California District Court Holds that Providing Cellphone Number for an Online Purchase Constitutes “Prior Express Consent” Under TCPA – Telephone Consumer Protection Act


 

A federal district court in California recently ruled that a consumer who voluntarily provided a cellphone number in order to complete an online purchase gave “prior express consent” to receive a text message from the business’s vendors under the TCPA. See Baird v. Sabre, Inc., No. CV 13-999 SVW, 2014 WL 320205 (C.D. Cal. Jan. 28, 2014).

In Baird, the plaintiff booked flights through the Hawaiian Airlines website. In order to complete her purchase, the plaintiff provided her cellphone number. Several weeks later she received a text message from the airline’s vendor, Sabre, Inc., inviting the plaintiff to receive flight notification services by replying “yes.” The plaintiff did not respond and no further messages were sent. The plaintiff sued the vendor claiming that it violated the TCPA by sending the single text message.

The central issue in Baird was whether, by providing her cellphone number to the airline, the plaintiff gave “prior express consent” to receive autodialed calls from the vendor under the TCPA. In 1992, the FCC promulgated TCPA implementing rules, including a ruling that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 7 F.C.C.R. 8752, 8769 ¶ 31 (1992) (“1992 FCC Order”). In support of this ruling, the FCC cited to a House Report stating that when a person provides their phone number to a business, “the called party has in essence requested the contact by providing the caller with their telephone number for use in normal business communications.” Id. (citing H.R.Rep. No. 102–317, at 13 (1991)).

The court found that, while the 1992 FCC Order “is not a model of clarity,” it shows that the “FCC intended to provide a definition of the term ‘prior express consent.’” Id. at *5. Under that definition, the court held that the plaintiff consented to being contacted on her cellphone by an automated dialing machine when she provided the number to Hawaiian Airlines during the online reservation process. Id. at *6. Under the existing TCPA jurisprudence, a text message is a “call.” Id. at *1. Furthermore, although the plaintiff only provided her cellphone number to the airline (and not to Sabre, Inc., the vendor), the court concluded that “[n]o reasonable consumer could believe that consenting to be contacted by an airline company about a scheduled flight requires that all communications be made by direct employees of the airline, but never by any contractors performing services for the airline.” Id. at *6. The Judge was likewise unmoved by the fact that the plaintiff was required to provide a phone number (though not necessarily a cellphone number) to complete the online ticket purchase. Indeed, the court observed that the affirmative act of providing her cellphone number was an inherently “voluntary” act and that, had the plaintiff objected, she could simply have chosen not to fly Hawaiian Airlines. Id.

Baird does not address the October 2013 TCPA regulatory amendments that require “prior express written consent” for certain types of calls made to cellular phones and residential lines (a topic that previously has been covered on this blog). See 47 CFR § 64.1200(a)(2), (3) (emphasis added). “Prior express written consent” is defined as “an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial prerecorded voice, and the telephone number to which the signatory authorized such advertisements or telemarketing messages to be delivered.” 47 CFR § 64.1200(f)(8). Whether the Baird rationale would help in a “prior express written consent” case likely would depend on the underlying facts such as whether the consumer/plaintiff agreed when making a purchase to be contacted by the merchant at the phone number provided, and whether the consumer/plaintiff provided an electronic signature. See 47 CFR § 64.1200(f)(8)(ii).

Nonetheless, Baird is a significant win for the TCPA defense bar and significantly reduces TCPA risk for the defendants making non-telemarketing calls (or texts) to cellphones using an automated dialer (for which “prior express consent” is the principal affirmative defense). If that cellphone number is given by the consumer voluntarily (and, given the expansive logic of Baird, we wonder when it could be considered “coerced”), the defendant has obtained express consent. Baird leaves open a number of questions worth watching, including how far removed the third-party contractor can be from the company to whom a cellphone number was voluntarily provided. Judge Wilson seemed to think it was obvious to the consumer that a third-party might be utilized by an airline to provide flight status information, but how far does that go? We’ll be watching.

Article By:

Of:

Drinker Biddle & Reath LLP

To 8-K, or not to 8-K? For Target, that is indeed the question.



