Supreme Court to Decide Who Can Sue Under Privacy Law

Does a consumer, as an individual, have standing to sue a consumer reporting agency for a “knowing violation” of the Fair Credit Reporting Act (“FCRA”), even if the individual may not have suffered any “actual damages”?

The question will be decided by the U.S. Supreme Court in Spokeo, Inc. v. Robins, 742 F.3d 409 (9th Cir. 2014), cert. granted, 2015 U.S. LEXIS 2947 (U.S. Apr. 27, 2015) (No. 13-1339). The Court’s decision will have far-reaching implications for suits under the FCRA and other statutes that regulate privacy and consumer credit information.

FCRA

Enacted in 1970, the Fair Credit Reporting Act obligates consumer reporting agencies to maintain procedures to assure the “maximum possible accuracy” of any consumer report they create. Under the statute, consumer reporting agencies are persons who regularly engage “in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Information about a consumer is considered to be a consumer report when a consumer reporting agency has communicated that information to another party and it “is used or expected to be used or collected” for certain purposes, such as extending credit, underwriting insurance, or considering an applicant for employment. The information in a consumer report must relate to a “consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.”

Under the FCRA, consumers may bring a private cause of action for alleged violations of their FCRA rights resulting from a consumer reporting agency’s negligent or willful actions. For a negligent violation, the consumer may recover the actual damages he or she may have sustained. For a “willful” or “knowing” violation, a consumer may recover either actual damages or statutory monetary damages of $100 to $1,000.

Background

Spokeo is a website that aggregates personal data from public records that it sells for many purposes, including employment screening. The information provided on the site may include an individual’s contact information, age, address, income, credit status, ethnicity, religion, photographs, and social media use.

Spokeo, Inc., has the dubious distinction of receiving the first fine ($800,000) from the Federal Trade Commission (“FTC”) for FCRA violations involving the sale of Internet and social media data in the employment screening context. The FTC alleged that the company was a consumer reporting agency and that it failed to comply with the FCRA’s requirements when it marketed consumer information to companies in the human resources, background screening, and recruiting industries.

Conflict in Circuit Courts

In Robins v. Spokeo, Inc., Thomas Robins had alleged several FCRA violations, including the reckless production of false information to potential employers. Robins did not allege he had suffered or was about to suffer any actual or imminent harm resulting from the information that was produced, raising only the possibility of a future injury.

The U.S. Court of Appeals for the Ninth Circuit, based in San Francisco, held that allegations of willful FCRA violations are sufficient to confer Article III standing to sue upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of the statute. In other words, the consumer need not allege any resulting damage caused by a violation; the “knowing violation” of a consumer’s FCRA rights alone, the Ninth Circuit held, injures the consumer. The Ninth Circuit’s holding is consistent with other circuits that have addressed the issue. See e.g., Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 705-07 (6th Cir. 2009). It refused to follow the U.S. Court of Appeals for the Eighth Circuit in finding that one “reasonable reading of the [FCRA] could still require proof of actual damages but simply substitute statutory rather than actual damages for the purpose of calculating the damage award.” Dowell v. Wells Fargo Bank, NA, 517 F.3d 1024, 1026 (8th Cir. 2008).

The constitutional question before the U.S. Supreme Court is the scope of Congress’ authority to confer Article III standing, particularly, whether a violation of consumers’ statutory rights under the FCRA is the type of injury for which Congress may create a private cause of action to redress. In Beaudry, the Sixth Circuit identified two limitations on Congress’ ability to confer standing:

  1. the plaintiff must be “among the injured,” and

  2. the statutory right must protect against harm to an individual rather than a collective.

The defendant companies in Beaudry provided check-verification services. They had failed to account for a change in the numbering system for Tennessee driver’s licenses. This led to reports incorrectly identifying consumers as first-time check-writers.

The Sixth Circuit did not require the plaintiffs in Beaudry to allege the consequential damages resulting from the incorrect information. Instead, it held that the FCRA “does not require a consumer to wait for consequential harm” (such as the denial of credit) before bringing suit under FCRA for failure to implement reasonable procedures in the preparation of consumer reports. The Ninth Circuit endorsed this position, holding that the other standing requirements of causation and redressability are satisfied “[w]hen the injury in fact is the violation of a statutory right that [is] inferred from the existence of a private cause of action.”

Authored by: Jason C. Gavejian and Tyler Philippi of Jackson Lewis P.C.

