California Ruling Requires TransUnion to Pay Record $60M for FCRA Violations; Suit Alleged Consumer Reports Erroneously Linked Consumers to Criminals in OFAC Database

A California jury in federal court ruled on Tuesday, June 20, that TransUnion violated the Fair Credit Reporting Act (FCRA) by erroneously linking certain consumers with similarly named terrorists and criminals in the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC’s) database.  The jury awarded statutory and punitive damages in excess of $60 million, which could set a record for the largest FCRA verdict to date.

Initially filed in 2012, plaintiffs alleged that TransUnion willfully violated FCRA by failing to maintain reasonable procedures to assure maximum possible accuracy of the consumer reports it sold, and by failing to provide required disclosures to consumers.  TransUnion offers an add-on service to its standard consumer reports whereby it would check consumers against OFAC’s “Specially Designated Nationals and Blocked Persons List” (SDN), which lists terrorists, drug traffickers, and other criminals.  Companies that do business with individuals on the SDN face strict liability penalties approaching $290,000 per transaction, so companies have a strong incentive to cross-reference the SDN before undertaking certain transactions – depending on the type of transaction and other factors.

The case arose out of so-called “false positives,” whereby TransUnion would find and report a potential match to the SDN but that match would subsequently be found to be erroneous.  For example, lead plaintiff Sergio L. Ramirez was prevented from buying a car in 2011 because TransUnion told lenders that he potentially matched two individuals on the OFAC list.  Ramirez and other class members alleged that TransUnion failed to take reasonable steps, such as also cross-referencing date of birth or other information available on the SDN, before reporting the match on the consumer report.  TransUnion countered that it did all that was feasible for the time period in question to achieve maximum accuracy, as required by FCRA, while still helping its clients comply with OFAC regulations and avoid criminal penalties.

The case provides an interesting example of the competing legal obligations that a company can face under different statutes, and of the need to stay abreast of constantly evolving technology that informs the relevant legal standard.  Determining how to screen potential customers for OFAC compliance and use consumer reports consistent with FCRA depends on a number of factors, including the technology available at the time and the type and scope of transaction at issue.

Kelley Drye’s Export Controls and Sanctions Compliance Group regularly assists clients with obligations in connection with OFAC screening, and Kelley Drye’s Consumer Financial Protection Regulation regularly advises clients on FCRA compliance.    


CPSC Requests Feedback to Reduce Compliance Burdens

Have ideas to lighten the load for complying with consumer product safety regulations? The Consumer Product Safety Commission (“CPSC” or “Commission”) wants to hear about them.  The Commission has asked for comments and suggestions for ways it could potentially reduce burdens and costs of its existing rules, regulations or practices without harming consumers. CPSC requests that any submissions include information and data in support of the suggestions.

The CPSC is open to any proposals. According to Acting Chairman Ann Marie Buerkle, “The agency’s recent request for information seeking public input on ways to potentially reduce burdens and costs is not limited to existing rules. CPSC is interested in hearing any and all ideas, big or small, that might help ease regulatory burdens without compromising safety.” Acting Chairman Buerkle, who was nominated to the Commission by President Obama in 2013, has said that “seeking to reduce regulatory burdens is responsible governance.” The request for suggestions is in line with Buerkle’s general policy of promoting transparency and collaboration with the industry. For a further discussion of her policies, see our previous post here.

Submissions are due by September 30. This is an opportunity for companies to provide feedback in a collaborative, constructive context.  We will continue to track the comments and provide updates on any important developments.

Summer Associate Carmen Tracy contributed to this post. Ms. Tracy is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Instagram Announces a New Tool for Influencers

Last year, we posted that four consumer groups had sent letters to FTC, encouraging the agency to “investigate and bring enforcement actions related to the practice of non-Instagram Paid Partnershipdisclosed advertising through influencer user profiles on Instagram.” Earlier this year, the FTC responded by sending more than 90 letters to companies and influencers, reminding recipients of their obligation to disclose when posts are sponsored. Some of the letters addressed how the disclosures should appear on the Instagram platform. Now, Instagram is testing a tool designed to make the disclosures easier.

