Supreme Court to Decide Who Can Sue Under Privacy Law

Does a consumer, as an individual, have standing to sue a consumer reporting agency for a “knowing violation” of the Fair Credit Reporting Act (“FCRA”), even if the individual may not have suffered any “actual damages”?

The question will be decided by the U.S. Supreme Court in Spokeo, Inc. v. Robins, 742 F.3d 409 (9th Cir. 2014), cert. granted, 2015 U.S. LEXIS 2947 (U.S. Apr. 27, 2015) (No. 13-1339). The Court’s decision will have far-reaching implications for suits under the FCRA and other statutes that regulate privacy and consumer credit information.

FCRA

Enacted in 1970, the Fair Credit Reporting Act obligates consumer reporting agencies to maintain procedures to assure the “maximum possible accuracy” of any consumer report it creates. Under the statute, consumer reporting agencies are persons who regularly engage “in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Information about a consumer is considered to be a consumer report when a consumer reporting agency has communicated that information to another party and “is used or expected to be used or collected” for certain purposes, such as extending credit, underwriting insurance, or considering an applicant for employment. The information in a consumer report must relate to a “consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.”

Under the FCRA, consumers may bring a private cause of action for alleged violations of their FCRA rights resulting from a consumer reporting agency’s negligent or willful actions. For a negligent violation, the consumer may recover the actual damages he or she may have sustained. For a “willful” or “knowing” violation, a consumer may recover either actual damages or statutory monetary damages of $100 to $1,000.

Background

Spokeo is a website that aggregates personal data from public records that it sells for many purposes, including employment screening. The information provided on the site may include an individual’s contact information, age, address, income, credit status, ethnicity, religion, photographs, and social media use.

Spokeo, Inc., has the dubious distinction of receiving the first fine ($800,000) from the Federal Trade Commission (“FTC”) for FCRA violations involving the sale of Internet and social media data in the employment screening context. The FTC alleged that the company was a consumer reporting agency and that it failed to comply with the FCRA’s requirements when it marketed consumer information to companies in the human resources, background screening, and recruiting industries.

Conflict in Circuit Courts

In Robins v. Spokeo, Inc., Thomas Robins had alleged several FCRA violations, including the reckless production of false information to potential employers. Robins did not allege he had suffered or was about to suffer any actual or imminent harm resulting from the information that was produced, raising only the possibility of a future injury.

The U.S. Court of Appeals for the Ninth Circuit, based in San Francisco, held that allegations of willful FCRA violations are sufficient to confer Article III standing to sue upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of the statute. In other words, the consumer need not allege any resulting damage caused by a violation; the “knowing violation” of a consumer’s FCRA rights alone, the Ninth Circuit held, injures the consumer. The Ninth Circuit’s holding is consistent with other circuits that have addressed the issue. See e.g., Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 705-07 (6th Cir. 2009). It refused to follow the U.S. Court of Appeals for the Eighth Circuit in finding that one “reasonable reading of the [FCRA] could still require proof of actual damages but simply substitute statutory rather than actual damages for the purpose of calculating the damage award.” Dowell v. Wells Fargo Bank, NA, 517 F.3d 1024, 1026 (8th Cir. 2008).

The constitutional question before the U.S. Supreme Court is the scope of Congress’ authority to confer Article III standing, particularly, whether a violation of consumers’ statutory rights under the FCRA are the type of injury for which Congress may create a private cause of action to redress. In Beaudry, the Sixth Circuit identified two limitations on Congress’ ability to confer standing:

  1. the plaintiff must be “among the injured,” and

  2. the statutory right must protect against harm to an individual rather than a collective.

The defendant companies in Beaudry provided check-verification services. They had failed to account for a change in the numbering system for Tennessee driver’s licenses. This led to reports incorrectly identifying consumers as first-time check-writers.

The Sixth Circuit did not require the plaintiffs in Beaudry to allege the consequential damages resulting from the incorrect information. Instead, it held that the FCRA “does not require a consumer to wait for consequential harm” (such as the denial of credit) before bringing suit under FCRA for failure to implement reasonable procedures in the preparation of consumer reports. The Ninth Circuit endorsed this position, holding that the other standing requirements of causation and redressability are satisfied “[w]hen the injury in fact is the violation of a statutory right that [is] inferred from the existence of a private cause of action.”