Jackson Lewis P.C. © 2015

CPSC & DOJ Sue Michaels Stores for Failing to Report Product Safety Hazard and Filing Misleading Information

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

For the first time in recent memory, the Department of Justice (DOJ) and Consumer Product Safety Commission (CPSC) jointly announced the filing of a lawsuit in federal court for the imposition of a civil penalty and injunctive relief for violation of the Consumer Product Safety Act (CPSA). The lawsuit is against arts and crafts retailer Michaels Stores and its subsidiary Michaels Stores Procurement Co. Inc. (collectively, “Michaels” or “the Company”)  for failing to timely report a potential product safety hazard to the CPSC. Unlike other CPSC civil penalty actions involving DOJ, this penalty does not already have a negotiated consent decree in place and it appears that the case could be fully litigated.

The complaint alleges that Michaels knowingly violated the CPSA by failing to timely report to the CPSC that the glass walls of certain vases were too thin to withstand normal handling, thereby posing a laceration hazard to consumers.  According to the complaint, multiple consumers suffered injuries, including nerve damage and hand surgeries, from 2007 to late 2009.

Michaels allegedly did not report the potential defect to the Commission until February 2010.  Of course, we only know one side of the allegations, and Michaels will respond to those allegations in the coming weeks. The Company did state that “it believes the facts will show it acted promptly and appropriately.”

Notably, the complaint also alleges that when Michaels filed an initial report with the CPSC in 2010, it provided “only the limited information required to be furnished by distributors and retailers” under the CPSA. However, and critically, as the complaint sets forth in more detail, manufacturers—whose definition under the CPSA includes importers of record—are required to provide more information to the Commission than retailers.

According to the government, Michaels’ report conveyed the false impression that the Company did not import the vases, even though the Company was the importer of record and thus was required to submit significantly more information as the manufacturer of the vases. The lawsuit alleges that Michaels made this misrepresentation in order to avoid the responsibility of undertaking a product recall.

As for the remedy, the government is seeking a civil penalty (in an unidentified amount) and various forms of injunctive relief, including the enactment of a stringent compliance program to ensure future compliance with CPSC reporting obligations.  This requested relief is similar to what the CPSC has required in almost all civil penalty agreements with other companies over the past few years.

What makes this complaint so newsworthy is that the government and Michaels plan to litigate the imposition of a civil penalty.  As noted above, this is not a frequent occurrence because companies tend to settle civil penalty claims rather than litigate. Given how infrequently civil penalties are litigated and the lack of any legal precedent guiding civil penalty negotiations under the heightened $15 million penalty limits, any judgment likely would have a wide-ranging impact on all future civil penalty negotiations between companies and the CPSC.

As we have previously stated, we expect the Commission to remain active in 2015 in bringing enforcement actions against companies for violations of the CPSA and other safety statutes.

We will watch this case closely and update our readers on any noteworthy developments.

ARTICLE BY

Consumer Product Matters Blog

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United States, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).

California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information. AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer. The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.” It is also unclear what exactly is intended by or who qualifies as “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The standard of whether or not such services would, to some degree, be appropriate will not likely be the primary conversation that this amendment sparks. The more lively topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services. The legislative history is not equally helpful on these questions. Thus, until the scope of this new requirement becomes more clear, businesses involved in a breach under the statute need to carefully think through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.

Dodd-Frank Whistleblower Litigation Heating Up

Barnes Thornburg

The past few months have been busy for courts and the SEC dealing with securities whistleblowers. The Supreme Court’s potentially landmark decision in Lawson v. FMR LLC back in March already seems like almost ancient history.  In that decision, the Supreme Court concluded that Sarbanes-Oxley’s whistleblower protection provision (18 U.S.C. §1514A) protected not simply employees of public companies but also employees of private contractors and subcontractors, like law firms, accounting firms, and the like, who worked for public companies. (And according to Justice Sotomayor’s dissent, it might even extend to housekeepers and gardeners of employees of public companies).

Since then, a lot has happened in the world of whistleblowers. Much of the activity has focused on Dodd-Frank’s whistleblower-protection provisions, rather than Sarbanes-Oxley. This may be because Dodd-Frank has greater financial incentives for plaintiffs, or because some courts have concluded that it does not require an employee to report first to an enforcement agency. The following are some interesting developments:

What is a “whistleblower” under Dodd-Frank?

