What’s “So” Important: Computer Fraud and Abuse Act Gets a Close Look from SCOTUS

In a case with significant ramifications for employers concerned with protecting sensitive information, and for employees accused of abusing access to computer networks, the United States Supreme Court (“SCOTUS”) heard oral argument this week in Van Buren v. United States, No. 19-783, a case from the Court of Appeals for the Eleventh Circuit that will require interpretation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.  The argument was lively.  All of the Justices asked questions, and several expressed concern about vagueness in the CFAA’s definition of covered activity.  Much of the discussion centered on an alleged “parade of horribles,” and on the meaning of the word “so.”  We expect a relatively prompt decision.  Time will tell what SCOTUS will decide, but we would not be surprised to see a reversal and remand.

The CFAA has been a useful litigation tool for employers when confidential or other sensitive information accessed via computer is misappropriated, misused, or otherwise compromised. The CFAA generally prohibits obtaining sensitive information from a computer without authorization, or by exceeding authorized access, and, importantly, confers federal jurisdiction.  While it is a criminal statute, it also provides for a private right of action for those damaged by certain violations.  The issue now before SCOTUS in Van Buren is whether the CFAA is violated when someone with authorized access obtains information for an unauthorized purpose.  For example, when an employee who is authorized to access and use the employer’s computer-stored customer information for business purposes downloads the information to a thumb drive and shares it with a potential new employer, s/he plainly violates company policy.  But does s/he run afoul of the CFAA? Over time, a Circuit split has developed regarding this issue.

Van Buren is a criminal case in which Petitioner Nathan Van Buren, a police sergeant in Cumming, Georgia, was convicted of violating the CFAA.  The Eleventh Circuit affirmed his conviction and SCOTUS granted certiorari.  Briefly stated, as part of his duties Van Buren was granted authorized access to a database containing license plate and vehicle registration information maintained by the Georgia Crime Information Center (“GCIC”).  Training materials supplied to those with access to the GCIC database quite reasonably prohibit use of the database for personal purposes.  However, in return for cash payments, Van Buren agreed to, and did, use his authorized GCIC username and password to access a woman’s license and registration information in order to learn personal information about her on behalf of another individual.  There is no dispute that such use was not within the GCIC guidelines for authorized use. Accordingly, Van Buren used his authorized access to the GCIC database for an unauthorized purpose.  He was charged with, among other things, violating the CFAA.  He was convicted of the CFAA violation, sentenced to 18 months in prison, and he appealed.  The Eleventh Circuit court upheld the conviction, holding, based on precedent within the Circuit, that the unauthorized use of authorized access does constitute a violation of the CFAA.

Because Van Buren was not an outsider or other unauthorized user hacking into the GCIC database, his conviction under the CFAA turns on application of the facts to the CFAA’s prohibition on “exceeding authorized access.” The CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  18 U.S.C. 1030(e)(6) (emphasis added).  Generally, the First, Fifth, Seventh and Eleventh Circuits construe the definition broadly, finding CFAA violations against employees, for example, who access information they are entitled to obtain for certain purposes, but do so for unauthorized uses.  In other words, courts in those Circuits tend to focus on the purposes of authorized access and require computer users to stay within those purposes in order to avoid violations of the CFAA.  This interpretation would allow an employer to bring an action under the CFAA against an employee who, for example, misappropriates sensitive business information s/he was entitled to access as part of his or her job for use with a subsequent employer.  The Second, Fourth and Ninth Circuits, on the other hand, favor a narrower interpretation, in which there is no violation unless the accessed information at issue is, itself, not information the user is entitled to obtain or access at all.  Under that construction, an employee who obtains information from a database s/he is not otherwise permitted to use (e.g. restricted Human Resources information by someone not within the permitted sphere) would violate the CFAA while someone who misuses information s/he is otherwise entitled to access would not.

Van Buren is the first case to present the issue to SCOTUS.  Petitioner, with robust amici support from organizations like Reporters Committee for Freedom of the Press, National Whistleblower Center and technology companies, largely focused his arguments on the dangers of a “parade of horribles” that could arise from the broader interpretation. (See, e.g., Oral Argument at 8).  Petitioner posited that, for example, computer users who check Instagram on their work computers in violation of their employer’s computer use policies, or those who inflate their characteristics on a dating site, in violation of the stated terms of use of such sites, could be guilty of a federal crime should the Government choose to prosecute.  (Oral Argument 4, 22).  He argued that the CFAA is impermissibly vague and that any changes should be left to Congress.

The Government’s position that the CFAA should be broadly read was also supported by several amici, including the Electronic Privacy Information Center and the Digital Justice Foundation.  The Government contended that, pursuant to the definition, a user “exceeds authorized access” by accessing information that s/he did not have a right to access in the particular manner or circumstances used.  Thus, Van Buren violated the CFAA, according to the Government’s position, because he accessed the GCIC under circumstances other than for law enforcement purposes.  As part of its argument, the Government closely examined the meaning of the word “so” in the definition of “exceeds authorized access,” and contended that a person is “entitled so” to do something only when s/he has a right to do it in the particular manner or circumstance authorized.  Brief for the United States at 13.  Van Buren, on the other hand, contended that “so” refers only to “access[ing] a computer with authorization” such that an individual does not “exceed authorized access” if entitled to access the database in question at all. (Oral Argument at 21).

The questions from the Justices during oral argument closely followed those competing themes, further discussing the proper construction of the word “so,” and examining whether some of the more innocuous-sounding activities would actually constitute violations of the CFAA under the broader construction.  Some expressed concern about the privacy of the public if the CFAA is not construed to encompass, for example, government employees reviewing private information for purposes other than those called for in their jobs.  Oral Argument at 14.  Based on the overall tenor of the argument, SCOTUS may be prepared to agree with the more narrow interpretation currently favored by the Second, Fourth and Ninth Circuits, and to overturn Van Buren’s criminal conviction that turned on the broader interpretation. In any case, we will watch for a decision.

We have observed that use of the CFAA in civil cases has already diminished in the last four years.  Passage of the Defense of Trade Secrets provides access to federal courts in circumstances where the CFAA was used to create federal jurisdiction.  And as explained above, use of the CFAA in such cases has been curtailed in several Circuits. It will be interesting to see whether the SCOTUS decision in Van Buren further restricts its utility.


©2020 Epstein Becker & Green, P.C. All rights reserved.

The Legality of Loot Boxes: A Primer

What is a Loot Box?

Loot boxes are virtual items that may be redeemed to receive a randomized selection of additional virtual items. In some instances, they are free. In others, loot boxes can be a lucrative monetization mechanic. These random sets of virtual items can range from aesthetic items, which make something in the game look good (e.g., a visual customization for a player’s avatar or weapons), to functional items that improve in-game performance (e.g., weapons, power-ups, powers, etc.). Loot boxes can be “accessed” in a variety of ways, such as by earning access via game play or purchasing a “key” using virtual currency or real money to unlock the loot box.

