The National Law Forum

The European Union’s General Data Protection Regulation, or GDPR, went into effect on May 25, 2018.  These regulations apply to companies doing business in the European Union or to companies who have data of EU citizens for any reason, demanding compliance with stringent, uniform data regulations. GDPR creates a brand new framework with high expectations for the companies that it impacts. For many companies, compliance with GDPR is daunting.  Tanya Forsheit, Chair of the Privacy & Data Security Group at top law firm Frankfurt Kurnit Klein + Selz, a privacy and cybersecurity attorney with over 20 years of experience advising on these issues, says, “GDPR is completely different than anything we have in the US. There is really no comparison in the US to the GDPR.”

Forsheit elaborates: “GDPR requires companies who are subject to it to have very robust that allow individuals, consumers, employers to certain rights to access their data, to see their data, where it goes and how it is used.”  In many ways, GDPR was a wake-up call to companies–and in order to comply, the companies had to take a hard look at their data flows and processes.  Additionally, Forsheit points out, “Under GDPR, you don’t do anything unless you have a lawful basis for processing the data, or consent from individuals to do certain kinds of things, requiring a legitimate interest.”  Anything else–all the different ways data can be parsed and put to work, requires affirmative consent.  (For more information on consent under GDPR, check out our article GDPR on Consent)

Data Breaches: Inevitable?

Even before GDPR, companies lived in fear of a data breach.  Consumers are more sensitive to the cybersecurity of the companies that they interact with, and large companies have felt consequences–litigation, as well as a lack of trust and a decline in the public’s willingness to offer up their information of these data breaches.  With the increasing prevalence of our lives online, and the value of information has increased–hackers and data breaches are a part of doing business in today’s world.  In many instances, data breaches aren’t a matter of “if” anymore, it’s a matter of “when.”

In response, companies have begun to create cybersecurity action plans to streamline a response to a data breach incident.  In the United States, many states have implemented legislation requiring companies to inform consumers of data breach incidents within a set timeframe upon discovery of the incident.  As of now, all 50 states have a data breach notification law—Forsheit says, “US has had data breach laws since 2003, California was first, Alabama was the last” and the result is a patchwork of regulations companies must follow to remain compliant in the event of a data breach.

GDPR on Data Breach Notification: A High Standard

However, GDPR has kicked things up a notch by creating a sense of urgency with data breaches, requiring a 72 hour notice period after discovery of the breach. Data Breach notification under GDPR creates a high standard for notifying individuals of a data breach.  Article 33 of GDPR states the data breach notification requirements as:

• In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
• The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

GDPR  goes on to explain that the notification of the data breach to the regulating authority should include broad information about who was affected by the breach as well as approximate numbers of records concerned, and the contact information for a point of contact where the regulator can obtain more information. Additionally, the data controller should also provide the possible consequences of the data breach, as well as efforts taken by the controller to rectify the situation, including any mitigating offers to those affected by the breach. If this information is not available immediately, it should be provided in phases in a timely manner. (For a discussion of some of the terms related to GDPR, please see our article on GDPR compliance.)

In some ways, the US is prepared for the data breach notification provision under GDPR.  Forsheit says, “We do have those kinds [data breach notification]  obligations under state laws, so that part of it is not new, however, it is completely different under GDPR.  GDPR has a 72 hour notification regulation to regulators, while in the US you must notify individuals.”  Additionally, GDPR has the wrinkle of not requiring notification if  “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” requiring an additional level of analysis.

The Wisdom of a Cyber-Incident Plan

These factors increase the importance of a Cyber-Incident Response Plan for companies and organizations. Forsheit says that many cyber-insurance providers require an incident plan before offering coverage.  With GDPR, such plans have only become more important.