This seemingly straightforward question has generated a number of opinions from courts and the SEC. The Dodd-Frank Act’s whistleblower-protection provision, enacted in 2010, focuses on a potentially different “whistleblower” population than Sarbanes-Oxley does. Sarbanes-Oxley’s provision focuses particularly on whistleblower disclosures regarding certain enumerated activities (securities fraud, bank fraud, mail or wire fraud, or any violation of an SEC rule or regulation), and it protects those who disclose to a person with supervisory authority over the employee, or to the SEC, or to Congress.

On the other hand, Dodd-Frank’s provision (15 U.S.C. §78u-6 or Section 21F) defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission.”  15 U.S.C. §78u-6(a)(6).  It then prohibits, and provides a private cause of action for, adverse employment actions against a whistleblower for acts done by him or her in “provid[ing] information to the Commission,” “initiat[ing], testif[ing] in, or assist[ing] in” any investigation or action of the Commission, or in making disclosures required or protected under Sarbanes-Oxley, the Exchange Act or the Commission’s rules.  15 U.S.C. §78u-6(h)(1). A textual reading of these provisions suggests that a “whistleblower” has to provide information relating to a violation of the securities laws to the SEC.  If the whistleblower does so, an employer cannot discriminate against the whistleblower for engaging in those protected actions.

However, after the passage of Dodd-Frank, the SEC promulgated rules explicating its interpretation of Section 21F. Some of these rules might require providing information to the SEC, but others could be construed more broadly to encompass those who simply report internally or report to some other entity.  Compare Rule 21F-2(a)(1), (b)(1), and (c)(3), 17 C.F.R. §240.21F-2(a)(1), (b)(1), and (c)(3). The SEC’s comments to these rules also said that they apply to “individuals who report to persons or governmental authorities other than the Commission.”

Therefore, one issue beginning to percolate up to the appellate courts is whether Dodd-Frank’s anti-retaliation provisions consider someone who reports alleged misconduct to their employers or other entities, but not the SEC, to be a “whistleblower.” The only circuit court to have squarely addressed the issue (the Fifth Circuit in Asadi v. G.E. Energy (USA) LLC) concluded that Dodd-Frank’s provision only applies to those who actually provide information to the SEC.

In doing so, the Fifth Circuit relied heavily on the “plain language and structure” of the statutory text, concluding that it unambiguously required the employee to provide information to the SEC.  Several district courts, including in Colorado, Florida and the Northern District of California, have concurred with this analysis.

More, however, have concluded that Dodd-Frank is ambiguous on this point and therefore have given Chevron deference to the SEC’s interpretation as set forth in its own regulations. District courts, including in the Southern District of New York, New Jersey, Massachusetts, Tennessee and Connecticut, have adopted this view. The SEC has also weighed in, arguing (in an amicus brief to the Second Circuit) that whistleblowers should be entitled to protection regardless of whether they disclose to their employers or the SEC. The agency said that Asadi was wrongly decided and, under its view, employees that report internally should get the same protections that those who report to the SEC receive. The Second Circuit’s decision in that case (Liu v. Siemens AG) did not address this issue at all.

Finally, last week, the Eighth Circuit also decided not to take on this question. It opted not to hear an interlocutory appeal, in Bussing v. COR Securities Holdings Inc., in which an employee at a securities clearing firm provided information about possible FINRA violations to her employer and to FINRA, rather than the SEC, and was allegedly fired for it. The district court concluded that the fact that she failed to report to the SEC did not exclude her from the whistleblower protections under Dodd-Frank. It reasoned that Congress did not intend, in enacting Dodd-Frank, to encourage employees to circumvent internal reporting channels in order to obtain the protections of Dodd-Frank’s whistleblower protection.  In doing so, however, the district court did not conclude that the statute was ambiguous and rely on the SEC’s interpretation.

A related question is what an employee must report to be a “whistleblower” under Dodd-Frank. Thus far, if a whistleblower reports something other than a violation of the securities laws, that is not protected. So, for example, an alleged TILA violation or an alleged violation of certain banking laws has been found to be not protected.

These issues will take time to shake out. While more courts thus far have adopted, or ruled consistently with, the SEC’s interpretation, as the Florida district court stated, “[t]he fact that numerous courts have interpreted the same statutory language differently does not render the statute ambiguous.”

Does Dodd-Frank’s whistleblower protection apply extraterritorially?