Legal Considerations with Loot Boxes

With the proliferation of loot boxes over the past 15 years, the use of them in games has received increased attention from legislators, regulators and the plaintiffs’ bar. The primary legal issue is whether a loot box mechanic constitutes gambling. Other issues include whether the age rating of games with loot box mechanics should be impacted based on the inclusion of the game mechanic, and whether consumer protection laws require disclosure of the odds of obtaining certain virtual items through loot boxes. Some of these key issues are discussed below.

Gambling. There is a great debate about whether loot boxes constitute gambling. The gambling laws vary by country, and in the United States, by state as well. In the US, few if any laws specifically address gambling based on virtual items. At a high-level, an overly simplified definition of gambling involves: staking something of value (consideration) for a chance to win something of value (a prize). If all three elements are present in an activity (prize, chance, and consideration), it may be gambling.

Impact on Children. Content ratings typically indicate the appropriate age group for and type of content included in a video game. Some advocate that even if loot box mechanics are not gambling, they have an addictive effect and therefore this should be reflected in the game’s rating. Some commenters have suggested modifying the ESRB rating for games with loot boxes, for example by rating all such games as Mature or Adult Only, or by creating a new rating.

Disclosure Considerations

• Disclosure of Loot Box Odds. Currently, Apple and Google require all mobile apps that have loot boxes to disclose odds. By the end of 2020, Nintendo and similar companies manufacturing consoles are supposed to require disclosure of loot box odds for new games and existing games that add new loot box features. Many major game publishers have also committed to disclosing loot box odds by the end of 2020. Disclosure of loot box odds must be accurate and non-misleading to avoid an FTC Act Section 5 violation.

• In-Game Purchase Disclosures. In April 2020, the ESRB announced a new “Interactive Element,” a term used to describe disclosures for video games that highlight a game’s interactive or online features that may be of interest but do not influence a game’s rating. The “In-Game Purchases (Includes Random Items)” disclosure sits just below a game’s content rating and is assigned to any game that contains in-game offers to purchase digital goods or premiums with real world currency (or with virtual coins or other forms of in-game currency that can be purchased with real world currency) for which the player doesn’t know prior to purchase the specific digital goods or premiums they will be receiving (e.g., loot boxes, item packs, mystery awards).

• Content Creator Disclosures. With the rise of avid video game players livestreaming gameplay to followers, these players are reminded of the need to follow FTC Endorsement Guidelines. These guidelines require, among other things, disclosure of any material connections between the players and the products they are touting, such as compensation agreements.

Increasing Litigation from Consumers

The legality of loot boxes may be challenged through a variety of paths. For example, state attorneys general may bring criminal or civil actions, or aggrieved consumers may bring challenges directly under most states’ anti-gambling laws. Even if loot boxes are presumptively legal and do not constitute gambling under applicable law, consumers may bring lawsuits based on consumer protection or false advertising laws if they believe that the loot boxes are promoted in an arguably misleading way.

Several class action lawsuits have been brought recently in California against game developers, game publishers, and distributors of games. While some of the lawsuits have alleged violations of unfair competition laws by engaging in an “unlawful” business under the states’ gambling law, other cases claimed that the defendant misrepresented its marketing and selling of the loot box. We discussed one of those lawsuits in this post.

Regulatory Attention

Various federal, state, and foreign officials have proposed regulating loot boxes. In 2018, state legislatures in at least four states (California, Hawaii, Minnesota, and Washington) introduced bills aimed at regulating loot box sales. All failed to pass. At the federal level, the most notable effort to restrict loot boxes was “The Protecting Children from Abusive Games Act,” a 2019 bill introduced by Sen. Josh Hawley aimed at prohibiting loot boxes in any game played by minors (which we covered here). In August 2020, the FTC released a staff perspective paper in response to the workshop held a year prior in 2019 about loot boxes and microtransactions. The FTC paper summarizes key concerns from panelists and commenters about how loot boxes function, as well as recommendations to address the concerns.

There is no consistent approach internationally either, although many EU member states have released position papers within the last few years.

Loot Box Jurisdictions

Considerations to Help Mitigate Risk

  • Take steps to avoid creating a wager, chance or win/loss structure required for a finding of gambling
  • Accurately and transparently disclose the probability of winning
  • Consider substantial parental controls on loot box purchases made by minors
  • Ensure that there are minimal “fine print” terms or fees that consumers plausibly could contend are hidden or obscured
  • Develop and implement strategies for enforcement against unauthorized secondary markets that improperly sell your virtual items
Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.

Supreme Court Hears Oral Argument in Its First CFAA Case

On November 30, 2020, the Supreme Court held an oral argument in its first case interpreting the “unauthorized access” provision of the Computer Fraud and Abuse Act (CFAA). The CFAA in part prohibits knowingly accessing a computer “without authorization” or “exceeding authorized access” to a computer and thereby obtaining information and causing a “loss” under the statute. The case concerns an appeal of an Eleventh Circuit decision affirming the conviction of a police officer for violating the CFAA for accessing a police license plate database he was authorized to use but used instead for non-law enforcement purposes. (See U.S. v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019), pet. for cert. granted Van Buren v. U.S., No. 19-783 (Apr. 20, 2020)). The issue presented is: “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”

The defendant Van Buren argued that he is innocent because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason.  He contended that the CFAA was being interpreted too broadly and that such a precedent could subject individuals to criminal liability merely for violating corporate computer use policies. During oral argument, Van Buren’s counsel suggested that such a wide interpretation of the CFAA was turning the statute into a “sweeping Internet police mandate” and that the Court shouldn’t construe a statute “simply on the assumption the government will use it responsibly.”  In rebuttal, the Government countered that Van Buren’s misuse of access for personal gain was the type of “serious breaches of trust by insiders” that statutory language is designed to cover.

The CFAA does not define “authorization” (but courts have generally interpreted it to mean to access a computer with sanction or permission), but the Act defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). As we explained in our last post on the emerging CFAA issue, in the criminal context circuit courts are split on how to interpret the “unauthorized access” or “exceeding unauthorized access” provisions with respect to accessing a database with an improper purpose or against posted policies.

Although it is a criminal case, the Supreme Court has the opportunity to clarify the meaning of “exceeds authorized access” under the CFAA and perhaps bring more legal certainty to “unauthorized access” claims advanced against entities engaged in unwanted data scraping.  Interestingly, during oral argument, there was an exchange between the Deputy Solicitor General arguing on behalf of the Government and Chief Justice Roberts that touched on what “authorization” means with respect to public websites:

CHIEF JUSTICE ROBERTS: Mr. Feigin, is your friend correct that everyone who violates a website’s terms of service or a workplace computer use policy is violating the CFAA?