A cybersecurity incident plan should start at the beginning, and outline the way that a data breach will be detected or even what constitutes a data breach. Forsheit also says a cybersecurity response plan should contain information on what to do when a breach is discovered, who to call, what vendors to contact and perhaps even have plans in place or companies on retainer for such an incident to avoid confusion and to save time.  Forsheit says, “There are benefits to negotiating with vendors before you have a problem.” A bit of preparation can be helpful during a stressful situation, and having a plan in place can help eliminate mistakes.  For more information on Cybersecurity response plans and their key components, check out our article Preparation and Practice: Keys to Responding to a Cyber Security Incident.

In the latest decision in the concerning standing in data breach cases, the Fourth Circuit has vacated a district court’s dismissal and reinstated putative class action data breach litigation against the  National Board of Examiners in Optometry Inc.,. (“NBEO”).  In Hutton v. National Board of Examiners in Optometry, Inc., the court ruled that the plaintiffs alleged sufficient injury to meet the Article III standing requirement by virtue of hackers’ theft and misuse of plaintiffs personally identifiable information (“PII”), notwithstanding the absence of any allegation that the misuse had resulted in pecuniary loss to the plaintiffs.  In so ruling, the Fourth Circuit struck a middle course on the question of when misuse of sensitive PII results in a sufficient injury to confer standing to sue in federal court.

Plaintiffs in Hutton were optometrist members of the defendant NBEO.  They brought the lawsuit after NBEO members learned that credit cards had been opened in their names.  Doing so required access to PII, including members’ correct social security numbers and birthdates.  Members surmised that the NBEO, which collected such PII from its members, was the likely source of the PII used to open the credit cards, and the lawsuit ensued.

NBEO moved to dismiss, arguing that because plaintiffs were held harmless for the fraudulent credit card accounts, they had suffered no injury as a result of the data theft and, therefore, lacked standing to sue.  The trial judge in the District of Maryland agreed, and dismissed plaintiffs’ claims.  In order to establish Article III standing, the district court reasoned, a plaintiff must have suffered an injury that is concrete and actual or imminent, is traceable to the defendant, and is remediable by a favorable judicial decision. The court found that the plaintiffs were not injured because they neither incurred fraudulent charges nor had been denied credit. Applying reasoning from a prior Fourth Circuit decision, Beck v. McDonald, the trial court concluded that although the plaintiffs’ PII was compromised, it was not accompanied by misuse and, therefore, plaintiffs failed to satisfy the injury-in-fact requirement for standing.

On appeal, the Fourth Circuit rejected the lower court’s finding that the plaintiffs suffered no injury. The appellate panel distinguished this case from Beck, focusing on the plaintiffs’ allegations that they were victims of identity theft and credit card fraud. The appellate panel in Hutton found that identity theft and credit card fraud constituted misuse of the compromised personal information sufficient to satisfy the injury requirement of Article III standing. Furthermore, the court recognized that the plaintiffs incurred out-of-pocket expenses related to the effects of the data breach. The court found that these costs further supported that the plaintiffs’ have standing.

The result falls somewhere in the middle of the divide among the federal appellate circuits as to whether stolen PII results in a sufficient injury to give rise to standing. The D.C. Circuit recently aligned with the Sixth, Seventh, and Ninth Circuits, which have held that the threat of misuse of personal data is an injury sufficient to confer standing. The Second, Third, and Eighth Circuits, however, require actual misuse of personal information in order for a plaintiff to establish standing. Hutton reinforces the Fourth Circuit stance that misuse must accompany the compromise of personal data, but departs from other circuits requiring misuse in that there need not be any pecuniary loss for the misuse to confer standing.  The inconvenience of having to rectify fraudulent credit card accounts was deemed sufficient injury to trigger standing.  This signals further development of the standing issue in the lower courts which could, over time, influence the Supreme Court to agree to weigh in on this question.

Thanks to San Diego summer associate Kyle Hess for his contributions to this post.

