Category: Consumer Protection

2013 ADA Pool Lift Compliance Deadline: Has Your Business Complied?

The National Law Review recently published an article by Tara L. Tedrow with Lowndes, Drosdick, Doster, Kantor & Reed, P.A. regarding, Pool Lifts:

Lowndes_logo

January 31, 2013 marks the date for compliance with the Americans with Disabilities Act (“ADA”) Standards for Accessible Design related to installing fixed pool lifts for swimming pools, wading pools and spas.  Though the Department of Justice (“DOJ”) previously changed its hard deadline for compliance with the installation requirements from March 15, 2012 to January 31, 2013, entities covered by Title III of the ADA should not rely on any more extensions.  If complying with the new ADA requirements fell off your to-do list, it’s time to start planning.

Here are a few questions to ask yourself when understanding how these rules could affect you:

Are you a Title III entity?

Whether you even have to worry about the fixed pool lift requirements depends on whether you are a Title III entity.  Title III prohibits discrimination on the basis of disability by places of public accommodation, including many private businesses, and places with accessibility requirements on such businesses.  Title III entities are businesses such as a hotel and motel, health club, recreation center, public country club or other business that has swimming pools, wading pools and spas.  If you fall under that category, the 2010 Standards apply.

What is this pool lift requirement? 

The 2010 Standards require that newly constructed or altered swimming pools, wading pools, and spas have an accessible means of entrance and exit to pools for those people with disabilities.  However, providing accessibility is conditioned on whether providing access through a fixed lift is “readily achievable.”  The technical specifications for when a means of entry is accessible are available on the DOJ website. Other requirements, based on pool size, include providing a certain number of accessible means of entry and exit, which are outlined in Section 242 of the Standards.  However, businesses should consider the differences in application of the rules depending on whether the pool is new or altered, or whether the swimming pool was in existence before the effective date of the new rule.  Full compliance may not be required for existing facilities; Section 242 and 1009 of the 2010 Standards outline such exceptions.

What exactly is a “fixed pool lift”?

A fixed lift is one that is attached to the pool deck or apron in some fashion.  Conversely, a non-fixed lift is not attached in any way.  Many businesses with pools have purchased or own portable (i.e. non-fixed) pool lifts.  If that portable lift is attached to the pool deck, then it could be considered a fixed lift and compliant under the rules.  Thus, owners of a portable lift may be able to comply with the ADA requirements by affixing lifts to the pool deck or apron.  Moreover, owners of such portable lifts will be required to affix the lifts as a means of compliance if it is readily achievable.  This exception for certain non-fixed lifts stemmed from confusion over the new regulations, spurring the DOJ to grant exceptions to certain entities that purchased an otherwise compliant non-fixed lift before March 15, 2012.  Those exceptions apply only if the non-fixed lifts comply with the 2010 Standards and if the owners keep the portable lifts in position for use at the pool and operational during all times that the pool is open to guests.

What is the “readily achievable” standard?

The ADA does not require providing access to existing pools through a fixed lift if it is not “readily achievable,” meaning that providing access is easily accomplishable without much difficulty or expense.  The DOJ has specified that this standard is a flexible, case by case analysis, so that the ADA requirements are not unduly burdensome.  However, businesses cannot simply claim that installing a fixed pool lift is not readily achievable.  Rather, factors such as the nature and cost, the overall financial resources of the site and the effect on expenses and resources are all considered and evaluated when determining the application of the standard. Though for some businesses immediate compliance may seem impossible because of issues such as the backorder on pool lifts, it is not a valid excuse for non-compliance.  Businesses are still required to comply with the 2010 Standards through other means, as specified in the Standards.

Should I shut my pool down if I haven’t complied?

If accessibility is not readily achievable, businesses should develop plans for providing access into the pool when it becomes readily achievable in the future.  Businesses that are worried about their current status of compliance should consult with legal counsel or call the ADA Information Line to speak with an ADA Specialist regarding any further questions.