Authored by: Jason C. Gavejian and Tyler Philippi of Jackson Lewis P.C.

Jackson Lewis P.C. © 2015

CPSC & DOJ Sue Michaels Stores for Failing to Report Product Safety Hazard and Filing Misleading Information

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

For the first time in recent memory, the Department of Justice (DOJ) and Consumer Product Safety Commission (CPSC) jointly announced the filing of a lawsuit in federal court for the imposition of a civil penalty and injunctive relief for violation of the Consumer Product Safety Act (CPSA). The lawsuit is against arts and crafts retailer Michaels Stores and its subsidiary Michaels Stores Procurement Co. Inc. (collectively, “Michaels” or “the Company”)  for failing to timely report a potential product safety hazard to the CPSC. Unlike other CPSC civil penalty actions involving DOJ, this penalty does not already have a negotiated consent decree in place and it appears that the case could be fully litigated.

The complaint alleges that Michaels knowingly violated the CPSA by failing to timely report to the CPSC that the glass walls of certain vases were too thin to withstand normal handling, thereby posing a laceration hazard to consumers.  According to the complaint, multiple consumers suffered injuries, including nerve damage and hand surgeries, from 2007 to late 2009.

Michaels allegedly did not report the potential defect to the Commission until February 2010.  Of course, we only know one side of the allegations, and Michaels will respond to those allegations in the coming weeks. The Company did state that “it believes the facts will show it acted promptly and appropriately.”

WaterNotably, the complaint also alleges that when Michaels filed an initial report with the CPSC in 2010, it provided “only the limited information required to be furnished by distributors and retailers” under the CPSA.  However, and critically, as the complaint sets forth in more detail, manufacturers—whose definition under the CPSA includes importers of record—are required to provide more information to the Commission than retailers.

According to the government, Michaels’ report conveyed the false impression that the Company did not import the vases, even though the Company was the importer of record and thus was required to submit significantly more information as themanufacturer of the vases.  The lawsuit alleges that Michaels made this misrepresentation in order to avoid the responsibility of undertaking a product recall.

As for the remedy, the government is seeking a civil penalty (in an unidentified amount) and various forms of injunctive relief, including the enactment of a stringent compliance program to ensure future compliance with CPSC reporting obligations.  This requested relief is similar to what the CPSC has required in almost all civil penalty agreements with other companies over the past few years.

What makes this complaint so newsworthy is that the government and Michaels plan to litigate the imposition of a civil penalty.  As noted above, this is not a frequent occurrence because companies tend to settle civil penalty claims rather than litigate. Given how infrequently civil penalties are litigated and the lack of any legal precedent guiding civil penalty negotiations under the heightened $15 million penalty limits, any judgment likely would have a wide-ranging impact on all future civil penalty negotiations between companies and the CPSC.

As we have previously stated, we expect the Commission to remain active in 2015 in bringing enforcement actions against companies for violations of the CPSA and other safety statutes.

We will watch this case closely and update our readers on any noteworthy developments.

ARTICLE BY

Consumer Product Matters Blog

CPSC & DOJ Sue Michaels Stores for Failing to Report Product Safety Hazard and Filing Misleading Information

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

For the first time in recent memory, the Department of Justice (DOJ) and Consumer Product Safety Commission (CPSC) jointly announced the filing of a lawsuit in federal court for the imposition of a civil penalty and injunctive relief for violation of the Consumer Product Safety Act (CPSA). The lawsuit is against arts and crafts retailer Michaels Stores and its subsidiary Michaels Stores Procurement Co. Inc. (collectively, “Michaels” or “the Company”)  for failing to timely report a potential product safety hazard to the CPSC. Unlike other CPSC civil penalty actions involving DOJ, this penalty does not already have a negotiated consent decree in place and it appears that the case could be fully litigated.

The complaint alleges that Michaels knowingly violated the CPSA by failing to timely report to the CPSC that the glass walls of certain vases were too thin to withstand normal handling, thereby posing a laceration hazard to consumers.  According to the complaint, multiple consumers suffered injuries, including nerve damage and hand surgeries, from 2007 to late 2009.

Michaels allegedly did not report the potential defect to the Commission until February 2010.  Of course, we only know one side of the allegations, and Michaels will respond to those allegations in the coming weeks. The Company did state that “it believes the facts will show it acted promptly and appropriately.”