As anyone with a pulse and a computer, television or carrier pigeon knows, Target Corporation (NYSE: TGT) suffered a major data breach in December – the extent of which is still being uncovered – and pegs the latest number of customers that have had their personal information stolen at anywhere from 70 to 110 million. As a public company, a breach of this magnitude should be material enough to warrant a Form 8-K filing, right? As of this post, Target doesn’t seem to think so.

Form 8-K contains mandatory disclosure requirements when certain enumerated events occur, as in the entry into a material definitive agreement (Item 1.01) or the resignation of a director (Item 5.02).  Reporting an event such as the Target data breach would likely fall under Item 8.01 of Form 8-K, which is used to report “Other Events.”  Item 8.01 permits the registrant, at its option, to disclose any events not otherwise called for by another Form 8-K Item that the registrant “deems of importance to security holders,” and is an entirely voluntary filing.

Although filing under Item 8.01 of Form 8-K is voluntary, other companies that have suffered smaller data breaches have opted to file an 8-K to disclose such breaches, including The TJX Companies, Inc.’s (NYSE: TJX) breach disclosed in an 8-K in January 2007, and Morningstar, Inc.’s (NASDAQ: MORN) more recent breach disclosed in an 8-K in July 2013. Target’s securities lawyers may believe that the breach is not “important to security holders,” or is not sufficiently material to the roughly $38 billion company to warrant the filing of an 8-K, but 70 to 110 million affected customers is hardly immaterial, even for Target. In a statement released January 10, Target warned that the costs related to the breach “may have a material adverse effect on Target’s results of operations in fourth quarter 2013 and/or future periods.”

Indeed, Target evidently determined when filing its Form 10-K for 2012 that the risk of a data security breach was material enough to warrant disclosure in its risk factors:

“If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.”

“The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.” (emphasis added)

Of course, there is no time limit for filing under Item 8.01 of Form 8-K due to it being a voluntary filing, so a filing may still be forthcoming from Target.  In any event, one can only imagine that the risk factor language above will look very different in Target’s next Form 10-K filing in two months.

Article by:

Of:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Consumer Financial Protection Bureau Issues New Rule Regarding Consumer Mortgage Transaction Forms


 

On November 20, 2013 the Consumer Financial Protection Bureau (CFPB) issued a rule that will simplify and improve disclosure forms for consumer mortgage transactions. This rule implements the Dodd-Frank Act’s directive to integrate mortgage loan disclosures required by the Truth In Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA). The two new disclosures are the Loan Estimate, which must be given three business days after application, and the Closing Disclosure, which must be given three business days before closing.

The Loan Estimate form replaces two current federal forms, the Good Faith Estimate designed by the U.S. Department of Housing (HUD) under RESPA and the “early” Truth in Lending disclosure required by TILA. The Closing Disclosure form replaces the current form used to close a loan, the HUD-1, which was designed by HUD under RESPA. It also replaces the revised Truth in Lending disclosure designed by the Federal Reserve Board under TILA.

These new rules apply to most closed-end consumer mortgages. They do not apply to home equity lines of credit, reverse mortgages or mortgages secured by mobile homes or by dwellings not attached to real property. To assist lenders, the final rule and official interpretations contain detailed instructions as to how these forms should be completed.

To permit time for lenders to come into compliance, the final rule will be effective on August 1, 2015.

Article by:

Jon G. Furlow

Of:

Michael Best & Friedrich LLP

New Federal Communications Commission (FCC) Rules to Protect Telephone Consumers from Autodial/Robocalls

Lewis & Roca

On October 16, 2013, new Federal Communications Commission rules took effect to further protect consumers under the Telephone Consumer Protection Act of 1991 (TCPA). See 47 U.S.C. § 227; 47 C.F.R. § 64.1200. The changes ordered by the FCC are designed to protect consumers from unwanted autodialed or pre-recorded telemarketing calls, also known as “telemarketing robocalls.” The new TCPA rules accomplish four main things: (1) require prior written consent for all autodialed or pre-recorded telemarketing calls to wireless numbers and residential lines; (2) require mechanisms to be in place that allow consumers to opt out of future robocalls even if during the middle of a current robocall; (3) limit permissible abandoned calls on a per-calling campaign basis in order to discourage intrusive calling campaigns; and (4) exempt from TCPA requirements calls made to residential lines by health care related entities governed by the Health Insurance Portability and Accountability Act of 1996. None of the FCC’s actions change the requirements for prerecorded messages that are non-telemarketing, informational calls such as calls by or on behalf of tax-exempt organizations, calls for political purposes, and calls for other non-commercial purposes including those to people in emergency situations.