FEIGIN: Absolutely not, Your Honor. […] First of all, on the public website, that is not a system that requires authorization. It’s not one that uses required credentials that reflect some specific individualized consideration.

CHIEF JUSTICE ROBERTS: Okay. Then limit my — my question to any computer system where you have to, you know, log on.

FEIGIN: So, Your Honor, I don’t think all log – all systems that require you to log in would be authorization-based systems because what Congress was driving at here are inside –

CHIEF JUSTICE ROBERTS: All right. Well, then every — every system that has a password.

FEIGIN: No, Your Honor, and let me explain why. What Congress was aiming at here were people who were specifically trusted, people akin to employees, the kind of person you — that had actually been specifically considered and individually authorized.

While prognosticating on how the Court will rule based on the tone and substance of the oral argument is an inexact science, it appeared that the Justices encountered some difficulty parsing the ambiguity in the statute surrounding “authorization.”  Indeed, as Justice Alito commented: “Well, I find this a very difficult case to decide based on the briefs that we’ve received,” even adding that “I don’t really understand the potential scope of this statute, without having an idea about exactly what all of those terms mean.”  Thus, we will simply have to wait until next year to see how the Supreme Court interprets “exceeding authorized access.”

Final Thoughts

When first enacted in 1984 the CFAA was originally directed at serious “hacking” activities into government networks, inspired by the pre-digital era movie War Games, where a teenager hacks into the U.S. military missile system NORAD and nearly starts a global thermonuclear war while playing a simulated game with the computer (“Shall we play a game?”).  But we live in a different world now and the CFAA has also changed. Over the past three decades, Congress has expanded the statute and added a civil right of action, and technology and the way we store and access data have become more advanced.  As a result, the language of the CFAA is susceptible to broader application and has been brought to bear in many contexts beyond traditional outside hacking scenarios. With the Van Buren case, the Supreme Court has the opportunity to rule on the contours of “unauthorized access” and thus bring some clarity beyond the criminal context. However, criminal convictions present different equities than civil cases, and it remains to be seen if the Court’s opinion will resolve questions surrounding civil liability that we’ve been seeing in many scraping disputes, including the ongoing hiQ dispute (which itself is before the Supreme Court on a petition for cert.).


© 2020 Proskauer Rose LLP.


Happy Thanksgiving TCPAworld!: Here Are the Top 10 TCPA Stories to be Grateful For This Time of Year

I know that many of you have the sense that it’s all-bad-news-all-the-time around here and feel like there are simply no silver linings to be found– but there is ALWAYS something to be thankful for in life, and TCPAWorld is no exception.

And I know, I know, you’re all very thankful for the Czar– and I’m thankful for you too. But this isn’t a hugathon folks, it’s a learn-all-about-it-athon. So without further ado, here are the top 10 TCPA stories you should be thankful for this year:

No. 10: There’s a Great Book Out About the TCPA and It is Really Quite Funny

I know most of you spend those long winter nights catching up on old Unprecedented episodes with the family and perusing TCPAWorld stories you may have missed throughout the year, but you can add another festive activity to your eggnog-laden December evenings: reading Dennis Brown’s self-published TCPA masterpiece “Telephone Terrorism– The Story of Robocalls and the TCPA.”

Great book. Great subject matter. Really funny. The only downside is that it’s too quick of a read– I blew through it in a single afternoon and I was left wanting more.

Maybe 2021 will see the Czar writing his own TCPA novel? We’ll see if holiday wishes really do come true.

No. 9: At Least One Court Has Found that Knowledge of TCPA Violations Alone is not Enough to Hold a Corporate Officer Personally Liable for the TCPA

I’ve said it before and I’ll say it again– the rule holding corporate officers and employees personally liable for TCPA violations by the company is amongst the most unfair rules in the entire legal world. It makes no sense that folks trying to help companies comply with the TCPA might be held personally liable for accidental violations. Gross.

The Seventh Circuit Court of Appeals has pushed back a bit against this rule, however, and determined that mere knowledge of a TCPA violation alone does not trigger personal liability.

Given how disastrous personal liability can be for employees working for companies facing TCPA risk, any ruling ameliorating this profoundly unfair rule is truly something to be thankful for.

No. 8: Courts Are (Slowly) Catching on to the Idea that Responses to Consumer Requests for Information About a Product or Service Are Not Marketing Messages

The line between marketing and informational messages can sometimes be extremely blurry. And when you consider that courts are supposed to apply “common sense” in assessing whether a neutral message might yet have been sent with a “dual purpose” to market, or as a “pretext,” it starts to feel like determining if a message might be marketing is a bit of a crap shoot.

Still the law is slowly trending toward a workable framework in which responses to consumer requests for information are not treated as marketing (requiring WRITTEN consent)– but rather as informational calls (requiring the consumer to have merely supplied their phone number in requesting information.) This is a huge deal for direct mailers or advertisers that field massive numbers of inbound calls from consumers seeking information and then have to return those phone calls–often without express written consent. It’s also important for folks whose disclosures don’t quite live up to the letter of the law for marketing purposes. Either way it’s nice to see “common sense” is slowly starting to be applied with a little common sense.

No. 7: The FCC Clarifies that P2P Texting Does not Violate the TCPA– Sort Of

I remember reading the Marks ruling for the first time and getting extremely excited at the beginning of the ruling– when the Ninth Circuit held that the FCC’s earlier broad TCPA rulings had been set aside by ACA Int’l–only to have my excitement turn to shock and ultimately agony as I read the rest of the opinion.

Reading the FCC’s recent P2P rulings was a similar experience, only a bit watered down. The ruling was seemingly great for businesses and candidates using P2P text solutions, but somehow the language didn’t quite match what the ruling seemed to be saying– if you know what I mean. Read one way the ruling is a huge win authorizing P2P texts across the board. Read another way the ruling simply confirmed that texts launched by the manual entry of an entire phone number and an entire message didn’t violate the TCPA so long as the system didn’t otherwise have the capacity to act as an ATDS–which is not really very helpful at all.

While courts are struggling with what, exactly, the ruling means– we should all be thankful that the FCC certainly seems to have blessed P2P texting platforms, even if the language of the ruling is somewhat open to interpretation.

No. 6: Some Manufactured TCPA Lawsuits Are Getting the Boot

Ever since my huge win back in Stoops, manufactured TCPA lawsuits should be subject to dismissal. Unfortunately, TCPA defendants have–by and large–not leveraged the case properly, resulting in an avalanche of decisions distinguishing Stoops and allowing repeat TCPA litigators to continue to thrive in the courtroom.