Instagram recently announced that that users will soon start to see a new “Paid partnership with” tag on posts and stories. This feature is intended to “help creators more clearly communicate to their followers when they are working in partnership with a business.” In addition to helping companies comply with FTC requirements, this tool is expected to offer other benefits. For example, when “partners use this tag, they will both have access to Insights to track exactly how their branded content posts and stories are performing. Creators will continue to see metrics in their Instagram Insights, and business partners will see shared reach and engagement metrics in their Facebook Page Insights.”

Currently, the tool is only available to a select number of users, but Instagram plans to collect feedback and to make the tool – along with an official policy – more widely available in the coming months.

FTC Submits Comments on IoT Device Security to NTIA Working Group

On Monday, the FTC submitted comments to the draft National Telecommunications and Information Administration (NTIA) guidance intended to improve Internet of Things (IoT) device security and increase consumer transparency. While recognizing the benefits (and proliferation) of IoT devices, the Commission’s comments caution that such benefits can only be realized when device manufacturers both incorporate – and adequately inform consumers of – reasonable security measures.

The comments begin by highlighting several “lessons learned” from FTC enforcement actions involving IoT devices such as home security cameras, baby monitors, and smart TVs. Specifically, the Commission explains that such actions emphasize the need for manufacturers to take reasonable security measures and to continuously manage security risks. The comments, in addition, note the several policy initiatives, consumer and business educational materials, and company-specific guidance (in lieu of enforcement) intended to assist IoT manufacturers with device security.

The Commission also recommends several changes to the NTIA guidance’s “Elements of Updatability”:

  • Edits to “Key Elements” Prior to Purchase – The Elements of Updatability recommend three pre-sale “key elements”: (1) disclosure of whether the device can receive security upgrades, (2) disclosure of how the device receives such upgrades, and (3) the anticipated timeline for the end of security support. The FTC recommends that manufacturers disclose the minimum support period, rather than an anticipated timeline, as well as disclose if the device will lose functionality or become highly vulnerable when security support ends.
  • Edits to “Additional Elements” Before or After Purchase – The FTC adds several “additional elements” that manufacturers should consider conveying to consumers, either before or after purchase. Such additional elements include (1) adopting a uniform notification method to, for example, notify consumers of updates (if updates are not automatic); (2) enabling consumers to sign-up for affirmative security support notifications that are separate from marketing communications; and (3) providing real-time notifications when support is about to end.
  • Omission of One “Additional Element” – The FTC also advises omission of the “additional element” describing the update process, explaining that such description imposes costs on manufacturers with little benefit to consumers who can “feel overburdened by choice and ignore critical information.”

Lessons from the World of Trampoline Marketing

Last year, we wrote about an NAD case involving trampoline marketing. The Trampoline Safety website featured reviews designed to help buyers purchase a trampoline. But unless website visitors looked closely at a disclosure at the bottom of the site, they probably wouldn’t have realized that trampolines that had received the highest ratings were made by the same company doing the ratings. The NAD thought this was a problem because most visitors would assume that the site was independent, when it really wasn’t.

Yesterday, the FTC announced a settlement in another case involving trampolines. In this case, a company sold trampolines on a website that included logos from Fake Sealseemingly-independent entities. A click on one of those logos led to ratings sites that were — you guessed it — run by same the company selling the trampolines. Moreover, one of the company’s owners posted positive reviews of his company’s products and negative reviews of competing products on various sites, without disclosing his identify.

The problem here should be obvious, and the terms of the settlement are designed to ensure that the company does not mislead consumers into thinking that reviews are independent, impartial, or come from a third-party expert when they really come from the company or its employees. In many cases, that means the company will have to a include a clear and conspicuous disclosure explaining the relationship between any reviewer and the company.

Because most companies will never engage in the type of conduct alleged by the FTC, it may be tempting to dismiss this case as irrelevant. But keep in mind that some of the key principles underlying this case frequently present themselves in more mundane situations. Plenty of reputable companies have been investigated for allegedly failing to clearly disclose the connections or incentives behind reviews.

Fallout from Target’s 2013 Data Breach includes an $18 Million Multistate AG Settlement

Target Corporation agreed to an $18.5 million settlement with 46 State Attorneys General and the Attorney General of the District of Columbia this week, resolving allegations that the company failed to provide reasonable data security to its customers, as demonstrated by the Target’s 2013 holiday data breach that affected more than 60 million customers.

Background. In November 2013, hackers accessed Target’s customer service database using legitimate credentials stolen from a third-party vendor.  The breach affected the personal information of over 60 million customers and the payment card accounts of over 41 million customers.  The information accessed included full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, card-validation value codes, and encrypted debit PINs.