WaterNotably, the complaint also alleges that when Michaels filed an initial report with the CPSC in 2010, it provided “only the limited information required to be furnished by distributors and retailers” under the CPSA.  However, and critically, as the complaint sets forth in more detail, manufacturers—whose definition under the CPSA includes importers of record—are required to provide more information to the Commission than retailers.

According to the government, Michaels’ report conveyed the false impression that the Company did not import the vases, even though the Company was the importer of record and thus was required to submit significantly more information as themanufacturer of the vases.  The lawsuit alleges that Michaels made this misrepresentation in order to avoid the responsibility of undertaking a product recall.

As for the remedy, the government is seeking a civil penalty (in an unidentified amount) and various forms of injunctive relief, including the enactment of a stringent compliance program to ensure future compliance with CPSC reporting obligations.  This requested relief is similar to what the CPSC has required in almost all civil penalty agreements with other companies over the past few years.

What makes this complaint so newsworthy is that the government and Michaels plan to litigate the imposition of a civil penalty.  As noted above, this is not a frequent occurrence because companies tend to settle civil penalty claims rather than litigate. Given how infrequently civil penalties are litigated and the lack of any legal precedent guiding civil penalty negotiations under the heightened $15 million penalty limits, any judgment likely would have a wide-ranging impact on all future civil penalty negotiations between companies and the CPSC.

As we have previously stated, we expect the Commission to remain active in 2015 in bringing enforcement actions against companies for violations of the CPSA and other safety statutes.

We will watch this case closely and update our readers on any noteworthy developments.

ARTICLE BY

Consumer Product Matters Blog

Junk Fax Act Compliance: One Week Left to Request a Waiver for Non-Compliance

McDermott Will & Emery

Thursday, April 30, 2015, marks the last day a business can request a retroactive waiver for failing to comply with certain fax advertising requirements promulgated by theFederal Communications Commission (FCC). The scope of these requirements was clarified on October 30, 2014, when the FCC issued an Order (2014 Order) under the Junk Fax Prevention Act of 2005 (Junk Fax Act). The 2014 Order confirms that senders of all advertising faxes must include information that allows recipients to opt out of receiving future faxes from that sender.

The 2014 Order clarifies certain aspects of the FCC’s 2006 Order under the Junk Fax Act (the Junk Fax Order). Among other requirements, the Junk Fax Order established the requirement that the sender of an advertising fax provide notice and contact information that allows a recipient to “opt out” of any future fax advertising transmissions.

Following the FCC’s publication of the Junk Fax Order, some businesses interpreted the opt-out requirements as not applying to advertising faxes sent with the recipient’s prior express permission (based on footnote 154 in the Junk Fax Order). The 2014 Order provided a six-month period for senders to comply with the opt-out requirements of the Junk Fax Order for faxes sent with the recipient’s prior express permission and to request retroactive relief for failing to comply. The six-month period ends on April 30, 2015. Without a waiver, the FCC noted that “any past or future failure to comply could subject entities to enforcement sanctions, including potential fines and forfeitures, and to private litigation.”

ARTICLE BY

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United Sates, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).

ARTICLE BY

Online Behavioral Advertising: Industry Guides Require Real Time Notice When Data Are Collected or Used for Personalized Ads

Greenberg Traurig Law firm

WHAT’S COVERED?

Online behavioral advertising (OBA) has become a very common tool for commercial websites. OBA can be defined as follows:

the collection of data online from a particular computer or device regarding web viewing behaviors over time and across Web sites for the purpose of using such data to predict preferences or interests and to deliver advertising to that computer or device presumed to be of interest to the user of the computer/device based on observed Web viewing behaviors.

OBA might be implemented by use of cookies directly on a company’s website by the company itself. Or it might occur through technology embedded in ads from other parties displayed on the company’s site. Either way, the operators of commercial websites need to be aware when OBA is occurring on their sites and should be taking steps to provide greater transparency about OBA occurring on their sites.

WHAT’S THE CONCERN?