Though compliance to the pool lift requirements may seem onerous, it is necessary to prevent legal and financial liability on the part of a Title III covered business.  These requirements also potentially affect tax breaks under the IRS Code, insurance coverage, ongoing maintenance and accessibility obligations and staff training requirements, all of which are even more of a reason to take compliance seriously.

© Lowndes, Drosdick, Doster, Kantor & Reed, PA

Data Privacy Day 2013 – Passwords

The National Law Review recently featured an article on Passwords written by Cynthia J. Larose with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

MintzLogo2010_Black

 

Something everyone can do for Data Privacy Day:  make it a point to change at least one password and make it “long and strong.”

Here are some tips for building strong passwords from David Sherry, Chief Information Security Officer at Brown University:

To create a strong password, you should use a string of text that mixes numbers, letters that are both lowercase and uppercase, and special characters. Best practice says it should be eight characters, but the more the better. The characters should be random, and not follow from words, alphabetically, or from your keyboard layout.

So how do you make such a password?

Spell something backwards. Example: Turn “New York” into “ kroywen ”

Use “l33t speak”: Substitute numbers for certain letters.  Example: Turn “kroywen” into kr0yw3n

Randomly throw in some capital letters.  Example: Turn “kr0yw3n” into Kr0yW3n

Don’t forget the special character.  Example: Turn “Kr0yW3n” into       !Kr0y-W3n$

So, you say you can’t remember “complex” passwords…

One suggestion: create one, very strong, password and “append” it with an identifier:

!Kr0y-W3n$Bro

!Kr0y-W3n$Ama

!Kr0y-W3n$Boa

!Kr0y-W3n$Goo

!Kr0y-W3n$Yah

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

HIPAA Final Omnibus Rule Brings “Sweeping Change” to Health Care Industry

Dinsmore-2c-print NEW

On January 17, 2013, the U.S. Department of Health and Human Services (HHS)announced the release of the HIPAA final omnibus rule, which was years in the making. The final rule makes sweeping changes to the HIPAA compliance obligations of covered entities and business associates and comprises four final rules wrapped into one:

  1. Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010;
  2. Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act and to adopt the additional HITECH Act enhancements to the Enforcement Rule that were not previously adopted in the October 30, 2009 interim final rule, including provisions to address enforcement where there is HIPAA non-compliance due to willful neglect;
  3. A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which eliminates the breach notification rule’s “harm” threshold and supplants an interim final rule published on Aug. 24, 2009; and
  4. A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

HHS estimates a total cost of compliance with the final omnibus rule’s provisions to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million each year thereafter. Among the costs HHS associates with the final rule are: (i) costs to covered entities of revising and distributing new notices of privacy practices; (ii) costs to covered entities related to compliance with new breach notification requirements; (iii) costs to business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to business associates to come into full compliance with the Security Rule. HHS attributes between $43.6 million and $155 million of its first year estimates to business associate compliance efforts. It is predicted that the true compliance costs for both covered entities and business associates will be far in excess of these HHS estimates.

Some of the key provisions of the final omnibus rule include:

  • Expanded definition of “business associate.” The definition of “business associate” has been expanded to include subcontractors of business associates, any person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity, and certain identified categories of data transmission services that require routine access to protected health information, among others. A covered entity is not required to enter into a business associate agreement with a business associate that is a subcontractor; that obligation flows down to the business associate, who is required to obtain the proper written agreement from its subcontractors.
  • Direct compliance obligations and liability of business associates.Business associates are now directly liable for compliance with many of the same standards and implementation specifications, and the same penalties now apply to business associates that apply to covered entities, under the Security Rule. Additionally, the rule requires business associates to comply with many of the same requirements, and applies the same penalties to business associates that apply to covered entities, under the Privacy Rule. Business associates must also obtain satisfactory assurances in the form of a business associate agreement from subcontractors that the subcontractors will safeguard any protected health information in their possession. Finally, business associates must furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.
  • Modified definition of “marketing.” The definition of “marketing” has been modified to encompass treatment and health care operations communications to individuals about health-related products or services if the covered entity receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described. A covered entity must obtain an individual’s written authorization prior to sending marketing communications to the individual.
  • Prohibition on sale of PHI without authorization. An individual’s authorization is required before a covered entity may disclose protected health information in exchange for remuneration (i.e., “sell” protected health information), even if the disclosure is for an otherwise permitted disclosure under the Privacy Rule. The final rule includes several exceptions to this authorization requirement.
  • Clear and conspicuous fundraising opt-outs. Covered entities are required to give individuals the opportunity to opt-out of receiving future fundraising communications. The final rule strengthens the opt-out by requiring that it be clear and conspicuous and that an individual’s choice to opt-out should be treated as a revocation of authorization. However, the final rule leaves the scope of the opt-out to the discretion of covered entities. In addition to demographic information, health insurance status, and dates of health care provided to the individual, the final rule also allows covered entities to use and disclose: department of service information, treating physician information, and outcome information for fundraising purposes. Covered entities are prohibited from conditioning treatment or payment on an individual’s choice with respect to the receipt of fundraising communications. In addition, the NPP must inform individuals that the covered entity may contact them to raise funds and that they have a right to opt-out of receiving such communications.
  • Right to electronic copy of PHI. If an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
  • Right to restrict disclosures to health plans. When an individual requests a restriction on disclosure of his or her protected health information, the covered entity must agree to the requested restriction (unless the disclosure is otherwise required by law), if the request for restriction is on disclosures to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information for which the health care provider has been paid out of pocket in full. Covered health care providers will need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.
  • GINA changes for some health plans. Health plans that are HIPAA covered entities, except issuers of long term care policies, are prohibited from using or disclosing an individual’s protected health information that is genetic information for underwriting purposes. The rule does not affect health plans that do not currently use or disclose protected health information for underwriting purposes.
  • Provision for compound authorizations for research. A covered entity may combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components, clearly allows the individual the option to opt in to the unconditioned research activities, and the research does not involve the use or disclosure of psychotherapy notes. For research that involves the use or disclosure of psychotherapy notes, an authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.
  • Required changes to Notice of Privacy Practices (NPP). NPPs must be modified and distributed to individuals to advise them of the following: (1) for health plans that underwrite, the prohibition against health plans using or disclosing PHI that is genetic information about an individual for underwriting purposes; (2) the prohibition on the sale of protected health information without the express written authorization of the individual, as well as the other uses and disclosures for which the rule expressly requires the individual’s authorization (i.e., marketing and disclosure of psychotherapy notes, as appropriate); (3) the duty of a covered entity to notify affected individuals of a breach of unsecured protected health information; (4) for entities that have stated their intent to fundraise in their notice of privacy practices, the individual’s right to opt out of receiving fundraising communications from the covered entity; and (5) the right of the individual to restrict disclosures of protected health information to a health plan with respect to health care for which the individual has paid out of pocket in full.
  • Broader disclosure of decedents’ PHI. Covered entities are permitted to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
  • Disclosure of proof of immunizations to schools. A covered entity is permitted to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor.
  • Tiered and enhanced enforcement provisions. The final rule conforms the regulatory language of the rule to the enhanced enforcement provisions of the HITECH Act. Penalties for non-compliance are based on the level of culpability with a maximum penalty of $1.5 million for uncorrected willful neglect.

As detailed above, the changes announced by HHS expand many of the requirements to business associates and subcontractors. Fortunately, the final rule provides a slight reprieve in one respect. It allows covered entities and business associates up to one year after the 180-day compliance date to modify business associate agreements and contracts to come into compliance with the rule.

