Tag: Consumer Protection

FCC’s Enforcement Bureau Commends PayPal for Modifying its User Agreement

We previously advised that the FCC’s Enforcement Bureau, in an unusual move, on June 11 published a letter it sent to PayPal warning that PayPal’s proposed changes to its User Agreement that contained robocall contact provisions might violate the TCPA.

FCC_LogoThese proposed revisions conveyed user consent for PayPal to contact its users via “autodialed or prerecorded calls and text messages … at any telephone number provided … or otherwise obtained” to notify consumers about their accounts, to troubleshoot problems, resolve disputes, collect debts, and poll for opinions, among other things. The Bureau’s letter highlighted concerns with the broad consent specified for the receipt of autodialed or prerecorded telemarketing messages and the apparent lack of notice as to a consumer’s right to refuse to provide consent to receive these types of calls.

On June 29, prior to the revisions coming into effect, PayPal posted a notice on its blog stating: “In sending our customers a notice about upcoming changes to our User Agreement we used language that did not clearly communicate how we intend to contact them.” PayPal clarified that it would modify its User Agreement to specify the circumstances under which it would make robocalls to its users, including for important non-marketing reasons relating to misuse of an account, as well as to specify that continued use of PayPal products and services would not require users to consent to receive robocalls.

The FCC’s Enforcement Bureau immediately put out a statement commending PayPal for its decision to modify its proposed contact language, noting that these changes to the User Agreement represented “significant and welcome improvements.” The Bureau’s very public actions on this matter signal to businesses everywhere of the need to review existing “consent to contact” policies. Certainly the FCC’s yet to be released Declaratory Ruling on TCPA matters that was voted on during a contentious FCC Open Meeting on June 18 may also invite that opportunity.

ARTICLE BY Laura H. Phillips of Drinker Biddle & Reath LLP

©2015 Drinker Biddle & Reath LLP. All Rights Reserved

On National Bourbon Day, Maker’s Mark Toasts to Consumer Protection Reform

June 14th is National Bourbon Day, so it’s a nice time to highlight the resolve of the recent class action lawsuit filed against Maker’s Mark, one of America’s favorite whiskeys, by two consumers who said the company falsely advertised its product as “handmade.”

The suit seized on the word “handmade” used in Maker’s Mark advertising, claiming consumers had been misled. U.S. District Judge Robert Hinkle ruled on behalf of Maker’s Mark, stating that “no reasonable person would understand ‘handmade’ in this context to mean literally made by hand.”

This case is representative of an increasingly common national trend. Similar suits have recently been filed against Tito’s Handmade Vodka and Jim Beam Bourbon.

Consumer advocates say that these class action lawsuits are the most effective way to hold companies accountable for what they allege to be misleading marketing. But real-life consumers, those the litigation is supposed to protect, are often harmed as defendants’ legal costs and sometimes multimillion-dollar verdicts or settlements are passed on in the form of higher prices and fewer choices.

So all across the country, state policymakers are rethinking and reforming their respective consumer protection acts (CPAs) to their original mission of preventing and punishing truly deceptive business practices.

Most state CPAs were modeled on the Federal Trade Commission Act when they were first enacted in the 1960s and 1970s. But since then, many of these laws have come to include expansive amendments and judicial interpretations that now allow lawsuits like the one aimed at Maker’s Mark.

Emory University law professor Joanna Shepherd’s white paper, Consumer Protection Acts or Consumer Litigation Acts?, was published last year and demonstrates this devolution. It begins with the origins of the federal law a century ago when “Congress first sought to define and deter” a “new class of consumer harms” that arose as “the merchant-consumer relationship” evolved rapidly, along with new products and services, retail models, and credit-based payment systems. “Unfair and deceptive acts or practices in or affecting commerce” were prohibited by the broadly worded new law.