While the use of OBA is largely unregulated by law in the U.S. at this time, its spread has generated concern among privacy advocates. Of particular concern is the gathering of data about consumers without their knowledge where such information is supposed to be anonymous but advances in technology make it more and more possible to link that information to individuals (not just devices) through combination with other information. Examples can include information about health conditions and other sensitive information gleaned by watching the sites a user visits, the searches he/she conducts, etc. Key characteristics of OBA include that it is: (a) invisible to the user; (b) hard to detect; and (c) resilient to being blocked or removed.

In an effort to stave off government regulation of OBA in the United States, the Digital Advertising Alliance (DAA), a consortium of the leading advertising trade associations, has instituted a leading set of guidelines. Based on standards proposed by the Federal Trade Commission, the DAA Self-Regulatory Program is designed to give consumers enhanced control over the collection and use of data regarding their Internet viewing for OBA purposes.

WHAT’S REQUIRED?

The key principles of the DAA’s guides are to provide greater transparency to consumers to allow them to know when OBA is occurring and to provide the ability to opt out. For commercial website operators that allow OBA on their sites, the compliance implications are as follows:

  1. First Party OBA. First Parties are website operators/publishers. If a company simply gathers information for its own purposes on its own site, it is generally not covered by the guidelines. However, as soon as the First Party allows others to engage in OBA via the site, it has a duty to monitor and make sure that proper disclosures are being made and even to make the disclosures itself if the others do not do so, including assuring that “enhanced notice” (usually the icon discussed below or a similar statement) appears on every page of the First Party’s site where OBA is occurring.

  2. Third-Party OBA. Third parties are ad networks, data companies/brokers, and sometimes advertisers themselves, who engage in OBA through ads placed on other parties’ sites. These Third Parties should provide consumers with the ability to exercise choice with respect to the collection and use of data for OBA purposes. (See below on how to provide recommended disclosures.)

  3. Service Providers. These are providers of Internet access, search capability, browsers, apps or other tools that collect data about sites a user visits Service Providers generally are expected to provide clear disclosure of OBA practices which may occur via their services, obtain consumer consent for such practices, and provide an easy-to-use opt-out mechanism.

HOW TO COMPLY

Generally, Third Parties and Service Providers should give clear, meaningful, and prominent notice on their own websites that describes their OBA data collection and use practices. Such notice should include clear descriptions that include:

  • The types of data collected online, including any PII for OBA purposes;

  • The uses of such data, including whether the data will be transferred to a nonaffiliate for OBA purposes;

  • An easy to use mechanism for exercising choice with respect to the collection and use of the data for OBA purposes or to the transfer of such data to a nonaffiliate for such purpose; and

  • The fact that the entity adheres to OBA principles.

In addition, “enhanced notice” should appear on each and every ad (or page) where OBA is occurring. The “enhanced notice” means more than just traditional disclosure in a privacy policy. It means placement of a notice on the page/ad where OBA is occurring. The notice typically is given in the form of the following icon (in blue color) which should link to a DAA page describing OBA practices and providing an easy-to-use opt-out mechanism:

online behavioral advertising

The icon/link should appear in or around each ad where data are collected. Alternatively, it can appear on each page of a website on which any OBA ads are being served. It is normally the duty of the advertisers (Third Parties) to deploy the icon. However, if they fail to do so, then the operator of the site where the OBA ads appear has the duty to make appropriate real-time disclosures about OBA on each page where OBA activity is occurring, including links to the DAA page describing OBA practices and providing an easy-to-use opt-out mechanism.

ENFORCEMENT

The DAA is taking its OBA guidelines seriously. It has issued sets of “compliance warnings” to many major U.S. companies. While DAA has no direct authority to impose fines or penalties, its issuance of a ruling finding a violation of its guidelines could create a tempting target for the FTC or plaintiffs’ class action lawyers to bring separate actions against a company not following the DAA guidelines. For all these reasons, operators of websites employing OBA (either first party or third party) should pay heed to the DAA Guidelines.

ARTICLE BY

OF

California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer.  The last of these amendments has spurned some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.”  It is also unclear what exactly is intended by or who qualifies as “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The standard of whether or not such services would, to some degree, be appropriate will not likely be the primary conversation that this amendment sparks.  The more lively topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services.  The legislative history is not as equally helpful on these questions.  Thus, until the scope of this new requirement becomes more clear, businesses involved in a breach under the statute need to carefully think through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.  To review the amended statute or its legislative history click here.

