Mid-Year Recap: Think Beyond US State Laws!

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.

On the industry side, there has been activity focused on data brokers, those in the health space, and those that sell motor vehicles. The FTC has focused on the activities of data brokers this year, beginning the year with a settlement with lead-generation company Response Tree. It also settled with X-Mode Social over the company’s collection and use of sensitive information. There have also been ongoing regulation and scrutiny of companies in the health space, including HHS’s new AI transparency rule. Finally, this area includes a new law in Utah, a Motor Vehicle Data Protection Act applicable to data systems used by car dealers to house consumer information.

On the activity side, there has been less news, although in this area the “activity” of protecting information (or failing to do so) has continued to receive regulatory focus. This includes the SEC’s new cybersecurity reporting obligations for public companies, as well as minor modifications to Utah’s data breach notification law.

Finally, there have been new laws directed to particular individuals, in particular laws intended to protect children. These include social media laws in Florida and Utah, effective January 1, 2025 and October 1, 2024 respectively. These are similar to attempts to regulate social media’s collection of information from children in Arkansas, California, Ohio and Texas, but, the drafters hope, sufficiently different to survive challenges currently being faced by those laws. The FTC is also exploring updates to its decades-old Children’s Online Privacy Protection Act.

Putting It Into Practice: As we approach the mid-point of the year, now is a good time to look back at privacy developments over the past six months. There have been many developments in the privacy patchwork, and companies may want to take the time now to ensure that their privacy programs have incorporated and addressed those laws’ obligations.

FCC Adopts Updated Data Breach Notification Rules

On December 13, 2023, the Federal Communications Commission (FCC) voted to update its 16-year-old data breach notification rules (the “Rules”). Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.

The updated Rules introduce a new customer notification timing requirement, requiring notice of a data breach to affected customers without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after the reasonable determination of a breach. The new Rules also expand the definition of “breach” to include “inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” The updated Rules further introduce a harm threshold, whereby customer notification is not required if a carrier or TRS provider can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach,” or where the breach solely involves encrypted data and the encryption key was not affected.

911 Network Reliability Deadline Approaching

Earlier this month the FCC announced that its 2022 911 Reliability Certification System is now open for Covered 911 Service Providers to file annual reliability certifications.  The filings are due on October 17, 2022.  Failure to submit the certification may result in FCC enforcement action.

Background

In 2013, the FCC adopted rules aimed at improving the reliability and redundancy of the nation’s 911 network.  Those rules require Covered 911 Service Providers (“C9SP”) to take steps that promote reliable 911 service with respect to three network elements: circuit auditing, central-office backup power, and diverse network monitoring.  The Commission identified these three network elements as vulnerabilities following a derecho storm in 2012 that significantly impacted 911 service along the eastern seaboard.

Applicability. The rules apply to all C9SPs, which are defined as any entity that provides 911, E911, or NG911 capabilities such as call routing, automatic location information (ALI), automatic number identification (ANI), or the functional equivalent of those capabilities, directly to a public safety answering point (PSAP).

Certification. The rules require C9SPs to certify annually that they have met the FCC’s safe harbor provisions for each of these elements or have taken reasonable alternative measures in lieu of those safe harbor protections.  The certification must be made under penalty of perjury by a corporate officer with supervisory and budgetary authority over network operations.

In 2018 and 2020, the FCC sought comment on changes to the 911 reliability certification rules, but the rules have not yet been updated as a result of those proceedings.

Enforcement Against Noncompliant Providers

Last year, the FCC entered into eight consent decrees with Covered 911 Service Providers that failed to submit their reliability certifications in 2019, 2020, or both.  A Consent Decree typically requires the recipient to admit it violated an FCC rule, pay a fine to the federal government, and implement a Compliance Plan to guard against future rule violations.  These Compliance Plans required the C9SPs to designate a compliance officer, establish new operating procedures, and develop and distribute a compliance manual to all employees.

Additionally, the providers were required to establish and implement a compliance training program, file periodic compliance reports with the FCC detailing the steps the provider has taken to comply with the 911 rules, and report any noncompliance with 911 rules within 15 days of discovering such noncompliance.

Looking Forward

C9SPs have about one month to confirm compliance with the reliability rules and submit a required certification.  Based on the FCC’s enforcement efforts last year, C9SPs would be well-advised to work diligently to meet this upcoming deadline.

© 2022 Keller and Heckman LLP

Retaining a Cell Tower Lease When Selling Property

When selling property with a cell tower lease, keeping the lease is a good option. Done properly, you get the best of both worlds: full value for the property and ongoing lease payments, with the option to sell the lease in the future should you desire.

Selling a property and cell lease together will rarely yield the full value for the lease; however, selling the lease in advance of selling the property may also not be attractive. You may not have other places to invest the proceeds where you will get the same return, for example, and taxes can take a big bite. Additional options, such as 1031 like-kind exchanges, are complicated with short deadlines.

Increasingly, real estate investors are opting to sell property — commercial, residential, land for development and, in a unique case, an office condo — but keeping the cell leases and future leasing rights.

