California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information. AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that, if the person or business providing notification of a breach under the statute was the source of the breach, the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months, along with any information necessary to take advantage of the offer. The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services, given its use of the phrase “if any.” It is also unclear what exactly is intended by, or who qualifies as, “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The standard of whether or not such services would, to some degree, be appropriate is not likely to be the primary conversation that this amendment sparks. The livelier topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services. The legislative history is not equally helpful on these questions. Thus, until the scope of this new requirement becomes clearer, businesses involved in a breach under the statute need to think carefully through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.

Dodd-Frank Whistleblower Litigation Heating Up

Barnes Thornburg

The past few months have been busy for courts and the SEC dealing with securities whistleblowers. The Supreme Court’s potentially landmark decision in Lawson v. FMR LLC back in March already seems like almost ancient history.  In that decision, the Supreme Court concluded that Sarbanes-Oxley’s whistleblower protection provision (18 U.S.C. §1514A) protected not simply employees of public companies but also employees of private contractors and subcontractors, like law firms, accounting firms, and the like, who worked for public companies. (And according to Justice Sotomayor’s dissent, it might even extend to housekeepers and gardeners of employees of public companies).

Since then, a lot has happened in the world of whistleblowers. Much of the activity has focused on Dodd-Frank’s whistleblower-protection provisions, rather than Sarbanes-Oxley. This may be because Dodd-Frank has greater financial incentives for plaintiffs, or because some courts have concluded that it does not require an employee to report first to an enforcement agency. The following are some interesting developments:

What is a “whistleblower” under Dodd-Frank?

This seemingly straightforward question has generated a number of opinions from courts and the SEC. The Dodd-Frank Act’s whistleblower-protection provision, enacted in 2010, focuses on a potentially different “whistleblower” population than Sarbanes-Oxley does. Sarbanes-Oxley’s provision focuses particularly on whistleblower disclosures regarding certain enumerated activities (securities fraud, bank fraud, mail or wire fraud, or any violation of an SEC rule or regulation), and it protects those who disclose to a person with supervisory authority over the employee, or to the SEC, or to Congress.

On the other hand, Dodd-Frank’s provision (15 U.S.C. §78u-6 or Section 21F) defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission.” 15 U.S.C. §78u-6(a)(6). It then prohibits, and provides a private cause of action for, adverse employment actions against a whistleblower for acts done by him or her in “provid[ing] information to the Commission,” “initiat[ing], testif[ying] in, or assist[ing] in” any investigation or action of the Commission, or in making disclosures required or protected under Sarbanes-Oxley, the Exchange Act or the Commission’s rules. 15 U.S.C. §78u-6(h)(1). A textual reading of these provisions suggests that a “whistleblower” has to provide information relating to a violation of the securities laws to the SEC. If the whistleblower does so, an employer cannot discriminate against the whistleblower for engaging in those protected actions.

However, after the passage of Dodd-Frank, the SEC promulgated rules explicating its interpretation of Section 21F. Some of these rules might require providing information to the SEC, but others could be construed more broadly to encompass those who simply report internally or report to some other entity.  Compare Rule 21F-2(a)(1), (b)(1), and (c)(3), 17 C.F.R. §240.21F-2(a)(1), (b)(1), and (c)(3). The SEC’s comments to these rules also said that they apply to “individuals who report to persons or governmental authorities other than the Commission.”

Therefore, one issue beginning to percolate up to the appellate courts is whether Dodd-Frank’s anti-retaliation provisions consider someone who reports alleged misconduct to their employers or other entities, but not the SEC, to be a “whistleblower.” The only circuit court to have squarely addressed the issue (the Fifth Circuit in Asadi v. G.E. Energy (USA) LLC) concluded that Dodd-Frank’s provision only applies to those who actually provide information to the SEC.

In doing so, the Fifth Circuit relied heavily on the “plain language and structure” of the statutory text, concluding that it unambiguously required the employee to provide information to the SEC.  Several district courts, including in Colorado, Florida and the Northern District of California, have concurred with this analysis.

More, however, have concluded that Dodd-Frank is ambiguous on this point and therefore have given Chevron deference to the SEC’s interpretation as set forth in its own regulations. District courts, including in the Southern District of New York, New Jersey, Massachusetts, Tennessee and Connecticut, have adopted this view. The SEC has also weighed in, arguing (in an amicus brief to the Second Circuit) that whistleblowers should be entitled to protection regardless of whether they disclose to their employers or the SEC. The agency said that Asadi was wrongly decided and, under its view, employees who report internally should get the same protections that those who report to the SEC receive. The Second Circuit’s decision in that case (Liu v. Siemens AG) did not address this issue at all.