Wednesday, June 12, Lowenstein & Sandler’s offices in New York City hosted the Gro Pro 20/20 conference, an event where high-level discussion of leadership, strategy and how to best position professional services organizations in today’s market.  The sessions were on-point and the audience interaction was lively, as CMO’s from all over the country came together to discuss the issues facing their firms and seek insight and ideas from their peers. What follows is a quick wrap-up of three of the major themes that emerged from these discussions.

The Nature of Change & Disruption in Professional Services

It was widely agreed that change is the new normal in professional services organizations and that acting on those changes–taking steps now, to prepare for the changes that are en route is crucial for survival.  Through panel discussions, the changes within in-house legal departments came up:  the fact that in-house legal departments are increasing their size and their scope, and spending less on outside counsel.  For example, in 2015, in-house legal departments covered an average of 5 practice groups–now, in 2018, they cover an average of 11.  For working with these companies, ways of delivering not just the legal answer, but the business answer–in easy to digest, easy to use formats is crucial.

Along with the change that is already happening for professional services organizations, there is also the change that is to come–scanning the landscape, disruption is inevitable in the industry.  Through a panel discussion, attendees took a deeper look at disruption and what brings it about–what gives companies like Uber & Lyft, Netflix & Amazon, WeWork and Air b’n’b,  the opportunity to swoop in and change the way things have always been done–and it was determined that being annoyed, being frustrated, putting up with “$hit” was what created the groundswell that fuels disruptors.  With nods around the room, and a discussion of “early indicators” of disruption, it was agreed that our industry was ripe for disruption–and the organizations that can evolve will do well.

Process, Deliverables, and Collaboration with Clients

Related to the need to provide the legal services companies want in an efficient, digestible way, much of the discussion at Gro Pro centered on the process.  Through insightful examples, attendees saw real-life implications of how this can play out–how organizations can provide the types of solutions that companies want, usually in connection with those companies.  To do this, professional service organizations need to focus on innovation in how they deliver the information–through the technology available to them, how can they condense and package the information so it becomes a tool, and not a stack of paper to be searched through.

But how to get there?  Speakers encouraged attendees to go through a “process map” process, where they could look at how things are done in their organization–to be clear–how things are done, not how they are “supposed to be done” and this process usually leads to identification of places where there can be efficiency gains.  In addition, going through this process with a client can help professional services organizations identify needs that the client has that are not being addressed–which can present an opportunity for cross-selling.

Branding as Opportunity

An in-depth, memorable discussion of branding also took place at Gro-Pro 20/20.  While branding brings to mind long, drawn-out discussions incorporating the phrase “I don’t like the orange” and “Can we do this in blue?” panelists pointed out that is not the way it needs to be.  For the longest time, many professional services organizations were using their talent as their major marketing asset.; however, tweaking that formula to offer your entire organization as a solutions-provider may be the way to move forward, according to the discussion.

With Branding in professional service organizations, the process is most powerful if it involves all levels of the organization discussing and analyzing who they are and what they do.  If everyone is involved, the concepts discussed in the somewhat aspirational conversation are more likely to take root and authentically represent the organization. And by aspirational, it can be a discussion of not just “who we are” but “who we want to be”; a way to spark ideas for the organization.  Much more than a discussion of typeface, it is a way to ask important questions of the organization and forge a path forward, and it can provide a map of authentic principles that the organization can use to guide decisions that need to be made further down the line.

Conclusion

The above is a small piece of some of the insights delivered at Gro Pro 20/20.  The panels were all thoughtful and provided food for thought on how organizations move forward as new technologies and changing environments modify the professional services ecosystem.

Summary

The challenges that the government faces in litigating vertical mergers was illustrated in the DOJ’s recent loss in its challenge of AT&T’s proposed acquisition of Time Warner. The result provides guidance for how companies can improve their odds of obtaining antitrust approval for similar transactions.