Settlement Terms. The conditions of the settlement agreement, some of which will be effective for a five (5) year period, require Target to:

  • Implement a comprehensive information security program. Target must develop, implement, and maintain a comprehensive information security program and employ an executive for that purpose that will advise Target’s CEO and Board of Directors.
  • Encrypt and protect Cardholder data. Target must maintain encryption protocols and policies, and comply with the Payment Card Industry Data Security Standard.
  • Implement other technological safeguard measures. Target must implement specific safeguards including: implementing reasonable access restricting mechanisms and appropriate systems to collect logs and monitor network activity; managing and documenting changes to network systems; adopting improved industry-accepted payment card security technologies and; using encryption or similar masking techniques to devalue payment card information.

The $18.5 million settlement is the largest multistate data breach settlement to date and yet another multistate settlement concerning a breach more than three years old.  Companies can review FTC guidance on protecting personal information, as well as the California Data Breach Report, and this settlement for general guidance on legal expectations to protect customer financial and personal information and the potential fallout for failing to do so.

CPSC Acting Chairman Ann Marie Buerkle Emphasizes Collaboration, Balance, and Education

Acting Chairman of the Consumer Product Safety Commission (“CPSC”) Ann Marie Buerkle highlighted her priorities and recent noteworthy developments in a recent newsletter.  She emphasized her desire to collaborate with stakeholders, to take a “balanced and reasonable approach” to regulation when data justifies rulemaking, and to use information campaigns to educate consumers and industry. She shared a few rulemaking updates, including movement on the revocation of the magnet standard from the CFR, oral presentations on the NPRM for portable generators, and progress on the NPR related to table saws.

Buerkle noted the following upcoming events:

  • Monthly educational webinar series sponsored by the CPSC’s Small Business Ombudsman. Last month they provided an overview of updates to the toy standard. More industry-specific resources to come.
  • Solicitation of stakeholder feedback on test burden reduction, recall effectiveness, and the FY 2018 & 2019 priorities. Stay tuned regarding these opportunities once dates are finalized.

Buerkle also noted two key staffing changes:

  • Robert Kaye was named Director of the Office of Compliance and Field Operations.  Mr. Kaye joined the CPSC from the Department of Education, but had spent most of his career at the FTC where he most recently was Chief Litigation Counsel in the Bureau of Consumer Protection.
  • Jim Joholske was promoted to Director of the Office of Import Surveillance. Mr. Joholske had been the deputy head of the Import Surveillance Office since it was first created as a division of Compliance a decade ago.

Chairman Buerkle has repeatedly emphasized transparency and encouraged stakeholders to share feedback with her and her staff about the CPSC’s performance.  We encourage companies and other entities to take her up on that offer, whether through formal submissions such as comments to proposed rulemaking or through informal channels. Anyone interested in subscribing to the periodic newsletter can call the CPSC at 301-504-7978 or send an email via the contact form on the website.

One Employee in Europe Could Trigger New EU Data Protection Obligations


An Update on the New EU General Data Protection Regulation

On 16 April 2016, the EU adopted the General Data Protection Regulation (‘GDPR’) which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR it is important to prepare for this legal change well in advance.

Global scope?

With the GDPR, there will be a substantial expansion of the territorial scope of the EU data protection obligations, which may impact US companies and employers who were previously not affected by EU data protection rules. In determining its geographical reach, the GDPR considers not only the location of the processing, but also the location of the individual whose data is being processed. In this context, if your group of companies has one EU-based employee, the GDPR could be applicable to your organization. Note that the GDPR would also be triggered by processing personal data of EU-based customers.

Processing information?

If your group of companies has one EU-based employee, and it processes (i.e., collect, use, transfer or electronically store) personal data of this employee the GDPR may apply. ‘Personal data’ includes information that is typically considered personal such as an employee’s name, address, income details and medical condition, but also includes not always considered personal such as an employee’s computer or device IP address device identifiers, or other ‘unique identifiers.’ Even if you as an employer offer certain services which give you access to such personal data, such as an IT helpdesk, server access, etc., the GDPR could apply to you.

What do I need to do?

First, you should determine whether your group of companies has EU-based employees or is otherwise processing information related to EU-based employees.