Dodd-Frank Whistleblower Litigation Heating Up

Barnes Thornburg

The past few months have been busy for courts and the SEC dealing with securities whistleblowers. The Supreme Court’s potentially landmark decision in Lawson v. FMR LLC back in March already seems like almost ancient history.  In that decision, the Supreme Court concluded that Sarbanes-Oxley’s whistleblower protection provision (18 U.S.C. §1514A) protected not simply employees of public companies but also employees of private contractors and subcontractors, like law firms, accounting firms, and the like, who worked for public companies. (And according to Justice Sotomayor’s dissent, it might even extend to housekeepers and gardeners of employees of public companies).

Since then, a lot has happened in the world of whistleblowers. Much of the activity has focused on Dodd-Frank’s whistleblower-protection provisions, rather than Sarbanes-Oxley. This may be because Dodd-Frank has greater financial incentives for plaintiffs, or because some courts have concluded that it does not require an employee to report first to an enforcement agency. The following are some interesting developments:

What is a “whistleblower” under Dodd-Frank?

This seemingly straightforward question has generated a number of opinions from courts and the SEC. The Dodd-Frank Act’s whistleblower-protection provision, enacted in 2010, focuses on a potentially different “whistleblower” population than Sarbanes-Oxley does. Sarbanes-Oxley’s provision focuses particularly on whistleblower disclosures regarding certain enumerated activities (securities fraud, bank fraud, mail or wire fraud, or any violation of an SEC rule or regulation), and it protects those who disclose to a person with supervisory authority over the employee, or to the SEC, or to Congress.

On the other hand, Dodd-Frank’s provision (15 U.S.C. §78u-6 or Section 21F) defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission.”  15 U.S.C. §78u-6(a)(6).  It then prohibits, and provides a private cause of action for, adverse employment actions against a whistleblower for acts done by him or her in “provid[ing] information to the Commission,” “initiat[ing], testif[ing] in, or assist[ing] in” any investigation or action of the Commission, or in making disclosures required or protected under Sarbanes-Oxley, the Exchange Act or the Commission’s rules.  15 U.S.C. §78u-6(h)(1). A textual reading of these provisions suggests that a “whistleblower” has to provide information relating to a violation of the securities laws to the SEC.  If the whistleblower does so, an employer cannot discriminate against the whistleblower for engaging in those protected actions.

However, after the passage of Dodd-Frank, the SEC promulgated rules explicating its interpretation of Section 21F. Some of these rules might require providing information to the SEC, but others could be construed more broadly to encompass those who simply report internally or report to some other entity.  Compare Rule 21F-2(a)(1), (b)(1), and (c)(3), 17 C.F.R. §240.21F-2(a)(1), (b)(1), and (c)(3). The SEC’s comments to these rules also said that they apply to “individuals who report to persons or governmental authorities other than the Commission.”

Therefore, one issue beginning to percolate up to the appellate courts is whether Dodd-Frank’s anti-retaliation provisions consider someone who reports alleged misconduct to their employers or other entities, but not the SEC, to be a “whistleblower.” The only circuit court to have squarely addressed the issue (the Fifth Circuit in Asadi v. G.E. Energy (USA) LLC) concluded that Dodd-Frank’s provision only applies to those who actually provide information to the SEC.

In doing so, the Fifth Circuit relied heavily on the “plain language and structure” of the statutory text, concluding that it unambiguously required the employee to provide information to the SEC.  Several district courts, including in Colorado, Florida and the Northern District of California, have concurred with this analysis.

More, however, have concluded that Dodd-Frank is ambiguous on this point and therefore have given Chevrondeference to the SEC’s interpretation as set forth in its own regulations. District courts, including in the Southern District of New York, New Jersey, Massachusetts, Tennessee and Connecticut, have adopted this view. The SEC has also weighed in, arguing (in an amicus brief to the Second Circuit) that whistleblowers should be entitled to protection regardless of whether they disclose to their employers or the SEC.  The agency said that Asadi was wrongly decided and, under its view, employees that report internally should get the same protections that those who report to the SEC receive. The Second Circuit’s decision in that case (Liu v. Siemens AG) did not address this issue at all.