In Depth

The US Department of Justice’s (DOJ) loss in its challenge of AT&T’s proposed acquisition of Time Warner demonstrates the difficulties the government faces in litigating vertical mergers and provides a guide for how companies can improve their odds of obtaining antitrust approval for such transactions. This was the first litigated vertical merger case in four decades and the largest antitrust merger litigation under the Trump administration. Last week AT&T received the go ahead from Judge Richard J. Leon to proceed with the deal and the parties already closed the transaction. It is still unclear whether the DOJ will appeal the decision. Although this was a significant loss for the DOJ, Judge Leon’s opinion was narrowly tailored to the particular facts of the industry. Therefore it is questionable whether the opinion will have a significant impact on future vertical merger enforcement by the US antitrust regulators.

The DOJ’s main theory in the case was that the combination of AT&T’s video distribution services, namely DirecTV’s satellite TV offerings, and Time Warner’s video content would provide Time Warner with increased bargaining leverage when negotiating with other video distributors who are AT&T’s competitors. According to the DOJ, AT&T would have increased leverage over competitor video distributors because (1) some of the distributors’ customers would depart due to the lack of Time Warner’s networks in the distributor’s offering and (2) of the customers that left, some would sign up for AT&T’s competing video distribution services, DirecTV. Since both parties to the negotiation would recognize this change in negotiating position, AT&T’s prices for Time Warner content would increase.

Judge Leon held that the DOJ failed to meet its burden to show that AT&T’s acquisition of Time Warner would harm competition due to an increase in Time Warner’s bargaining leverage. Judge Leon did not dispute the DOJ’s theories on key legal principles, such as the relevant market, the burden of proof, and whether the DOJ’s bargaining model was a viable theory to challenge a transaction. Instead, he found that the facts did not support a finding that the transaction would lead to a substantial lessening of competition. First, the key documents used by the DOJ were regulatory filings by AT&T or Time Warner in prior vertical mergers in the video distribution industry. The statements in these regulatory filings were made in an effort to prevent a competitor from completing its acquisition. Even so, the statements only suggest that vertical integration “can” create an unfair advantage in negotiations, without saying that vertical integration “will” lead to increased prices for video content. Second, Judge Leon gave little weight to the testimony from AT&T’s competitors because, unlike with horizontal transactions, the affected “customers” of Time Warner were competitors of DirecTV and thus had a natural bias to oppose the transaction. In addition, Judge Leon found that the customer testimony was comprised largely of speculative statements that they would be harmed in negotiations without any quantitative analysis to support their assertions. Finally, Judge Leon found the DOJ’s economic analysis was based on flawed assumptions not supported by the record. Importantly, Judge Leon found that prior vertical mergers in the industry had not led to higher prices for customers.

The obvious question remains: what does this mean for other vertical transactions facing US antitrust review? For companies considering vertical mergers, there are three main takeaways from the case.

1.       The DOJ Faces a High Burden to Prove Harm to Competition in Vertical Cases

Throughout the course of the trial, the differences in the legal standards governing a horizontal merger and a vertical merger became clear. Judge Leon’s opinion specifically notes that the DOJ’s “‘familiar’ horizontal merger playbook is of little use.” Of course what Judge Leon is referring to is the government’s typical strategy in horizontal merger cases, which is to establish a presumption of competitive harm by introducing evidence that a merger will lead to undue levels of market concentration. Essentially, if the government proves its market, it is almost home. Leon notes that because this presumption is not in play in a vertical case, the DOJ “must make a ‘fact-specific’ showing that the effect of the proposed merger ‘is likely to be anticompetitive.’” This showing is “highly complex” and “institution specific.” Unlike in a horizontal case where the main disputes often relate to market definition, in a vertical case the debate will center on the competitive effects analysis.

Further complicating matters, there are clear efficiencies in vertical transactions that the government does not dispute. Indeed, in AT&T/Time Warner the DOJ credited more than $350 million in annual efficiencies resulting from the elimination of double marginalization (EDM). Judge Leon refers to this type of efficiency as a “standard benefit” associated with vertical mergers because a merger between two companies operating at different levels in the supply chain almost automatically removes some margin. Since this type of efficiency is not disputed by the DOJ, any claimed price increase resulting from a vertical merger has to outweigh the claimed efficiencies.