Under the FCC’s new rules, “prior written consent” will require two things: a clear and conspicuous disclosure that by providing consent the consumer will receive auto-dialed or prerecorded calls on behalf of a specific seller, and a clear and unambiguous acknowledgement that the consumer agrees to receive such calls at the mobile number. The content and form of consent may include an electronic or digital form of signature such as the FTC has recognized under the E-SIGN Act. See Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 et seq. However, prior written consent may be terminated at any time. In addition, the written agreement must be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” 16 C.F.R. § 310.4(b)(v)(A)(ii).


Working with 3rd Party Providers to Make Dodd Frank Conflict Mineral Compliance Easy

Assent Logo

At your firm or within your company dealing with conflict minerals, you might have recently heard the buzz about the latest Dodd Frank Conflict Mineral Compliance requirements. If these requirements affect the way law firms or companies do business, then working towards compliance initiatives remains a priority.

Regulatory Assessment and Scope Analysis

This involves examining the product portfolio of the law firm’s client or the company seeking compliance and analyzing whether the products are affected by the law and therefore must be in compliance, that is, “in scope” versus “out of scope.” It can also include:

  • Examining corporate obligations
  • Determination of key regulatory compliance decision points
  • Creation of a conflict minerals technical document

Creation of a Compliance Plan

This involves creating an end-to-end compliance plan and associated processes:

  • All activities detailed in chronological order
  • Creation of application of due diligence standards
  • Responsibilities assigned to personnel
  • Determination of compliance communication pathways

Software Set Up

The industry standard to date for the majority of companies in scope of this regulation involves using a software platform to manage the large amount of data and suppliers that will be surveyed.

  • Vendor Selection
  • Decisions to integrate with an Enterprise Resource Planning (ERP) system, which is used to design and manage resources within a company, as well as Product Lifecycle Management (PLM), used to design, manufacture and plan the development of products
  • Methodology of supplier communication

Supplier Engagement

This portion of the process involves communication and data collection from the supply chain. Includes:

  • Data collection methodology
  • Reporting and analytics of the data collected
  • Corrective action and addressing problem suppliers

Reporting

Once data has been collected firms enter the reporting phase to complete the process for the first year. This process is then replicated year over year. With the infrastructure in place firms enter the “maintenance” phase of compliance.

Standard practice in the compliance industry has also seen law firms or companies seeking Dodd Frank compliance engage 3-4 outside service providers.

They are usually:

1. Law firms: To determine exact requirements and legal requirements.

2. Software: To provide the platform for data collection, management and analytics.

3. Accounting: To audit the data collected and ensure strong data backing the program.

4. Consulting: To develop the processes, work with/train suppliers and help with data collection.

Assisting your clients with Dodd Frank Conflict Mineral Compliance does not have to be complicated. Working through the 5 step process above and working with other 3rd party providers makes compliance at any level easy.


What Does The Word “Natural” Mean, Anyway?

Mintz Logo

It’s 2 o’clock in the afternoon, you need a snack – maybe a granola bar, but which one? Does the package that boasts it is “100% Natural” win out over the one that is only “All Natural”? Would you even consider one that is merely “Natural”? Well, don’t expect the U.S. Food and Drug Administration to help you decide anytime soon – they have left it up to the courts to grapple with.