Perhaps the most highly anticipated change found in the final omnibus rule relates to what constitutes a “breach” under the Breach Notification Rule. The final rule added language to the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity (or business associate) demonstrates that there is a low probability that the PHI has been compromised. Stated differently, the rule removes the subjective harm standard and modifies the risk assessment to focus instead on the risk that the PHI has been compromised. The final rule also identifies four objective factors covered entities and business associates are to consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

The final omnibus rule does not address the accounting for disclosures requirements, which is the subject of a separate proposed rule published on May 31, 2011, or the penalty distribution methodology requirement, which HHS has stated will both be the subject of future rulemaking.

The Office of Civil Rights has characterized the new rules as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Leon Rodriguez, the Director of the Office of Civil Rights, stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The HIPAA final omnibus rule is scheduled to be published in the Federal Register on January 25, 2013 and will go into effect on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013. Entities affected by this final rule are strongly urged to begin an analysis of their existing HIPAA compliance policies and procedures and take steps to comply with the final rule.

The HHS Press Release announcing the final rule is available at:
http://www.hhs.gov/news/press/2013pres/01/20130117b.html

The full text of the rule is currently available at:
https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules

© 2013 Dinsmore & Shohl LLP

Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:

Poyner Spruill

 

The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, there will be many more breaches reported resulting in even greater costs and churn than the already staggering figures published by Ponemon which reports that 96% of health care entities have experienced a breach with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And it is of course free to investigate any breach reported to them.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

Privacy of Mobile Applications

The National Law Review recently featured an article, Privacy of Mobile Applications, written by Cynthia J. Larose with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

MintzLogo2010_Black

 

As we continue our “new year, new look” series into important privacy issues for 2013, we boldly predict:

Regulatory Scrutiny of Data Collection and Use Practices of Mobile Apps Will Increase in 2013

Mobile apps are becoming a ubiquitous part of the everyday technology experience.  But, consumer apprehension over data collection and their personal privacy with respect to mobile applications has been growing.   And as consumer apprehension grows, so does regulatory scrutiny.  In 2012, the Federal Trade Commission (FTC) offered guidance to mobile app developers to “get privacy right from the start.”    At the end of 2012, the California Attorney General’s office brought its first privacy complaint against Delta Airlines, Inc., alleging that Delta’s mobile app “Fly Delta” failed to have a conspicuously posted privacy policy in violation of California’s Online Privacy Protection Act.  And also in December, SpongeBob Square Pants found himself in the middle of a complaint filed at the FTC by a privacy advocacy group alleging that the mobile game SpongeBob Diner Dash collected personal information about children without obtaining parental consent.

In 2013, we expect to see new regulatory investigations into privacy practices of mobile applications.   Delta was just one of 100 recipients of notices of non-compliance from the California AG’s office and the first to be the subject of a complaint.  Expect to see more of these filed early in this year as the AG’s office plows through responses from the lucky notice recipients.   Also, we can expect to hear more from the FTC on mobile app disclosure of data collection and use practices and perhaps some enforcement actions against the most blatant offenders.

Recommendation for action in 2013:  Take a good look at your mobile app and its privacy policy.   If you have simply ported your website privacy policy over to your mobile app – take another look.  How is the policy displayed to the end user?  How does the user “accept” its terms?  Is this consistent with existing law, such as California, and does it follow the FTC guidelines?  

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Privacy Policies Now a Must for Mobile Apps

The National Law Review recently published an article, Privacy Policies Now a Must for Mobile Apps, written by Tanya L. CurtisLeonard A. Ferber, and Doron S. Goldstein of Katten Muchin Rosenman LLP:

Katten Muchin

 

California has long been a leader in privacy legislation. That position was strengthened recently when the California Attorney General filed a first-of-its-kind lawsuit against a company for its failure to include a privacy policy with a smartphone application. The lawsuit, filed on December 6 against Delta Airlines, alleges that the airline violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application. This action by the state of California has broad implications to anyone developing or distributing mobile apps.

