Lawyer Bot Short-Circuited by Class Action Alleging Unauthorized Practice of Law

Many of us are wondering how long it will take for ChatGPT, the revolutionary chatbot by OpenAI, to take our jobs. The answer: perhaps, not as soon as we fear!

On March 3, 2023, Chicago law firm Edelson P.C. filed a complaint against DoNotPay, self-described as “the world’s first robot lawyer.” Edelson may have short-circuited the automated barrister’s circuits by filing a lawsuit alleging the unauthorized practice of law.

DoNotPay is marketed as an AI program intended to assist users in need of legal services, but who do not wish to hire a lawyer. The organization was founded in 2015 to assist users in disputing parking tickets. Since then, DoNotPay’s services have expanded significantly. The company’s website offers to help users fight corporations, overcome bureaucratic obstacles, locate cash and “sue anyone.”

In spite of those lofty promises, Edelson’s complaint counters by pointing out certain deficiencies, stating, “[u]nfortunately for its customers, DoNotPay is not actually a robot, a lawyer, or a law firm. DoNotPay does not have a law degree, is not barred in any jurisdiction and is not supervised by any lawyer.”

The suit was brought by plaintiff Jonathan Faridian, who claims to have used DoNotPay for legal drafting projects, demand letters, one small claims court filing and drafting an employment discrimination complaint. Faridian’s complaint explains he was under the impression that he was purchasing legal documents from an attorney, only to later discover that the “substandard” outcomes generated did not comport with his expectations.

When asked for comment, DoNotPay’s representative denied Faridian’s allegations, explaining the organization intends to defend itself “vigorously.”

© 2023 Wilson Elser

Locking Tik Tok? White House Requires Removal of TikTok App from Federal IT

On February 28, the White House issuedmemorandum giving federal employees 30 days to remove the TikTok application from any government devices. This memo is the result of an act passed by Congress that requires the removal of TikTok from any federal information technology. The act responded to concerns that the Chinese government may use data from TikTok for intelligence gathering on Americans.

I’m Not a Federal Employee — Why Does It Matter?

The White House Memo clearly covers all employees of federal agencies. However, it also covers any information technology used by a contractor who is using federal information technology.  As such, if you are a federal contractor using some sort of computer software or technology that is required by the U.S. government, you must remove TikTok in the next 30 days.

The limited exceptions to the removal mandate require federal government approval. The memo mentions national security interests and activities, law enforcement work, and security research as possible exceptions. However, there is a process to apply for an exception – it is not automatic.

Takeaways

Even if you are not a federal employee or a government contractor, this memo would be a good starting place to look back at your company’s social media policies and cell phone use procedures. Do you want TikTok (or any other social media app) on your devices? Many companies have found themselves in PR trouble due to lapses in enforcement of these types of rules. In addition, excessive use of social media in the workplace has been shown to be a drag on productivity.

© 2023 Bradley Arant Boult Cummings LLP

MAXIMUM PRESSURE: Stratics Networks Hit With Massive DOJ Complaint Related to RVM Use by Customers and The Heat is Really On Platforms Right Now

So just last month the covered the story of Phone Burner being absolutely destroyed by a recent FCC order directing carriers to stop carrying its traffic. It be came the most read story EVER on TCPAWorld.com.

This one might be even bigger.

Before I get to the punchline, bear with me for a second.

Ringless voicemail.

I have been saying for many years that these things are covered by the TCPA. The Courts have said it. The FCC has said it.

But the ringless voicemail providers, by and large, refused to get the message. As recently as late last year I still have people coming to me telling me that this platform or that service was telling them that the TCPA does not apply to ringless voicemail. And I have personally heard sales pitches within the last couple of years where a ringless voicemail provider told potential customers the TCPA does not apply to the technology.

Lies, lies and more lies. And I hate lies.

The argument for RVM not being covered by the TCPA is a dreadful one. Some lawyer–NOT ME– long ago prepared a white paper suggesting that because voicemail is a title III information service and not a title II communication service that, somehow, that means the direct drop process to leave a voicemail also wasn’t a communication. Its nuts. Totally irrational. And beyond that, it was just dumb.

There was a better rationale for the argument–that the messages traversed business class landlines and not cellular networks–but that argument, too, has been rejected in recent years.

Anyhoo, RVM are definitely covered by the TCPA and that is a fact that has been known for many years. But that did not stop one major RVM provider from–allegedly–allowing its users to blast folks without consent.