But as two recent court decisions prove, leveraging Stoops properly can lead to big wins– such as where a Plaintiff engages in conduct designed specifically to attract more TCPA violations, or uses a business number specifically to set a trap for marketers. 

No. 5: TCPA Filings are Flat Year Over Year–And Declining

TCPA filings are up a meager 4% year to date over last year. There were a huge number of early-year filings, but they have mostly dwindled as the year has run on.

Indeed the last couple of months have seen a sharp decline in TCPA filings as Plaintiff’s lawyers keep their powder dry and await the big SCOTUS ATDS ruling. In fact, I have talked to a number of TCPA plaintiffs lawyers who openly admit they are holding on to TCPA suits that will be filed, if at all, only after the Supreme Court hands down its big Facebook ATDS ruling (more on that below).

Even if the low TCPA count this year might be a bit of a mirage–and TCPAWorld might be facing a huge surge next year–the brief respite is still something to be thankful for.

No. 4: The Eleventh Circuit Court of Appeals

One of the things callers should be MOST thankful for this year is that the entire Eleventh Circuit Court of Appeals woke up some sleepy Tuesday in September, went to its toolshed, found a flamethrower, and decided to torch TCPA class actions in the jurisdiction.

For about a year now the Eleventh Circuit has systematically dismantled the TCPA machine that had built up in Florida. It was a remarkable turn of events–worthy of its own TCPA novel– as the once-friendliest jurisdiction for TCPA suits flipped on a dime and became the ultimate Defense paradise.  

No. 3: Facebook Looks Like a Heavy Favorite to Win Its SCOTUS ATDS Appeal

Hopefully I didn’t just jinx them, but Facebook is really looking strong headed into oral argument on December 8, 2020. With Justice Barrett–the former Seventh Circuit Court of Appeals judge that wrote the defense-friendly Gadelhak decision— installed at the Supreme Court, Facebook is playing with a stacked deck. But the incredibly persuasive work by the U.S. Government (i.e. the Solicitor General’s office) is the real ace in the hole here.

The TCPAWorld.com probability dial–which once showed Duguid as a slight favorite following the AAPC ruling–is now suggesting an 85% chance of victory for Facebook. That’s a big swing in our analytic simulation model, which doesn’t actually exist.

And remember, if Facebook pulls it off it was all thanks to TCPAWorld.com convincing the Supremes to take the appeal in the first place. That’s how I remember it anyway.

No. 2: All Robocalling Sins Have Been Wiped Away for a Long Four Years –According to Some Courts Anyway 

Undoubtedly the biggest TCPA story of 2020 is the Supreme Court’s big ruling in AAPC and the profound impact it (may have) had on liability for calls made prior to July 6, 2020. 

Like so much else in TCPAWorld, the impact of AAPC turns on your point of view. From one perspective the Supreme Court ruling was a ho-hum decision isolating a single exemption for First Amendment review and severing it when things didn’t line up for it. From another perspective–mine–it was a free-speech-killing first-of-its-kind ruling that turned the First Amendment into an ironing board. But from another–critical–perspective it was a ruling in which the U.S. Supreme Court determined the entire TCPA was unconstitutional and had to save the enactment by severing a content-specific exemption.

This latter perspective is what animates two huge district court rulings that have determined that all calls made between November, 2015 and July, 2020 are simply not actionable. This is so because the TCPA was unconstitutional during that entire timeframe. This remarkable ruling means that the vast majority of calls made during the height of the Robocall epidemic of the 20teens are simply beyond the reach of plaintiff’s lawyers.

As I have suggested previously, by wiping out TRILLIONS in TCPA exposure the rule of Creasy and Lindenbaum amounts to one of the largest wealth transfers (or at least, risk write downs) in human history. These are remarkable rulings that are truly worth giving thanks for.

No. 1: TCPAWorld.com Keeps Cranking out the Must-Read Content– and the VIDEOS

Rather obviously the thing TCPAWorld denizens should be most thankful for this year-and every year–is the hard working team here at Squire Patton Boggs and TCPAWorld.com. Not only do we deliver great first-in-the-nation wins, we break down every TCPA story as it happens, virtually in real time. And we’re not going to stop any time soon.

Plus, when COVID hit we moved to VIDEO podcasts to better engage with you folks and have been pumping out free webinars and learning sessions to make sure that YOU are armed with the information you need to protect yourself in the turbulent TCPA world.

And of course, we do it all for free. With no barriers to content. No unnecessary sign ups. No advertising. No pop-up ads. No data sales. No nothing.

So when you raise your glass of cider over that delectable Thanksgiving feast on Thursday, you’ll be forgiven if TCPAWorld.com enters into the discussion of the list of things you’re most thankful for this year.

And we, of course, are endlessly thankful for each of you as well.

I guess this was a hugathon after all.

Stay grateful TCPAWorld.


© Copyright 2020 Squire Patton Boggs (US) LLP

CPSC Issues COVID-19 Consumer Products Guidance, Further Muddying the Regulatory Waters and Increasing Scrutiny of COVID-19 Products

As the COVID-19 pandemic continues, and with an incoming Biden administration that is expected to step up efforts to control the spread of the virus, use of personal protective equipment (“PPE”) and cleaning/disinfectant products has never been more important or widespread among the public.  However, in late October, the Consumer Product Safety Commission (“CPSC”) issued guidance on its website asserting that certain consumer protection rules within its jurisdiction apply to PPE, and reminding consumers of the CPSC laws that apply to cleaning/disinfectant products (the “COVID Guidance”).

The CPSC commissioners disagree about the import or official applicability of the COVID Guidance, and questions abound as to how it interplays with regulations issued by the U.S. Food and Drug Administration (“FDA”), including Emergency Use Authorizations (“EUA”), as well as EPA regulations on disinfectant products – not to mention how or whether the COVID Guidance impacts the protections afforded by the Public Readiness and Emergency Preparedness Act (the “PREP Act”).  But in any case, the guidance unquestionably heightens scrutiny around COVID-related products, and likely will give consumer plaintiffs’ attorneys additional lawsuit fodder – so manufacturers should understand it.

Broadly, the COVID Guidance covers two categories of products: face coverings, gowns, and gloves (i.e., PPE); and cleaning/disinfectant products.

Face Coverings, Gowns, and Gloves

Under the COVID Guidance, face coverings, gowns, and gloves designed for consumer use are considered “articles of wearing apparel” and therefore must (1) comply with the flammability requirements of the Flammable Fabrics Act; and (2) be tested to either 16 C.F.R. Part 1610 (Standard for the Flammability of Clothing Textiles) or Part 1611 (Standard for the Flammability of Vinyl Plastic Film), depending on the materials used for construction.  Further, U.S. manufacturers and importers of these products must issue a General Certificate of Conformity (“GCC”) certifying that these clothing articles meet all applicable requirements.