Finally, last week, the Eighth Circuit also decided not to take on this question. It opted not to hear an interlocutory appeal, in Bussing v. COR Securities Holdings Inc., in which an employee at a securities clearing firm provided information about possible FINRA violations to her employer and to FINRA, rather than the SEC, and was allegedly fired for it. The district court concluded that the fact that she failed to report to the SEC did not exclude her from the whistleblower protections under Dodd-Frank. It reasoned that Congress did not intend, in enacting Dodd-Frank, to encourage employees to circumvent internal reporting channels in order to obtain the protections of Dodd-Frank’s whistleblower protection.  In doing so, however, the district court did not conclude that the statute was ambiguous and rely on the SEC’s interpretation.

A related question is what must an employee report to be a “whistleblower” under Dodd-Frank. Thus far, if a whistleblower reports something other than a violation of the securities laws, that is not protected. So, for example, an alleged TILA violation or an alleged violation of certain banking laws have been found to be not protected.

These issues will take time to shake out. While more courts thus far have adopted, or ruled consistently with, the SEC’s interpretation, as the Florida district court stated, “[t]he fact that numerous courts have interpreted the same statutory language differently does not render the statute ambiguous.”

Does Dodd-Frank’s whistleblower protection apply extraterritorially?

In August, the Second Circuit decided Liu. Rather than focus on who can be a whistleblower, the Court concluded that Dodd-Frank’s whistleblower-protection provisions do not apply to conduct occurring exclusively extraterritorially. In Liu, a former Siemens employee alleged that he was terminated for reporting alleged violations of the FCPA at a Siemens subsidiary in China.  The Second Circuit relied extensively on the Supreme Court’s Morrison v. Nat’l Aust. Bank case in reaching its decision. In Morrison, the Court reaffirmed the presumption that federal statutes do not apply extraterritorially absent clear direction from Congress.

The Second Circuit in Liu, despite Liu’s argument that other Dodd-Frank provisions applied extraterritorially and SEC regulations interpreting the whistleblower provisions at least suggested that the bounty provisions applied extraterritorially, disag
reed. The court concluded that it need not defer to the SEC’s interpretation of who can be a whistleblower because it believed that Section 21F was not ambiguous.  It also concluded that the anti-retaliation provisions would be more burdensome if applied outside the country than the bounty provisions, so it did not feel the need to construe the two different aspects of the whistleblower provisions identically.  And finally, the SEC , in its amicus brief, did not address either the extraterritorial reach of the provisions or Morrison, so the Second Circuit apparently felt no need to defer to the agency’s view on extraterritoriality.

Liu involved facts that occurred entirely extraterritorially. He was a foreign worker employed abroad by a foreign corporation, where the alleged wrongdoing, the alleged disclosures, and the alleged discrimination all occurred abroad. Whether adding some domestic connection changes this result remains for future courts to consider.

The SEC’s Use Of The Anti-Retaliation Provision In An Enforcement Action

In June, the SEC filed, and settled, its first Dodd-Frank anti-retaliation enforcement action. The Commission filed an action against Paradigm Capital Management, Inc., and its principal Candace Weir, asserting that they retaliated against a Paradigm employee who reported certain principal transactions, prohibited under the Investment Advisers Act, to the SEC. Notably, that alleged retaliation did not include terminating the whistleblower’s employment or diminishing his compensation; it did, however, include removing him as the firm’s head trader, reconfiguring his job responsibilities and stripping him of supervisory responsibility. Without admitting or denying the SEC’s allegations, both respondents agreed to cease and desist from committing any future Exchange Act violations, retain an independent compliance consultant, and pay $2.2 million in fines and penalties.  This matter marks the first time the Commission has asserted Dodd-Frank’s whistleblower provisions in an enforcement action, rather than a private party doing so in civil litigation.

The SEC Announces Several Interesting Dodd-Frank Bounties

Under Dodd-Frank, whistleblowers who provide the SEC with “high-quality,” “original” information that leads to an enforcement action netting over $1 million in sanctions can receive an award of 10-30 percent of the amount collected. The SEC recently awarded bounties to whistleblowers in circumstances suggesting the agency wants to encourage a broad range of whistleblowers with credible, inside information.

In July, the agency awarded more than $400,000 to a whistleblower who appears not to have provided his information to the SEC voluntarily.  Instead, the whistleblower had attempted to encourage his employer to correct various compliance issues internally. Those efforts apparently resulted in a third-party apprising an SRO of the employer’s issues and the whistleblower’s efforts to correct them. The SEC’s subsequent follow-up on the SRO’s inquiry resulted in the enforcement action. Even though the “whistleblower” did not initiate communication with the SEC about these compliance issues, for his efforts, the agency nonetheless awarded him a bounty.