Background

In 2004, California enacted the California Online Privacy Protection Act (CalOPPA)requiring commercial operators of websites and online services to conspicuously post detailed privacy policies to enable consumers to understand what personal information is collected by a website and the categories of third parties with which operators share that information. CalOPPA provides that “an operator shall be in violation of this [posting requirement] only if the operator fails to post its policy within 30 days after being notified of noncompliance,” and if the violation is made either (a) knowingly and willingly or (b) negligently and materially. In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

While CalOPPA does not define an “online service” or specifically mention “mobile” or “smartphone” applications, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.” In light of this interpretation, in 2011 the Attorney General’s office contacted the six leading operators of mobile application platforms in an attempt to improve mobile app compliance with CalOPPA. In February 2012, the Attorney General reached an agreement with these companies on a set of principles designed to ensure that mobile apps include a conspicuously posted privacy policy where applicable law so requires (such as in California), and that the policy appear in a consistent location on the app download screen.

Delta markets its Fly Delta mobile app though various online “app stores.” Among other things, the Fly Delta app allows customers to check in to flights, rebook cancelled flights and pay for checked baggage. Delta has a website that includes a privacy policy, but that policy did not mention the Fly Delta app or the types of information collected from the app.

The Case

In October, the California Attorney General’s office sent letters to a number of mobile application makers, including Delta, that did not have a privacy policy reasonably accessible to app users, giving them 30 days to respond or make their privacy policies accessible in their apps. Delta either forgot about or ignored the letter, and the Attorney General filed suit.

The complaint stated that the Fly Delta application did not have a privacy policy within the application itself or in the app stores from which the application could be downloaded. The complaint also noted that, while Delta’s website has a privacy policy, the policy does not mention the Fly Delta app or the personal information collected by the app, and is not reasonably accessible to consumers who download the app. Since Delta failed to respond to the October letter, the Attorney General charged the airline with violating California law by knowingly and willfully, or negligently and materially, failing to comply with CalOPPA. And, in a separate charge under a provision of CalOPPA not requiring 30 days’ notice of noncompliance, the Attorney General alleged that Delta failed to comply with the privacy policy posted on its own website, in that the Fly Delta app does not comply with that policy. The complaint asks for damages of $2,500 for each violation, presumably for each download.

What You Need to Know

While California is currently unique in applying its privacy law to mobile applications, many states look to California, as a leader in this area, for guidance. CalOPPA applies to any “operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service…” In light of California’s large population, the practical effect of CalOPPA is that an overwhelming number of online businesses (including mobile app developers) must comply with it.

It is now clear that virtually all mobile or smartphone app makers, as well as companies that use smartphone apps as part of their “mobile strategy,” must make privacy policies accessible to app users. The actions of the California Attorney General also make it clear that there is a cost to noncompliance. Such accessibility can be achieved either by including the privacy policy within the app itself or by creating an icon or text link to a readable version of the privacy policy, which may be part of a company’s or developer’s overall web privacy policy.

©2012 Katten Muchin Rosenman LLP

‘Get-Rich-Quick’ Systems Penalized by FTC to Tune of $478 Million

As part of the Federal Trade Commission’s ongoing efforts to shut down scams that target financially vulnerable consumers, a U.S. district judge has issued a $478 million judgment at the request of the FTC against the marketers of three get-rich-quick systems that the agency says are used for deceiving consumers. The order is the largest litigated judgment ever obtained by the FTC.

The judgment was awarded against companies and individuals who marketed the schemes, titled “John Beck’s Free & Clear Real Estate System,” “John Alexander’s Real Estate Riches in 14 Days,” and “Jeff Paul’s Shortcuts to Internet Millions.”

Nearly a million consumers paid $39.95 for one of these “get-rich-quick” systems, and some consumers purchased personal coaching services, which cost up to $14,995. According to the FTC complaint filed in June 2009, one system was marketed to consumers with the promise that consumers could “quickly and easily earn substantial amounts of money by purchasing homes at tax sales in their area ‘free and clear’ for just ‘pennies on the dollar’ and then turning around and selling these homes for full market value or renting them out for profit.”