But to prevent litigious mischief, Congress purposely limited enforcement of the law to its newly created FTC, prohibiting private lawsuits out of fear that “a certain class of lawyers” would otherwise “arise to ply the vocation of hunting up and working of such suits,” the number of which “no man can estimate,” warned Sen. William J. Stone (D-MO) prior to the act’s 1914 passage.

Fifty years later, the states were no longer willing to leave consumer protection entirely to the federal government. Eventually all 50 states and the District of Columbia adopted their own consumer protection statutes and authorized state attorneys general to enforce them.

By the 1980s, however, many state CPAs were being expanded well beyond their original scope. No longer were these laws enforced primarily by state attorneys general seeking injunctive relief in the public interest. Now they permitted and even promoted private lawsuits seeking significant awards for sometimes theoretical damages and inflated attorney’s fees. Incredibly, some plaintiffs no longer have to prove injuries, demonstrate that they relied on allegedly deceptive representations, or even behaved reasonably in order to prevail in lawsuits.

But here’s to judges like Judge Hinkle who require plaintiffs to explain precisely how they were misled by innocuous advertising terms like “handmade.”  And here’s to those state lawmakers working to refocus their consumer protection laws in the interest of consumers who were truly misled into making a purchase and suffered an actual injury as a result.

Happy National Bourbon Day, everyone.

ARTICLE BY Sherman Joyce of American Tort Reform Association
Copyright © 2015 American Tort Reform Association

FCC Chairman Proposes New TCPA Rules

The FCC is ready to rule on long-standing petitions seeking clarifications of the Telephone Consumer Protection Act and related FCC regulations. On May 27, 2015, FCC Chairman Tom Wheeler circulated a proposed regulatory ruling to fellow commissioners, which would address issues raised in more than 20 pending petitions. The fact sheet summarizing the chairman’s proposal foreshadows bad news for legitimate businesses using automatic telephone dialing technology.

FCC_Logo

The fact sheet lumps scammer calls like those from perky “Rachel” of the mysterious and ambiguous “Cardholder Services” with those from legitimate businesses. The fact sheet cites the 214,000 consumer complaints about robocalls. No breakdown is given as to how many of these complaints involved con artists and how many related to businesses calling, for example, to collect debt. The tone of the fact sheet provides no comfort. Its preamble states the plan is to “close loopholes and strengthen consumer protections.”

The FCC will vote on the new proposal during its Open Commission Meeting scheduled for June 18, 2015. In the meantime, companies using automatic telephone dialing technology should plan to take action to comply with whatever comes from the FCC. There will be no notice and comment period and whatever passes at the Open Commission Meeting will become effective immediately upon release.

New Provisions

If Chairman Wheeler’s proposals are adopted without changes, the new rules will provide:

  • Wireless and wired telephone consumers will have the right to revoke their consent to receive calls and text messages sent from autodialers in any reasonable way at any time. Many courts have concluded that consumers have a right to revoke consent. Some have said that revocation must be in writing. Some have said consent, once given, cannot be taken back. If this proposal passes, all courts likely will hold that consent may be revoked in any reasonable way at any time. This rule will have consequences beyond TCPA exposure. For example, it is likely to increase the cost of credit because creditors and debt collectors will have to employ more people to manually dial debtors who have failed to meet their obligations and utter the words, “Stop calling me!”

  • To prevent “inheriting” consent for unwanted calls from a previous subscriber, callers will be required to stop calling reassigned wireless and wired telephone numbers after a single request. It is not clear from the fact sheet what the individual on the other end of the line must say to notify the caller that they are not the person they seek to reach.

  • The TCPA currently prohibits the use of automatic telephone dialing systems to call wireless phones and to leave prerecorded telemarketing messages on landlines without consent. The current definition of an “automatic telephone dialing system” under the TCPA is “equipment which has the capacity to (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” A 2003 FCC ruling focused on the use of the word “capacity” in the definition and broadly extended the definition to cover autodialers used to dial specific numbers. This ruling has resulted in inconsistent court decisions over whether a dialer must have a present capacity to so dial or whether a future capacity is sufficient for to trigger TCPA coverage. The new proposal appears to attempt to resolve the ambiguity by amending the definition of an “automatic telephone dialing system” to mean “any technology with the capacity to dial random or sequential numbers.” That is not much help. The industry needs an answer on the present versus future capacity issue. As it stands now, a court could conclude that a smartphone is an automatic telephone dialing system. The tone of the fact sheet suggests that this problem is not going to be solved in a way that is favorable to industry.

