Category: Consumer Protection

Dodd-Frank Whistleblower Litigation Heating Up

Barnes Thornburg

The past few months have been busy for courts and the SEC dealing with securities whistleblowers. The Supreme Court’s potentially landmark decision in Lawson v. FMR LLC back in March already seems like almost ancient history.  In that decision, the Supreme Court concluded that Sarbanes-Oxley’s whistleblower protection provision (18 U.S.C. §1514A) protected not simply employees of public companies but also employees of private contractors and subcontractors, like law firms, accounting firms, and the like, who worked for public companies. (And according to Justice Sotomayor’s dissent, it might even extend to housekeepers and gardeners of employees of public companies).

Since then, a lot has happened in the world of whistleblowers. Much of the activity has focused on Dodd-Frank’s whistleblower-protection provisions, rather than Sarbanes-Oxley. This may be because Dodd-Frank has greater financial incentives for plaintiffs, or because some courts have concluded that it does not require an employee to report first to an enforcement agency. The following are some interesting developments:

What is a “whistleblower” under Dodd-Frank?

This seemingly straightforward question has generated a number of opinions from courts and the SEC. The Dodd-Frank Act’s whistleblower-protection provision, enacted in 2010, focuses on a potentially different “whistleblower” population than Sarbanes-Oxley does. Sarbanes-Oxley’s provision focuses particularly on whistleblower disclosures regarding certain enumerated activities (securities fraud, bank fraud, mail or wire fraud, or any violation of an SEC rule or regulation), and it protects those who disclose to a person with supervisory authority over the employee, or to the SEC, or to Congress.

On the other hand, Dodd-Frank’s provision (15 U.S.C. §78u-6 or Section 21F) defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission.”  15 U.S.C. §78u-6(a)(6).  It then prohibits, and provides a private cause of action for, adverse employment actions against a whistleblower for acts done by him or her in “provid[ing] information to the Commission,” “initiat[ing], testif[ing] in, or assist[ing] in” any investigation or action of the Commission, or in making disclosures required or protected under Sarbanes-Oxley, the Exchange Act or the Commission’s rules.  15 U.S.C. §78u-6(h)(1). A textual reading of these provisions suggests that a “whistleblower” has to provide information relating to a violation of the securities laws to the SEC.  If the whistleblower does so, an employer cannot discriminate against the whistleblower for engaging in those protected actions.

However, after the passage of Dodd-Frank, the SEC promulgated rules explicating its interpretation of Section 21F. Some of these rules might require providing information to the SEC, but others could be construed more broadly to encompass those who simply report internally or report to some other entity.  Compare Rule 21F-2(a)(1), (b)(1), and (c)(3), 17 C.F.R. §240.21F-2(a)(1), (b)(1), and (c)(3). The SEC’s comments to these rules also said that they apply to “individuals who report to persons or governmental authorities other than the Commission.”

Therefore, one issue beginning to percolate up to the appellate courts is whether Dodd-Frank’s anti-retaliation provisions consider someone who reports alleged misconduct to their employers or other entities, but not the SEC, to be a “whistleblower.” The only circuit court to have squarely addressed the issue (the Fifth Circuit in Asadi v. G.E. Energy (USA) LLC) concluded that Dodd-Frank’s provision only applies to those who actually provide information to the SEC.

In doing so, the Fifth Circuit relied heavily on the “plain language and structure” of the statutory text, concluding that it unambiguously required the employee to provide information to the SEC.  Several district courts, including in Colorado, Florida and the Northern District of California, have concurred with this analysis.

More, however, have concluded that Dodd-Frank is ambiguous on this point and therefore have given Chevrondeference to the SEC’s interpretation as set forth in its own regulations. District courts, including in the Southern District of New York, New Jersey, Massachusetts, Tennessee and Connecticut, have adopted this view. The SEC has also weighed in, arguing (in an amicus brief to the Second Circuit) that whistleblowers should be entitled to protection regardless of whether they disclose to their employers or the SEC.  The agency said that Asadi was wrongly decided and, under its view, employees that report internally should get the same protections that those who report to the SEC receive. The Second Circuit’s decision in that case (Liu v. Siemens AG) did not address this issue at all.

Finally, last week, the Eighth Circuit also decided not to take on this question. It opted not to hear an interlocutory appeal, in Bussing v. COR Securities Holdings Inc., in which an employee at a securities clearing firm provided information about possible FINRA violations to her employer and to FINRA, rather than the SEC, and was allegedly fired for it. The district court concluded that the fact that she failed to report to the SEC did not exclude her from the whistleblower protections under Dodd-Frank. It reasoned that Congress did not intend, in enacting Dodd-Frank, to encourage employees to circumvent internal reporting channels in order to obtain the protections of Dodd-Frank’s whistleblower protection.  In doing so, however, the district court did not conclude that the statute was ambiguous and rely on the SEC’s interpretation.

A related question is what must an employee report to be a “whistleblower” under Dodd-Frank. Thus far, if a whistleblower reports something other than a violation of the securities laws, that is not protected. So, for example, an alleged TILA violation or an alleged violation of certain banking laws have been found to be not protected.

