social Media and the NLRB (Part 2): Employment Policies – The Chilling of Concerted Activity

By Cameron G. Shilling (originally published 10/5/2011)

The “mere maintenance” of a policy or practice that tends to chill employees’ exercise of their right to engage in concerted activity violates the National Labor Relations Act (Act), according to the National Labor Relations Board (NLRB) in Lafayette Park Hotel.  Thus, if the policy or practice “explicitly restricts activities protected” by the Act, it is unlawful.  In addition, as the NLRB found in Lutheran Heritage, even if the policy or practice does not do so, it still is unlawful if any one of the following is true:

  1. Employees would reasonably construe the policy or practice to restrict or prohibit concerted activity.
  2. The policy or practice was promulgated in response to union activity.
  3. The policy or practice is applied to restrict protected concerted activity.


Social Media and the NLRB (Part 1): The NLRB Intervenes in Social Media

By Cameron G. Shilling (originally published 10/3/2011)

New and exciting developments are a hallmark of the social media revolution.  The least expected of these developments, however, is that social media would be regulated by the National Labor Relations Board (NLRB).  Over the past few years, the NLRB has reviewed more than 130 social media cases, filed numerous complaints against businesses, issued several decisions, and published a report summarizing its position.  Is the NLRB’s activity justified and helpful, or an unwarranted hindrance?  The courts have not resolved that issue yet.  Until then, businesses should take care not to stumble unwittingly into these legal problems.

McLane Recognized as “Thought Leader” in Data Privacy

By Cameron G. Shilling (originally published 10/3/2011)

The leader of McLane’s Privacy and Data Security Group, Cam Shilling, has been identified and interviewed as a “Thought Leader” with respect to Data Privacy by Beagle Research Group, LLC.  You can read the interview at http://www.beagleresearch.com/.
Beagle Research Group, LLC is a market research and consulting firm focusing on front office business processes and white collar productivity.  The company is led by Denis Pombriant, who is a well-known analyst and thought leader in the CRM space.  Denis writes for CRM Magazine, Destination CRM, Search CRM, and CRM Buyer, conducts research in emerging areas of front office technology and business, and consults regularly to many of the leading companies in CRM.

HHS Issues Proposed Rule Governing Clinical Laboratories

By Cameron G. Shilling (originally published 9/26/2011)

The United States Department of Health and Human Services issued a proposed rule that expands the rights of patients to access test results directly from clinical labs covered by HIPAA.  The rule would amend the regulations under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) to require that, upon a patient’s request, the lab must provide access to completed test reports concerning the patient.  The proposed rule was published on September 14, 2011, and has a 60-day comment period.

Digital Privacy Article Analyzing Quon v. City of Ontario Published in ABA Journal

By Cameron G. Shilling (originally published 5/27/2011)

The American Bar Association has published in its Journal of Employment and Labor Relations Law an article I recently wrote analyzing the U.S. Supreme Court’s decision in Quon v. City of Ontario. The following is the opening passage from the District Court’s decision, and foreshadows the potential significance of this case with regard to data privacy issues.


Facebook Exonerated by Federal Court of ECPA and SCA Claims

By Cameron G. Shilling (originally published 5/20/2011)

A federal court has dismissed class action claims against Facebook under the Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA).  The claims arose from Facebook’s practice in early 2010 of disclosing to advertisers the user names of Facebook users who clicked on advertisements, even though that practice was contrary to Facebook’s privacy policy.

The ECPA prohibits the interception of an electronic communication when it is in transit from sender to recipient.  The SCA prohibits the unauthorized access or disclosure of electronic communications stored on certain computer systems.