And here is where we get to the big news: On Friday the Department of Justice filed a massive complaint–on referral from the FTC–against a debt relief company that was allegedly violating the TSR by sending RVMs without consent and failing to include content required by the TSR in the message.

Please notice that the complaint was NOT just filed against the debt relief company. It was filed against Stratics Networks–the wholesale carrier that permitted the traffic and also, apparently, supplied the RVM platform that was used to send the messages. But the complaint was also filed against the intermediary VOIP service provider, Netlatitude, Inc.–and its president Kurt S. Hannigan personally (!),  that provided access to the debt relief company through Stratics (or perhaps vice versa.)

The actual wrongdoers were apparently a debt relief company called Tek Ventures, LLC, doing business as Provident Solutions and a marketing company hired by Provident–Atlas Marketing Partners, Inc.

A bunch of other players, including INDIVIDUALS are also named as the FTC and DOJ really came to play with a sledgehammer here.

Each of these companies (and people) are alleged to have done something a bit different wrong. And its worth seeing how the government is going after each member of the alleged illegal robocall ring.

Of most interest to me–and I suspect most of you–is the case against Stratics. Like Phone Burner, Stratics is a very well known platform out there. Big footprint. And it is perceived to be a fairly compliant player.

Out of the gate, some of the allegations of the Complaint seek to impose a MUCH broader set of requirements on a carrier than have ever been seen before. For instance, the DOJ complains:

  • Despite acknowledging in its terms and conditions of service that its customers must “obtain the prior written consent from each recipient to contact such recipient” “[w]here required by applicable law or regulation,” Stratics Networks did not have evidence of such consent and did not request or require that its customers submit such evidence;

  • Stratics Networks has access to the prerecorded messages its customers upload to its RVM platform and reserves the right to audit its customers’ accounts in its terms and conditions of service, but it does not conduct due diligence to ensure that the messages actually identified the seller or caller, or to prohibit the transmission of prerecorded messages that failed to do so, or to ensure that that the call recipient had given express consent to receive the call; and

  • Stratics did not “require[]” and “ensur[e] that users  obtain prior express written consent from recipients, scrub lists of uploaded phone numbers against the DNC Registry, or otherwise comply with the TSR as a condition of using the platform.

But, so what?

A carrier owes no duty to at law to review the content of messages sent over its network. Gees, it would be a huge violation of privacy if it did. And sure an RVM platform may have access to the voicemails that were uploaded but since when is it required to review those and provide compliance advice? That’s just plain nuts.

Further, the fact that Stratics required consent for users of its platform is plenty. Folks use AUPs and disclosures to assure their platforms are not being misused. Since when does the law require them to actually possess consent–or “require” and “ensure” compliance– before allowing someone to use their network? Since never. And its just nuts for the FTC and DOJ to suggest otherwise.

Outside of really extreme cases, a carrier is still just a carrier. And a platform is still just a platform. Sure there can be times when these companies are so involved with messages–or know (we’ll get to that) of abuses–such that they are responsible as if they had sent them. But in the ordinary course these folks have NO DUTY to ensure…. anything.

So I’m a bit perturbed by the insinuation that these allegations, alone, make Stratics blameworthy. They speak to duties that do not exist in the law. If the DOJ and FTC doesn’t like the current state of the law they should take it up with Congress (or, in the case of the FTC, start an NPRM process, hint hint.)

But other allegations are more damaging–particularly those related to the knowledge Stratics had about the use of its platform. And, here again, we see the ITG playing a big role.

Per the Complaint, “Stratics Networks received numerous Traceback Requests from USTelecom’s ITG alerting it to suspected illegal robocall traffic delivered via Stratics Networks’ RVM platform service and seeking its assistance in identifying the source(s) (i.e., upstream carrier or originating end-user) of these “likely illegal” robocalls, including over 30 such requests between August 2019 and February 2021.”

Now 30 requests may seem like a lot, but you have to keep in mind how active the ITG is. They’re firing off a ton of “tickets” every single day. So I’m not convinced that 30 tickets over a year and a half is really that big of a deal. Plus, these tickets are directed at the content of user messages traversing the Stratics network–it does not mean that any of these were actually Stratics customers. (BTW, the DOJ was kind enough to name a bunch of the ticket sources: “Atlas Marketing, Telecord, Telesero, Health Innovations, National Homebuyers, Elite Processing, Deltracon, Technest Limited, Shamoon Ahmad, Progressive Promoting, Nitzke Enterprize, Care Advocacy Solutions, and PubClub.” Hope your name isn’t in there!)