These issues will take time to shake out. While more courts thus far have adopted, or ruled consistently with, the SEC’s interpretation, as the Florida district court stated, “[t]he fact that numerous courts have interpreted the same statutory language differently does not render the statute ambiguous.”

Does Dodd-Frank’s whistleblower protection apply extraterritorially?

In August, the Second Circuit decided Liu. Rather than focus on who can be a whistleblower, the Court concluded that Dodd-Frank’s whistleblower-protection provisions do not apply to conduct occurring exclusively extraterritorially. In Liu, a former Siemens employee alleged that he was terminated for reporting alleged violations of the FCPA at a Siemens subsidiary in China.  The Second Circuit relied extensively on the Supreme Court’s Morrison v. Nat’l Aust. Bank case in reaching its decision. In Morrison, the Court reaffirmed the presumption that federal statutes do not apply extraterritorially absent clear direction from Congress.

The Second Circuit in Liu, despite Liu’s argument that other Dodd-Frank provisions applied extraterritorially and SEC regulations interpreting the whistleblower provisions at least suggested that the bounty provisions applied extraterritorially, disag
reed. The court concluded that it need not defer to the SEC’s interpretation of who can be a whistleblower because it believed that Section 21F was not ambiguous.  It also concluded that the anti-retaliation provisions would be more burdensome if applied outside the country than the bounty provisions, so it did not feel the need to construe the two different aspects of the whistleblower provisions identically.  And finally, the SEC , in its amicus brief, did not address either the extraterritorial reach of the provisions or Morrison, so the Second Circuit apparently felt no need to defer to the agency’s view on extraterritoriality.

Liu involved facts that occurred entirely extraterritorially. He was a foreign worker employed abroad by a foreign corporation, where the alleged wrongdoing, the alleged disclosures, and the alleged discrimination all occurred abroad. Whether adding some domestic connection changes this result remains for future courts to consider.

The SEC’s Use Of The Anti-Retaliation Provision In An Enforcement Action

In June, the SEC filed, and settled, its first Dodd-Frank anti-retaliation enforcement action. The Commission filed an action against Paradigm Capital Management, Inc., and its principal Candace Weir, asserting that they retaliated against a Paradigm employee who reported certain principal transactions, prohibited under the Investment Advisers Act, to the SEC. Notably, that alleged retaliation did not include terminating the whistleblower’s employment or diminishing his compensation; it did, however, include removing him as the firm’s head trader, reconfiguring his job responsibilities and stripping him of supervisory responsibility. Without admitting or denying the SEC’s allegations, both respondents agreed to cease and desist from committing any future Exchange Act violations, retain an independent compliance consultant, and pay $2.2 million in fines and penalties.  This matter marks the first time the Commission has asserted Dodd-Frank’s whistleblower provisions in an enforcement action, rather than a private party doing so in civil litigation.

The SEC Announces Several Interesting Dodd-Frank Bounties

Under Dodd-Frank, whistleblowers who provide the SEC with “high-quality,” “original” information that leads to an enforcement action netting over $1 million in sanctions can receive an award of 10-30 percent of the amount collected. The SEC recently awarded bounties to whistleblowers in circumstances suggesting the agency wants to encourage a broad range of whistleblowers with credible, inside information.

In July, the agency awarded more than $400,000 to a whistleblower who appears not to have provided his information to the SEC voluntarily.  Instead, the whistleblower had attempted to encourage his employer to correct various compliance issues internally. Those efforts apparently resulted in a third-party apprising an SRO of the employer’s issues and the whistleblower’s efforts to correct them. The SEC’s subsequent follow-up on the SRO’s inquiry resulted in the enforcement action. Even though the “whistleblower” did not initiate communication with the SEC about these compliance issues, for his efforts, the agency nonetheless awarded him a bounty.

Then, just recently, the SEC announced its first whistleblower award to a company employee who performed audit and compliance functions. The agency awarded the compliance staffer more than $300,000 after the employee first reported wrongdoing internally, and then, when the company failed to take remedial action after 120 days, reported the activity to the SEC. Compliance personnel, unlike most employees, generally have a waiting period before they can report out, unless they have a reasonable basis to believe investors or the company have a substantial risk of harm.

With a statute as sprawling as Dodd-Frank, and potentially significant bounty awards at stake, opinions interpreting Dodd-Frank’s whistleblower provisions are bound to proliferate. Check back soon for further developments.

 
ARTICLE BY

Brian E. Casey
 
OF 
Barnes & Thornburg LLP

Google, the House of Lords and the timing of the EU Data Protection Regulation

Mintz Levin Law Firm

(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant.  The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015.  With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue.  The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.

The Google Spain case has been controversial for various reasons.  The decision takes an expansive approach to the long-arm reach of EU data protection law.  It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website.  The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publically available search results is outweighed by the public’s interest in access to that information.   (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)

Google started implementing the ruling almost immediately, but only with respect to search results obtained through the use of its country-specific versions of its search engine, such aswww.google.es or www.google.co.uk.  The EU-specific search engine results notify users when some results have been omitted due to EU’s Right to be Forgotten.  (See the Telegraph’s ongoing list of the stories it has published that have been deleted from Google.co.uk’s search results to get a flavor of the sort of search results that have been deleted.)  However, the “generic” version of Google (www.google.com), which is also the default version for users in the US, does not omit the banned results.