Finally, last week, the Eighth Circuit also decided not to take on this question. It opted not to hear an interlocutory appeal, in Bussing v. COR Securities Holdings Inc., in which an employee at a securities clearing firm provided information about possible FINRA violations to her employer and to FINRA, rather than the SEC, and was allegedly fired for it. The district court concluded that the fact that she failed to report to the SEC did not exclude her from the whistleblower protections under Dodd-Frank. It reasoned that Congress did not intend, in enacting Dodd-Frank, to encourage employees to circumvent internal reporting channels in order to obtain the protections of Dodd-Frank’s whistleblower provision. In doing so, however, the district court did not conclude that the statute was ambiguous and rely on the SEC’s interpretation.

A related question is what an employee must report to be a “whistleblower” under Dodd-Frank. Thus far, if a whistleblower reports something other than a violation of the securities laws, that report is not protected. So, for example, an alleged TILA violation or an alleged violation of certain banking laws has been found not to be protected.

These issues will take time to shake out. While more courts thus far have adopted, or ruled consistently with, the SEC’s interpretation, as the Florida district court stated, “[t]he fact that numerous courts have interpreted the same statutory language differently does not render the statute ambiguous.”

Does Dodd-Frank’s whistleblower protection apply extraterritorially?

In August, the Second Circuit decided Liu. Rather than focus on who can be a whistleblower, the Court concluded that Dodd-Frank’s whistleblower-protection provisions do not apply to conduct occurring exclusively extraterritorially. In Liu, a former Siemens employee alleged that he was terminated for reporting alleged violations of the FCPA at a Siemens subsidiary in China.  The Second Circuit relied extensively on the Supreme Court’s Morrison v. Nat’l Aust. Bank case in reaching its decision. In Morrison, the Court reaffirmed the presumption that federal statutes do not apply extraterritorially absent clear direction from Congress.

The Second Circuit in Liu disagreed, despite Liu’s argument that other Dodd-Frank provisions applied extraterritorially and that SEC regulations interpreting the whistleblower provisions at least suggested that the bounty provisions applied extraterritorially. The court concluded that it need not defer to the SEC’s interpretation of who can be a whistleblower because it believed that Section 21F was not ambiguous. It also concluded that the anti-retaliation provisions would be more burdensome if applied outside the country than the bounty provisions, so it did not feel the need to construe the two different aspects of the whistleblower provisions identically. And finally, the SEC, in its amicus brief, did not address either the extraterritorial reach of the provisions or Morrison, so the Second Circuit apparently felt no need to defer to the agency’s view on extraterritoriality.

Liu involved facts that occurred entirely extraterritorially. He was a foreign worker employed abroad by a foreign corporation, where the alleged wrongdoing, the alleged disclosures, and the alleged discrimination all occurred abroad. Whether adding some domestic connection changes this result remains for future courts to consider.

The SEC’s Use Of The Anti-Retaliation Provision In An Enforcement Action

In June, the SEC filed, and settled, its first Dodd-Frank anti-retaliation enforcement action. The Commission filed an action against Paradigm Capital Management, Inc., and its principal Candace Weir, asserting that they retaliated against a Paradigm employee who reported certain principal transactions, prohibited under the Investment Advisers Act, to the SEC. Notably, that alleged retaliation did not include terminating the whistleblower’s employment or diminishing his compensation; it did, however, include removing him as the firm’s head trader, reconfiguring his job responsibilities and stripping him of supervisory responsibility. Without admitting or denying the SEC’s allegations, both respondents agreed to cease and desist from committing any future Exchange Act violations, retain an independent compliance consultant, and pay $2.2 million in fines and penalties.  This matter marks the first time the Commission has asserted Dodd-Frank’s whistleblower provisions in an enforcement action, rather than a private party doing so in civil litigation.

The SEC Announces Several Interesting Dodd-Frank Bounties

Under Dodd-Frank, whistleblowers who provide the SEC with “high-quality,” “original” information that leads to an enforcement action netting over $1 million in sanctions can receive an award of 10-30 percent of the amount collected. The SEC recently awarded bounties to whistleblowers in circumstances suggesting the agency wants to encourage a broad range of whistleblowers with credible, inside information.

In July, the agency awarded more than $400,000 to a whistleblower who appears not to have provided his information to the SEC voluntarily. Instead, the whistleblower had attempted to encourage his employer to correct various compliance issues internally. Those efforts apparently resulted in a third party apprising an SRO of the employer’s issues and the whistleblower’s efforts to correct them. The SEC’s subsequent follow-up on the SRO’s inquiry resulted in the enforcement action. Even though the “whistleblower” did not initiate communication with the SEC about these compliance issues, the agency nonetheless awarded him a bounty for his efforts.