To do this successfully, you should aim to establish balance with purchasers by retaining sufficient future rights to (1) renew the lease, (2) expand it some, and (3) satisfy their requirements for paying full value of the lease, should you decide to sell it in the future. You do not want to grant yourself so many rights that it interferes with a purchaser’s ordinary use and development of the property in question, thus decreasing its selling price.

Essentially, you are trying to attain the balance that would occur in a well-drafted cell lease sale to a third party, whereby keeping the lease is the equivalent of “selling” to yourself!

Specific subject areas where rights must be balanced include:

  • Permitted and restricted uses by both parties within the leased area;
  • Restrictions on uses or devices allowed on portions of the property outside the leased area, such as Wi-Fi using radio frequencies, which cell companies and lease purchasers alike desire;
  • Access rights and rights-of-way for tenants and utilities, as well as who pays for same;
  • Height and building envelope restrictions on new construction outside the leased area;
  • Property owner approval rights of changes in the leased area; and
  • Relocation.
© 2022 Varnum LLP

FCC: The New Data Security Sheriff In Town

Proskauer Law firm

Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring.  The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission.  In its 3-2 vote, the FCC did not tread lightly – it assessed a $10 million fine on two telecommunications companies for failing to adequately safeguard customers’ personal information.

The companies, TerraCom, Inc. and YourTel America, Inc., provide telecommunications services to qualifying low-income consumers for a reduced charge.  The FCC found that the companies collected the names, addresses, Social Security numbers, driver’s licenses, and other personal information of over 300,000 consumers.  The data was stored on Internet servers without password protection or encryption, allowing public access to the data through Internet search engines.  This, the FCC found, exposed consumers to “an unacceptable risk of identity theft.”

The FCC charged the companies with violation of Section 222(a) of the Communications Act, which it interpreted to impose a duty on telecommunications carriers to protect customers’ “private information that customers have an interest in protecting from public exposure,” whether for economic or personal reasons.  Additionally, the companies were charged with violation of Section 201(b), which requires carriers to treat such information in a “just and reasonable” manner.

The companies were determined to have violated Sections 201(b) and 222(a) by failing to employ “even the most basic and readily available technologies and securities features.”  The companies further violated Section 201(b), the FCC found, by misrepresenting in their privacy policies and statements on their websites that they employ reasonable and updated security measures, and by failing to notify all of the affected customers of the data breach.

Commissioners Ajit Pai and Michael O’Rielly dissented, arguing that, among other things, the FCC had not before interpreted the Communications Act to impose an enforceable duty to employ data security measures and notify customers in the event of a breach.  Now that the FCC has so interpreted the Act, though, we can expect the FCC to keep its eye on data security.

The FCC made clear that protection of consumer information is “a fundamental obligation of all telecommunications carriers.”  Friday’s decision also makes clear that the FCC will enforce notification duties in the event of a breach, and will look closely at carriers’ privacy policies and online statements regarding data security.

Think Tanks Ask Supreme Court to Clarify Definition of “Foreign Official” in FCPA (Foreign Corrupt Practices Act)

Katten Muchin Law Firm

Two think tanks, the Washington Legal Foundation and the Independence Institute, have filed an amicus brief in the Supreme Court on behalf of petitioners Joel Esquenazi and Carlos Rodriguez, who were recently convicted of violating the Foreign Corrupt Practices Act (FCPA). The amici seek clarity of the definition of “foreign official” in the FCPA.  The FCPA prohibits certain persons or entities, including US businesses, from paying a “foreign official” for the purpose of obtaining or retaining business. The FCPA defines “foreign official” to include “any officer or employee of a foreign government or any department, agency, or instrumentality thereof.”

Esquenazi and Rodriguez were executives of Terra Telecommunications Corp., a Florida company that purchased phone time from foreign vendors and resold the time to US customers. Terra conducted business with Haiti-owned vendor Telecommunications D’Haiti S.A. (Haiti Teleco). Prosecutors argued that Esquenazi and Rodriguez made payments to Haiti Teleco officers to obtain lower rates. To determine whether Haiti Teleco was an “instrumentality” under the FCPA, the trial court instructed the jury to consider whether the company “provided services to the citizens and inhabitants of Haiti,” and whether it was majority owned by the Haitian government. Defendants were convicted, and Esquenazi was sentenced to 15 years’ imprisonment and Rodriguez received seven years’ imprisonment. The US Court of Appeals for the Eleventh Circuit affirmed, finding that an “instrumentality” is “an entity controlled by the government of a foreign country that performs a function the controlling government treats as its own,” and setting forth a list of factors.

Amici contend that the business community needs concrete guidance in this undeveloped area. They argue that the Eleventh Circuit’s definition is overly broad because (1) Haiti Teleco was never designated a government entity; (2) Haiti Teleco issues common stock, and the government was not an initial stockholder; and (3) Haiti Teleco, as a telephone service provider, does not perform a traditional government function.

Brief for Esquenazi and Rodriguez as Amici Curiae Supporting Petitioners, Esquenazi, et al. v. U.S., Sup. Ct. No. 14-189 (Aug. 14, 2014).