In August, the Second Circuit decided Liu. Rather than focus on who can be a whistleblower, the Court concluded that Dodd-Frank’s whistleblower-protection provisions do not apply to conduct occurring exclusively extraterritorially. In Liu, a former Siemens employee alleged that he was terminated for reporting alleged violations of the FCPA at a Siemens subsidiary in China.  The Second Circuit relied extensively on the Supreme Court’s Morrison v. Nat’l Aust. Bank case in reaching its decision. In Morrison, the Court reaffirmed the presumption that federal statutes do not apply extraterritorially absent clear direction from Congress.

The Second Circuit in Liu, despite Liu’s argument that other Dodd-Frank provisions applied extraterritorially and SEC regulations interpreting the whistleblower provisions at least suggested that the bounty provisions applied extraterritorially, disagreed. The court concluded that it need not defer to the SEC’s interpretation of who can be a whistleblower because it believed that Section 21F was not ambiguous. It also concluded that the anti-retaliation provisions would be more burdensome if applied outside the country than the bounty provisions, so it did not feel the need to construe the two different aspects of the whistleblower provisions identically. And finally, the SEC, in its amicus brief, did not address either the extraterritorial reach of the provisions or Morrison, so the Second Circuit apparently felt no need to defer to the agency’s view on extraterritoriality.

Liu involved facts that occurred entirely extraterritorially. He was a foreign worker employed abroad by a foreign corporation, where the alleged wrongdoing, the alleged disclosures, and the alleged discrimination all occurred abroad. Whether adding some domestic connection changes this result remains for future courts to consider.

The SEC’s Use Of The Anti-Retaliation Provision In An Enforcement Action

In June, the SEC filed, and settled, its first Dodd-Frank anti-retaliation enforcement action. The Commission filed an action against Paradigm Capital Management, Inc., and its principal Candace Weir, asserting that they retaliated against a Paradigm employee who reported certain principal transactions, prohibited under the Investment Advisers Act, to the SEC. Notably, that alleged retaliation did not include terminating the whistleblower’s employment or diminishing his compensation; it did, however, include removing him as the firm’s head trader, reconfiguring his job responsibilities and stripping him of supervisory responsibility. Without admitting or denying the SEC’s allegations, both respondents agreed to cease and desist from committing any future Exchange Act violations, retain an independent compliance consultant, and pay $2.2 million in fines and penalties.  This matter marks the first time the Commission has asserted Dodd-Frank’s whistleblower provisions in an enforcement action, rather than a private party doing so in civil litigation.

The SEC Announces Several Interesting Dodd-Frank Bounties

Under Dodd-Frank, whistleblowers who provide the SEC with “high-quality,” “original” information that leads to an enforcement action netting over $1 million in sanctions can receive an award of 10-30 percent of the amount collected. The SEC recently awarded bounties to whistleblowers in circumstances suggesting the agency wants to encourage a broad range of whistleblowers with credible, inside information.

In July, the agency awarded more than $400,000 to a whistleblower who appears not to have provided his information to the SEC voluntarily.  Instead, the whistleblower had attempted to encourage his employer to correct various compliance issues internally. Those efforts apparently resulted in a third-party apprising an SRO of the employer’s issues and the whistleblower’s efforts to correct them. The SEC’s subsequent follow-up on the SRO’s inquiry resulted in the enforcement action. Even though the “whistleblower” did not initiate communication with the SEC about these compliance issues, for his efforts, the agency nonetheless awarded him a bounty.

Then, just recently, the SEC announced its first whistleblower award to a company employee who performed audit and compliance functions. The agency awarded the compliance staffer more than $300,000 after the employee first reported wrongdoing internally, and then, when the company failed to take remedial action after 120 days, reported the activity to the SEC. Compliance personnel, unlike most employees, generally have a waiting period before they can report out, unless they have a reasonable basis to believe investors or the company have a substantial risk of harm.

With a statute as sprawling as Dodd-Frank, and potentially significant bounty awards at stake, opinions interpreting Dodd-Frank’s whistleblower provisions are bound to proliferate. Check back soon for further developments.

 

European Commission Discusses Big Data

Morgan Lewis

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or “big data”) and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

To address these issues, the Commission proposed the following:

  • A public-private partnership to fund big data initiatives
  • An open big data incubator program
  • New rules on data ownership and liability for data provision
  • Mapping of data standards
  • A series of educational programs to increase the number of skilled data workers
  • A network of data processing facilities in different member states

The Commission stated that, in order to help EU citizens and businesses more quickly reap the full potential of data, it will work with the European Parliament and the European Council to successfully complete the reform of the EU’s data protection rules. The Commission will also work toward the final adoption of the directive on network and information security to ensure the high level of trust that is fundamental for a thriving data-driven economy.