The FTC said that nearly all the consumers that bought the systems lost money.

The FTC’s suit alleged violations of the Federal Trade Commission Act, based on the defendants’ representations in connection with the advertising, marketing, promoting and sale of the systems. The FTC also alleged that the defendants’ violated the Telemarketing Sales Rule through their marketing to consumers.

Two of the individual defendants, Douglas Gravnik and Gary Hewitt, were held jointly and severally liable for the monetary part of the judgment. The judge also imposed a lifetime ban from infomercial products and telemarketing against Gravnik and Hewitt. Gravnik and Hewitt indicated that they are likely to appeal the order to the extent it imposes a lifetime ban. A third individual, John Beck, is responsible for $113.5 million of the judgment.

In its case, the FTC filed 30 consumer declarations detailing consumers’ experiences with the defendants’ products. The defendants objected to many of these declarations on various grounds, including hearsay, relevance, and the best evidence rule among other objections, but these objections were all overruled.

The defendants also objected to the use of a survey by the FTC that showed that less than 0.2 percent of consumers who purchased the defendants’ system made any profits and only 1.9 percent of consumers who purchased coaching material made any revenue. The defendants moved to exclude all evidence relating to the survey on the ground that the pre-notification letter “poisoned the well in such a way as to invalidate whatever survey finding the FTC obtained” and argued that the manner in which the survey was conducted rendered the results unreliable. The court found that the survey was performed under accepted principles used by experts in the field and was admissible.

The court granted summary judgment for the FTC , finding that the defendants made material misrepresentations that were either false or unsubstantiated. The court pointed out that the materials provided by the defendants to consumers taught consumers how to purchase tax liens and certificates, but these purchasers do not obtain title to the property and thus were not “purchasing” the homes as the advertising materials stated.

The court also granted summary judgment on the Telemarketing Sales Rule allegations. The basis of the defendants’ argument was that the violations were isolated and should not be the basis for liability. The court found that there was no dispute that the defendants’ telemarketers repeatedly initiated calls to consumers who asked the defendants not to contact them. The FTC also produced “overwhelming” evidence that the defendants lacked a meaningful compliance program or any written procedures in place to comply with the regulations.

Jeffrey Klurfeld, director of the FTC’s Western Region, stated in a press release that “This huge judgment serves notice to anyone thinking of using phony get-rich-quick schemes to defraud consumers. The FTC will come after you if you violate the law.”

In this case, the FTC had already completed its surveys when it went to court. Trial judges will often be very impressed with FTC surveys and will grant judgment to the agency in nearly every case. Therefore, it is critical that a company that is being targeted by the FTC obtain counsel at the earliest possible stage, before the agency files anything in court. Counsel should be ready to vigorously defend the client’s marketing practices with techniques such as the use of countersurveys and customer testimonials and expert testimony, before the FTC files in court.

© 2012 Ifrah PLLC

Cyber Attacks Hit Major Banks. Is Your Business Next?

Roy E. Hadley, Jr. and Joan L. Long of Barnes & Thornburg LLP recently had an article regarding Cyber Attacks published in The National Law Review:

Over the past week, several websites belonging to some of the largest banks in the country have been hacked in what experts are calling one of the “biggest cyber attacks they’ve ever seen.” As this CNN Money article points out, the websites “have all suffered day-long slowdowns and been sporadically unreachable for many customers.”

According to security experts, the “denial of service” attacks, which began on Sept. 19, are the largest ever recorded.

For all businesses, denial of service attacks are a growing and more menacing threat.  Your customers can’t access your website and can’t buy your goods and services. This can be catastrophic to your company. So the question remains: What have you done to protect your business?

The CNN Money article can be read in its entirety clicking on the link below.