Then, just recently, the SEC announced its first whistleblower award to a company employee who performed audit and compliance functions. The agency awarded the compliance staffer more than $300,000 after the employee first reported wrongdoing internally, and then, when the company failed to take remedial action after 120 days, reported the activity to the SEC. Compliance personnel, unlike most employees, generally have a waiting period before they can report out, unless they have a reasonable basis to believe investors or the company have a substantial risk of harm.

With a statute as sprawling as Dodd-Frank, and potentially significant bounty awards at stake, opinions interpreting Dodd-Frank’s whistleblower provisions are bound to proliferate. Check back soon for further developments.

European Commission Discusses Big Data

Morgan Lewis

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or “big data”) and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

To address these issues, the Commission proposed the following:

  • A public-private partnership to fund big data initiatives
  • An open big data incubator program
  • New rules on data ownership and liability for data provision
  • Mapping of data standards
  • A series of educational programs to increase the number of skilled data workers
  • A network of data processing facilities in different member states

The Commission stated that, in order to help EU citizens and businesses more quickly reap the full potential of data, it will work with the European Parliament and the European Council to successfully complete the reform of the EU’s data protection rules. The Commission will also work toward the final adoption of the directive on network and information security to ensure the high level of trust that is fundamental for a thriving data-driven economy.

Price Comparison Advertising – Massachusetts Law

GT Law

Retailers doing business in Massachusetts should ensure that their price comparison advertising complies with Massachusetts law, particularly 940 C.M.R. § 6.05 (Section 6.05). Otherwise, they may face a civil enforcement action by the Massachusetts Office of the Attorney General (MA AGO), a putative class action brought by a consumer under the Massachusetts Consumer Protection Act – Chapter 93A, or even a civil action brought by a competitor alleging unfair and deceptive trade practices.

What is price comparison advertising?

As defined in Section 6.05, price comparison advertising “is a form of advertising used in the sale of products whereby current prices are compared with the seller’s former or future prices, the prices of other sellers, or other stated values to demonstrate price reductions or cost savings.” According to the regulation, which was promulgated by the MA AGO, (1) “price comparisons based on false, arbitrary or inflated prices or values deceive or mislead the public” and (2) “[a]buse also occurs when sellers fail to disclose material information which is important to enable consumers to understand the price comparison.” To protect against this alleged deception and abuse, Section 6.05 regulates price comparison advertising.

Which practices does Section 6.05 deem unfair or deceptive?

Section 6.05 is divided into various sections (as more fully described below) that provide retailers with guidance concerning what the MA AGO deems to be unlawful. Violations of Section 6.05 may be enforced by the MA AGO in a civil enforcement action as well as by consumers, who may seek to assert claims individually and on behalf of all those “similarly situated” under Chapter 93A.  Massachusetts law even supports civil actions brought by competitors harmed by unlawful advertising practices.

Specifically, Section 6.05 provides that the following are unfair or deceptive acts:

  • Unidentified Price Comparisons. Sellers cannot state or imply that they are offering any product savings by making a direct or indirect price comparison, unless they “clearly and conspicuously”1 describe the basis for the comparison; provided, however, that sellers may claim a savings or make such a comparison (without disclosing the basis) if they are making a comparison to their own “former price” (as determined by Section 6.05(3)).
  • Comparison to Seller’s Own Former Prices. Sellers cannot compare their current price with their own former price for any product, unless such former price is a “bona fide, actual price” that they had offered “openly and in good faith for a reasonably substantial period of time in the recent past” to the public.2
  • Introductory Offers and Future Price Comparisons. Sellers cannot make an introductory offer or compare their current product price with a future product price unless (i) the future price takes effect immediately after the sale and not later than 60 calendar days after “the dissemination date of the introductory offer or price comparison” and (ii) following the effective date of the future price, the product is offered “openly and in good faith” at that price for a period at least equal to the period of time it was offered at the introductory price, but not less than 14 days (except in certain circumstances).3
  • Use of “Sale” Terminology. Sellers cannot use the words “priced for sale,” “on sale,” “sale,” “selling out,” “clearance,” “reduced,” “liquidation,” “must sell,” “must be sacrificed,” “now only $X,” or other terms which state or imply a price savings unless certain specific factors listed in Section 6.05 are met.4
  • Use of “List Price” or Similar Comparisons. Sellers cannot compare their current product price with a “list price,” “manufacturer’s suggested retail price” or similar term, unless the list or manufacturer’s suggested retail price is the price charged for the advertised product by a reasonable number of sellers in the seller’s trade area as of a particular “measurement date” determined by Section 6.05.5
  • Comparison to Other Seller’s Price for Identical Product. Sellers cannot compare their price with another seller’s price for an identical product, unless the stated higher comparative price is at or below the price at which the identical product is being offered in the seller’s trade area as of the “measurement date” or other specifically identified period under certain circumstances.6
  • Comparison to Seller’s Own or Other Seller’s Price for Comparable Product. Sellers cannot compare their price with their own price or another seller’s price for a comparable product unless the comparable product is being offered for sale as of the “measurement date,” or other specifically identified period, at the stated higher comparative price, unless certain factors are met.7
  • Price Comparisons on Price Tickets or Labels. Sellers cannot imprint or attach any ticket or label to a product that contains a fictitious or inflated price which is capable of being used by sellers as a basis for offering fictitious price reductions.8
  • Range of Savings or Price Reduction Claims. Sellers cannot state or imply that any products are being offered for sale at a range of prices or at a range of percentage or fractional discounts unless various factors are met.9
  • Use of Terms “Wholesale” or “At Cost.” Sellers cannot state or imply that any product is being offered at or near a “wholesale” price or “at cost” (or words of similar meaning) unless the price is, in fact, either at or below the price paid by the seller at wholesale, or, in the case of a service, the seller’s cost for the service excluding overhead and profit.
  • Use of Terms “Two for the Price of One” or “Buy One – Get One Free.” Sellers cannot state or imply that products are being offered at the usual price of a smaller number of the same or a different product unless (i) they clearly and conspicuously disclose all material sale conditions being imposed; (ii) the price advertised as the usual price for the smaller number of products is their own “former price”; and (iii) the products are of substantially the same quality, grade, material and craftsmanship as the seller offered prior to the advertisement.
  • Use of Term “If Purchased Separately.”  Sellers cannot make any price comparison based on the difference between the price of a system, set or group of products and the price of the products “if purchased separately” (or words of similar meaning) unless: (i) a reasonable number of sellers in the trade area are currently offering the products as separate items at or above the stated separate purchase price as of the “measurement date”; or (ii) they have actually sold or offered the products for sale as separate items at the stated separate purchase price.
  • Prices for Parts or Units of Sets or Systems. Sellers cannot advertise a price for any product that normally sells as part of a pair, system, or set without clearly and conspicuously disclosing that the price stated is the price per item or unit only, and not the price for the pair, system or set.
  • Gifts. Sellers cannot state or imply that any product is being offered for free or at a reduced price (“a gift”) in conjunction with the purchase of another product unless various factors are met.10
  • Use of Disclaimers. Sellers cannot use a price comparison that is prohibited even if the advertisement contains disclaimers or explanatory language.
Are there any other requirements11 that sellers should consider when assessing their price comparison advertising?

  • Record Keeping Requirements. Sellers must maintain records for a period of six months after the last dissemination of subject advertisements and provide those records to the MA AGO, upon request, to substantiate the propriety of such advertisements.12
  • Deceptive Pricing Generally, Examples, and Loss Leaders. Although not contained within Section 6.05 itself, the MA AGO has adopted a more general regulation dealing with “Deceptive Pricing” set forth in 940 C.M.R. § 3.13(2).13 This subsection describes generally what the MA AGO deems deceptive and provides some examples. In addition, related § 3.13(3) prohibits sellers from selling or offering for sale so-called “loss leaders” to induce a buyer to make a purchase of a product sold only in combination with other merchandise on which the seller recovers such loss.

1 “Clearly and conspicuously” means that “the material representation being disclosed is of such size, color, contrast or audibility and is so presented as to be readily noticed and understood by a reasonable person to whom it is being disclosed.” Section 6.01 provides guidelines for determining if disclosures are proper. 

2 Section 6.05(3) lists various factors that are considered when determining whether a “former price” is a “bona fide, actual price.” Section 6.05(4) provides certain safe harbors for comparison prices. A complete list of factors and a description of the safe harbors are contained in 940 C.M.R. §§ 6.05(3)(a) and 6.05(4), which are available at http://www.mass.gov/ago/government-resources/ags-regulations/940-cmr-600.html (MA AGO’s Website).

3 These circumstances and exceptions for certain offers limited to certain consumers who are deemed “first time purchasers” as defined in the regulation are contained in 940 C.M.R. § 6.05(5), which is available at the MA AGO’s Website. Also, Section 6.05(5) contains separate requirements for health clubs.

4 These factors are contained in 940 C.M.R. § 6.05(6), which is available at the MA AGO’s Website. 

5 Section 6.05(7) contains separate requirements for manufacturers or franchisors. Also, the “measurement date” is defined in Section 6.01. 