So, again, I don’t love the government’s case so far. But it does get stronger. For instance:

  • In some instances, even when Stratics Networks did identify the RVM customers responsible for these illegal robocalls, Stratics Networks allowed these RVM customers to open additional accounts and/or continue utilizing its RVM platform service for several weeks or months without suspending or terminating their RVM accounts.

  • In some instances, Stratics Networks did not suspend these RVM customers’ accounts until after it received a civil investigative demand from the FTC in November 2020 inquiring about prerecorded messages delivered using its RVM platform service.

Ok, now the government is getting closer. The case law is reasonably clear that where a carrier or platform knows of illegal traffic on its network it does need to take some action to prevent it. If Stratics allowed customers who were committing violations to open new accounts or run new campaigns that could be a problem, unless it did extra heightened diligence to assure compliance.

But now, the big allegations:

  • Several of US Telecom’s ITG’s Traceback Requests to Stratics Networks concerned robocalls delivered over Stratics Networks’ RVM platform as part of the Atlas Defendants’ debt relief telemarketing campaign, including Traceback Requests Stratics Networks received between April and June 2020. These Traceback Requests indicated that they concerned a “DebtReduction-Hardship” or “DebtReduction CoronaHardship” campaign, and they noted that the robocalls delivered prerecorded messages offering preapproved loans and did not identify the caller.

  • Notwithstanding Stratics Networks’ representation to US Telecom’s ITG in response to a April 29, 2020 traceback request that it “ha[d] taken immediate action and triggered a full investigation” into the Traceback Request and “also suspended traffic,” Stratics Networks permitted Atlas Marketing to continue using its RVM platform service to deliver millions more robocalls for over five more months;

  • After April 29, 2020, Stratics Networks permitted Atlas Marketing to use its RVM service to deliver more than 23 million additional ringless voicemail robocalls to American consumers.

Ok so Stratics allowed 23 million voicemails by Atlas after telling the ITG it would suspend its traffic. Now that could be a problem. Especially if those 23MM voicemails violated the TSR and TCPA (although that fact is, perhaps tellingly, left out of the complaint.)

Notice the timing here also. ITG tickets went out in April, 2020. A CID followed in October, 2020. And then the complaint was filed in February, 2023 two and a half years later.

So all of you carriers and platforms that have received ITG tickets followed by CIDs, keep this in mind. Even if a year or more has passed, the FTC might still be working the case.

So what did Netlatitude do wrong? Well this appears to be a volume play. Specifically the FTC is concerned that Netlatitude allowed Atlas to send “136,000 robocalls” using Stratics Networks’ SIP termination service on just two days in September 2020.

Again, I kind of want to shrug at that. While high volume traffic can be a red flag, there is ZERO requirement a carrier decline to carry traffic merely because there might be a lot of it.

Netlatitude also apparently received several ITG tickets but it is not clear that they had anything to do with Atlas. So I am very fuzzy as to why Netlatitude is in the case–except that Stratics apparently pointed the finger at Netlatitude and its President.

As to the debt relief companies, the claims here are wide and varied. First, there is a claim of straight consumer deception. They allegedly promised consumers they’d be out of debt in two years and that monthly payments would be used in a way that turned out not to be true. Ok. Makes sense.

Next they allegedly sent voicemails that did not identify the sender and sent calls to numbers on the DNC list without consent. Again, pretty straightforward.

They also allegedly received a fee prior to providing debt relief, which is also not permitted. So… if true, open and shut case. I think.

In the end the government is asking for a bunch of stuff. Most damaging for Stratics is the injunctive relief provision:

A. Enter a permanent injunction to prevent future violations of the TSR and the FTC Act by Defendants;

B. Award monetary and other relief within the Court’s power to grant;

C. Award Plaintiff monetary civil penalties for every violation of the Telemarketing Sales Rule; and

D. Award Plaintiff such other and additional relief the Court may determine to
be just and proper

Lots of big take aways here. We already knew that carriers and platforms can’t turn a blind eye to bad traffic on their networks, but in this case the government seeks to go much further and impose duties on these companies to “require” and “ensure” only lawful traffic traverses their networks. That is just craziness and I think a lot of carriers will fold up shop if they suddenly become strictly liable for misconduct on their networks. Indeed, just 8 years ago carriers were completely beyond liability for traffic on their network and now they are to be treated as always liable for it? That is unfair and absurd.