The COVID Guidance imposes additional requirements for PPE apparel designed specifically for children’s use (i.e., ages 12 and under).  Under the Consumer Product Safety Act (“CPSA”), all children’s products must bear permanent tracking information, meet total lead content limits, and meet lead in paint or similar surface coating limits (if either a paint or surface coating is present on the product).  Product testing must take place at a CPSC-accepted testing lab, and U.S. manufacturers/importers of these products must also issue a Children’s Product Certificate.

Cleaning Solutions

Household cleaning solutions – for example, hand sanitizers and soaps – are primarily regulated by the FDA, but also fall under the jurisdiction of the CPSC if they constitute a “hazardous substance” under the Federal Hazardous Substances Act (“FHSA”).  Generally, the FHSA defines a “hazardous substance” as (1) a substance (or mixture of substances) that may cause substantial personal injury or substantial illness during customary or reasonably foreseeable handling or use, including reasonably foreseeable ingestion by children; and (2) the substance (or mixture of substances) is toxic, corrosive, an irritant, a strong sensitizer, is flammable or combustible, or generates pressure through decomposition, heat, or other means.  The FHSA requires that hazardous substances bear prominent warnings on their labels – for example, “KEEP OUT OF REACH OF CHILDREN,” “DANGER”, and “HARMFUL OR FATAL IF SWALLOWED,” among others.


© 2020 Foley & Lardner LLP

“Jury Trials are Innately Human Experiences.”

Judge Rodney Gilstrap of the US District Court for the Eastern District of Texas has capitulated, postponing his upcoming trials until March. His order includes some interesting commentary in the footnotes.

Of remote proceedings, Judge Gilstrap writes:

This approach, while adequate in a strict sense, allowed the Court to move forward virtually, albeit with regularly unwelcomed losses of audio, video, or both, including unfixable lagtime between audio and video where lips would move. . . lips would stop . . . and sound would follow. The virtual proceedings detracted from the typical administration of justice, depriving the Court of the ability to observe such critical factors as intonation, body-language, attitude, demeanor, and similar vocal and other physical nuance and those quasi-intangibles that normally breathe life and meaning into the written briefing filed on the docket. This approach also unavoidably hampered the Court’s ability to interject questions and have an easy dialogue with counsel. In some instances, virtual proceedings before this Court were infected by the necessarily casual features of home life, such as intrusions of advocates’ spouses, children, and family pets. While such happenings may be an increasing norm of remote work in many contexts, they stand in stark contrast to the formality and solemnity in which Court proceedings traditionally are and must be conducted. Such problems are only magnified in complex proceedings with many moving parts.

On the safety precautions he had put in place for his pandemic trials, Judge Gilstrap writes:

These safety protocols included but were not limited to: taking temperatures of all entrants to court facilities; requiring masks and in some cases gloves; installing industrial air filtration devices in courtrooms; spacing in-person lawyers, parties, witnesses and jurors; installing plexiglass barriers around witness stands, jury boxes and elsewhere; limiting the number of participants physically present in court; periodic and repeated deep cleaning of jury rooms, restrooms and other common facilities; written questionnaires to venire members regarding their personal circumstances related to the virus sent and answered prior to their appearance; sequestering of jurors and providing individualized meals during trials to avoid exposure within communities during lunch breaks; and myriad other measures.

For Judge Gilstrap, remote trials are not a viable solution. He writes: “While some motion practice may be adequately addressed via virtual proceedings, the Court believes that the fair adjudication of the rights of the parties, as envisioned by the Framers and embodied in the Sixth and Seventh Amendments.” Then comes this footnote:

Jury trials are innately human experiences. More is often communicated in a courtroom non-verbally than verbally. Such a human experience must allow for the look and feel of direct human interaction. Such factors as cadence, tone, inflection, delivery, and facial expression are as vital to due process as is the applicable statute or case law. When Daniel Webster argued the Dartmouth College case, John Marshall cried from the bench. Trustees of Dartmouth College v. Woodward, 17 U.S. 518 (1819). Our history is replete with such examples of the humanity engrained in the American jury trial. This Court is persuaded that the remote, sterile, and disjointed reality of virtual proceedings cannot at present replicate the totality of human experience embodied in and required by our Sixth and Seventh Amendments.


© 2020 McDermott Will & Emery

Opioids, Sober Homes and “Telefraud”: An Overview of the DOJ 2020 Healthcare Fraud Takedown

In September 2020, the U.S. Department of Justice (“DOJ”) and the U.S. Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) announced their annual healthcare-related “takedown.” The takedown, which involved enforcement actions that actually occurred over numerous months preceding the press event (and as such, the reference to a “takedown” is a misnomer), targeted alleged schemes that related to opioid distribution, substance abuse treatment facilities (“sober homes”), and telehealth providers, the latter of which served as the focus of the enforcement activity. In all, 345 defendants across 51 judicial districts were charged with allegedly submitting more than $6 billion in false and fraudulent claims to federal health care programs and to private payers, and almost 75% of that amount involved telefraud.

As we have previously reported, opioids have been a large focus of DOJ in the past few years in an attempt to stem the opioid epidemic through increased enforcement and this takedown is a continuation of those efforts. DOJ stated that the charges involved in the opioid-related takedown involved the submission of $800 million in false and fraudulent claims to Medicare, Medicaid, TRICARE, and private insurance companies for treatments that were allegedly medically unnecessary and often never provided. DOJ also continued the trend of charging medical professionals with the illegal distribution of opioids (or operating pill mills). Providers need to be mindful of safe opioid prescribing guidelines, develop and implement rigorous compliance programs, and keep up to date on ever shifting federal and state laws in this area.

Tied into the opioid crisis has been the rise in popularity of treatment for drug and/or alcohol addiction as well as the necessary costs of testing and treatment of those patients. The “sober homes” cases announced by DOJ include charges against more than a dozen individuals in connection with more than $845 million of allegedly false and fraudulent claims for tests and treatments. The subjects of the charges include physicians, owners and operators of substance abuse treatment facilities, as well as patient recruiters. Those providers in the substance abuse treatment space should be mindful of providing appropriate utilization of therapies and tests and actively monitor their patient generation/marketing activities for fraud and abuse implications.

Over the past few years, we have been predicting that telehealth is ripe for enforcement. Although we have seen enforcement activity involving telehealth providers in the past, this is the first time that DOJ/HHS has focused so sharply on telehealth providers as the target of a major takedown. The 2020 Takedown is a warning to those in the telehealth industry to pay special attention to compliance infrastructures and efforts especially as use of telehealth to serve patients expands, and related regulations loosen in light of the COVID-19 pandemic.