In future cases, the DOJ will need substantial evidence from ordinary course business documents, more testimony from uninterested third party witnesses, and sound economic analysis of the likely competitive harms to be successful in a vertical merger challenge. Vertical cases, especially those not based on a foreclosure theory, cannot rely on simply alleging that the combined entity has an important product or a high market share. Rather the government needs to show clear harms that outweigh the credited efficiencies. Overall, this means that a vertical merger case presents more difficulties for the DOJ than a horizontal case and poses a higher risk for the agency should the case go to trial.

2.       The Effectiveness of Increased Bargaining Leverage as a Theory of Vertical Harm Remains Uncertain

The DOJ’s theory in AT&T/Time Warner generally differs from its prior vertical merger enforcement. The main difference is that the DOJ did not allege that the merger would result in either foreclosing a vital input from downstream competitors or foreclosing a group of customers from upstream competitors. Instead the DOJ’s main theory was that AT&T’s ownership of Time Warner would provide Time Warner with increased bargaining leverage in negotiations with video distributors who are AT&T’s competitors. This theory posits that by raising costs to AT&T’s rivals, the proposed acquisition would harm competition and lead to price increases overall. The DOJ did not allege that AT&T would not continue to supply Time Warner content to its competitors.

As Judge Leon notes in his opinion, the DOJ could not point “to any prior trials in federal district court in which the Antitrust Division has successfully used this increased-leverage theory to block a proposed vertical merger.” (The US Federal Trade Commission [FTC] has used this theory to challenge several horizontal hospital transactions.) After this decision, it remains true that no court has ever blocked a vertical merger where the government’s theory is based on alleged increased costs to a rival without additional foreclosure allegations.

Nonetheless, Judge Leon did not reject an increased bargaining leverage theory as the basis for a vertical merger challenge. His opinion merely found that the facts here do not support a conclusion that there would, in fact, be increased bargaining leverage leading to higher prices or that this would outweigh any efficiencies. In the future, the DOJ will likely look for cases with stronger facts, including evidence of price increases from prior vertical mergers in the industry and more substantial economic analysis to show anticompetitive effects. However, for now, the effectiveness of an increased bargaining leverage theory, without additional foreclosure allegations, remains quite uncertain.

3.       DOJ and FTC May Be More Open to Conduct Remedies to Address Vertical Concerns When Presented with Litigation Risk

Since taking control of the Antitrust Division, Assistant Attorney General (AAG) Makan Delrahim has made his mark through a stricter policy on vertical merger remedies. Previously, the DOJ and FTC frequently accepted conduct remedies, such as non-discrimination commitments and information firewalls, to address potential concerns in vertical transactions. AAG Delrahim has made it clear that these types of remedies are strongly disfavored since they result in significant government oversight in an industry. The Trump administration views antitrust as law enforcement and does not want to take on a regulatory role in an industry due to a consent decree with continued monitoring of conduct remedies.

AT&T/Time Warner ended up as the test case for this new policy on vertical merger enforcement. The DOJ sought a structural remedy in the form of an injunction preventing the parties from merging or requiring a divestiture of Time Warner’s key assets in Turner Broadcasting. In doing so, the DOJ ignored behavioral commitments made by AT&T in the form of an arbitration agreement that it sent shortly before the DOJ filed its complaint to all relevant Time Warner customers. This arbitration agreement mirrored behavioral remedies used by the DOJ in prior cases in this industry.

With the court’s ruling against the DOJ, it is possible that the DOJ and FTC will be more cautious with vertical merger enforcement going forward since additional unfavorable precedent could harm the Trump administration’s larger policy goals. In cases where the proof of vertical harm is not abundantly clear, the DOJ and the FTC are faced with the choice to (1) accept conduct remedies; (2) spend significant agency resources to litigate the transaction, with the potential to generate additional bad precedent; or (3) clear the transaction. This is a difficult choice, but the AT&T/Time Warner ruling may make the litigation option less appealing.