6 These requirements are contained in 940 C.M.R. § 6.05(8), which is available at the MA AGO’s Website. 

7 These factors are contained in 940 C.M.R. § 6.05(9), which is available at the MA AGO’s Website. 

8 There are certain exceptions for prices that are pre-ticketed by manufacturers or other sellers, as contained in 940 C.M.R. § 6.05(10), which is available at the MA AGO’s Website. 

9 These factors are contained in 940 C.M.R. § 6.05(11), which is available at the MA AGO’s Website. 

10 These factors are contained in 940 C.M.R. § 6.05(16), which is available at the MA AGO’s Website. 

11 This advisory does not contain an all-inclusive list of the MA AGO’s advertising regulations and requirements. Sellers, among other things, should be aware of additional requirements set forth in 940 C.M.R. § 3.00 (General Regulations) and 940 C.M.R. § 6.00 (Retail Advertising). 

12 940 C.M.R. § 6.14 contains specific and detailed record retention requirements for price comparison advertising and is available at the MA AGO’s Website.

13 This more general regulation is available at http://www.mass.gov/ago/government-resources/ags-regulations/940-cmr-3-00/940-cmr-300.html. 

HEARTBLEED: A Lawyer’s Perspective on the Biggest Programming Error in History

Jackson Lewis

By now you have probably heard about Heartbleed, which is the biggest security threat to the Internet that we have ever seen. The bottom line of Heartbleed is that for the past two years most web sites claiming to be secure, shown by the HTTPS address (the S added to the end of the usual HTTP address was intended to indicate a web site secured by encryption), have not been secure at all. Information on those web sites could easily have been bled out by any semi-skilled hacker who discovered the defect. That includes your user names and passwords, maybe even your credit card and bank account information.

For this reason every security expert that I follow, or have talked to about this threat, advises everyone to change ALL of their online passwords. No one knows who might have acquired this information in the past two years. Unfortunately, the nature of this software defect made it possible to steal data in an untraceable manner. Although most web sites have upgraded their software by now, they were exposed for two years. The only safe thing to do is assume your personal information has been compromised.

Change All of Your Passwords

After you go out and change all of your passwords – YES – DO IT NOW – please come back and I will share some information on Heartbleed that you may not find anywhere else. I will share a quick overview of a lawyer’s perspective on a disaster like this and what I think we should do about it.

Rules of the Internet

One of the things e-discovery lawyers like me are very interested in, and concerned about, is data security. Heartbleed is the biggest threat anyone has ever seen to our collective online security, so I have made a point of trying to learn everything I could about it. My research is ongoing, but I have already published a detailed report on my personal blog. I have also been pondering policy changes, and changes in the laws governing the Internet, that should be made to avoid this kind of breach in the future.

I have been thinking about laws and the Internet since the early 1990s. As I said then, the Internet is not a no-man’s-land of irresponsibility. It has laws and is subject to laws, not only laws of countries, but of multiple independent non-profit groups such as ICANN. I first pointed this out as a young lawyer in my 1996 book for MacMillan, Your Cyber Rights and Responsibilities: The Law of the Internet, Chapter 3 of Que’s Special Edition Using the Internet. Anyone who commits crimes on the Internet must and will be prosecuted, no matter where their bodies are located. The same goes for negligent actors, be they human, corporate, or robot. I fully expect that several lawsuits will be filed as a result of Heartbleed. Time will tell if any of them succeed. Many of the facts are still unknown.

One Small Group Is to Blame for Heartbleed

The surprising thing I learned in researching Heartbleed is that this huge data breach was caused by a small mistake in software programming by a small unincorporated association called OpenSSL. This is the group that maintains the open source software that two-thirds of the Internet relies upon for encryption, in other words, to secure web sites from data breach. It is free software, and the people who write the code are unpaid volunteers.

According to the Washington Post, OpenSSL’s headquarters — to the extent one exists at all — is the home of the group’s only employee, a part-timer at that, located on Sugarloaf Mountain, Maryland. He lives and works amid racks of servers and an industrial-grade Internet connection. Craig Timberg, Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass (Washington Post, 4/9/14).

The mistake that caused Heartbleed was made by a lone math student in Münster, Germany. He submitted an add-on to the code that was supposed to correct prior mistakes he had found. His add-on contained what he later described as a trivial error. Trivial or not, this is the biggest software coding error of all time based upon impact. What makes the whole thing suspicious is that he made this submission at one minute before midnight on New Year’s Eve 2011.

Once the code was received by OpenSSL, the group reviewed it before it was added to the next version of the software. Here is where we learn another surprising fact: it was reviewed by only one person, and he too missed the simple error. Then the revised code, with its hidden defect, was released onto an unsuspecting world. No one detected it until March 2014, when paid Google security employees finally noticed the blunder. So much for the basic crowd-sourcing rationale behind the open source software movement.

Conclusion

Relying for the security of the Internet on only one open source group, OpenSSL, a group with only four core members, is too high a risk in today’s world. It may have made sense back in the early nineties when an open Internet first started, but not now. Heartbleed proves this. This is why I have called upon leaders of the Internet, including open source advocates, privacy experts, academics, governments, political leaders and lawyers, to meet to consider various solutions to tighten the security of the Internet. We cannot continue business as usual when it comes to Internet data security.


California Proposes Enhanced Prop. 65 Warnings and Possible Online Disclosures – Dietary Supplements and Foods Specially Targeted

GT Law

The California Office of Environmental Health Hazard Assessment (OEHHA) announced on March 7, 2014, that it is considering implementation of the most significant changes to Prop. 65 regulations in more than two decades.  OEHHA has posted the draft regulation and Initial Statement of Reasons on its website.

Passed by voters in 1986, Prop. 65 requires warnings prior to exposures to chemicals listed by OEHHA as “known to the State” to cause cancer or reproductive harm.  The law, which carries the potential penalty of $2,500 for each violation, may be and routinely is enforced by entrepreneurial private plaintiffs who are permitted to bring legal actions against alleged violators with minimal evidence.  OEHHA’s proposed regulations will affect almost every industry subject to Prop. 65 and nearly every aspect of compliance.  In all but a few cases, OEHHA’s changes have the capacity to make compliance with Prop. 65 costlier, riskier, and more disruptive to companies doing business in California.

Four Important Provisions Affecting Food and Dietary Supplements

In its far-reaching proposal, OEHHA aims a number of significant changes directly at food and dietary supplement manufacturers, distributors, and retailers.  Four specific proposals stand out as impactful for the industry:

  1. Chemical Identification: Under OEHHA’s proposal, warning labels would have to specifically identify the chemical in question if it is on a proposed list of 12 “common” substances.  One substance on OEHHA’s list, lead, is sometimes naturally occurring in the ingredients used to produce dietary supplements and has been the source of considerable litigation and expense for the industry.  In OEHHA’s draft regulation, products requiring a warning for lead would have to “conspicuously” state its presence in the product.
  2. Display Requirements: For foods not already subject to a consent judgment, the “safe-harbor” warning language must also be enhanced with specific information about the chemical in question, specific text sizing, and the phrase “Cancer [and/or] Reproductive Hazard.” Even where a food supplier has data showing that the chemical poses no actual health threat, a private plaintiff may still litigate knowing that the costly burden of showing no significant risk is borne by defendants.  Unless modified or declared preempted by federal law, OEHHA’s regulation would virtually ensure that this language will be required for food and supplement packaging in California.
  3. Online Reporting: OEHHA would also mandate reporting of exposure data to the agency for its website if a new Prop. 65 warning does not contain 10 details specified by OEHHA.  The details include, among others, the name of the chemical at issue, anticipated exposure routes, exposure levels, and options for minimizing exposure.  Businesses that fail to provide the required detail, no matter how misleading it might be to the consumer, must disclose the additional information to OEHHA and will likely see such data published online.
  4. More Litigation: Despite statements from the agency to the contrary, OEHHA’s complex rules would encourage even more litigation from an already active community of plaintiffs.  OEHHA’s draft litigation reform, a “cure” or fix-it period for retailers with fewer than 25 employees, would do little to stem the current tide of lawsuits, the vast majority of which are ultimately directed at and defended by suppliers.  Additionally, by replacing the generic safe-harbor warning with specific requirements, a regulatory safe-harbor warning would no longer provide a safe harbor from liability or deter plaintiffs from alleging violations for exposures to unspecified or newly listed chemicals.

What You Can Do

Businesses which stand to be affected by OEHHA’s plans, including those operated out of state, have an opportunity to voice their concerns to the agency.

OEHHA will hold a public workshop on April 14, 2014 to discuss the proposed regulations.  In addition, OEHHA is accepting written comments from the public until May 14, 2014.  Unless OEHHA is convinced to delay or withdraw its plans, formal regulations will likely be proposed in the summer of 2014.

Because OEHHA’s proposals are currently in the preliminary stages, interested parties have a time-critical opportunity to engage the agency and encourage it to address specific concerns.  Companies that manufacture, distribute, or retail dietary supplements in California should consider retaining experienced counsel to analyze the impact of the proposals on their business and to participate in the public comment period on their behalf.  Given the potentially far-reaching consequences of the proposed changes for individual companies and the industry at large, interested parties should be diligent in bringing their concerns to OEHHA as early and as persuasively as possible.