Then, just recently, the SEC announced its first whistleblower award to a company employee who performed audit and compliance functions. The agency awarded the compliance staffer more than $300,000 after the employee first reported wrongdoing internally, and then, when the company failed to take remedial action after 120 days, reported the activity to the SEC. Compliance personnel, unlike most employees, generally have a waiting period before they can report out, unless they have a reasonable basis to believe investors or the company have a substantial risk of harm.

With a statute as sprawling as Dodd-Frank, and potentially significant bounty awards at stake, opinions interpreting Dodd-Frank’s whistleblower provisions are bound to proliferate. Check back soon for further developments.

 
ARTICLE BY

 
OF 

Google, the House of Lords and the timing of the EU Data Protection Regulation

Mintz Levin Law Firm

(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant.  The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015.  With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue.  The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.

The Google Spain case has been controversial for various reasons.  The decision takes an expansive approach to the long-arm reach of EU data protection law.  It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website.  The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publically available search results is outweighed by the public’s interest in access to that information.   (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)

Google started implementing the ruling almost immediately, but only with respect to search results obtained through the use of its country-specific versions of its search engine, such aswww.google.es or www.google.co.uk.  The EU-specific search engine results notify users when some results have been omitted due to EU’s Right to be Forgotten.  (See the Telegraph’s ongoing list of the stories it has published that have been deleted from Google.co.uk’s search results to get a flavor of the sort of search results that have been deleted.)  However, the “generic” version of Google (www.google.com), which is also the default version for users in the US, does not omit the banned results.

Google has been engaged in an ongoing dialogue with EU data protection authorities regarding Google’s implementation of the Google Spain ruling.  According to some media reports, EU officials have complained that Google is implementing the ruling too broadly, allegedly to make a political point, while other commentators have noted that the ruling give Google very few reference points for performing the balancing-of-rights that is required by the ruling.  Perhaps more interestingly, some EU officials want Google to apply the Right to be Forgotten globally (including for google.com results) and without noting that any search results have been omitted (to prevent any negative inferences being drawn by the public based on notice that something has been deleted).  If the EU prevails with regard to removing personal data globally and without notice that the search results contain omissions, critics who are concerned about distortions of the public record and censorship at the regional level will have an even stronger case.   Of course, if truly global censorship becomes legally required by the EU, it seems likely that non-EU governments and organizations will enter the dialogue with a bit more energy – but even more vigorous international debate does not guarantee that the EU would be persuaded to change its views.

The ongoing public debate about the potentially global reach of the Right to be Forgotten is significant enough that it could potentially delay agreement on the final wording of the Data Protection Regulation.  Recently, an important committee of the UK’s House of Lords issued a report deeply critical of the Google Spain decision and the Right to be Forgotten as enshrined in the draft Data Protection Directive. Additionally, the UK’s Minister of Justice, Simon Hughes, has stated publically that the UK will seek to have the Right to be Forgotten removed from the draft Data Protection Regulation.  The impact of the UK’s stance (and the efforts of other Right to be Forgotten critics) on the timing of the adoption of the Regulation remains to be seen.  In the meantime, search companies will continue to grapple with compliance with the Google Spain decision.  Other companies that deal with EU personal data should tune in as the EU Parliament’s next session gets underway and we move inevitably closer to a final Data Protection Regulation. 

ARTICLE BY

 
OF 

European Commission Discusses Big Data

Morgan Lewis logo

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or “big data”) and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

To address these issues, the Commission proposed the following:

  • A public-private partnership to fund big data initiatives
  • An open big data incubator program
  • New rules on data ownership and liability for data provision
  • Mapping of data standards
  • A series of educational programs to increase the number of skilled data workers
  • A network of data processing facilities in different member states

The Commission stated that, in order to help EU citizens and businesses more quickly reap the full potential of data, it will work with the European Parliament and the European Council to successfully complete the reform of the EU’s data protection rules. The Commission will also work toward the final adoption of the directive on network and information security to ensure the high level of trust that is fundamental for a thriving data-driven economy.

Of: