Category: Consumer Protection

Why Your Qualified Plan – Isn’t

Recently The National Law Review published an article by Ben F. Wells and William M. Freedman of Dinsmore & Shohl LLP regarding Qualified Plans:

There are many generous tax benefits that come from having a “qualified” retirement plan (such as a section 401(k) plan). For example, as an employer, you can deduct your plan contributions, but participating employees don’t have to recognize the contributions as income until they receive a distribution; usually many years later. However, those tax benefits disappear if your plan loses its qualified status.

What can cause a plan to lose its qualified status?

Several things, but there are three types of problems that frequently arise:

  • Failure to adopt required plan amendments in a timely fashion. The IRS issues reams of guidance that require plan amendments. Fail to adopt even one on time, and your plan is technically disqualified.
  • Failure to administer the plan in accordance with its terms. Your plan document probably contains hundreds of pages of fine print and technical jargon. Most employers have never read it, at least not all the way through. But you are required to follow it to the letter. Slip up one time and your plan can be considered disqualified.
  • Failure to satisfy the Internal Revenue Code’s various tests. The Code contains a number of mathematical tests which specify who must benefit from the plan and what benefits must be provided. These tests also prohibit “discrimination” in favor of highly compensated employees and others. Many of those tests are extremely complex and easy to violate. Fail one of them, and fail to correct it within the allowable time periods, and your plan will be disqualified.

How to correct qualification failures

Luckily the IRS has provided ways to correct most qualification failures. For example, their “Employee Plans Compliance Resolution System” or “EPCRS” allows plan sponsors to correct qualification failures through a variety of methods, such as employer contributions, retroactive amendments and corrective distributions. Generally those corrections are designed to put the plan in a position as if the qualification error had not occurred. But these require experienced and knowledgeable advisors to navigate.

Conclusion

To help avoid disqualification, make sure that:

  • Your advisors are monitoring your plan to help eliminate potential causes of disqualification.
  • Your plan document is up to date, and matches the way you actually administer your plan. Don’t make a change to your plan without telling your document provider and third party administrator.
  • Someone in your organization is reviewing your plan’s discrimination testing and dealing with violations.

If you see a problem, correct it as soon as possible – before the IRS audits you. This way you can keep your qualified plan “qualified.”

© 2012 Dinsmore & Shohl LLP

White House Report May Have Long-Term Effect on Consumer Privacy and How Companies Do Business

A recent White House report on consumer  data privacy forecasts a multifaceted approach to fulfilling public expectations regarding the protection of consumer’s personal information.  Although it is uncertain if the report will result in new legislation in the near future, the report could have long-term implications for the current regulatory landscape.

In February 2012 the White House released a report detailing the current administration’s position on consumer privacy, entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.  Although it is uncertain if the report will result in new privacy legislation in the near term, the report may still have long-term implications for the current regulatory landscape.

As explained in the report’s Executive Summary, the consumer privacy framework proposed by the administration consists of four key elements: (1) a Consumer Privacy Bill of Rights; (2) a “multistakeholder” process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business  contexts; (3) effective enforcement; and (4) a commitment to increase interoperability with the privacy frameworks of international partners. Below we examine each of these elements.

1. Consumer Privacy Bill of Rights

Building upon Fair Information Practice Principles that were first promulgated by the U.S. Department of Health, Education, and Welfare in the 1970s, the Consumer Privacy Bill of Rights is intended to affirm consumer expectations with regard to how companies handle personal data.2  Although the administration recognizes consumers have “certain responsibilities” to protect their own privacy, it also emphasizes the importance of using personal data in a manner consistent with the context in which it is collected.

In a press release accompanying the release of the report, the White House summarized the basic tenets of the Consumer Privacy Bill of Rights3:

Transparency—Consumers have a right to easily understandable information about privacy and security practices.

Respect for Context—Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.4

Security—Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy—Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.

Focused Collection—Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability—Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The outline for the Consumer Privacy Bill of Rights is largely aspirational, in that it does not create any enforceable obligations.  Instead, the framework simply creates suggested guidelines for companies that collect personal data as a primary, or even ancillary, function of their business operations.  As the administration recognizes, in the absence of legislation these are only “general principles that afford companies discretion in how they implement them.”5

Nevertheless, as consumers become more invested in how their personal information is used, a company that disregards the basic tenets of the Consumer Privacy Bill of Rights may be doing so at its own peril.  Although the Consumer Privacy Bill of Rights has not been codified, companies should expect that some iteration of the same principles will ultimately be legislated, or voluntarily adopted by enough industry leaders to render them enforceable by the FTC.  Therefore, companies would be welladvised to make sure they have coherent privacy policies in place now in order to avoid running afoul of guidelines imposed by whatever regulatory framework is implemented later.

2. The “Multistakeholder” Process to Develop Enforceable Codes of Conduct

The report also encourages stakeholders—described by the Administration as “companies, industry groups, privacy advocates, consumer groups, crime victims, academics, international partners, State Attorneys General, Federal civil and criminal law enforcement representatives, and other relevant groups”—to cooperate in the development of rules implementing the principles outlined in the Consumer Privacy Bill of Rights.  Of all the elements comprising the administration’s consumer privacy framework, it is this “multistakeholder” process that will likely see the most activity in coming months.

The report identifies several benefits attributable to this approach6:  First, an open process reflects the character of the internet itself as an “open, decentralized, user-driven platform for communication, innovation and economic growth.”  Second, participation of multiple stakeholders encourages flexibility, speed and creativity.  Third, this approach is likely to producesolutions “in a more timely fashion than regulatory processes and treaty-based organizations.”  Finally, the multistakeholder process allows experts to focus on specific challenges, rather than relying upon centralized authority.

The report contemplates that the multistakeholder process  will be moderated by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), a view echoed by the press release accompanying the report.7  This process will likely present companies whose operations involve the collection of consumer data online—a rapidly expanding category that encompasses far more than just internet businesses—with an opportunity to shape future internet privacy legislation.

NTIA has already initiated the conversation through the issuance of a Request for Public Comments on the administration’s consumer privacy framework.8  NTIA has suggested the first topic for discussion should be a “discrete issue that allows consumers and businesses to engage [in] and conclude multistakeholder discussions in a reasonable timeframe.”9    As  one example, NTIA has suggested stakeholders discuss how the  Consumer Privacy Bill of Rights’ “transparency” principle should be applied to privacy notices for mobile applications.  When one considers that by some estimates the revenue generated by the mobile application market is expected to reach $25 billion over the next four years, it is clear that even this “discrete” issue alone could result in a significant regulatory impact.10

3. Effective Enforcement

The report further suggests that the Federal Trade Commission (FTC) will play a vital role in the enforcement of the consumer privacy protections outlined by the administration and developed during the multistakeholder process.  The administration admits, however, that in the absence of new legislation, the FTC’s authority in the area of consumer privacy may be limited to the enforcement of guidelines adopted by companies voluntarily.

According to the administration, enforcement actions “by the FTC (and State Attorneys General) have established that companies’ failures to adhere to voluntary privacy commitments, such as those stated in privacy policies, are actionable under the FTC Act’s (and State analogues) prohibition on unfair or deceptive acts or practices.”11  Therefore, in the administration’s view, the guidelines developed during the multistakeholder process would be enforceable under the existing statutory framework.

In light of the current election cycle and the resulting political landscape, it seems unlikely Congress will pass new consumer privacy legislation in the near term.  Nevertheless, companies should remain mindful that the FTC—and even state Attorneys General—may become more aggressive in addressing flagrant violations of consumers’ privacy expectations.  For instance, California’s Attorney General has explained that her office intends to enforce an agreement that California reached with Apple and other industry leaders earlier this year.  The agreement would require developers of mobile applications to post conspicuous privacy policies that explain how users’ personal information is gathered and used.

Moreover, the increased attention directed at privacy issues by consumer groups and the public at large suggests an inevitable groundswell of support for new privacy legislation.  As Jon Leibowitz, the chairman of the FTC, explained earlier this week, we could see new privacy legislation early in the term of the next Congress.12

4. A Commitment to Increased Operability

Recognizing that other countries have taken different approaches to data privacy issues, the report also encourages the development of interoperability with regulatory regimes implemented internationally.  The administration has suggested a three-pronged approach to achieving increased operability: mutual recognition, development of codes of conduct through multistakeholder processes and enforcement cooperation.

With respect to mutual recognition, the report identifies existing examples of transnational cooperation in the privacy context.  For example, it cites the Asia-Pacific Economic Cooperation’s voluntary system of Cross Border Privacy Rules and also the European Union’s Data Protection Directive.  It appears that the administration, at least for now, will depend upon companies’ voluntary adoption of these international frameworks.

Just as the administration will rely upon the multistakeholder process to develop domestic codes of conduct, it will adopt the same approach to developing globally applicable rules and guidelines.  Although the administration contemplates this process will be directed by the U.S. Departments of Commerce and State, the report does not provide any details.

Finally, the report explains the FTC will spearhead the U. S. Government’s efforts to cooperate with the FTC’s foreign counterparts in the “development of privacy enforcement priorities, sharing of best practices, and support for joint enforcement initiatives.”13

1  Report at 1. 

2  Although businesses are also “consumers,” the report appears to focus on protecting individuals’ personally identifiable information. 

3  We Can’t Wait: Obama Administration Unveils Blueprint for a “Privacy Bill of Rights” to Protect Consumers Online, February 23, 2012, Office of the Press Secretary. 

4 To illustrate the “context” principle, the report provides the example of a hypothetical social networking provider.  Users expect that certain biographical information will be collected in order to improve the service; however, if the provider sells the same biographical information to an information broker for advertising purposes, that use is more attenuated from users’ expectations.  Therefore, the latter use is not consistent with the “context” in which the biographical information was provided. 

5  Report at 2. 

6  Report at 23. 

7  We Can’t Wait, February 23, 2012, Office of the Press Secretary (“In the coming weeks, the Commerce Department’s National Telecommunications and Information Administration will convene stakeholders … .”). 

8  Docket No. 120214135-2135-01, February 29, 2012. 

9 Moving Forward with the Consumer Privacy Bill of Rights, Lawrence E. Strickling, Assistant Secretary for Communications and Information, February 29, 2012. 

10 According to Markets & Markets, a market research company and consulting firm. 

11 Report at 29. 

12 U.S. Agency Seeks Tougher Consumer Privacy Rules, The New York Times, March 26, 2012. 

13 Report at 33. 

© 2012 McDermott Will & Emery

The Growing Corporate Threat of Taxpayer Identity Theft Fraud

The National Law Review recently published an article by Latour “LT” Laffferty of Fowler White Boggs P.A. regarding Identity Theft:

Identity theft continues to be a growing problem nationwide, but particularly in Florida which continues to lead the nation per capita in reported incidents of identity theft according to the Federal Trade Commission (FTC), a national clearinghouse for consumer fraud complaints. Taxpayer identity theft fraud, a subset of identity theft in general, is the most prevalent form of identity theft according to the FTC which reported that tax-related identity theft incidents increased from 51,702 in 2008 to 248,357 in 2010. This is a dramatic increase from the 35,000 instances of employment-related identity theft cases reported in 2007.

Taxpayer identity theft fraud involves not only the theft of someone’s identity but also the filing of a fraudulent tax return using the victim’s social security number to receive a tax refund often totaling more than $9,000.00. The IRS identified and prevented the issuance of more than $14 billion in fraudulent refunds in 2011. A 2008 report issued by the Treasury Inspector General for Tax Administration (TIGTA), an IRS watchdog, stated that the prevention of taxpayer identity theft fraud is an employer’s issue involving the security of their systems and data. According to TIGTA, 938,664 of the 2.1 million fraudulent tax returns filed in 2011 involved identity theft and totaled $6.5 billion. The stolen information includes the person’s name, date of birth and social security number or Medicare beneficiary number.

The latest twist, however, is that your own employees are in on the crime as law enforcement agencies are reporting that employees at many businesses that compile personal information are misappropriating and selling the information to thieves who are filing fraudulent tax returns. The Centers for Medicare and Medicaid Services (CMS) issued a Fraud Alert in February 2012 warning healthcare providers that perpetrators are misappropriating the identities of Medicare beneficiaries from “employers, schools, hospitals, and prisons” but any businesses that store personal information are at risk from current or prospective employees. Recent law enforcement arrests report finding suspects with massive quantities of tax refunds and lists of prospective employers to apply for jobs with the specific intent to steal taxpayer identities from their databases.

The reality of this emerging threat is that perpetrators are actually targeting organizations for employment so that they can specifically breach their data security and commit identity theft and aid those committing tax refund fraud. These organizations have both a fiduciary and legal duty to safeguard that personal information, but also a legal duty to notify those consumers who they can reasonably identify that their personal information has been stolen.

©2002-2012 Fowler White Boggs P.A.

FTC Obtains Injunction, Asset Freeze on Alleged Mortgage Scam

The National Law Review recently published an article by Steven Eichorn of Ifrah Law regarding a Recent FTC Injunction:

The Federal Trade Commission has obtained an order from the federal court for the Central District of California for a preliminary injunction and asset freeze against all the defendants in an alleged mortgage modification scam.

The complaint was filed against California-based Sameer Lakhany and a number of related corporate entities for violating the Federal Trade Commission Act and the Mortgage Assistance Relief Services Rule, now known as Regulation O.This was the first FTC complaint against a mortgage relief scheme that falsely promised to get help for homeowners who joined with other homeowners to file so-called “mass joinder” lawsuits against their lenders.

The complaint listed two separate alleged schemes that collected over $1 million in fees and used images of President Obama to urge consumers to call for modifications under the “Obama Loan Modification Programs.”

The first scheme was a loan modification plan under which the defendants allegedly promised substantial relief to unwary homeowners from unaffordable mortgages and foreclosures. Their website featured a seal indicating that it was an “NHLA accredited mortgage advocate” and that NHLA is “a regulatory body in the loan modification industry to insure only the highest standards and practices are being performed. They have an A rating with the BBB.” Unfortunately, the NHLA is not a “regulatory body” and it actually has an “F” rating with the BBB.

The defendants reinforced their sales pitch by portraying themselves as nonprofit housing counselors that received outside funding for all their operating costs, except for a “forensic loan audit” fee. According to the FTC, the defendants told consumers that these audits would uncover lender violations 90 percent of the time or more and that the violations would provide leverage over their lenders and force the lenders to grant a loan modification. The defendants typically charged consumers between $795 and $1595 for this “audit.” Also, if the “audit” did not turn up any violations, the consumers could get a 70 percent refund. Unfortunately, there were often no violations found, any “violations” did not materially change the lender’s position, and it was nearly impossible to actually get a refund for this fee.

The second alleged scheme was that the defendants created a law firm, Precision Law Center, and attempted to sell consumers legal services. Precision Law Center was supposed to be a “full service law firm”, with a wide variety of practice areas. It even claimed to “have assembled an aggressive and talented team of litigators to address the lenders in a Court of Law.” However, the FTC charged that the firm never did anything besides for filing a few complaints, which were mostly dismissed.

To assist Precision Law Center in getting new clients, the defendants sent out direct mail from their law firm that resembled a class action settlement notice. The notice “promised” consumers that if they sued their lenders along with other homeowners in a “mass joinder” lawsuit, they could obtain favorable mortgage concessions from their lenders or stop the foreclosure process. The fee to participate in this lawsuit was usually between $6,000 to $10,000. The material also allegedly claimed that 80 to 85 percent of these suits are successful and that consumers might also receive their homes free and clear and be refunded all other charges.

The defendants’ direct mail solicitation also contained an official-looking form designed to mimic a federal tax form or class action settlement notice. It had prominent markings urging the time sensitivity of the materials and it requested an immediate response.

Obviously, these defendants employed many egregious marketing techniques that crossed the FTC’s line of permissibility. However, in light of the FTC’s renewed focus on Internet marketing, even a traditional marketing campaign should be carefully crafted with legal ramifications in mind.

As a final note, it is always smart not to antagonize the FTC by proclaiming (like the defendants here did) that they are “Allowed to Accept Retainer Fees” because it was “Not covered by FTC.” We couldn’t think of a better way to get onto the FTC’s radar screen!

© 2012 Ifrah PLLC

Data Security Breach Alert: 1.5 Million Credit Card Customers Affected

The National Law Review recently published an article regarding A Recent Security Breach written by Adam M. Veness of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

Global Payments, Inc. (NYSE: GPN) (“Global”) has reported a significant data security breach for approximately 1.5 million credit card customers.  According to astatement that Global released on Sunday, their investigation has revealed that “Track 2 card data may have been stolen, but that cardholders’ names, addresses and social security numbers were not obtained by criminals.”  Using Track 2 data, a hacker can transfer a credit card’s account number and expiration date to a fraudulent card, and then use the fraudulent card for purchases.

As a result of the breach, Visa has removed Global from its list of companies that it considers to be “compliant services providers.”  In an effort to calm consumers, Global issued a press release today assuring that “[b]ased on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

The incident reinforces the importance of maintaining adequate data security.  Companies must take ample precautions to secure their customers’ data, and if they fail to do so, they may be vulnerable to a serious security breach that could adversely affect their bottom line.  As of the time of this post, Global’s stock price has fallen approximately 12% since the data breach news was announced.  Even when following best practices in data security, companies still may face data security breaches.  Despite these inevitable risks, companies should do everything reasonably required to protect against data breaches.  If a company can show that it has taken the proper precautions, then this may mitigate or reduce potential liability in the event of a breach.  After a breach, companies should ensure that they follow all of the strict legal requirements for notifying customers of the breach and remedying the effects of the breach.  Doing so may greatly reduce a company’s exposure to customer lawsuits and government action against the company.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Identity Theft Continues to Top FTC’s List of Consumer Complaints

Recently The National Law Review published an article by Rachel Hirsch of Ifrah Law regarding FTC’s Top Consumer Complaints:

For more than a decade, the Federal Trade Commission has been releasing its list of the top ten categories of consumer complaints received by the agency in the previous year. This list always serves as a good indication of the areas toward which the FTC may choose to direct its resources and increase its scrutiny.

For the 12th year in a row, identity theft was the number one complaint received by the FTC. Out of more than 1.8 million complaints the FTC received last year, 15% – or 279,156 – were about identity theft. Of those identity theft complaints, close to 25 percent were related to tax or wage-related fraud. The number of complaints related to identity theft actually declined in 2011 from the previous year, but this type of fraud still topped the list.

Most identity theft complaints came from consumers reporting that their personal information was stolen and used in government documents — often to fraudulently collect government benefits. Complaints about government document-related identity theft have increased 11% since 2009 and represented 27% of identity theft complaints last year. These numbers are likely to increase as concerns about consumer data privacy continue to garner the attention of the FTC.

After ID theft, the FTC’s top consumer complaints for 2011 were as follows:

• Debt collection complaints
• Prizes, sweepstakes, and lotteries
• Shop-at-Home and catalog sales
• Banks and lenders
• Internet services
• Auto-related complaints
• Imposter scams
• Telephone and mobile services
• Advance-fee loans and credit protection or repair

While credit cards are intertwined with many of the above complaints, complaints about credit cards themselves are noticeably absent from the 2011 list. In past years, credit card fraud was a major source of complaints from consumers. The drop in credit card-fraud-related complaints, however, is not surprising given the passage of the Credit CARD Act of 2009. This landmark federal legislation banned interest rate hikes “at any time for any reason” and limited the instances when rates on existing card balances could be hiked by issuers. The law also required lenders to give customers at least 45 days advance notice of significant changes in terms to allow card users time to shop around for better terms.

With the upcoming changes to the FTC’s advertising guidelines, there may very well be new additions to the consumer complaint list next year. Those complaints that already appear on the list are also likely to receive increased scrutiny.

© 2012 Ifrah PLLC

FDA Discloses Method for Classifying Food Facilities as "High Risk" Under FSMA

The National Law Review published an article regarding FDA High Risk Food Facilities Classification Methods written by Lynn C. Tyler, M.S.Nicolette R. Hudson and Hae Park-Suk of Barnes & Thornburg LLP:

The Food Safety Modernization Act (FSMA), signed by President Obama in January 2011, requires FDA to inspect food facilities on different time tables depending on whether a facility is classified as “high risk” or not. High-risk facilities must be inspected at least once within the first five years after the enactment of the FSMA and once every three years thereafter. Non-high risk facilities must be inspected at least once within the first seven years after the enactment of the FSMA and once every five years thereafter.

The U.S. Food and Drug Administration (FDA) recently disclosed the method it intends to follow to classify food facilities as high risk or non-high risk under the FSMA. The agency first noted that the FSMA set forth six risk factors to be considered in making this determination:

  • The known safety risks of the food manufactured, processed, packed or held at the facility
  • The compliance history of the facility
  • The facility’s hazard analysis and risk-based preventive controls (HARBPC)
  • Whether the food at the facility meets the criteria for priority to detect intentional adulteration in imported food
  • Whether the food at the facility has received certain certifications
  • Other criteria identified by Health and Human Services

FDA then noted that for FY 2011-13 the classification decision will be based primarily on the first two factors and according to the following algorithms:

  • If a facility manufactures food categories associated with foodborne outbreaks AND class I recalls (reasonable probability of serious adverse health consequences or death), it is high risk
  • If a facility manufactures food categories associated with foodborne outbreaks OR class I recalls AND it has not been inspected within the last five years, it is high risk
  • Facilities with a checkered compliance history (three or more inspections resulting in Voluntary Action Indicated findings or one or more resulting in Official Action Indicated findings within the last five years) are high risk

FDA stated that it plans to modify and adjust these criteria in the future as it develops data on some of the FSMA criteria and for other reasons. It also reserved the right to inspect a facility more frequently when necessary in its judgment.

© 2012 BARNES & THORNBURG LLP

U.S. Department of Justice Postpones ADA Requirements for Swimming Pools and Spas

Recently The National Law Review published a paper by the Labor and Employment Law Department of Barnes & Thornburg LLP regarding the ADA Requirements for Pools and Spas:

On March 20, 2012, the U.S. Department of Justice (the Department) announced an immediate 60-day postponement of the effective date for the accessibility requirements for pools and spas subject to either Title II (state and local government programs) or Title III (places of public accommodation). These requirements will now take effect on May 21, 2012.

The Department also is contemplating further extending the effective date, and simultaneously issued a Notice of Proposed Rulemaking (NPRM) soliciting public comment as to whether the effective date of the pool and spa requirements should be postponed until Sept. 17, 2012, 180 days from the original effective date. The Department indicated that it was taking this action in order to allow pool owners and operators additional time to address certain misunderstandings regarding these requirements and their application to existing pools and spas.

On Sept. 15, 2010, the Department adopted the 2010 ADA Standards for Accessible Design (2010 Standards), which took effect on March 15, 2012. The 2010 Standards contain requirements for accessible means of entry into and exit from swimming pools and spas as follows:

  • Swimming pools with at least 300 linear feet of pool wall must provide two accessible means of entry and exit from the pool.  At least one means of entry and exit must be either a sloped entry (i.e., ramp) or pool lift that complies with the requirements set forth in Section 1009 of the 2010 Standards.  The second means of entry and exit can be either a transfer wall, transfer system or pool stairs.  (Wave action pools, leisure rivers, sand bottom pools and other pools with only one area for entry are required to provide only one accessible means of entry and exit.)
  • Swimming pools with less than 300 linear feet of pool wall are required to provide only one accessible means of entry and exit, provide that means is either a sloped entry or pool lift.
  • Only one accessible means of entry and exit is required into spas. This means of entry and exit must be either a pool lift, transfer wall or transfer system.  Furthermore, where more than one spa is provided in a cluster, only five percent (5%) of the spas are required to have an accessible means of entry and exit.

On Jan. 31, 2012, the Department issued technical guidance with respect to these requirements, in particular the manner in which they pertain to existing pools and spas.  See “ADA 2010 Revised Requirements: Accessible Pools – Means of Entry and Exit,” available athttp://www.ada.gov/pools_2010.htm ). Use of pool lifts generally is the most convenient method for providing access to existing pools and spas. In its technical guidance and in subsequent correspondence further explaining the pool requirements, the Department indicated that under Title II (state and local government programs), access could be provided through the use of portable pool lifts.  Under Title III, however, the Department indicated the pool lift must be fixed, or at least capable of being affixed to the pool deck or apron when in use; use of portable lifts is permitted only if provision of a fixed lift is not readily achievable. This difference stems from the fact that unlike Title III, which requires the removal of physical barriers to access where readily achievable, Title II permits state and local programs to provide access to existing facilities via alternative methods, including the purchase of equipment, in lieu of making structural modifications. Whether covered under Title II or Title III, however, newly constructed pools must comply with the 2010 Standards, and altered pools must comply to the maximum extent feasible.

In its technical guidance, the Department also indicated that pool lifts must be in place during the hours the pool or spa is open.  Where a facility has multiple pools or spas that are required to be accessible, a pool lift cannot be shared among the pools and spas, unless providing multiple lifts creates an undue burden.

Following issuance of the technical guidance, certain pool owners and operators expressed concern over its substance and urged the Department to permit the use of portable lifts under Title III and to permit pool lifts to be shared among pools.  They also raised safety concerns regarding the Department’s position that pool lifts must be in place during the hours the pool or spa is open.

In issuing its NPRM to further extend the effective date of the pool and spa requirements, the Department emphasized that it will not revisit the merits of the accessibility requirements for pools and spas.  Public comments on the issue of whether the effective date of these requirements should be further extended to Sept. 17, 2012 must be submitted no later than April 4, 2012.

© 2012 BARNES & THORNBURG LLP

Protecting Your Rights as an Additional Insured: Why a Certificate of Insurance Is Not Enough

An article by Daniel J. Struck and Neil B. Posner of Much Shelist, P.C. regarding Certificates of Insurance recently appeared in The National Law Review:

When entering into some types of contracts, you likely require that your business be named as an “additional insured” on the other party’s insurance policies. You might do this so that your insurance will not be depleted by defense and indemnification costs for losses for which you might be legally liable by virtue of your relationship to the other party, rather than due to your own direct negligence.

There are many situations in which it makes sense to be named as an additional insured. If you are a building owner, for example, you want to be an additional insured on the property and general liability insurance of your tenants in case one of them damages your building or an accident occurs involving a visitor. If you are a mortgagee, you want to be an additional insured on the property and general liability insurance of your mortgagors in case there is damage to the mortgaged property that reduces its value. If you are the owner or a contractor on a construction project, you want to be an additional insured on the general liability insurance of your contractors and subcontractors in case there is an injury to one of their employees. If you are a distributor or a retailer, you may want to be an additional insured on the insurance programs of the manufacturers of the products that you sell. Other examples abound. Despite the ubiquity of additional insured requirements, however, misconceptions about them are numerous.

Your efforts to protect your business cannot stop at simply including an additional insured requirement in your commercial contracts. Even the strongest possible additional insured provision does little good if the other party does nothing to secure your status as an additional insured with its insurers. Nor are your interests served if you do nothing to confirm that your business has indeed been named as an additional insured. In this context, trust is never a suitable substitute for concrete verification, and otherwise careful and responsible businesses are too often surprised because one of two very basic pre-conditions have not been met: (1) they never actually became additional insureds, or (2) there is no insurance in effect that provides coverage for a particular accident or loss. How is it possible that such basic conditions can trip up sophisticated businesses? And what can be done to avoid these pitfalls?

A Certificate of Insurance Is Not Insurance

It is not unusual that the only evidence of additional insured status is a form document—known as a certificate of insurance—that is usually prepared by the insurance broker for the named insured. The standard certificate of insurance generally states that the additional insured is an insured under the listed policy(ies) and that nothing in the certificate supersedes, changes or replaces what is contained in the identified policy(ies). All too frequently, certificates of insurance are collected, stored away and quickly forgotten. But a certificate of insurance does not create insurance coverage or confer status as an insured, nor is it part of an insurance policy.

Additional insured status is effectively conferred through an additional insured endorsement (i.e., an amendment to the terms of an insurance policy that is expressly incorporated into the relevant insurance policy). These amendments can take the form of an endorsement that specifically names a particular additional insured, or a general endorsement that identifies some class of parties as additional insureds.

If there is a dispute about whether the necessary additional insured endorsement was actually issued, the certificate will only be one of the factors that is taken into account. For example, if there is evidence that the insurer failed to act on a request to add an additional insured, the putative insured may be able to establish that it actually is an insured. If no endorsement was ever issued, and all the intended additional insured has is a certificate of insurance, the frustrated party may have a basis for a declaratory judgment claim against the insurer, as well as claims against the named insured and its insurance broker. But being forced to sue to establish insured status is not the same as being provided with a defense against an ongoing claim.

Here are a few best practices that a party can implement to help make certain its status as an additional insured is in place:

  • At a minimum, always insist on receiving a copy of the relevant additional insured endorsement because this is the instrument that establishes its status. A certificate of insurance is not enough.
  • An additional insured endorsement does not, however, state an insurance policy’s terms and conditions. In order to avoid being surprised by unexpected policy terms (e.g., a strict notice requirement or unfavorable notice of cancellation provisions), require a copy of the entire insurance policy under which you are an additional insured and be sure to read it.
  • Retain additional insured endorsements and the relevant insurance policies for as long as there is any potential that claims triggering those policies might be made.

A Certificate of Insurance Does Not Necessarily Entitle You to Notice of Cancellation

When you require that you be named as an additional insured, is it reasonable to expect that your status will remain in effect throughout the stated term of the insurance policy? Not necessarily. For example, what if you are a landlord and there is a fire at a restaurant operated by a financially troubled tenant in one of your properties? Unknown to you, the first-party property insurance policy to which you are an additional insured was cancelled two months before the fire. You may still be able to recover under your own property insurance policy, but that will affect your loss experience.

In order to avoid such situations, additional insured provisions in commercial contracts often contain a requirement that the additional insured receive notice of a cancellation at the same time as the named insured. If your business, however, relies only on a certificate of insurance as proof of its status, you run a heightened risk of an unwanted outcome.

Certificates of insurance are form documents. The most recent version of the standard certificate of insurance—often referred to as an ACORD certificate—contains a change in its terms that has the potential to surprise unsuspecting additional insureds. The current form states that “should any of the above described polices be cancelled before the expiration date thereof, notice will be delivered in accordance with the policy provisions.” In contrast, the pre-2009 version provided that “should any of the above described policies be cancelled before the expiration date thereof, the issuing insurer will endeavor to mail…written notice to the certificate holder in the event the insurance policy is cancelled.”

On its face, the old ACORD certificate at least appeared to support the expectation that an additional insured should receive a notice of cancellation from the insurer. However, it was dangerous to rely on those terms because the certificate itself was not part of an insurance policy. Insurers regularly took the position that the ACORD certificate could not modify the terms of an insurance policy.

The new form, however, is even more problematic. The current ACORD certificate refers to the notice of cancellation provisions of the relevant insurance policy. If the relevant insurance policy provides that the only party entitled to receive notice of cancellation is the named insured, then the new ACORD certificate is not likely to support the argument that an additional insured is also entitled to receive notice of cancellation. It is all well and good that your commercial contracts require that you receive advance notice of any cancellation But remember that an insurer has no reason to know the terms of the contract between you and its insured. If you never insist on reviewing the actual additional insured endorsement and the relevant insurance policy, you have no way of knowing whether or not you are entitled to notice of cancellation from the insurer.

What can an additional insured do to make certain that it receives advance notice of the cancellation of an insurance policy? Following are some things you should consider and steps you can take to protect your interests as an additional insured:

  • The preferred approach is to request that the insured have its insurer provide an endorsement stating that you, as an additional insured, are entitled to the same rights as the named insured in the event of cancellation. This can take the form of a separate endorsement or an amendment to an additional insured endorsement. Although you may receive pushback from the insured and its insurers, with suitable counsel and persistence, you may be able to obtain the requested endorsement.
  • Your contractual additional insured provisions should be revised to reflect the foregoing requirements.
  • If it is not possible to secure the requested notice provisions via endorsement, the best alternative is to require that the insured provide prompt notice of cancellation and/or regular confirmations that the relevant insurance remains in force.

Additional insured status is an asset that imposes certain obligations on the party enjoying that status. Furthermore, it should not be regarded as a “freebie” to be treated in a passive manner. It is important to take an active interest in securing and knowing your rights—or risk erosion of their value. Ultimately, to be sure that you have the additional insured protection that you expect consistent with your needs, consult with your lawyer and insurance broker before signing on the dotted line.

© 2012 Much Shelist, P.C.

Privacy-on-the-Go: California Attorney General and Major Mobile Application Platforms Agree to Privacy Principles for Mobile Applications

Recently The National Law Review featured an article written by Cynthia J. Larose and Jake Romero of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding Mobile Apps and Privacy:

Application developers have been put on notice by the State of California. It is time to pay attention to user privacy and collection of information from user devices.

In an effort led by the office of California Attorney General Kamala D. Harris, the state has reached an agreement committing the six largest companies offering platforms for mobile applications (commonly referred to as “apps”) to a set of principles designed to ensure compliance with California’s Online Privacy Protection Act. The agreement with Apple Inc., Google Inc., Microsoft Corp., Amazon.com Inc., Hewlett-Packard Co., and Research In Motion Ltd., who collectively represent over 95% of the mobile application market, is significant for two reasons. First, it operates as an acknowledgement that California’s Online Privacy Protection Act applies to app developers as well as platform providers. Second, the agreement may effectively create a minimum standard for disclosures and transparency with regard to the collection of personal information by mobile applications. Because of the global nature of the Internet, the law will apply to every mobile app provided through the six firms’ app stores even though it is a state law.

This alert includes a description of the principles underlying this agreement, as well as certain best practices to help mobile app developers ensure compliance. The full text of the agreement, as well as comments from the Office of the Attorney General, can be accessed online at http://ag.ca.gov/newsalerts/print_release.php?id=2630.

Mobile Applications and Data Privacy

The most recent data from the Pew Research Center shows that 50% of all adult cell phone owners have apps on their mobile phones, a percentage that has nearly doubled over the past two years. This same survey also indicated that approximately 43% of those surveyed purchased a phone on which apps were already installed. Many of these mobile applications, in order to facilitate the functionality of the app, allow the app developer broad access to data held on the user’s mobile device. However, as noted by Attorney General Harris in a press conference announcing the agreement, many mobile applications, including twenty-two of the thirty most popular apps, lack a privacy policy to explain how much of the user’s data is accessible by the developer, and how and with whom that data is shared.

California’s Online Privacy Protection Act provides that “[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site,” or in the case of an operator of an online service, make that policy reasonably accessible to those consumers. In entering into this agreement, the six major platform providers have acknowledged that this requirement applies equally to mobile app developers (as “online services”) and the platform providers have agreed to, among other things, implement a means for users to report apps that do not comply with this requirement and a process for investigating and responding to those reports.

The New Privacy Standard and Ensuring Compliance

A likely outcome of this agreement is that compliance with California’s Online Privacy Protection Act will become a minimum standard for the mobile application industry, because even those developers located outside the state of California will likely conclude that it is easier to have a single policy that meets California’s requirements, rather than risk inadvertent non-compliance.

To ensure compliance, developers or providers of mobile apps that collect personal data from users’ mobile devices will be required to have a privacy policy that meets the requirements set forth in Section 22575(b) of California’s Business and Professions Code (as an incorporated portion of the Online Privacy Protection Act, Section 22575(b) can be accessed in full by following the link provided above). Specifically, the privacy policy must:

·         Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

·         If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

·         Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.

·         Identify its effective date.

In establishing a compliant privacy policy, an app developer or provider should take great care to ensure that the descriptions and processes contained therein match the actual operations of the company and the information it collects, and the policy should be reviewed periodically by both legal counsel and the app developer’s technical experts so that it can be updated as necessary. The policy should be clear and easy to understand, especially with regard to the collection and sharing of personal data. For those companies who may be affected by this agreement and already have a privacy policy in place, that policy should be reviewed to determine whether it should be updated. Developers and platform providers that do not comply with the law can be prosecuted under California’sUnfair Competition Law and/or False Advertising Law, which has penalties of up to $500,000 per use of the app in violation, Harris said. “If developers do not follow the privacy policies we will sue,” she added.

Anticipated Developments

Per their agreement with Attorney General Harris, the six major mobile app platforms will commence working with app developers to ensure compliance and provide education regarding privacy and data sharing. To increase awareness and promote transparency, mobile app developers will be required, as part of the application submitting an app to the platform, to provide either a link to that developer’s privacy policy, a statement describing the policy, or the full text of the policy itself. In each case, a user who is considering downloading the developer’s app will be provided access to the privacy policy associated with that app prior to downloading it.

The six major platforms have agreed to reconvene within six months to further evaluate any required changes), but no specific timeline has been stated with regard to implementing the changes described above. However, for mobile app developers who hope to continue to be a part of this quickly growing and highly lucrative market, there may not be a more opportune time to take advantage of the resources being provided on both a state and industry level.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.