Obviously those of you in the debt relief game need to pay careful attention here as well. NO cheating allowed. If you make a representation it has to be true. And don’t charge that fee up front–can get you into trouble.

Notice also that NONE of these claims are brought under the TCPA. But some could have been. The TCPA also prevents the use of RVMs to to cell phones without the proper level of consent. And the TCPA bans solicitations to residential numbers on the DNC list. I presume the DOJ didn’t want to tangle with any additional issues here–or perhaps the FTC did not want to tread on the FCC’s toes by moving into TCPA issues. Unclear to me.

But what IS clear to me is that this complaint is a huge deal and should really have every carrier and platform out there asking itself what the future may hold…

Read the complaint here: Complaint Against Stratics, et al.

© 2023 Troutman Firm

SUPERBOWL CIPA SUNDAY: Does Samsung’s Website Chat Feature Violate CIPA?

Happy CIPA and Super Bowl Sunday TCPA World!

So, Samsung is under the spotlight with a new CIPA case brought by a self-proclaimed “tester.” You know like Rosa Parks?? Back to that in a bit.

The California Invasion of Privacy Act (“CIPA”) prohibits both wiretapping and eavesdropping of electronic communications without the consent of all parties to the communication. The Plaintiff’s bar is zoning in to CIPA with the Javier ruling.

If you recall, Javier found that “[T]hough written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’ Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *1 (9th Cir. 2022).

Here, Plaintiff Garcia claims that Defendant both wiretaps the conversations of all website visitors and allows a third party to eavesdrop on the conversations in real time during transmission. Garcia v. Samsung Electronics America, Inc.

To enable the wiretapping, Plaintiff claims that Defendant has covertly embedded software code that functions as a device and contrivance into its website that automatically intercepts, records and creates transcripts of all conversations using the website chat feature.

To enable the eavesdropping, Defendant allows at least one independent third-party vendor to secretly intercept (during transmission and in real time), eavesdrop upon, and store transcripts of Defendant’s chat communications with unsuspecting website visitors – even when such conversations are private and deeply personal.

But Plaintiff currently proceeds in an individual action but if Samsung does not take appropriate steps to fully remedy the harm caused by its wrongful conduct, then Garcia will file an amended Complaint on behalf of a class of similarly aggrieved consumers.

Now back to Civil Rights.

According to this Complaint, Garcia is like Rosa Parks, you know, the civil rights activist. Why?

Well, because “Civil rights icon Rosa Parks was acting as a “tester” when she initiated the Montgomery Bus Boycott in 1955, as she voluntarily subjected herself to an illegal practice to obtain standing to challenge the practice in Court.”

Because Wiretapping and civil rights are similar right??

Disgusted.

The Plaintiff’s bar has no problem muddying the waters to appeal to the courts.

Do better.

CIPA is some dangerous stuff. Websites use chat features to engage with consumers all the time. It seems like it is easier to communicate via chat or text than to sit on a call waiting for an agent – assuming you get an agent. But maybe not?

Stay safe out there TCPA World!

Til next time Countess!! back to the game, GO EAGLES!!! #Phillyproud

© 2023 Troutman Firm

The Top 10 Do’s and Don’ts of Selling a Cell Lease

When you sell a cell lease, in addition to assigning the lease and rents to the purchaser, you also sell the purchaser the right to put communications antennas on your property for 50 years or more. Done properly, this can be very advantageous, but if done improperly, the right, coupled with its lengthy term, can be harmful, especially for valuable properties.

While the intricacies of such sales should be left to professionals (the sale documents are often 15-20 pages long to protect the property owner), here is a short list of items unique to cell lease sales which property owners should keep in mind. This list is based on years of experience helping clients sell over 100 leases.

  1. Sell the cell lease first if you will be selling the property with the lease. Recently, leases have sold for around 20 times annual revenues. Done properly, a lease sale will add dollar for dollar to the sales price of the property it’s on.
  2. Don’t use the documents from the purchaser without extensively revising them (we often toss them out and use our own documents). They are usually so overreaching that using them “as is” can reduce or destroy the value of the property with the lease.
  3. Include provisions protecting the future use, development and value of the property with the lease.
  4. Have a relocation provision so you can require the leased area to be moved to another location on the property if needed for the maintenance, repair or redevelopment of the property.