CNN Money – “Major banks hit with biggest cyberattacks in history

© 2012 BARNES & THORNBURG LLP

Apple Shareholders Request Information From Board on Privacy/Security Risk

The National Law Review recently published an article, Apple Shareholders Request Information From Board on Privacy/Security Risk, by Amy Malone of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

 

This week, Apple shareholders requested that its Board of Directors publish a report explaining how the board oversees privacy and data security risks.  The proposal, which is available here, was prompted by concern that recent issues such as the unauthorized access to iPhone users’ address books and the release of one million Unique Device IDs could place the company’s growth opportunities at risk.

The shareholder proposal references a recent study conducted by Carnegie Mellon University’s Cylab that made various recommendations to boards including, annual reviews of privacy and security programs to gage effectiveness and identify gaps and requiring regular privacy and security reports from management.   The interest in privacy and security as risk management issues at both the shareholder and board level is increasing. A recent study conducted by Corporate Board Member & FTI Consulting, Inc. surveyed 11,340 corporate directors and 1,957 general counsel regarding legal risks on their radar.  For the first time in the 12 years since the study has been conducted, data security was noted as the most prevalent concern among both directors (48 percent) and general counsel (55 percent). This level of concern has almost doubled in the last four years. For instance, in 2008, only 25 percent of directors and 23 percent of general counsel identified data security as an area of great concern.  Moreover, 33 percent of general counsel surveyed believe their board is not effective at managing cyber risk. This is one of the lowest ratings among the 13 risk management areas surveyed.

When asked whether their company had a plan in place to manage a data breach should one occur, only 42 percent of directors said their company had a formal Incident Response Plan. Twenty-seven percent responded that their company had no such plan and 31 percent were uncertain.  Despite acknowledging such unpreparedness, 77 percent of directors and general counsel still believe their company is prepared to handle a data breach. There is a serious concern, however, given the disconnect between having written response plans and the perception of preparedness.   Apple shareholders are recognizing that disconnect and apparently want to ensure that its Board has adequately addressed it.  The proposal will be voted on at Apple’s 2013 Annual Meeting.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Consumer Financial Services Basics – ABA Conference

The National Law Review is pleased to bring you information regarding the upcoming Consumer Financial Services Basics Conference sponsored by the ABA:

When

October 08 – 09, 2012

Where

American University

Washington College of Law

Washington, DC

Program Description

Facing the most comprehensive revision of federal consumer financial services (CFS) law in 75 years, even experienced consumer finance lawyers might feel it is time to get back in the classroom. This live meeting is designed to expose practitioners to key areas of consumer financial services law, whether you need a primer or a refresher.It is time to take a step back and think through some of these complex issues with a faculty that combines decades of practical experience with law school analysis. The classroom approach is used to review the background, assess the current policy factors, step into the shoes of regulators, and develop an approach that can be used to interpret and evaluate the scores of laws and regulations that affect your clients.Program FocusThis program will explain each of the major sources of regulation of consumer financial products in the context of the regulatory techniques and policies that are the common threads in a complex pattern, including:

  • Price regulation and federal preemption of state price limitations
  • Truth in lending and disclosure requirements
  • Marketing, advertising and unfair or deceptive conduct
  • Account servicing and collections
  • Regulating the “fairness” of financial institution conduct
  • Data security, fraud prevention and identity protection
  • Consumer reporting: FCRA & FACT Act
  • Fair lending and fair access to financial services
  • Remedies: regulators and private plaintiffs
  • Regulatory and legislative priorities for 2012 and beyond

Who Should Attend…The learning curve for private practitioners, in-house lawyers and government attorneys to understand the basics and changes to CFS law is very steep. This program is a great way to jump up that curve for:

  • Private practitioners with 1-10 years of experience who focus on CFS products or providers
  • In-house counsel at financial institutions and non-bank lenders
  • Government attorneys, in financial practices regulatory agencies
  • Compliance officers (who may be, but need not be, attorneys)