With these lessons in mind, parties to vertical transactions should consider the following strategies to improve the odds of obtaining US antitrust clearance:

1. It is critical that merging parties have a strong, well-supported pro-competitive story. Judge Leon’s opinion demonstrates the importance for merging parties to document and conduct a thorough efficiencies analysis. The regulators and courts are likely to give greater deference to the cost savings in vertical mergers as compared to horizontal mergers.

2. In dynamic industries, where new technology or new competitors, are having an impact on competition, the merging parties’ internal documents should reflect the new changes or competition. Although Judge Leon did not dispute the DOJ’s alleged product market, he spent a large portion of the opinion discussing how the media industry was changing due to new competition from companies, such as Netflix, Google and others. These findings appeared to influence Judge Leon’s views on the benefits and rationale of the transaction.

3. Because the government’s witnesses for vertical merger challenges are typically competitors, merging parties should consider early in the review whether they can address the competitors’ concerns through a long-term contractual commitment or similar type of remedy. Although the US antitrust regulators may be reluctant to enter into a formal settlement with behavioral remedies, the US antitrust regulators are less likely to challenge a vertical merger without competitor complaints and testimony.

We often cover cases in which false advertising claims brought under state law are challenged as preempted by a federal regulatory scheme.  Poland Spring was a recent target of state law false advertising claims, and successfully obtained the dismissal of those claims on the ground that they were preempted by federal statute.  Patane v. Nestle Waters N. Am., 2018 WL 2271161 (D. Conn. May 17, 2018).

In consolidated actions, putative class action plaintiffs alleged that Poland Spring water is not actually 100% “spring water” as defined under the Food, Drug and Cosmetics Act (FDCA).  The Food & Drug Administration’s regulations define spring water as “deriv[ing] from an underground formation from which water flows naturally to the surface of the earth,” with a “natural force causing the water to flow to the surface through a natural orifice.”  The water may be collected by a tap and with an external hydraulic force, so long as the water has all the physical properties of the water that naturally flows to the surface, and so long as the water is collected by a “hydrogeologically valid method.”  Since the FDCA does not provide a private right of action for the violation of the regulations in question, plaintiffs asserted fraud, breach of contract, and consumer deception claims under various state laws.

The district court (Judge Jeffrey A. Meyer) held that plaintiffs’ claims were preempted by § 337(a) of the FDCA, which provides that only the federal government—not private parties—may enforce FDCA violations.  According to the court, § 337(a) impliedly preempts any claim under state law based solely on a violation of the FDCA.  Plaintiffs’ principal complaint was that Poland Spring did not comply with the FDA’s standards for spring water, and plaintiffs tellingly proclaimed that they sought to enforce those standards in the FDA’s stead.  Since all claims for relief hinged on the alleged non-compliance with FDA standards, all claims were dismissed as impliedly preempted.

Plaintiffs were given leave to replead any proper state claims that are not preempted.  Though not essential to its holding, the court also expounded upon § 343–1(a)(1) of the FDCA, which expressly preempts any state law from imposing any definition of “spring water” that is not identical to the FDCA definition.  According to the court, implied preemption under § 337(a) and express preemption under § 343–1(a)(1) result in a broad preemptive effect under which only a narrow range of state law claims can survive:  “In order to survive preemption, a state law claim must rely on an independent state law duty that parallels or mirrors the FDCA’s requirement for ‘spring water,’ but must not solely and exclusively rely on violations of the FDCA’s own requirements.”  Given the court’s dicta on the combined effect of express and implied preemption, if plaintiffs’ claims in their amended pleadings are again preempted, we might expect dismissal with prejudice.  Watch this space for further developments.