Existing Provisions Under TCPA

Chairman Wheeler’s proposal also provides for some very limited and specific exceptions for “urgent circumstances,” which may include free calls or text messages to wireless devices that alert consumers of potential fraud or that remind them of urgent medication refills. Consumers will still have an opportunity to opt-out of these types of calls and texts.

  • The new proposal will also leave many of the existing provisions of the TCPA intact:

  • The FTC will continue to administer the National Do-Not-Call Registry to prevent unwanted telemarketing calls

  • Wireless and home phone subscribers can continue to prevent telemarketing robocalls made without prior written consent

  • Autodialed and prerecorded telemarketing and information calls and text messages to mobile phones will still require prior consent

  • Political calls will still be subject to restrictions on prerecorded, artificial voice, and autodialed calls to wireless phones, but will continue to not be subject to the National Do-Not-Call Registry because they do not contain telephone solicitations as defined by FCC regulations

  • Consumers will still have a private right of action for violations of the TCPA along with statutory penalties

Implications

If adopted, the new regulations may significantly restrict the use of autodialing technologies by business. However, the devil will be in the details. Organizations should review the owners’ manual that came with their dialer. What can it actually do? In other words, what is its present and future capacity? Have those answers ready so you can act when the FCC rules. Companies should also have proper processes and systems in place to meet the consumer opt-out requirements of any new regulations. Policies should address steps to take when a called party claims that the number called no longer belongs to your intended recipient.

One thing is certain about these new rules, they will not stop scammers who use spoofed caller IDs and originate calls from outside of the United States and, therefore, outside of the jurisdiction of the FCC and/or FTC. They will just make to harder and more expensive for legitimate businesses to reach their customers.

ARTICLE BY Chanley T. HowellMichael C. Lueder & Steven Millendorf of Foley & Lardner LLP

© 2015 Foley & Lardner LLP

Are Cosmetics Gaining Higher Congressional and FDA Scrutiny?

Currently, FDA regulates cosmetics to ensure they are not adulterated or misbranded, but does not have the authority to order cosmetic recalls or require adverse event reporting.  Senators Dianne Feinstein (D-CA) and Susan Collins (R-ME) seek to change that.

On April 20, 2015, they introduced the Personal Care Products Safety Act (S.1014). The Act, if passed, would modify Chapter VI of the Federal Food, Drug, and Cosmetic Act (FDCA) to strengthen FDA’s oversight of, and regulatory authority over, cosmetic products.

Title I of the Act (“Cosmetic Safety”) gives FDA authority to order cosmetic recalls, as well as require manufacturers to:

  1. Report adverse events,

  2. Label ingredients not appropriate for children,

  3. Post complete label information (including ingredients and product warnings) online, and

  4. Register their facilities with FDA.

In addition to this significant new authority over manufacturers, the Act also requires FDA to work with industry and consumer groups to annually select and review at least 5 ingredients or non-functional constituents.

The first 5 ingredients, if the law is passed, will be:

  1. Diazolidinyl urea

  2. Lead acetate

  3. Methylene glycol/methanediol/formaldehyde

  4. Propyl paraben

  5. Quaternium-15

Title II of the Act (“Fees Related to Cosmetic Safety”) outlines the costs associated with enforcement of the new standards. With an annual implementation cost estimated at $20.6 million, it is to be funded by annual fees from all registered owners or operators of cosmetic facilities engaged in manufacturing or processing in the United States.