The following items are particularly important for areas where the leased space is on a building rather than for a tower on open land. Buildings are generally much more valuable than open land (so the potential harm from bad terms is greater), there often are two or more parcels being leased (equipment on the ground, antennas on the roof, cables in between) and property owners need to be specific on the rights being sold and retained.

  • Clearly describe, with engineering drawings if needed, the areas of the building the purchaser can use.
  • Spell out the types of communications uses the purchaser can conduct and the equipment it may place in these areas.
  • Also spell out the rights the building owner and tenants retain to use these same areas (as well as other parts of the building) for their antennas, HVAC, elevators, etc.
  • Describe the types of communications uses and radios that the building owner, residents and tenants have retained and do not violate the sale.
  • Attach engineering drawings showing the equipment currently on the building.
  • Require landlord approval of changes to the preceding and the reasons the approval can be withheld.
© 2022 Varnum LLP

911 Network Reliability Deadline Approaching

Earlier this monththe FCC announced that its 2022 911 Reliability Certification System is now open for Covered 911 Service Providers to file annual reliability certifications.  The filings are due on October 17, 2022.  Failure to submit the certification may result in FCC enforcement action.

Background

In 2013, the FCC adopted rules aimed at improving the reliability and redundancy of the nation’s 911 network.  Those rules require Covered 911 Service Providers (“C9SP”) to take steps that promote reliable 911 service with respect to three network elements: circuit auditing, central-office backup power, and diverse network monitoring.  The Commission identified these three network elements as vulnerabilities following a derecho storm in 2012 that significantly impacted 911 service along the eastern seaboard.

Applicability. The rules apply to all C9SPs, which are defined as any entity that provides 911, E911, or NG911 capabilities such as call routing, automatic location information (ALI), automatic number identification (ANI), or the functional equivalent of those capabilities, directly to a public safety answering point (PSAP).

Certification. The rules require C9SPs to certify annually that they have met the FCC’s safe harbor provisions for each of these elements or have taken reasonable alternative measures in lieu of those safe harbor protections.  The certification must be made under penalty of perjury by a corporate officer with supervisory and budgetary authority over network operations.

In 2018 and 2020, the FCC sought comment on changes to the 911 reliability certification rules, but the rules have not yet been updated as a result of those proceedings.

Enforcement Against Noncompliant Providers

Last year, the FCC entered into eight consent decrees with Covered 911 Service Providers that failed to submit their reliability certifications in 2019, 2020, or both.  A Consent Decree typically requires the recipient to admit it violated an FCC rule, pay a fine to the federal government, and implement a Compliance Plan to guard against future rule violations.  These Compliance Plans required the C9SPs to designate a compliance officer, establish new operating procedures, and develop and distribute a compliance manual to all employees.

Additionally, the providers were required to establish and implement a compliance training program, file periodic compliance reports with the FCC detailing the steps the provider has taken to comply with the 911 rules, and report any noncompliance with 911 rules within 15 days of discovering such noncompliance.

Looking Forward

C9SPs have about one month to confirm compliance with the reliability rules and submit a required certification.  Based on the FCC’s enforcement efforts last year, C9SPs would be well-advised to work diligently to meet this upcoming deadline.

© 2022 Keller and Heckman LLP

Speaker Pelosi Expresses Concerns With Federal Privacy Bill’s Preemption Provision

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter- approved amendments.  The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2.  The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.”  Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.”

Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving  California privacy laws.  Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

© Copyright 2022 Squire Patton Boggs (US) LLP

Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, we note that the Colorado Privacy Act also applies to non-profits. There are additional scope and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;
  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,
  • Implementing data subject request procedures,
  • How your business is handling AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and
  • Providing training for employees.
© 2022 ArentFox Schiff LLP

Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Last week, the House Energy and Commerce Committee advanced H.R. 4551, the “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act” (“RANSOMWARE Act”).  H.R. 4551 was introduced by Consumer Protection and Commerce Ranking Member Gus Bilirakis (R-FL).

If it becomes law, H.R. 4551 would amend Section 14 of the U.S. SAFE WEB Act of 2006 to require not later than one year after its enactment, and every two years thereafter, the Federal Trade Commission (“FTC”) to transmit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report (the “FTC Report”).  The FTC Report would be focused on cross-border complaints received that involve ransomware or other cyber-related attacks committed by (i) Russia, China, North Korea, or Iran; or (ii) individuals or companies that are located in or have ties (direct or indirect) to those countries (collectively, the “Specified Entities”).

Among other matters, the FTC Report would include:

  • The number and details of cross-border complaints received by the FTC (including which such complaints were acted upon and which such complaints were not acted upon) that involve ransomware or other cyber-related attacks that were committed by the Specified Entities;
  • A description of trends in the number of cross-border complaints received by the FTC that relate to incidents that were committed by the Specified Entities;
  • Identification and details of foreign agencies, including foreign law enforcement agencies, located in Russia, China, North Korea, or Iran with which the FTC has cooperated and the results of such cooperation, including any foreign agency enforcement action or lack thereof;
  • A description of FTC litigation, in relation to cross-border complaints, brought in foreign courts and the results of such litigation;
  • Any recommendations for legislation that may advance the security of the United States and United States companies against ransomware and other cyber-related attacks; and
  • Any recommendations for United States citizens and United States businesses to implement best practices on mitigating ransomware and other cyber-related attacks

Cybersecurity is an area of recent federal government focus, with other measures recently taken by President Bidenthe Securities and Exchange Commissionthe Food and Drug Administration, and other stakeholders.

Additionally, H.R. 4551 is also consistent with the FTC’s focus on data privacy and cybersecurity.  The FTC has increasingly taken enforcement action against entities that failed to timely notify consumers and other relevant parties after data breaches and warned that it would continue to apply heightened scrutiny to unfair data security practices.

In May 2022, in a blog post titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” the FTC’s Division of Privacy and Identity Protection had cautioned that “[t]he FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, and that, “[i]n some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”

As readers of CPW know, state breach notification laws and sector-specific federal breach notification laws may require disclosure of some breaches.  However, as of May 2022 it is now expressly the position of the FTC that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”  This is a significant development, as notwithstanding the absence of a uniform federal data breach statute, the FTC is anticipated to continue exercise its enforcement discretion under Section 5 concerning unfair and deceptive practices in the cybersecurity context.

© Copyright 2022 Squire Patton Boggs (US) LLP

Three Ways to Use LinkedIn’s Notifications Tab to Build Your Network and Business

Here’s an easy and effective way to leverage LinkedIn for business development and networking – use information and updates about your connections from the Notifications tab to build stronger relationships.

LinkedIn gives you many reasons to reach out to people in your professional network through the Notifications tab

These reasons range from new business, networking, jobs, referrals and branding opportunities.

Prompts from the LinkedIn Notifications tab about your connections’ birthdays, work anniversaries and new jobs can serve as powerful catalysts to get back in touch with your connections.

I have seen these prompts lead to new business and reignited relationships many times.

I call these notifications “low hanging fruit” because they require very little effort on your part and they’re easy to do, and can yield major benefits.

Marketing strategies don’t have to be complicated to be successful. We often overlook them when it’s so basic.

So how do you leverage them?

  1. For a work anniversary notification, you could say, “Hey Jim, I can’t believe it’s been X years since you joined your company! Time sure flies. How are you?” Then take it a step further, suggest an off-line conversation either in person, over the phone or via zoom.

  2. For a new job announcement try, “Congratulations on the new role – how is it going so far?” again offer to take the conversation off-line and have a separate conversation either in-person or virtually.  (Many people don’t send an email when they get a new job anymore – it’s up to us to do the due diligence to find out where they landed and then take the initiative to congratulate them on their job move).

  3. Wish your connections a happy birthday.  Just saying a simple “Happy birthday – I hope you’re having a great day – would love to take you for lunch or a drink to celebrate” is a great way to make someone’s day. Adding your birthday into LinkedIn works – I had about 200 LinkedIn birthday well wishes and one of them actually led to a new client.

Sometimes the basic actions that take just minutes are the most impactful.

Having reasons to reach out to your connections is powerful versus the dreaded “just checking in” email.

LinkedIn has made it even easier now to stay updated on others’ notifications by enabling us to follow certain individuals by clicking the bell on their profile.

No one knows who you are following, so use it strategically and follow your clients, referrals, VIP connections and even your competitors. You should also follow content creators whose information you find useful.

I’d love to hear how the Notifications section has worked for you.

Copyright © 2022, Stefanie M. Marrone. All Rights Reserved.