California District Court Holds that Providing Cellphone Number for an Online Purchase Constitutes “Prior Express Consent” Under TCPA – Telephone Consumer Protection Act

DrinkerBiddle


A federal district court in California recently ruled that a consumer who voluntarily provided a cellphone number in order to complete an online purchase gave “prior express consent” to receive a text message from the business’s vendors under the TCPA. See Baird v. Sabre, Inc., No. CV 13-999 SVW, 2014 WL 320205 (C.D. Cal. Jan. 28, 2014).

In Baird, the plaintiff booked flights through the Hawaiian Airlines website. In order to complete her purchase, the plaintiff provided her cellphone number. Several weeks later she received a text message from the airline’s vendor, Sabre, Inc., inviting the plaintiff to receive flight notification services by replying “yes.” The plaintiff did not respond and no further messages were sent. The plaintiff sued the vendor claiming that it violated the TCPA by sending the single text message.

The central issue in Baird was whether, by providing her cellphone number to the airline, the plaintiff gave “prior express consent” to receive autodialed calls from the vendor under the TCPA. In 1992, the FCC promulgated TCPA implementing rules, including a ruling that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 7 F.C.C.R. 8752, 8769 ¶ 31 (1992) (“1992 FCC Order”). In support of this ruling, the FCC cited to a House Report stating that when a person provides their phone number to a business, “the called party has in essence requested the contact by providing the caller with their telephone number for use in normal business communications.” Id. (citing H.R.Rep. No. 102–317, at 13 (1991)).

The court found that, while the 1992 FCC Order “is not a model of clarity,” it shows that the “FCC intended to provide a definition of the term ‘prior express consent.’” Id. at *5. Under that definition, the court held that the plaintiff consented to being contacted on her cellphone by an automated dialing machine when she provided the number to Hawaiian Airlines during the online reservation process. Id. at *6. Under existing TCPA jurisprudence, a text message is a “call.” Id. at *1. Furthermore, although the plaintiff only provided her cellphone number to the airline (and not to Sabre, Inc., the vendor), the court concluded that “[n]o reasonable consumer could believe that consenting to be contacted by an airline company about a scheduled flight requires that all communications be made by direct employees of the airline, but never by any contractors performing services for the airline.” Id. at *6. The judge was likewise unmoved by the fact that the plaintiff was required to provide a phone number (though not necessarily a cellphone number) to complete the online ticket purchase. Indeed, the court observed that the affirmative act of providing her cellphone number was an inherently “voluntary” act and that, had the plaintiff objected, she could simply have chosen not to fly Hawaiian Airlines. Id.

Baird does not address the October 2013 TCPA regulatory amendments that require “prior express written consent” for certain types of calls made to cellular phones and residential lines (a topic that previously has been covered on this blog). See 47 CFR § 64.1200(a)(2), (3) (emphasis added). “Prior express written consent” is defined as “an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial prerecorded voice, and the telephone number to which the signatory authorized such advertisements or telemarketing messages to be delivered.” 47 CFR § 64.1200(f)(8). Whether the Baird rationale would help in a “prior express written consent” case likely would depend on the underlying facts such as whether the consumer/plaintiff agreed when making a purchase to be contacted by the merchant at the phone number provided, and whether the consumer/plaintiff provided an electronic signature. See 47 CFR § 64.1200(f)(8)(ii).

Nonetheless, Baird is a significant win for the TCPA defense bar and significantly reduces TCPA risk for the defendants making non-telemarketing calls (or texts) to cellphones using an automated dialer (for which “prior express consent” is the principal affirmative defense). If that cellphone number is given by the consumer voluntarily (and, given the expansive logic of Baird, we wonder when it could be considered “coerced”), the defendant has obtained express consent. Baird leaves open a number of questions worth watching, including how far removed the third-party contractor can be from the company to whom a cellphone number was voluntarily provided. Judge Wilson seemed to think it was obvious to the consumer that a third-party might be utilized by an airline to provide flight status information, but how far does that go? We’ll be watching.

Of:

Drinker Biddle & Reath LLP

To 8-K, or not to 8-K? For Target, that is indeed the question.



As anyone with a pulse and a computer, television or carrier pigeon knows, Target Corporation (NYSE: TGT) suffered a major data breach in December, the extent of which is still being uncovered; the latest estimates put the number of customers whose personal information was stolen anywhere from 70 to 110 million.  As a public company, a breach of this magnitude should be material enough to warrant a Form 8-K filing, right?  As of this post, Target doesn’t seem to think so.

Form 8-K contains mandatory disclosure requirements when certain enumerated events occur, as in the entry into a material definitive agreement (Item 1.01) or the resignation of a director (Item 5.02).  Reporting an event such as the Target data breach would likely fall under Item 8.01 of Form 8-K, which is used to report “Other Events.”  Item 8.01 permits the registrant, at its option, to disclose any events not otherwise called for by another Form 8-K Item that the registrant “deems of importance to security holders,” and is an entirely voluntary filing.

Although filing under Item 8.01 of Form 8-K is voluntary, other companies that have suffered smaller data breaches have opted to file an 8-K to disclose them, including The TJX Companies, Inc. (NYSE: TJX), whose breach was disclosed in an 8-K in January 2007, and Morningstar, Inc. (NASDAQ: MORN), whose more recent breach was disclosed in an 8-K in July 2013.  Target’s securities lawyers may believe that the breach is not “important to security holders,” or is not sufficiently material to the roughly $38 billion company to warrant the filing of an 8-K, but 70 to 110 million affected customers is hardly immaterial, even for Target.  In a statement released January 10, Target warned that the costs related to the breach “may have a material adverse effect on Target’s results of operations in fourth quarter 2013 and/or future periods.”

Indeed, Target evidently determined when filing its Form 10-K for 2012 that the risk of a data security breach was material enough to warrant disclosure in its risk factors:

“If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.”

“The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant.  If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.” (emphasis added)

Of course, there is no time limit for filing under Item 8.01 of Form 8-K due to it being a voluntary filing, so a filing may still be forthcoming from Target.  In any event, one can only imagine that the risk factor language above will look very different in Target’s next Form 10-K filing in two months.

Of:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Consumer Financial Protection Bureau Issues New Rule Regarding Consumer Mortgage Transaction Forms


On November 20, 2013 the Consumer Financial Protection Bureau (CFPB) issued a rule that will simplify and improve disclosure forms for consumer mortgage transactions. This rule implements the Dodd-Frank Act’s directive to integrate the mortgage loan disclosures required by the Truth In Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA). The two new disclosures are the Loan Estimate, which must be provided no later than three business days after the lender receives the application, and the Closing Disclosure, which the consumer must receive at least three business days before closing.

The Loan Estimate form replaces two current federal forms, the Good Faith Estimate designed by the U.S. Department of Housing and Urban Development (HUD) under RESPA and the “early” Truth in Lending disclosure required by TILA. The Closing Disclosure form replaces the current form used to close a loan, the HUD-1, which was designed by HUD under RESPA. It also replaces the revised Truth in Lending disclosure designed by the Federal Reserve Board under TILA.

These new rules apply to most closed-end consumer mortgages. They do not apply to home equity lines of credit, reverse mortgages or mortgages secured by mobile homes or by dwellings not attached to real property. To assist lenders, the final rule and official interpretations contain detailed instructions as to how these forms should be completed.

To permit time for lenders to come into compliance, the final rule will be effective on August 1, 2015.

Article by:

Jon G. Furlow

Of:

Michael Best & Friedrich LLP

New Federal Communications Commission (FCC) Rules to Protect Telephone Consumers from Autodial/Robocalls

Lewis & Roca

On October 16, 2013, new Federal Communications Commission rules took effect to further protect consumers under the Telephone Consumer Protection Act of 1991 (TCPA). See 47 U.S.C. § 227; 47 C.F.R. § 64.1200. The changes ordered by the FCC are designed to protect consumers from unwanted autodialed or pre-recorded telemarketing calls, also known as “telemarketing robocalls.” The new TCPA rules accomplish four main things: (1) require prior written consent for all autodialed or pre-recorded telemarketing calls to wireless numbers and residential lines; (2) require mechanisms to be in place that allow consumers to opt out of future robocalls, even in the middle of a current robocall; (3) limit permissible abandoned calls on a per-calling-campaign basis in order to discourage intrusive calling campaigns; and (4) exempt from TCPA requirements calls made to residential lines by health care related entities governed by the Health Insurance Portability and Accountability Act of 1996. None of the FCC’s actions change the requirements for prerecorded messages that are non-telemarketing, informational calls, such as calls by or on behalf of tax-exempt organizations, calls for political purposes, and calls for other non-commercial purposes, including those to people in emergency situations.

Under the FCC’s new rules, “prior written consent” will require two things: a clear and conspicuous disclosure that by providing consent the consumer will receive auto-dialed or prerecorded calls on behalf of a specific seller, and a clear and unambiguous acknowledgement that the consumer agrees to receive such calls at the mobile number. The content and form of consent may include an electronic or digital form of signature such as the FTC has recognized under the E-SIGN Act. See Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001 et seq. However, prior written consent may be terminated at any time. In addition, the written agreement must be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” 16 C.F.R. § 310.4(b)(v)(A)(ii).