The Act has wide industry support, including the Personal Care Products Council (a 600+ member company trade association), large cosmetics manufacturers, and consumer groups.  Since it was introduced, it has gained two co-sponsors, Senators Barbara Boxer (D-CA) and Amy Klobuchar (D-MN).

The Act is consistent with FDA’s current priorities related to cosmetics.  Two of these priorities have been reporting of adverse events (with the majority of issues seen in hair care products), and maintaining a distinct line between over-the-counter drugs and cosmetics, because cosmetics need not currently undergo the additional scrutiny that OTC drugs must.

More information on the Personal Care Products Safety Act can be found in Senator Feinstein’s statement upon its introduction.

ARTICLE BY Michelle Gillette & Katherine Fox of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Maker’s Mark Defeats “Handmade” Class Action Lawsuit

Could consumers have plausibly believed that one of the country’s top-selling bourbon brands is “handmade”?  Not according to one federal district court in Florida, which recently dismissed a class action alleging Maker’s Mark deceived consumers by labeling its whiskey as “handmade.” The decision by U.S. District Judge Robert Hinkle comes on the heels of a California federal court’s decision not to dismiss outright a similar consumer class action involving Tito’s Handmade Vodka.  Compare Salters v. Beam Suntory, Inc., 14-cv-659, Dkt. 31, (N.D. Fla. May 1, 2015) with Hofmann v. Fifth Generation, Inc., 14-cv-2569, Dkt. 15 (S.D. Cal. Mar. 18, 2015)).  These divergent opinions suggest that courts are still puzzling over just how much credence to grant putative class claims based on allegedly deceptive liquor labels at the motion to dismiss stage, particularly under the U.S. Supreme Court’s decision in Bell Atlantic Corp v. Twombly, 550 U.S. 544 (2007).  In Twombly, the Court made clear that plaintiffs must include enough facts in a complaint to make their claim to relief not just conceivable, but plausible—or else face dismissal.

Salters, the Florida case, is part of a wave of recently filed class actions accusing alcoholic beverage producers of violating state consumer protection statutes.  In the typical case, as here, the plaintiffs claim to have purchased the brand in reliance on allegedly deceptive labeling and contend they would not have purchased it or would have paid less otherwise.  The Salters plaintiffs claimed they were damaged because Maker’s Mark sold “their ‘handmade’ Whisky to consumers with the false representation that the Whisky was ‘handmade’ when, in actuality, the Whisky is made via a highly-mechanized process, which is devoid of human hands.”

Judge Hinkle flatly rejected the idea that this could support a claim.  Citing Twombly, he noted that although whether a label is false or misleading is generally a question of fact, a motion to dismiss should be granted if the complaint’s factual allegations do not “render plaintiffs’ entitlement to relief plausible.”  The court observed that taken literally, all bourbon is handmade, because it is not a naturally occurring product; construed less literally, which was apparently the plaintiffs’ approach, “no reasonable consumer could believe” that bourbon could be made by hand, presumably without commercial-scale equipment, “at the volume required for a nationally marketed brand like Maker’s Mark.”  In any event, court found the plaintiffs’ claims implausible under any definition of “handmade,” writing:

In sum, no reasonable person would understand “handmade” in this context to mean literally made by hand.  No reasonable person would understand “handmade” in this context to mean substantial equipment was not used.  If “handmade” means only made from scratch, or in small units, or in a carefully monitored process, then the plaintiffs have alleged no facts plausibly suggesting that statement is untrue.  If “handmade” is understood to mean something else . . . the statement is the kind of puffery that cannot support claims of this kind.

The court appears to have concluded that when applied to a product as popular as Maker’s Mark, the word “handmade” is more an unactionable “general, undefined statement that connotes greater value,” like describing a bourbon as “smooth,” than a factual representation easily capable of being false or misleading.  Though this may pass the common sense test, it is less clear whether other courts will agree.  In the Tito’s case, for instance, the court declined to accept at the motion to dismiss stage an argument similar to the one that persuaded the Maker’s Mark judge, holding that “the representation that vodka that is (allegedly) mass-produced in automated modern stills from commercially manufactured neutral grain spirit is nonetheless “Handmade” in old-fashioned pot stills arguably could mislead a reasonable consumer.”