Lawsuits against food companies alleging consumer fraud based on deceptive labeling have increased in the last few years.  Many of these lawsuits have been brought in the U.S. District Court in the Northern District of California, causing that court to be known as the “Food Court” (no, not the one at the mall).  One common bone of contention is the use of the word “natural” in food labeling.  “Natural” remains undefined by the U.S. Food and Drug Administration after a failed attempt to do so in 1991.  It reaffirmed its informal policy for use of the word “natural” on food labeling claims:

The agency will maintain its current policy . . . not to restrict the use of the term “natural” except for added color, synthetic substances, and flavors as provided in [21 CFR] §101.22.  Additionally, the agency will maintain its policy . . . regarding the use of “natural,” as meaning that nothing artificial or synthetic (including all color additives regardless of source) has been included in, or has been added to, a food that would not normally be expected to be in the food.  Further, at this time the agency will continue to distinguish between natural and artificial flavors as outlined in §101.22. See more here.

A typical claim in a lawsuit will contend that the use of the word “natural,” whether as “100% Natural,” “All Natural,” or something similar, is misleading if the product contains or was processed with a compound perceived by plaintiffs to be artificial or synthetic.  The problem in these lawsuits is that the term is undefined, and even FDA says that it is difficult to define a food product that is natural because it has likely been processed and is no longer a “product of the earth.”  This leaves fertile ground for plaintiff’s class action attorneys to bring claims against food companies for any use of the word.


Consumer Financial Protection Bureau (CFPB) Releases Exam Procedure Updates For Truth in Lending Act (TILA) and Real Estate Settlement Procedures Act (RESPA)

Sheppard Mullin 2012

On August 15 the Consumer Financial Protection Bureau released updates to its examination procedures in connection with the new mortgage regulations that were issued in January. These updates offer valuable guidance on how the CFPB will conduct examinations for compliance with the Truth in Lending Act and the Real Estate Settlement Procedures Act.

The updates incorporate the first set of interim TILA exam procedures from June. The CFPB Examination manual now contains updated interim exam procedures for RESPA, covering final rules issued by the CFPB through July 10, procedures for TILA, covering final rules issued by the CFPB through May 29, and the previously released interim exam procedures for the Equal Credit Opportunity Act, covering final rules issued by the CFPB through January 18.

A copy of the RESPA exam procedures released on August 15 can be found at: http://files.consumerfinance.gov/f/201308_cfpb_respa_narrative-exam-procedures.pdf

A copy of the TILA exam procedures released on August 15 can be found at: http://files.consumerfinance.gov/f/201308_cfpb_tila-narrative-exam-procedures.pdf


ALERT: Fraud Scheme Targets Foreign Nationals

GT Law

Foreign nationals are advised to be aware of a reported fraud scheme that is currently being perpetrated in the United States.

Individuals purporting to be officers of U.S. Citizenship and Immigration Services (USCIS) are reportedly telephoning foreign nationals to falsely claim a discrepancy or problem in such individuals’ immigration records and pressure victims to pay a “penalty” to rectify the issue. Victims are told to wire funds to an address the caller provides.

The perpetrators may possess personal information about the victim and may ask victims to provide or confirm immigration information, including an I-94 number, an alien registration number or a visa control number.

Foreign nationals who receive such calls should not forward any funds as instructed by the caller or disclose any personal information. Those targeted by the scheme should contact law enforcement, the Federal Trade Commission Bureau of Consumer Protection, and an attorney.


Recent Data Breach Reports: And the Hits Keep on Coming….

Mintz Logo

The “hits” to databases, in any event. Here is a rundown of some of the most recent data breach reports –

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member.  According to  Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.


In Largest Known Data Breach Conspiracy, Five Suspects Indicted in New Jersey


On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ.  The scheme is the largest of its kind ever prosecuted in the United States.

The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks.  Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.

Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations.  The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.

The defendants allegedly used a number of methods to evade detection.  They used web-hosting services provided by one of the defendants, who unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement.  The defendants also communicated through private and encrypted communication channels and tried to meet in person.  They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.

Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343).  All of the defendants are charged with conspiracy to commit these crimes.

Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing.  The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.

This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks.  The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year.  Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc.  Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways.  Damages are difficult to estimate with precision, but they total several hundred million dollars at least.  Just three of the corporate victims suffered losses totaling more than $300 million.