Google has been engaged in an ongoing dialogue with EU data protection authorities regarding Google’s implementation of the Google Spain ruling.  According to some media reports, EU officials have complained that Google is implementing the ruling too broadly, allegedly to make a political point, while other commentators have noted that the ruling give Google very few reference points for performing the balancing-of-rights that is required by the ruling.  Perhaps more interestingly, some EU officials want Google to apply the Right to be Forgotten globally (including for google.com results) and without noting that any search results have been omitted (to prevent any negative inferences being drawn by the public based on notice that something has been deleted).  If the EU prevails with regard to removing personal data globally and without notice that the search results contain omissions, critics who are concerned about distortions of the public record and censorship at the regional level will have an even stronger case.   Of course, if truly global censorship becomes legally required by the EU, it seems likely that non-EU governments and organizations will enter the dialogue with a bit more energy – but even more vigorous international debate does not guarantee that the EU would be persuaded to change its views.

The ongoing public debate about the potentially global reach of the Right to be Forgotten is significant enough that it could potentially delay agreement on the final wording of the Data Protection Regulation.  Recently, an important committee of the UK’s House of Lords issued a report deeply critical of the Google Spain decision and the Right to be Forgotten as enshrined in the draft Data Protection Directive. Additionally, the UK’s Minister of Justice, Simon Hughes, has stated publically that the UK will seek to have the Right to be Forgotten removed from the draft Data Protection Regulation.  The impact of the UK’s stance (and the efforts of other Right to be Forgotten critics) on the timing of the adoption of the Regulation remains to be seen.  In the meantime, search companies will continue to grapple with compliance with the Google Spain decision.  Other companies that deal with EU personal data should tune in as the EU Parliament’s next session gets underway and we move inevitably closer to a final Data Protection Regulation. 

ARTICLE BY

Hope S. Foster
 
OF 
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

European Commission Discusses Big Data

Morgan Lewis logo

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or “big data”) and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

To address these issues, the Commission proposed the following:

  • A public-private partnership to fund big data initiatives
  • An open big data incubator program
  • New rules on data ownership and liability for data provision
  • Mapping of data standards
  • A series of educational programs to increase the number of skilled data workers
  • A network of data processing facilities in different member states

The Commission stated that, in order to help EU citizens and businesses more quickly reap the full potential of data, it will work with the European Parliament and the European Council to successfully complete the reform of the EU’s data protection rules. The Commission will also work toward the final adoption of the directive on network and information security to ensure the high level of trust that is fundamental for a thriving data-driven economy.

Article By:

Barbara Murphy Melby
Doneld G. Shelkey
Of:
Morgan, Lewis & Bockius LLP

 

HEARTBLEED: A Lawyer’s Perspective on the Biggest Programming Error in History

Jackson Lewis Logo

By now you have probably heard about Heartbleed, which is the biggest security threat to the Internet that we have ever seen. The bottom line of Heartbleed is that for the past two years most web sites claiming to besecure, shown by the HTTPS address (the S added to the end of the usual HTTP address was intended to indicate a web secured by encryption), have not been secure at all. Information on those webs could easily have beenbled out by any semi-skilled hacker who discovered the defect. That includes your user names and passwords, maybe even your credit card and bank account information.

For this reason every security expert that I follow, or have talked to about this threat, advises everyone to change ALL of their online passwords. No one knows who might have acquired this information in the past two years. Unfortunately, the nature of this software defect made it possible to steal data in an untraceable manner. Although most web sites have upgraded their software by now, they were exposed for two years. The only safe thing to do is assume your personal information has been compromised.

Change All of Your Passwords

After you go out and change all of your passwords – YES – DO IT NOW – please come back and I will share some information on Heartbleed that you may not find anywhere else. I will share a quick overview of a lawyer’s perspective on a disaster like this and what I think we should do about it.

Rules of the Internet

One of the things e-discovery lawyers like me are very interested in, and concerned about, is data security. Heartblead is the biggest threat anyone has ever seen to our collective online security, so I have made a point of trying to learn everything I could about it. My research is ongoing, but I have already published on detailed report on my personal blog. I have also been pondering policy changes, and changes in the laws governing the Internet that be should made to avoid this kind of breach in the future.

I have been thinking about laws and the Internet since the early 1990s. As I said then, the Internet is not a no-mans-land of irresponsibility. It has laws and is subject to laws, not only laws of countries, but of multiple independent non-profit groups such as ICANN. I first pointed this out out as a young lawyer in my 1996 book for MacMillan, Your Cyber Rights and Responsibilities: The Law of the Internet, Chapter 3 of Que’s Special Edition Using the Internet. Anyone who commits crimes on the Internet must and will be prosecuted, no matter where their bodies are located. The same goes for negligent actors, be they human, corporate, or robot. I fully expect that several law suits will be filed as a result of Heartbleed. Time will tell if any of them succeed. Many of the facts are still unknown.