These cases highlight the need to carefully examine product labeling and advertising claims and consider whether consumers (or plaintiffs’ attorneys) could challenge them as untrue.  This is relatively simple when claims involve factual issues such as where a product is produced, but less so with words like “handmade,” which could arguably qualify as either non-actionable “puffery” or a quantifiable claim.

ARTICLE BY Jennifer Aronoff of McDermott Will & Emery
© 2015 McDermott Will & Emery

Supreme Court to Decide Who Can Sue Under Privacy Law

Does a consumer, as an individual, have standing to sue a consumer reporting agency for a “knowing violation” of the Fair Credit Reporting Act (“FCRA”), even if the individual may not have suffered any “actual damages”?

The question will be decided by the U.S. Supreme Court in Spokeo, Inc. v. Robins, 742 F.3d 409 (9th Cir. 2014), cert. granted, 2015 U.S. LEXIS 2947 (U.S. Apr. 27, 2015) (No. 13-1339). The Court’s decision will have far-reaching implications for suits under the FCRA and other statutes that regulate privacy and consumer credit information.

FCRA

Enacted in 1970, the Fair Credit Reporting Act obligates consumer reporting agencies to maintain procedures to assure the “maximum possible accuracy” of any consumer report it creates. Under the statute, consumer reporting agencies are persons who regularly engage “in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Information about a consumer is considered to be a consumer report when a consumer reporting agency has communicated that information to another party and “is used or expected to be used or collected” for certain purposes, such as extending credit, underwriting insurance, or considering an applicant for employment. The information in a consumer report must relate to a “consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.”

Under the FCRA, consumers may bring a private cause of action for alleged violations of their FCRA rights resulting from a consumer reporting agency’s negligent or willful actions. For a negligent violation, the consumer may recover the actual damages he or she may have sustained. For a “willful” or “knowing” violation, a consumer may recover either actual damages or statutory monetary damages of $100 to $1,000.

Background

Spokeo is a website that aggregates personal data from public records that it sells for many purposes, including employment screening. The information provided on the site may include an individual’s contact information, age, address, income, credit status, ethnicity, religion, photographs, and social media use.

Spokeo, Inc., has the dubious distinction of receiving the first fine ($800,000) from the Federal Trade Commission (“FTC”) for FCRA violations involving the sale of Internet and social media data in the employment screening context. The FTC alleged that the company was a consumer reporting agency and that it failed to comply with the FCRA’s requirements when it marketed consumer information to companies in the human resources, background screening, and recruiting industries.

Conflict in Circuit Courts

In Robins v. Spokeo, Inc., Thomas Robins had alleged several FCRA violations, including the reckless production of false information to potential employers. Robins did not allege he had suffered or was about to suffer any actual or imminent harm resulting from the information that was produced, raising only the possibility of a future injury.

The U.S. Court of Appeals for the Ninth Circuit, based in San Francisco, held that allegations of willful FCRA violations are sufficient to confer Article III standing to sue upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of the statute. In other words, the consumer need not allege any resulting damage caused by a violation; the “knowing violation” of a consumer’s FCRA rights alone, the Ninth Circuit held, injures the consumer. The Ninth Circuit’s holding is consistent with other circuits that have addressed the issue. See e.g., Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 705-07 (6th Cir. 2009). It refused to follow the U.S. Court of Appeals for the Eighth Circuit in finding that one “reasonable reading of the [FCRA] could still require proof of actual damages but simply substitute statutory rather than actual damages for the purpose of calculating the damage award.” Dowell v. Wells Fargo Bank, NA, 517 F.3d 1024, 1026 (8th Cir. 2008).