 

Price Comparison Advertising – Massachusetts Law

GT Law

Retailers doing business in Massachusetts should ensure that their price comparison advertising complies with Massachusetts law, particularly 940 C.M.R. § 6.05 (Section 6.05). Otherwise, they may face a civil enforcement action by the Massachusetts Office of the Attorney General (MA AGO), a putative class action brought by a consumer under the Massachusetts Consumer Protection Act – Chapter 93A, or even a civil action brought by a competitor alleging unfair and deceptive trade practices.

What is price comparison advertising?

As defined in Section 6.05, price comparison advertising “is a form of advertising used in the sale of products whereby current prices are compared with the seller’s former or future prices, the prices of other sellers, or other stated values to demonstrate price reductions or cost savings.” According to the regulation, which was promulgated by the MA AGO, (1) “price comparisons based on false, arbitrary or inflated prices or values deceive or mislead the public” and (2) “[a]buse also occurs when sellers fail to disclose material information which is important to enable consumers to understand the price comparison.” To protect against this alleged deception and abuse, Section 6.05 regulates price comparison advertising.

Which practices does Section 6.05 deem unfair or deceptive?

Section 6.05 is divided into various sections (as more fully described below) that provide retailers with guidance concerning what the MA AGO deems to be unlawful. Violations of Section 6.05 may be enforced by the MA AGO in a civil enforcement action as well as by consumers, who may seek to assert claims individually and on behalf of all those “similarly situated” under Chapter 93A.  Massachusetts law even supports civil actions brought by competitors harmed by unlawful advertising practices.

Specifically, Section 6.05 provides that the following are unfair or deceptive acts:

  • Unidentified Price Comparisons. Sellers cannot state or imply that they are offering any product savings by making a direct or indirect price comparison, unless they “clearly and conspicuously”1 describe the basis for the comparison; provided, however, that sellers may claim a savings or make such a comparison (without disclosing the basis) if they are making a comparison to their own “former price” (as determined by Section 6.05(3)).
  • Comparison to Seller’s Own Former Prices. Sellers cannot compare their current price with their own former price for any product, unless such former price is a “bona fide, actual price” that they had offered “openly and in good faith for a reasonably substantial period of time in the recent past” to the public.2
  • Introductory Offers and Future Price Comparisons. Sellers cannot make an introductory offer or compare their current product price with a future product price unless (i) the future price takes effect immediately after the sale and not later than 60 calendar days after “the dissemination date of the introductory offer or price comparison” and (ii) following the effective date of the future price, the product is offered “openly and in good faith” at that price for a period at least equal to the period of time offered at the introductory price, but not less than 14 days (except for certain circumstances).3
  • Use of “Sale” Terminology. Sellers cannot use the words “priced for sale,” “on sale,” “sale,” “selling out,” “clearance,” “reduced,” “liquidation,” “must sell,” “must be sacrificed,” “now only $X,” or other terms which state or imply a price savings unless certain specific factors listed in Section 6.05 are met.4
  • Use of “List Price” or Similar Comparisons. Sellers cannot compare their current product price with a “list price,” “manufacturer’s suggested retail price” or similar term, unless the list or manufacturer’s suggested retail price is the price charged for the advertised product by a reasonable number of sellers in the seller’s trade area as of a particular “measurement date” determined by Section 6.05.5
  • Comparison to Other Seller’s Price for Identical Product. Sellers cannot compare their price with another seller’s price for an identical product, unless the stated higher comparative price is at or below the price at which the identical product is being offered in the seller’s trade area as of the “measurement date” or other specifically identified period under certain circumstances.6
  • Comparison to Seller’s Own or Other Seller’s Price for Comparable Product. Sellers cannot compare their price with their own price or another seller’s price for a comparable product unless the comparable product is being offered for sale as of the “measurement date,” or other specifically identified period, at the stated higher comparative price, unless certain factors are met.7
  • Price Comparisons on Price Tickets or Labels. Sellers cannot imprint or attach any ticket or label to a product that contains a fictitious or inflated price which is capable of being used by sellers as a basis for offering fictitious price reductions.8
  • Range of Savings or Price Reduction Claims. Sellers cannot state or imply that any products are being offered for sale at a range of prices or at a range of percentage or fractional discounts unless various factors are met.9
  • Use of Terms “Wholesale” or “At Cost.” Sellers cannot state or imply that any product is being offered at or near a “wholesale” price or “at cost” (or words of similar meaning) unless the price is, in fact, either at or below the price paid by the seller at wholesale, or, in the case of a service, the seller’s cost for the service excluding overhead and profit.
  • Use of Terms “Two for the Price of One” or “Buy One – Get One Free.” Sellers cannot state or imply that products are being offered at the usual price of a smaller number of the same or a different product unless (i) they clearly and conspicuously disclose all material sale conditions being imposed; (ii) the price advertised as the usual price for the smaller number of products is their own “former price”; and (iii) the products are of substantially the same quality, grade, material and craftsmanship as the seller offered prior to the advertisement.
  • Use of Term “If Purchased Separately.”  Sellers cannot make any price comparison based on the difference between the price of a system, set or group of products and the price of the products “if purchased separately” (or words of similar meaning) unless: (i) a reasonable number of sellers in the trade area are currently offering the products as separate items at or above the stated separate purchase price as of the “measurement date”; or (ii) they have actually sold or offered the products for sale as separate items at the stated separate purchase price.
  • Prices for Parts or Units of Sets or Systems. Sellers cannot advertise a price for any product that normally sells as part of a pair, system, or set without clearly and conspicuously disclosing that the price stated is the price per item or unit only, and not the price for the pair, system or set.
  • Gifts. Sellers cannot state or imply that any product is being offered for free or at a reduced price (“a gift”) in conjunction with the purchase of another product unless various factors are met.10
  • Use of Disclaimers. Sellers cannot use a price comparison that is prohibited even if the advertisement contains disclaimers or explanatory language.

Are there any other requirements11 that sellers should consider when assessing their price comparison advertising?

  • Record Keeping Requirements. Sellers must maintain records for a period of six months after the last dissemination of subject advertisements and provide those records to the MA AGO, upon request, to substantiate the propriety of such advertisements.12
  • Deceptive Pricing Generally, Examples, and Loss Leaders. Although not contained within Section 6.05 itself, the MA AGO has adopted a more general regulation dealing with “Deceptive Pricing” set forth in 940 C.M.R. § 3.13(2).13  This subsection describes generally what the MA AGO deems deceptive and provides some examples. In addition, related § 3.13(3) prohibits sellers from selling or offering for sale so-called “loss leaders” to induce a buyer to make a purchase of a product sold only in combination with other merchandise on which the seller recovers such loss.
1 “Clearly and conspicuously” means that “the material representation being disclosed is of such size, color, contrast or audibility and is so presented as to be readily noticed and understood by a reasonable person to whom it is being disclosed.” Section 6.01 provides guidelines for determining if disclosures are proper. 

2 Section 6.05(3) lists various factors that are considered when determining whether a “former price” is a “bona fide, actual price.” Section 6.05(4) provides certain safe harbors for comparison prices.  A complete list of factors and a description of the safe harbors are contained in 940 C.M.R. §§ 6.05(3)(a) and 6.05(4), which are available at  http://www.mass.gov/ago/government-resources/ags-regulations/940-cmr-600.html  (MA AGO’s Website). 

3 These circumstances and exceptions for certain offers limited to certain consumers who are deemed “first time purchasers” as defined in the regulation are contained in 940 C.M.R. § 6.05(5), which is available at  the MA AGO’s Website. Also, Section 6.05(5) contains separate requirements for health clubs. 

4 These factors are contained in 940 C.M.R. § 6.05(6), which is available at the MA AGO’s Website. 

5 Section 6.05(7) contains separate requirements for manufacturers or franchisors. Also, the “measurement date” is defined in Section 6.01. 

6 These requirements are contained in 940 C.M.R. § 6.05(8), which is available at the MA AGO’s Website. 

7 These factors are contained in 940 C.M.R. § 6.05(9), which is available at the MA AGO’s Website. 

8 There are certain exceptions for prices that are pre-ticketed by manufacturers or other sellers, as contained in 940 C.M.R. § 6.05(10), which is available at the MA AGO’s Website. 

9 These factors are contained in 940 C.M.R. § 6.05(11), which is available at the MA AGO’s Website. 

10 These factors are contained in 940 C.M.R. § 6.05(16), which is available at the MA AGO’s Website. 

11 This advisory does not contain an all-inclusive list of the MA AGO’s advertising regulations and requirements. Sellers, among other things, should be aware of additional requirements set forth in 940 C.M.R. § 3.00 (General Regulations) and 940 C.M.R. § 6.00 (Retail Advertising). 

12 940 C.M.R. § 6.14 contains specific and detailed record retention requirements for price comparison advertising, which is available at the MA AGO’s Website. 

13 This more general regulation is available at http://www.mass.gov/ago/government-resources/ags-regulations/940-cmr-3-00/940-cmr-300.html. 

HEARTBLEED: A Lawyer’s Perspective on the Biggest Programming Error in History

Jackson Lewis

By now you have probably heard about Heartbleed, which is the biggest security threat to the Internet that we have ever seen. The bottom line of Heartbleed is that for the past two years most web sites claiming to be secure, shown by the HTTPS address (the S added to the end of the usual HTTP address was intended to indicate a web secured by encryption), have not been secure at all. Information on those webs could easily have been bled out by any semi-skilled hacker who discovered the defect. That includes your user names and passwords, maybe even your credit card and bank account information.

For this reason every security expert that I follow, or have talked to about this threat, advises everyone to change ALL of their online passwords. No one knows who might have acquired this information in the past two years. Unfortunately, the nature of this software defect made it possible to steal data in an untraceable manner. Although most web sites have upgraded their software by now, they were exposed for two years. The only safe thing to do is assume your personal information has been compromised.

Change All of Your Passwords

After you go out and change all of your passwords – YES – DO IT NOW – please come back and I will share some information on Heartbleed that you may not find anywhere else. I will share a quick overview of a lawyer’s perspective on a disaster like this and what I think we should do about it.

Rules of the Internet

One of the things e-discovery lawyers like me are very interested in, and concerned about, is data security. Heartbleed is the biggest threat anyone has ever seen to our collective online security, so I have made a point of trying to learn everything I could about it. My research is ongoing, but I have already published one detailed report on my personal blog. I have also been pondering policy changes, and changes in the laws governing the Internet that should be made to avoid this kind of breach in the future.

I have been thinking about laws and the Internet since the early 1990s. As I said then, the Internet is not a no-man’s-land of irresponsibility. It has laws and is subject to laws, not only laws of countries, but of multiple independent non-profit groups such as ICANN. I first pointed this out as a young lawyer in my 1996 book for MacMillan, Your Cyber Rights and Responsibilities: The Law of the Internet, Chapter 3 of Que’s Special Edition Using the Internet. Anyone who commits crimes on the Internet must and will be prosecuted, no matter where their bodies are located. The same goes for negligent actors, be they human, corporate, or robot. I fully expect that several lawsuits will be filed as a result of Heartbleed. Time will tell if any of them succeed. Many of the facts are still unknown.

One Small Group Is to Blame for Heartbleed

The surprising thing I learned in researching Heartbleed is that this huge data breach was caused by a small mistake in software programming by a small unincorporated association called OpenSSL. This is the group that maintains the open source that two-thirds of the Internet relies upon for encryption, in other words, to secure web sites from data breach. It is free software and the people who write the code are unpaid volunteers.

According to the Washington Post, OpenSSL’s headquarters — to the extent one exists at all — is the home of the group’s only employee, a part-timer at that, located on Sugarloaf Mountain, Maryland. He lives and works amid racks of servers and an industrial-grade Internet connection. Craig Timberg, Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass (Washington Post, 4/9/14).

The mistake that caused Heartbleed was made by a lone math student in Münster, Germany. He submitted an add-on to the code that was supposed to correct prior mistakes he had found. His add-on contained what he later described as a trivial error. Trivial or not, this is the biggest software coding error of all time based upon impact. What makes the whole thing suspicious is that he made this submission at one minute before midnight on New Year’s Eve 2011.

Once the code was received by OpenSSL, it was reviewed by it before it was added onto the next version of the software. Here is where we learn another surprising fact: it was only reviewed by one person, and he again missed the simple error. Then the revised code with the hidden defect was released onto an unsuspecting world. No one detected it until March 2014 when paid Google security employees finally noticed the blunder. So much for the basic crowd sourcing rationale behind the open source software movement.

Conclusion

Placing the reliance of the security of the Internet on only one open source group, OpenSSL, a group with only four core members, is too high a risk in today’s world. It may have made sense back in the early nineties when an open Internet first started, but not now. Heartbleed proves this. This is why I have called upon leaders of the Internet, including open source advocates, privacy experts, academics, governments, political leaders and lawyers to meet to consider various solutions to tighten the security of the Internet. We cannot continue business as usual when it comes to Internet data security.


California Proposes Enhanced Prop. 65 Warnings and Possible Online Disclosures – Dietary Supplements and Foods Specially Targeted

GT Law

The California Office of Environmental Health Hazard Assessment (OEHHA) announced on March 7, 2014, that it is considering implementation of the most significant changes to Prop. 65 regulations in more than two decades. OEHHA has posted the draft regulation and Initial Statement of Reasons on its website.

Passed by voters in 1986, Prop. 65 requires warnings prior to exposures to chemicals listed by OEHHA as “known to the State” to cause cancer or reproductive harm.  The law, which carries the potential penalty of $2,500 for each violation, may be and routinely is enforced by entrepreneurial private plaintiffs who are permitted to bring legal actions against alleged violators with minimal evidence.  OEHHA’s proposed regulations will affect almost every industry subject to Prop. 65 and nearly every aspect of compliance.  In all but a few cases, OEHHA’s changes have the capacity to make compliance with Prop. 65 costlier, riskier, and more disruptive to companies doing business in California.

Four Important Provisions Affecting Food and Dietary Supplements

In its far-reaching proposal, OEHHA aims a number of significant changes directly at food and dietary supplement manufacturers, distributors, and retailers.  Four specific proposals stand out as impactful for the industry:

  1. Chemical Identification: Under OEHHA’s proposal, warning labels would have to specifically identify the chemical in question if it is on a proposed list of 12 “common” substances.  One substance on OEHHA’s list, lead, is sometimes naturally occurring in the ingredients used to produce dietary supplements and has been the source of considerable litigation and expense for the industry.  In OEHHA’s draft regulation, products requiring a warning for lead would have to “conspicuously” state its presence in the product.
  2. Display Requirements: For foods not already subject to a consent judgment, the “safe-harbor” warning language must also be enhanced with specific information about the chemical in question, specific text sizing, and the phrase “Cancer [and/or] Reproductive Hazard.” Even where a food supplier has data showing that the chemical poses no actual health threat, a private plaintiff may still litigate knowing that the costly burden of showing no significant risk is borne by defendants.  Unless modified or declared preempted by federal law, OEHHA’s regulation would virtually ensure that this language will be required for food and supplement packaging in California.
  3. Online Reporting: OEHHA would also mandate reporting of exposure data to the agency for its website if a new Prop. 65 warning does not contain 10 details specified by OEHHA.  The details include, among others, the name of the chemical at issue, anticipated exposure routes, exposure levels, and options for minimizing exposure.  Businesses that fail to provide the required detail, no matter how misleading it might be to the consumer, must disclose the additional information to OEHHA and will likely see such data published online.
  4. More Litigation: Despite statements from the agency to the contrary, OEHHA’s complex rules would encourage even more litigation from an already active community of plaintiffs.  OEHHA’s draft litigation reform, a “cure” or fix-it period for retailers with fewer than 25 employees, would do little to stem the current tide of lawsuits, the vast majority of which are ultimately directed at and defended by suppliers.  Additionally, by replacing the generic safe-harbor warning with specific requirements, a regulatory safe-harbor warning would no longer provide a safe harbor from liability or deter plaintiffs from alleging violations for exposures to unspecified or newly listed chemicals.

What You Can Do

Businesses which stand to be affected by OEHHA’s plans, including those operated out of state, have an opportunity to voice their concerns to the agency.

OEHHA will hold a public workshop on April 14, 2014 to discuss the proposed regulations.  In addition, OEHHA is accepting written comments from the public until May 14, 2014.  Unless OEHHA is convinced to delay or withdraw its plans, formal regulations will likely be proposed in the summer of 2014.

Because OEHHA’s proposals are currently in the preliminary stages, interested parties have a time-critical opportunity to engage the agency and encourage it to address specific concerns. Companies that manufacture, distribute, or retail dietary supplements in California should consider retaining experienced counsel to analyze the impact of the proposals on their business and to participate in the public comment period on their behalf. Given the potentially far-reaching consequences of the proposed changes on the individual companies and the industry at large, interested parties should be diligent in bringing their concerns to OEHHA as early and as persuasively as possible.