One Small Group Is to Blame for Heartbleed

The surprising thing I learned in researching Heartbleed is that this huge data breach was caused by a small mistake in software programming by a small unincorporated association called OpenSSL. This is the group that maintains the open source that two-thirds of the Internet relies upon for encryption, in other words, to secure web sites from data breach. It is free software and the people who write the code are unpaid volunteers.

According to the Washington Post, OpenSSL‘s headquarters — to the extent one exists at all — is the home of the group’s only employee, a part timer at that, located on Sugarloaf Mountain, Maryland. He lives and works amid racks of servers and an industrial-grade Internet connection. Craig Timberg, Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass (Washington Post, 4/9/14).

The mistake that caused Heartbleed was made by a lone math student in Münster, Germany. He submitted an add-on to the code that was supposed to correct prior mistakes he had found. His add on contained what he later described as a trivial error. Trivial or not, this is the biggest software coding error of all time based upon impact. What makes the whole thing suspicious is that he made this submission at one minute before midnight on New Year’s Eve 2011.

Once the code was received by OpenSSL, it was reviewed by it before it was added onto the next version of the software. Here is where we learn another surprising fact, it was only reviewed by one person, and he again missed the simple error. Then the revised code with hidden defect was released onto an unsuspecting world. No one detected it until March 2014 when paid Google security employees finally noticed the blunder. So much for the basic crowd sourcing rationale behind the open source software movement.

Conclusion

Placing the reliance of the security of the Internet on only one open source group, OpenSSL, a group with only four core members, is too high a risk in today’s world. It may have made sense back in the early nineties when an open Internet first started, but not now. Heartbleed proves this. This is why I have called upon leaders of the Internet, including open source advocates, privacy experts, academics, governments, political leaders and lawyers to meet to consider various solutions to tighten the security of the Internet. We cannot continue business as usual when it comes to Internet data security.

Article By:

Ralph C. Losey
Of: 
Jackson Lewis P.C.

Target Becomes a Target: Proposed California Bill Aims to Make Retailers Liable for Data Breach Incidents

MintzLogo2010_Black

Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents.  If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.

Among the major changes proposed in the bill:

  • Stricter Notification Requirements.  The proposed bill would create stricter time-frames and specific requirements for notification of affected consumers following a data breach incident.  In addition to current requirements to notify consumers individually in the most expedient time possible, a retailer affected by a data breach will be required, within 15 days of the breach incident, to provide email notification to affected individuals, post a general notice on the retailer’s web page and notify statewide media.
  • Retailer Liability for Costs Associated with Data Breach Incidents.  A.B. 1710 would amend California’s Civil Code to make retailers liable for reimbursement of expenses incurred in providing the notices described above, as well as the cost of replacing payment cards of affected individuals.
  • Mandatory Provision of Credit Monitoring Services.  If the person or business required to provide notification under the Civil Code is the source of the breach incident, A.B. 1710 will require that person or business to offer to provide identity theft prevention and mitigation services at no cost to affected consumers for not less than 24 months.
  • Prohibitions Against Storing Payment-Related Data.  Under a new section to be added to the Civil Code, persons or businesses who sell goods or services and accept credit or debit card payments would be prohibited from storing payment-related data unless that person or business stores and retains the data in accordance with a payment data retention and disposal policy that limits retention of the data to only the amount of time required for business, legal and regulatory purposes.  In addition, A.B. 1710 imposes further restrictions on the retention and storage of certain sensitive authentication information, such as social security numbers, drivers’ license numbers and PIN numbers.
  • Authorization of Civil Penalties.  As amended by A.B. 1710, the Civil Code would authorize a prosecutor to bring an action in response to a data breach incident to recover civil penalties of up to $500 per violation, or up to $3,000 for a willful or reckless violation.

Historically measures like A.B. 1710 have faced a difficult road.  Similar bills passed by the California legislature were vetoed twice by Governor Schwarzenegger, and the proposal of A.B. 1710 has already caused the California Retailers Association to speak out against the bill.  However, there may be a critical difference in the current climate because consumer awareness of the danger and reality of breach incidents has never been higher and, as shown by the recent Harris Poll, consumers overwhelmingly believe that merchants are to blame.

Article By:

Jake Romero
Of:
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

California Proposes Enhanced Prop. 65 Warnings and Possible Online Disclosures – Dietary Supplements and Foods Specially Targeted

GT Law

The California Office of Environmental Health Hazard Assessment (OEHHA)announced on March 7, 2014, that it is considering implementation of the most significant changes to Prop. 65 regulations in more than two decades.  OEHHA has posted the draft regulation and Initial Statement of Reasons on its website.

Passed by voters in 1986, Prop. 65 requires warnings prior to exposures to chemicals listed by OEHHA as “known to the State” to cause cancer or reproductive harm.  The law, which carries the potential penalty of $2,500 for each violation, may be and routinely is enforced by entrepreneurial private plaintiffs who are permitted to bring legal actions against alleged violators with minimal evidence.  OEHHA’s proposed regulations will affect almost every industry subject to Prop. 65 and nearly every aspect of compliance.  In all but a few cases, OEHHA’s changes have the capacity to make compliance with Prop. 65 costlier, riskier, and more disruptive to companies doing business in California.

Four Important Provisions Affecting Food and Dietary Supplements

In its far-reaching proposal, OEHHA aims a number of significant changes directly at food and dietary supplement manufacturers, distributors, and retailers.  Four specific proposals stand out as impactful for the industry:

  1. Chemical Identification: Under OEHHA’s proposal, warning labels would have to specifically identify the chemical in question if it is on a proposed list of 12 “common” substances.  One substance on OEHHA’s list, lead, is sometimes naturally occurring in the ingredients used to produce dietary supplements and has been the source of considerable litigation and expense for the industry.  In OEHHA’s draft regulation, products requiring a warning for lead would have to “conspicuously” state its presence in the product.
  2. Display Requirements: For foods not already subject to a consent judgment, the “safe-harbor” warning language must also be enhanced with specific information about the chemical in question, specific text sizing, and the phrase “Cancer [and/or] Reproductive Hazard.” Even where a food supplier has data showing that the chemical poses no actual health threat, a private plaintiff may still litigate knowing that the costly burden of showing no significant risk is borne by defendants.  Unless modified or declared preempted by federal law, OEHHA’s regulation would virtually ensure that this language will be required for food and supplement packaging in California.
  3. Online Reporting: OEHHA would also mandate reporting of exposure data to the agency for its website if a new Prop. 65 warning does not contain 10 details specified by OEHHA.  The details include, among others, the name of the chemical at issue, anticipated exposure routes, exposure levels, and options for minimizing exposure.  Businesses that fail to provide the required detail, no matter how misleading it might be to the consumer, must disclose the additional information to OEHHA and will likely see such data published online.
  4. More Litigation: Despite statements from the agency to the contrary, OEHHA’s complex rules would encourage even more litigation from an already active community of plaintiffs.  OEHHA’s draft litigation reform, a “cure” or fix-it period for retailers with fewer than 25 employees, would do little to stem the current tide of lawsuits, the vast majority of which are ultimately directed at and defended by suppliers.  Additionally, by replacing the generic safe-harbor warning with specific requirements, a regulatory safe-harbor warning would no longer provide a safe harbor from liability or deter plaintiffs from alleging violations for exposures to unspecified or newly listed chemicals.

What You Can Do

Businesses which stand to be affected by OEHHA’s plans, including those operated out of state, have an opportunity to voice their concerns to the agency.

OEHHA will hold a public workshop on April 14, 2014 to discuss the proposed regulations.  In addition, OEHHA is accepting written comments from the public until May 14, 2014.  Unless OEHHA is convinced to delay or withdraw its plans, formal regulations will likely be proposed in the summer of 2014.

Because OEHHA’s proposals are currently in the preliminary stages, interested parties have a time critical opportunity to engage the agency and encourage it to address specific concerns.  Companies that manufacture distribute, or retail dietary supplements in California should consider retaining experienced counsel to analyze the impact of the proposals on their business and to participate in the public comment period on their behalf.   Given the potentially far-reaching consequences of the proposed changes on the individual companies and the industry at large, interested parties should be diligent in bringing their concerns to OEHHA as early and as persuasively as possible.

Article By:

James Mattesich
Justin J. Prochnow
Anthony J. Cortez
Greg Sperla
Of:
Greenberg Traurig, LLP

California Announces Initial Draft Priority Products Under California Safer Consumer Products Regulations

Beveridge Diamond Logo

On March 13, 2014, the California Department of Toxic Substances Control (“DTSC”) announced the first set of draft priority products that, if finalized, will be subject to the requirements of the California Safer Consumer Products (“SCP”) Regulations.

Notably, while DTSC had legal authority to identify up to five products, it chose to identify only three draft priority products at this time. The three products are:

  1. Children’s Foam Padded Sleeping Products containing the flame-retardant chemical, Tris (1,3-dichloro-2-propyl phosphate) or (“TDCCP”). Such products include nap mats and cots, travel beds, bassinet foam, portable crib mattresses, play pens, and other children’s sleeping products. In its press release announcing the draft priority products, DTSC asserted that TDCCP is a known carcinogen, is released from products into air and dust where it can be absorbed, inhaled, or transferred from hand to mouth, and has been found in California waters and sediments. DTSC also noted that there is no legal requirement applicable to these products that would require them to be made with flame retardants. For more information on DTSC’s selection of this draft priority product, click here.
  2. Spray Polyurethane Foam (“SPF”) Products containing Unreacted Diisocyanates. SPF products are used for home and building insulation, weatherizing and sealing, and roofing. DTSC asserted in its press release that exposure to wet or “uncured” SPF materials can contribute to occupational asthma and noted that unreacted diisocyanates are a “suspected” carcinogen. DTSC expressed its concern for populations using these products that are not protected by Occupational Safety & Health Administration regulations, such as independent contractors and people performing their own home repairs. In its press release, DTSC noted that currently there are no alternatives to unreacted diisocyanates for spray-foam applications. For additional information from DTSC on this draft priority product, click here.
  3. Paint and Varnish Strippers containing Methylene Chloride. Methylene chloride is a well-known and widely used solvent in paint strippers. According to DTSC, when metabolized, methylene chloride converts to carbon monoxide, which is acutely toxic to the brain and nervous system. DTSC claimed that alternative products without methylene chloride are readily available. For more information on this draft listing, click here.

In announcing the “draft list” of proposed priority products, DTSC emphasized that the naming of these products does not constitute a ban on the products, but rather the initiation of process to examine whether the chemicals of concern used in these products are “necessary” or may be replaced with safer alternatives. To put the draft priority products announcement in context, this announcement begins the second of four steps established by California’s SCP Regulations for identifying, prioritizing, and evaluating the use of chemicals and their alternatives in consumer products. The four steps include:

  1. Identification of Candidate Chemicals. The final SCP Regulations promulgated by DTSC include an initial list of candidate chemicals (~1,200), which DTSC later pared down to an informational “initial” list of fewer than 200 candidate chemicals that exhibit a hazard trait and/or environmental or toxicological endpoint.
  2. Identification of Priority Products. The SCP Regulations require DTSC to evaluate and prioritize product/candidate chemical combinations and to develop a list of priority products for which alternatives analyses must be conducted. Once a candidate chemical is the basis for a priority product listing, it is considered a chemical of concern. March 13’s announcement identifies the first product/candidate chemical combinations that DTSC is proposing to subject to the procedural process outlined in the SCP Regulations.
  3. Alternatives Analysis. Responsible entities of a product listed as a priority product must perform an alternatives analysis to determine how best to limit exposures to, or the level of adverse public health and environmental impacts posed by, the chemicals of concern in the product.
  4. DTSC Regulatory Response. The SCP Regulations provide a range of potential regulatory responses that DTSC may require after review of the alternatives analysis. These include provision of information for consumers (such as safe handling or instructions to limit exposure), restrictions on the use of chemicals of concern in the products, sales prohibition, engineered safety measures, and end-of-life management requirements. DTSC may require regulatory responses for a priority product (if the responsible entity decides to continue producing and distributing the priority product to the California market), or for an alternative product selected to replace the priority product.

Applicability

The SCP regulatory requirements apply to businesses (“responsible entities”) that manufacture, import, distribute, sell or assemble consumer products[1] identified by DTSC as priority products that are placed into the stream of commerce in California. Responsible entities are defined to include manufacturers, importers, retailers and assemblers. The SCP Regulations assign the principal duty to comply with the requirements to manufacturers. If a manufacturer does not comply with its obligations with regard to a priority product, DTSC may notify an importer, retailer or assembler of its duty to meet the requirements with respect to the priority product. Even if not called on to conduct an alternatives analysis, importers, assemblers and/or retailers of priority products may be impacted by regulatory responses selected by DTSC after the manufacturer’s completion of the alternatives analysis (e.g., if DTSC imposes a sales prohibition or requires additional information to be provided to the consumer at the point of sale) .

Requirements for Responsible Entities

Once the draft priority products are formally proposed and finalized through a public rulemaking process (which may take up to one year), responsible entities will be required to:

  • Within 60 days after finalization of the final priority products list, notify DTSC that the responsible entity makes or sells a priority product (DTSC will post information obtained from notifications, including the names of the responsible entities as well as the product names, on its web site);
  • Within 180 days after finalization of the final priority products list, prepare a Preliminary Alternatives Analysis[2] to determine how best to limit exposures to, or the level of adverse public health and environmental impacts posed by, the chemicals of concern in the product; and
  • Within one year after DTSC issues a Notice of Compliance for the Preliminary Alternatives Analysis, prepare a Final Alternatives Analysis.

Next Steps

Those that manufacture, sell, use, or otherwise have an interest in the draft priority products may wish to submit comments to DTSC as part of the priority product listing process. DTSC will follow a formal rulemaking process to finalize the draft priority products, which will take up to a year after the products are formally proposed. DTSC plans to hold several workshops in May and June of 2014 before publishing the notice of proposed rulemaking and opening the public comment period. Stakeholders will then have the opportunity to weigh in on whether, and how, the proposed priority products will be regulated by DTSC.

If your products were not among the three proposed priority products,stay tuned: By October 1, 2014, DTSC is required to issue a Priority Product Work Plan that identifies and describes the product categories that DTSC will evaluate to select priority products for the three years following the issuance of the Work Plan (roughly from 2015 to 2017). DTSC intends the Work Plan to serve as a signal to consumers and the regulated community as to the categories of products it will examine next.

Once DTSC finalizes the initial priority product listings (anticipated late summer or early fall of 2015), responsible entities will be required to meet a series of deadlines for notification and submission of alternatives analysis reports outlined above. Manufacturers of draft priority products should engage their supply chain partners to evaluate options prior to finalization of the priority product listings. Note that manufacturers that choose to reformulate products prior to finalization of the priority product listing will not be subject to the DTSC notification or alternatives analysis requirements.