The constitutional question before the U.S. Supreme Court is the scope of Congress’ authority to confer Article III standing, particularly, whether a violation of consumers’ statutory rights under the FCRA are the type of injury for which Congress may create a private cause of action to redress. In Beaudry, the Sixth Circuit identified two limitations on Congress’ ability to confer standing:

  1. the plaintiff must be “among the injured,” and

  2. the statutory right must protect against harm to an individual rather than a collective.

The defendant companies in Beaudry provided check-verification services. They had failed to account for a change in the numbering system for Tennessee driver’s licenses. This led to reports incorrectly identifying consumers as first-time check-writers.

The Sixth Circuit did not require the plaintiffs in Beaudry to allege the consequential damages resulting from the incorrect information. Instead, it held that the FCRA “does not require a consumer to wait for consequential harm” (such as the denial of credit) before bringing suit under FCRA for failure to implement reasonable procedures in the preparation of consumer reports. The Ninth Circuit endorsed this position, holding that the other standing requirements of causation and redressability are satisfied “[w]hen the injury in fact is the violation of a statutory right that [is] inferred from the existence of a private cause of action.”

Authored by: Jason C. Gavejian and Tyler Philippi of Jackson Lewis P.C.

Jackson Lewis P.C. © 2015

CPSC & DOJ Sue Michaels Stores for Failing to Report Product Safety Hazard and Filing Misleading Information

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

For the first time in recent memory, the Department of Justice (DOJ) and Consumer Product Safety Commission (CPSC) jointly announced the filing of a lawsuit in federal court for the imposition of a civil penalty and injunctive relief for violation of the Consumer Product Safety Act (CPSA). The lawsuit is against arts and crafts retailer Michaels Stores and its subsidiary Michaels Stores Procurement Co. Inc. (collectively, “Michaels” or “the Company”)  for failing to timely report a potential product safety hazard to the CPSC. Unlike other CPSC civil penalty actions involving DOJ, this penalty does not already have a negotiated consent decree in place and it appears that the case could be fully litigated.

The complaint alleges that Michaels knowingly violated the CPSA by failing to timely report to the CPSC that the glass walls of certain vases were too thin to withstand normal handling, thereby posing a laceration hazard to consumers.  According to the complaint, multiple consumers suffered injuries, including nerve damage and hand surgeries, from 2007 to late 2009.

Michaels allegedly did not report the potential defect to the Commission until February 2010.  Of course, we only know one side of the allegations, and Michaels will respond to those allegations in the coming weeks. The Company did state that “it believes the facts will show it acted promptly and appropriately.”

WaterNotably, the complaint also alleges that when Michaels filed an initial report with the CPSC in 2010, it provided “only the limited information required to be furnished by distributors and retailers” under the CPSA.  However, and critically, as the complaint sets forth in more detail, manufacturers—whose definition under the CPSA includes importers of record—are required to provide more information to the Commission than retailers.

According to the government, Michaels’ report conveyed the false impression that the Company did not import the vases, even though the Company was the importer of record and thus was required to submit significantly more information as themanufacturer of the vases.  The lawsuit alleges that Michaels made this misrepresentation in order to avoid the responsibility of undertaking a product recall.

As for the remedy, the government is seeking a civil penalty (in an unidentified amount) and various forms of injunctive relief, including the enactment of a stringent compliance program to ensure future compliance with CPSC reporting obligations.  This requested relief is similar to what the CPSC has required in almost all civil penalty agreements with other companies over the past few years.

What makes this complaint so newsworthy is that the government and Michaels plan to litigate the imposition of a civil penalty.  As noted above, this is not a frequent occurrence because companies tend to settle civil penalty claims rather than litigate. Given how infrequently civil penalties are litigated and the lack of any legal precedent guiding civil penalty negotiations under the heightened $15 million penalty limits, any judgment likely would have a wide-ranging impact on all future civil penalty negotiations between companies and the CPSC.

As we have previously stated, we expect the Commission to remain active in 2015 in bringing enforcement actions against companies for violations of the CPSA and other safety statutes.

We will watch this case closely and update our readers on any noteworthy developments.

ARTICLE BY

Matthew Cohen
Matthew R. Howsare
Charles A. Samuels
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
Consumer Product Matters Blog

CPSC & DOJ Sue Michaels Stores for Failing to Report Product Safety Hazard and Filing Misleading Information

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

For the first time in recent memory, the Department of Justice (DOJ) and Consumer Product Safety Commission (CPSC) jointly announced the filing of a lawsuit in federal court for the imposition of a civil penalty and injunctive relief for violation of the Consumer Product Safety Act (CPSA). The lawsuit is against arts and crafts retailer Michaels Stores and its subsidiary Michaels Stores Procurement Co. Inc. (collectively, “Michaels” or “the Company”)  for failing to timely report a potential product safety hazard to the CPSC. Unlike other CPSC civil penalty actions involving DOJ, this penalty does not already have a negotiated consent decree in place and it appears that the case could be fully litigated.

The complaint alleges that Michaels knowingly violated the CPSA by failing to timely report to the CPSC that the glass walls of certain vases were too thin to withstand normal handling, thereby posing a laceration hazard to consumers.  According to the complaint, multiple consumers suffered injuries, including nerve damage and hand surgeries, from 2007 to late 2009.

Michaels allegedly did not report the potential defect to the Commission until February 2010.  Of course, we only know one side of the allegations, and Michaels will respond to those allegations in the coming weeks. The Company did state that “it believes the facts will show it acted promptly and appropriately.”

WaterNotably, the complaint also alleges that when Michaels filed an initial report with the CPSC in 2010, it provided “only the limited information required to be furnished by distributors and retailers” under the CPSA.  However, and critically, as the complaint sets forth in more detail, manufacturers—whose definition under the CPSA includes importers of record—are required to provide more information to the Commission than retailers.

According to the government, Michaels’ report conveyed the false impression that the Company did not import the vases, even though the Company was the importer of record and thus was required to submit significantly more information as themanufacturer of the vases.  The lawsuit alleges that Michaels made this misrepresentation in order to avoid the responsibility of undertaking a product recall.

As for the remedy, the government is seeking a civil penalty (in an unidentified amount) and various forms of injunctive relief, including the enactment of a stringent compliance program to ensure future compliance with CPSC reporting obligations.  This requested relief is similar to what the CPSC has required in almost all civil penalty agreements with other companies over the past few years.

What makes this complaint so newsworthy is that the government and Michaels plan to litigate the imposition of a civil penalty.  As noted above, this is not a frequent occurrence because companies tend to settle civil penalty claims rather than litigate. Given how infrequently civil penalties are litigated and the lack of any legal precedent guiding civil penalty negotiations under the heightened $15 million penalty limits, any judgment likely would have a wide-ranging impact on all future civil penalty negotiations between companies and the CPSC.

As we have previously stated, we expect the Commission to remain active in 2015 in bringing enforcement actions against companies for violations of the CPSA and other safety statutes.

We will watch this case closely and update our readers on any noteworthy developments.

ARTICLE BY

Matthew Cohen
Matthew R. Howsare
Charles A. Samuels
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
Consumer Product Matters Blog

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United Sates, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).

ARTICLE BY

Michael L. Pillion
A. Benjamin Klaber
Morgan, Lewis & Bockius LLP

California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer.  The last of these amendments has spurned some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.”  It is also unclear what exactly is intended by or who qualifies as “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The standard of whether or not such services would, to some degree, be appropriate will not likely be the primary conversation that this amendment sparks.  The more lively topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services.  The legislative history is not as equally helpful on these questions.  Thus, until the scope of this new requirement becomes more clear, businesses involved in a breach under the statute need to carefully think through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.  To review the amended statute or its legislative history click here.

ARTICLE BY

Brian R. Blackman
OF
Sheppard, Mullin, Richter & Hampton LLP