©2020 Epstein Becker & Green, P.C. All rights reserved.

Supreme Court Considers Religious Exemptions to Nondiscrimination Laws

On November 4, the Supreme Court heard oral arguments in Fulton v. City of Philadelphia, the most recent case to address how the First Amendment’s Religious Free Exercise Clause interacts with antidiscrimination laws as applied to religious entities. The case centers on foster care and certification of couples to be foster parents, but the case could have wide-ranging impacts on public accommodation and employment law, especially in the field of government contracts.

When the City of Philadelphia’s Department of Human Services removes children from their parents’ homes, it seeks to place those children temporarily with foster parents. But the city does not find those foster parents itself. Rather, it contracts with private agencies like Catholic Social Services to find suitable foster parents. The private organizations are responsible for doing home visits and the other steps necessary to approve individuals and couples as foster parents, and the city pays them for these services. In 2018, Catholic Social Services admitted to the City that it would not consider any same-sex couples as potential foster parents, which the City concluded was a violation of both its Fair Practices Ordinance and the terms of the contract between the City and Catholic Social Services. Thus, the City stated that it would only renew Catholic Social Services’ contract for certifying foster parents if the organization agreed to consider same-sex couples on the same grounds as opposite-sex couples. Catholic Social Services refused and sued the City, claiming that the City infringed on its right to free exercise of religion under the First Amendment.

The City won in both the federal district and appeals courts, and the Supreme Court agreed to hear the case to answer three questions relating to what a free exercise plaintiff must prove to win a discrimination case, whether the Supreme Court should overturn its prior case Employment Division v. Smith, and what conditions a government agency can place on its contracts with private agencies.

Employment Division v. Smith and the Current State of Free Exercise Law

Employment Division v. Smith, decided in 1990, dealt with two men who were fired from their jobs at a drug rehabilitation center because they had used peyote, which was against state law, and were then denied unemployment benefits since they had been fired for misconduct. But the men had used peyote as part of a religious ceremony, and claimed that the state violated the First Amendment when it denied them unemployment benefits based on their religious use of peyote. In an opinion written by Justice Scalia, the Supreme Court held that the Free Exercise Clause of the First Amendment prohibited governments from singling out religious conduct for regulation, but did not require governments to create religious exemptions from all of its laws. As long as the law was generally applicable to all religious and non-religious individuals alike, and neutral toward religion, meaning not intended to interfere with religious practice, the law met the requirements of the Free Exercise Clause. In other words, as long as Oregon’s peyote ban applied to all citizens, not just members of a certain religious group, and as long as that law was written for a neutral reason like promoting health and safety as opposed to a legislative desire to stop a religious practice, the law was constitutional and could be applied to both religious and non-religious individuals. The fact that the law incidentally infringed on religious practice did not make it invalid.

Congress responded to Employment Division v. Smith by passing the Religious Freedom Restoration Act of 1993, or RFRA. This bill stated that the “Government shall not substantially burden a person’s exercise of religion even if the burden results from a rule of general applicability.” It introduced a requirement that a person with a religious objection to a law must be exempted from that law unless the government had a compelling interest in passing the law, and the law was the least restrictive means of achieving that goal. This test is known as strict scrutiny, and is very difficult to meet, although religious employers do not always win when they invoke RFRA. For example, in Bostock v. Clayton County, Georgia, where the Supreme Court held that Title VII prohibits employers from discriminating on the basis of sexual orientation or gender identity, one of the employers had made a RFRA claim which failed in the lower court because Title VII did not substantially burden the employer’s religious exercise and met strict scrutiny regardless. Additionally, many federal circuits only apply RFRA to cases in which the federal government is a party, such as when the Equal Employment Opportunity Commission brings the action to enforce Title VII, but not when a private employee files the lawsuit.

While RFRA originally applied to both state and federal laws, the Supreme Court later said that it could only apply to federal laws. This meant that while federal laws would have to either meet RFRA’s strict scrutiny test or create religious exemptions, state laws only had to meet Employment Division v. Smith’s test that they be neutral toward religion and generally applicable to everyone—or whatever higher standard the state sets for its own laws.

Revisiting Employment Division v. Smith

In Fulton v. City of Philadelphia, both sides argue that they can win under Employment Division v. Smith. The City of Philadelphia argues that its requirements that foster care agencies not discriminate against potential parents based on sexual orientation, as contained in its Fair Practices Ordinance and the service contracts, are generally applicable to all foster care agencies, and have the neutral goal of stopping discrimination as opposed to infringing on religious practice. Catholic Social Services claims that the nondiscrimination provisions are intended to infringe on religious practices, and that they are not generally applied by the city, which allows foster care agencies to consider other protected categories like race and disability in narrow circumstances, but does not provide an exception to the sexual orientation nondiscrimination policy for religious objectors.

But in the event that argument fails, Catholic Social Services also asked the Supreme Court to revisit its decision in Employment Division v. Smith, and to replace that precedent with the strict scrutiny standard established by RFRA. A decision by the Supreme Court that the First Amendment requires religious exemptions from neutral laws of general applicability unless the law is the least restrictive means of serving a compelling governmental interest would not only extend the strict scrutiny test to state and local laws like the Philadelphia Fair Practices Ordinance, it would elevate it from a legislative mandate that any future Congress can overturn to a constitutional holding that only the Supreme Court or a constitutional amendment could undo. It would also go against legislative and judicial history tracing back to our country’s founding, which traditionally indicates that the Free Exercise Clause does not require religious exemptions from neutral and generally applicable laws, as First Amendment scholars argued in an amicus brief, and as Justice Scalia noted in Employment Division v. Smith itself.

Control over Government Contracts

Another dimension of the Fulton v. City of Philadelphia case is that the City is acting not only as a regulator enforcing its Fair Practices Ordinance, but also as a market participant paying—or not paying—Catholic Social Services to perform a vital function on behalf of the city government. And the Supreme Court has stated in various cases that a government has the power to decide how it wants its work to be carried out by private contractors, even if there is some conflict with religious exercise. So, if that principle is followed, even if the Fair Practices Ordinance were required to include an exemption for those who religiously oppose same-sex marriage, the City could still grant contracts for its foster care program only to those organizations that agree not to discriminate against same-sex couples. Catholic Social Services argues that this too would violate the First Amendment, and that governments must grant exceptions to contractors based on honestly held religious beliefs.

Possible Impacts of Fulton v. City of Philadelphia on Employment Law

With a six to three conservative majority on the high Court, it is likely that Catholic Social Services will win this case, although it is far from clear on what ground the Court will base its decision. At oral argument the Justices spent little time asking about whether they should overrule Employment Division v. Smith, which indicates that they may take a more moderate approach such as narrowing the situations in which Smith applies or introducing some sort of balancing test for courts to apply when religious beliefs conflict with nondiscrimination laws. But whatever ground it rules on, the decision is likely to chip away at employment protections for workers in at least some contexts, as the decision will apply not only to organizations discriminating against clients, but also to employers discriminating against employees, based on their religious beliefs.

A full overruling of Smith would mean that all state, local, and federal employment nondiscrimination laws must include exemptions for religious employers based on their firmly held religious beliefs. A ruling that governments must provide such exceptions in their contracts with private entities would allow greater discrimination in a huge portion of the economy. In fiscal year 2019 the federal government entered into nearly six million contracts for services from private entities, spending almost $600 billion on those contracts. The federal, state, and local governments contract with private entities for a huge range of things, from production of military supplies and energy to provision of day care through Head Start and running private prisons. As a group of businesses ranging from tech giants Apple and Google to retailers Macy’s and Levi Strauss argued in an amicus brief, a ruling for Catholic Social Services could create unfair competition for government contracts where employers with religious objections—ranging from entities like Catholic Social Services, which is run by the Archdiocese of Philadelphia, to corporations like Hobby Lobby that are owned by a small number of religious adherents—are not required to comply with all neutral laws, and could make it difficult to recruit employees to locations where those employees might be denied public services by the only government contractor in town. And as 160 members of Congress argued, an expansion of religious exemptions would greatly infringe on Congress’s ability to eradicate discrimination, especially in the contracts it funds through taxpayer money.

And as the City of Philadelphia stressed at oral argument, these exemptions for religious employers and service providers would not only pertain to sexual orientation discrimination. Rather, religious entities would be allowed to discriminate against employees and clients based on any sincerely held religious belief, including beliefs about the superiority of certain religions, genders, or races. And while everyone was in agreement that the government has a compelling interest in eradicating racial discrimination, meaning that a ban on race discrimination would pass strict scrutiny against religious objections, the attorneys representing Catholic Social Services would not state whether the government had a compelling interest in eradicating other forms of discrimination, a question that is less clear from prior Supreme Court cases. The Supreme Court’s decisions on the “Ministerial Exception” already allow religious employers to discriminate on any grounds against those employees they consider ministers, such as teachers in a Catholic school who play a role in spreading the faith, but this decision could expand the license to discriminate beyond those who qualify as “ministers.” The Supreme Court explicitly declined to address the employer’s religious objections to Title VII in Bostock v. Clayton County, Georgia, but a ruling in Fulton could fill in that gap now that the question of religious objections to neutral laws is properly before the Court.

Decisions from the Supreme Court involving LGBTQ rights typically come out at the end of the term in June, but the Court’s decision could be published any time between now and then.


Katz, Marshall & Banks, LLP

UK Settlement Highlights International Enforcement Linked to “Car Wash” Investigation

The UK Serious Fraud Office (the “SFO”) has reached a £1.2 million civil recovery settlement with Julio Faerman, a Brazilian national linked to the sprawling “Operation Car Wash” investigation involving the Brazilian state-owned oil company, Petrobras.

During its investigation into Faerman, the SFO obtained a freezing order and a disclosure order and was successful in resisting an application to set these aside despite some fairly significant procedural failings.

The settlement is a tangible demonstration of the SFO’s ongoing cooperation with Brazilian and other international law-enforcement counterparts. It also highlights the continued prominence of Brazil and Latin America in international anti-corruption enforcement.

Operation Car Wash (Lava Jato)

Operation Car Wash began in March 2014 and revealed that Petrobras officials, acting in concert with Brazil’s largest construction companies, engaged in a massive bribery scheme which facilitated the payment of hundreds of millions of dollars in bribes to Brazilian politicians through elaborate kickback schemes with contractors and suppliers. To date, the investigation has resulted in prison sentences for nearly 300 individuals and billions of dollars in fines and financial settlements with companies involved.1

Faerman acted as the Brazilian agent for the Dutch oil services company SBM Offshore NV. As part of a 2016 settlement with the Brazilian Public Prosecutor (MPF), Faerman admitted paying bribes to win lucrative Petrobras contracts. The Brazilian Authorities and media sources have suggested that Faerman also acted for other foreign companies implicated in Operation Car Wash, including Rolls-Royce, General Electric and the Norwegian company, Vertech.2

Faerman continues to be subject to a cooperation agreement with the Brazilian Authorities and paid a financial settlement of USD 54 million in 2016. Faerman is a Brazilian resident and is believed to be in custody there.

UK Civil Recovery Proceedings

Following the Brazilian settlement, the SFO opened its own civil recovery investigation into Faerman’s UK assets, which it suspected had been acquired with the proceeds of crime. The SFO investigation focused on a £4.25 million apartment located in Kensington, London as well as Swiss bank accounts and offshore vehicles, which it believed funded the purchase.

On 29 January 2019, following an oral hearing conducted in private and without notice, the SFO obtained a freezing order on the Kensington property, to prevent it being sold while the investigation proceeded. The SFO also obtained a Disclosure Order under the Proceeds of Crime Act 2002 (the “Order”) to enable the tracing of bribe-linked commissions paid to Faerman and to demonstrate that he used these sums to part-fund the purchase of the property. On 29 March, after a further application made without notice, both orders were amended to allow service on Faerman’s English and Brazilian lawyers in circumstances where personal service was possible but considered impractical.3

By letter to Faerman’s lawyers dated 3 May, the SFO served the Order, which contained a penal notice addressed to “Julio Faerman or any person served with a notice under this order” which set out potential criminal sanctions for failure to comply. On 25 July, the SFO served the Order again requesting the origin of certain funds. The copy of the Order attached to the second letter had the entire penal notice redacted. It was otherwise in the same mandatory terms.4

On 25 September 2019, Faerman’s solicitors objected on the basis that the SFO are not authorised to issue an information notice to someone outside the jurisdiction. On 5 November, the SFO responded, clarifying that they were aware that they could not force compliance and were requesting the information on a voluntary basis.

Faerman refused to provide the information requested and made an application to discharge the Order as unauthorised and defective, as the SFO could not properly serve an enforceable information notice on him or any other persons overseas, citing the judgment of the UK Supreme Court in Perry.5  Further, Faerman argued that the SFO’s failure to bring the Supreme Court’s decision in Perry to the attention of the judge in the ex parte hearing constituted material non-disclosure and an abuse of the disclosure order procedure.