[1] “Consumer product” is defined for purposes of the California Safer Consumer Products regulations to mean “a product or part of the product that is used, brought, or leased for use by a person for any purposes.” Cal. Health & Safety Code § 25251(e). Certain limited products, such as dental restorative material or its packaging, prescription drugs or devices and their packaging, medical devices and their packaging, food, and federally registered pesticides, and mercury containing lights are excluded from the definition of consumer product.

[2] DTSC is currently developing an alternatives analysis guidance document to assist responsible entities in carrying out their obligations under the SCP Regulations. As of March 13, 2014, the guidance is still in development. DTSC anticipates that it will be released sometime before the first set of priority products is finalized.

Article By:

 
Of:

 

Risky Business: Target Discloses Data Breach and New Risk Factors in 8-K Filing… Kind Of

MintzLogo2010_Black

After Target Corporation’s (NYSE: TGT) net earnings dropped 46% in its fourth quarter compared to the same period last year, Target finally answered the 441 million dollar question – To 8-K, or not to 8-K?  Target filed its much anticipated Current Report on Form 8-K on February 26th, just over two months after it discovered its massive data breach.

In its 9-page filing, Target included two introductory sentences relating to disclosure of the breach under Item 8.01 – Other Events:

During the fourth quarter of 2013, we experienced a data breach in which certain payment card and other guest information was stolen through unauthorized access to our network. Throughout the Risk Factors in this report, this incident is referred to as the ‘2013 data breach’.

Target then buried three new risk factors that directly discussed the breach apparently at random within a total of 18 new risk factors that covered a variety of topics ranging from natural disasters to income taxes.  Appearing in multiple risk factors throughout the 8-K were the following:

  • The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.
  • A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
  • We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

An interesting and atypically relevant part of Target’s 8-K is the “Date of earliest event reported” on its 8-K cover page.  Although Target disclosed its fourth quarter 2013 breach under Item 8.01, Target still listed February 26, 2014 as the date of the earliest event reported, which is the date of the 8-K filing and corresponding press release disclosing Target’s financial results.  One can only imagine that this usually benign date on Target’s 8-K was deliberated over for hours by expensive securities lawyers, and that using the February earnings release date instead of the December breach date was nothing short of deliberate.  Likely one more subtle way to shift the market’s focus away from the two-month old data breach and instead bury the disclosure within a standard results of operations 8-K filing and 15 non-breach related risk factors.

To Target’s credit, its fourth quarter and fiscal year ended on February 1, 2014, and Target’s fourth quarter included the entirety of the period during and after the breach through February 1.  Keeping that in mind, Target may not have had a full picture of how the breach affected its earnings in the fourth quarter until it prepared its fourth quarter and year-end financial statements this month.  Maybe the relevant “Date of earliest event” was the date on which Target was able to fully appreciate the effects of the breach, which occurred on the day that it finalized and released its earnings on February 26.  But maybe not.

Whatever the case may be, Target’s long awaited 8-K filing is likely only a short teaser of the disclosure that should be included in Target’s upcoming Form 10-K filing.

Article by:

Adam M. Veness

Of:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

California District Court Holds that Providing Cellphone Number for an Online Purchase Constitutes “Prior Express Consent” Under TCPA – Telephone Consumer Protection Act

DrinkerBiddle

 

A federal district court in California recently ruled that a consumer who voluntarily provided a cellphone number in order to complete an online purchase gave “prior express consent” to receive a text message from the business’s vendors under the TCPA. See Baird v. Sabre, Inc., No. CV 13-999 SVW, 2014 WL 320205 (C.D. Cal. Jan. 28, 2014).

In Baird, the plaintiff booked flights through the Hawaiian Airlines website. In order to complete her purchase, the plaintiff provided her cellphone number. Several weeks later she received a text message from the airline’s vendor, Sabre, Inc., inviting the plaintiff to receive flight notification services by replying “yes.” The plaintiff did not respond and no further messages were sent. The plaintiff sued the vendor claiming that it violated the TCPA by sending the single text message.

The central issue in Baird was whether, by providing her cellphone number to the airline, the plaintiff gave “prior express consent” to receive autodialed calls from the vendor under the TCPA. In 1992, the FCC promulgated TCPA implementing rules, including a ruling that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 7 F.C.C.R. 8752, 8769 ¶ 31 (1992) (“1992 FCC Order”). In support of this ruling, the FCC cited to a House Report stating that when a person provides their phone number to a business, “the called party has in essence requested the contact by providing the caller with their telephone number for use in normal business communications.” Id. (citing H.R.Rep. No. 102–317, at 13 (1991)).