Despite acknowledging procedural failings by the SFO, Mrs Justice Cutts CDE dismissed Faerman’s application to discharge the Order on 10 July 2020. The Judge took the view that even if the judgment in Perry had been disclosed, the SFO’s application would nonetheless have been granted, albeit with a clarification that no information notice could be served on Faerman outside the jurisdiction. She considered that the SFO had not acted in bad faith, that Faerman had suffered no prejudice (because he had not supplied any information) and that there was a clear and compelling public interest in maintaining the Order.6

On 29 October 2020, the SFO signed a settlement agreement with Faerman. Under the terms of the settlement, the property freezing order and disclosure order will remain in place until Faerman pays the settlement amount of £1.2 million and £57,000 in SFO costs.7

International Cooperation

In announcing the Faerman settlement, the SFO recognised assistance received from the Office of the Attorney General of Switzerland (OAG) and the Dutch Investigation Service (FIOD). The SFO also has a strong working relationship with the Brazilian Authorities, as demonstrated by the £497 million Rolls Royce Deferred Prosecution Agreement from January 2017, which was accompanied by parallel settlements with the Brazilian MPF and the US Department of Justice (DOJ).8

International cooperation has been a critical feature of Operation Car Wash and looks set to continue. The Brazilian Authorities have communicated with law enforcement authorities in 61 jurisdictions. The Brazilian MPF has requested assistance from the SFO on 16 occasions as part of the Car Wash Investigation alone. It has also received three requests for cooperation from the SFO as it continues to pursue its own investigations relating to that case. The MPF’s cooperation with the US DOJ is even more active with 58 requests made and 21 received to date.9

Looking Forward

It has been reported that Operation Car Wash is now encountering greater domestic resistance due to opposition from the Brazilian Congress, Supreme Court and officials close to President Jair Bolsonaro10. It is important to recognise, however, that the investigation has already been extraordinarily successful, continues to enjoy widespread popular support and has made Brazilian anti-corruption enforcement relevant on the international stage. Due to the enormous international scope of the investigation, the volume of information obtained through cooperating witnesses and the number of implicated companies and individuals, domestic and international enforcement will continue for the foreseeable future.


1   http://www.mpf.mp.br/grandes-casos/lava-jato/resultados

2   https://globalinvestigationsreview.com/rolls-royce-caught-in-cgu-petrobras-investigation

3   [2020] EWHC 1849 (Admin) – https://www.bailii.org/ew/cases/EWHC/Admin/2020/1849.html

4   Ibid.

5   [2012] UKSC 35

6   [2020] EWHC 1849 (Admin) – https://www.bailii.org/ew/cases/EWHC/Admin/2020/1849.html

7   https://www.sfo.gov.uk/download/sfo-v-faerman-signed-order/

8   https://www.sfo.gov.uk/2017/01/17/sfo-completes-497-25m-deferred-prosecution-agreement-rolls-royce-plc

9   http://www.mpf.mp.br/grandes-casos/lava-jato/efeitos-no-exterior

10 https://www.ft.com/content/8f79871f-9dc4-4a97-9b26-79a7a9c2bf32

© Copyright 2020 Cadwalader, Wickersham & Taft LLP

FTC Settlement with Zoom Concerning Alleged Data-Security Lapses

On November 9, 2020, the United States Federal Trade Commission (FTC) announced that it had entered into a consent agreement, subject to final approval, with videoconferencing company Zoom Video Communications, Inc. (Zoom). The consent agreement settles allegations that Zoom engaged in a series of deceptive and unfair practices that undermined the security of its users. The Commission voted 3–2 to accept the settlement, with Commissioners Chopra and Slaughter voting no and issuing dissenting statements asserting that the FTC’s action did not go far enough.

While the FTC generally does not identify what triggers a law enforcement action, there have been many news articles and a number of class actions filed in connection with Zoom’s data-security practices over the past six months that likely led to this action.

According to the complaint accompanying the consent agreement, the number of daily Zoom meetings grew from approximately 10 million in December 2019 to 300 million in April 2020. Zoom allows users to have one-on-one and group meetings, and users can also chat with others in the meeting, share their screens, and record videoconferences, among other things. Given the sensitive information that is often shared during a Zoom meeting—such as financial information, health information, proprietary business information, and trade secrets—appropriate data security is critical.

According to the FTC’s complaint, Zoom made numerous prominent representations touting the strength of its privacy and security measures employed to protect users’ personal information. These representations included claims relating to end-to-end encryption, as well as claims regarding the level of encryption. In addition, the complaint alleged that Zoom made deceptive claims regarding the secure storage for Zoom meeting recordings. The complaint also alleged that Zoom compromised the security of some users when it installed software called a ZoomOpener web server, which allowed Zoom to automatically launch and have a user join a meeting by bypassing an Apple Safari browser safeguard, which would have provided users with a warning box prior to launching the Zoom app.

The proposed settlement is consistent with many of the FTC’s recent data-security settlements and includes several of the newer provisions designed to strengthen such settlements. Specifically, the proposed settlement prohibits Zoom from misrepresenting its privacy and security practices in the future and requires Zoom to do the following:

  • Establish, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of covered information, such as:
    • Security review for all new software
    • A vulnerability-management program for its internal networks
    • Security training for employees
    • Inventorying personal information stored in systems
    • Implementing data-deletion policies and other specific security measures, such as proper network segmentation and remote-access authentication
  • Obtain an initial security assessment and biennial data-security assessments for twenty years from an independent third-party assessor.
  • Submit an annual certification from a senior corporate manager that it has implemented the requirements of this order.
  • Submit a report to the FTC upon the discovery of any covered incident. A covered incident is defined as an incident in which personal information is accessed or acquired without authorization and that requires reporting to any government entity.

As with a number of high-profile privacy or data-security settlements, the FTC’s Commissioners issued several separate statements expressing their views and their visions for the FTC’s privacy and data security program.

Notably, Commissioner Chopra issued a nine-page dissenting statement expressing concern with companies that, in the interest of acting and growing quickly, engage in deceptive practices, which he believes harm consumers and competition. Commissioner Chopra criticized the consent agreement because in his view it does not help affected parties, it does not include a monetary penalty, and thus it does not provide for meaningful accountability for Zoom. Finally, Commissioner Chopra stated that he believes that the Zoom settlement undermines the Commission’s effort to receive more authority from Congress to protect personal information.

Commissioner Slaughter also dissented, focusing her dissenting statement on her belief that the Commission’s action does not address robustly enough the privacy issues connected to Zoom’s actions. In addition, Commissioner Slaughter took issue with the settlement’s failure to provide recourse for consumers.

The majority, Chairman Simons and Commissioners Phillips and Wilson, issued a statement indicating that they felt that the proposed relief “appropriately addresses the conduct alleged in the complaint and is an effective, efficient resolution of this investigation.”


© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.