The court found that, while the 1992 FCC Order “is not a model of clarity,” it shows that the “FCC intended to provide a definition of the term ‘prior express consent.’” Id. at *5. Under that definition, the court held that the plaintiff consented to being contacted on her cellphone by an automated dialing machine when she provided the number to Hawaiian Airlines during the online reservation process. Id. at *6. Under the existing TCPA jurisprudence, a text message is a “call.” Id. at *1. Furthermore, although the plaintiff only provided her cellphone number to the airline (and not to Sabre, Inc., the vendor), the court concluded that “[n]o reasonable consumer could believe that consenting to be contacted by an airline company about a scheduled flight requires that all communications be made by direct employees of the airline, but never by any contractors performing services for the airline.” Id. at *6. The Judge was likewise unmoved by the fact that the plaintiff was required to provide a phone number (though not necessarily a cellphone number) to complete the online ticket purchase. Indeed, the court observed that the affirmative act of providing her cellphone number was an inherently “voluntary” act and that, had the plaintiff objected, she could simply have chosen not to fly Hawaiian Airlines. Id.

Baird does not address the October 2013 TCPA regulatory amendments that require “prior express written consent” for certain types of calls made to cellular phones and residential lines (a topic that previously has been covered on this blog). See 47 CFR § 64.1200(a)(2), (3) (emphasis added). “Prior express written consent” is defined as “an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial prerecorded voice, and the telephone number to which the signatory authorized such advertisements or telemarketing messages to be delivered.” 47 CFR § 64.1200(f)(8). Whether the Baird rationale would help in a “prior express written consent” case likely would depend on the underlying facts such as whether the consumer/plaintiff agreed when making a purchase to be contacted by the merchant at the phone number provided, and whether the consumer/plaintiff provided an electronic signature. See 47 CFR § 64.1200(f)(8)(ii).

Nonetheless, Baird is a significant win for the TCPA defense bar and significantly reduces TCPA risk for the defendants making non-telemarketing calls (or texts) to cellphones using an automated dialer (for which “prior express consent” is the principal affirmative defense). If that cellphone number is given by the consumer voluntarily (and, given the expansive logic of Baird, we wonder when it could be considered “coerced”), the defendant has obtained express consent. Baird leaves open a number of questions worth watching, including how far removed the third-party contractor can be from the company to whom a cellphone number was voluntarily provided. Judge Wilson seemed to think it was obvious to the consumer that a third-party might be utilized by an airline to provide flight status information, but how far does that go? We’ll be watching.

Article By:

Of:

Drinker Biddle & Reath LLP

One Day Left to Share Your Comments about the Closing Process with the Consumer Financial Protection Bureau (CFPB)!

McBrayer NEW logo 1-10-13

 

On January 3, the Consumer Financial Protection Bureau (“CFPB”) issued a notice and request for information in the Federal Register regarding the real estate closing process. Specifically, the CFPB is interested in knowing the consumer “pain points” associated with mortgage closing and how those pain points might be addressed by market innovations and technology.

The bureau wants input from consumers, mortgage lenders, housing attorneys, settlement closing agents, real estate agents, fair lending and consumer advocates – basically anyone and everyone with closing experience. This is your chance to share your perspective, whether good or bad, and help the closing process to be a smoother and more consumer friendly one for your future purchase, sale or refinance. The information collected during the comment period will be used to help the CFPB come up with future improvement initiatives. This is part of the larger “Know Before You Owe” project, which is intended to help consumers understand and navigate the home-buying process.

The CFPB has made it easy to share information by listing seventeen specific questions they would like responses to, including:

1. What are common problems or issues consumers face at closing? What parts of the closing process do consumers find confusing or overwhelming?

2. Are there specific parts of the closing process that borrowers find particularly helpful?

3. What do consumers remember about closing as related to the overall mortgage/home-buying process? What do consumers remember about closing?

4. How long does the closing process usually take? Do borrowers feel that the time at the closing table was an appropriate amount of time? Is it too long? Too short? Just right?

5. How empowered do consumers seem to feel at closing? Did they come to closing with questions? Did they review the forms beforehand? Did they know that they can request their documents in advance? Did they negotiate?

6. What, if anything, have you found helps consumers understand the terms of the loan?

7. What are some common errors you have seen at closing? How are these errors detected, if at all? Tell us about errors that were detected after closing.

8. What changes, diverging from what was originally presented at closing, often surprise consumers at closing? How do consumers react to changes at closing?

9. How, if at all, do consumers typically seek advice during closing? In person? By phone? Online?

10. Where and to whom do consumers turn for advice during closing? Whom do they typically trust?

11. What documents do borrowers usually remember seeing? What documents they remember signing?

12. What documents do consumers find particularly confusing?

13. What resources do borrowers use to define unfamiliar terms of the loan?

14. What, if anything, would you change about the closing process to make it a better experience for consumers?

15. What questions should consumers ask at closing? What are the most important pieces of information/documents for them to review?

16. What is the single most important question a consumer should ask at closing?

17. What is the single most important thing a consumer should do before coming to the closing table?

You can submit answers to these questions, along with your own additional comments, online by visiting this webpage:  http://www.regulations.gov. But time is of the essence! The comment period closes tomorrow, February 7th. Hurry and let your opinions be known!

 

Article by:

Brittany C. MacGregor

Of:

McBrayer, McGinnis, Leslie and Kirkland, PLLC