If you have EU-based employees and are processing such information, you should conduct an internal GDPR review to determine which department or which companies (e.g. IT help desk, HR, accounting, etc.) are in scope for GDPR compliance obligations, evaluate current compliance and gaps to be resolved by May 2018, and set up the necessary structure for compliance with the GDPR. The level of data protection in the EU is considered (by the EU) to be higher than in the US and US companies should be prepared for the disclosures, specific guarantees, and obligations under the GDPR. Depending on the circumstances, the GDPR will even require US based companies with access to personal information to designate a representative based in an EU country to act as the point of contact for the relevant data protection authorities. Given the technical and detailed requirements companies may benefit from the use of targeted guidance.


The global reach of the GDPR calls into question the enforceability on US-based employers. Violating the GDPR can result in penalties of up to € 20 million or 4% of the annual worldwide turnover of the company (i.e., annual worldwide gross income), whichever is higher.

Bottom line?

The GDPR will not apply until 25 May 2018, but the time for action is now. All HR departments and/or employers should carry out a data review and assess whether the GDPR is applicable and what impact it has on its activities, this in order to implement the necessary changes in time.

If you need additional guidance, an employment attorney will be able to provide guidance both on US and EU aspects of data protection law.

Bill Potentially Impacting “Made in USA” Claims Undergoing Committee Review


The U.S. Senate Committee on Commerce, Science, and Transportation has scheduled a reading this week of the proposed S. 118 Reinforcing American-Made Products Act of 2017.   The bill proposes to amend the Violent Crime Control and Law Enforcement Act of 1994 to require the Federal Trade Commission’s regulation of the labeling of products as “Made in the U.S.A.” or “Made in America” to supersede any state laws regarding the extent to which a product is introduced, delivered, sold, advertised, or offered for sale in interstate or foreign commerce with such a label in order to represent that the product was in whole or substantial part of domestic origin.  The bill’s sponsors include the following: Sens. Mike Lee (R-Utah), Shelley Moore Capito (R-W.V.), Susan Collins (R-Maine), Deb Fischer (R-Neb.), Angus King (I-Maine).

The FTC has been a consistent enforcer of its “Made in USA” advertising policies in recent years, having issued 57 investigation closing letters between 2014 and 2016 alone. In 2017, the agency has already released ten closing letters regarding “Made in USA” claims to companies selling everything from pillows to water filters to standing desks. As domestic manufacturing has received more attention from the Trump administration, many companies are wondering whether they can say their product is “Made in the USA” and, for some, whether they can sell that product to the government under the provisions of the Buy American Act.

We will tackle just these issues in our upcoming webinar “Buy American, Hire American: Is Your (Or Your Competitor’s) Product Really ‘Made in the USA’?” on Wednesday, May 17, at Noon-1:00 Eastern.  More information and registration details are here.

Indiana Amends Telemarketing Law, Bringing New Disclosure Requirements and DNC Vicarious Liability

Last month, the Indiana Governor signed into law House Bill No. 1444, which amends Indiana’s “do not call” statute and extends liability beyond the telephone solicitor, to individuals or entities that “directly or indirectly control” the telephone solicitor. The amendments take effect July 1, 2017 and affect entities that target Indiana consumers via telephone solicitation, regardless of the location of the entity.

Additional Disclosure Requirements. Currently, telephone solicitors must provide Indiana consumers with two types of information: (1) the solicitor’s first and last name, and (2) the name of the business on whose behalf the solicitor is calling. Under the amended law, solicitors must also immediately disclose their employer’s name or the entity with which they have contracted.

Vicarious Liability. The amendment also extends vicarious liability to individuals and entities that have direct or indirect control of the telephone solicitor, regardless of where such persons or entities are located or domiciled. Civil penalties, however, will not apply if the individual or entity can establish that they did not know and, with reasonable care, could not have known of the violation.

House Bill No. 1444 also amends the definition of “caller” under Indiana’s Regulation of Automatic Dialing Machines, to include officers of a corporation or LLC that are involved in or have notice of prohibited conduct and fail to take reasonable steps to prevent it.

Enforcement and Penalties. Failure to comply with Indiana’s telemarketing law is a deceptive act, for which the Indiana Attorney General may seek a $10,000 civil penalty for the first violation, and $25,000 for each violation thereafter. By expanding liability to principals with direct or indirect control, the Indiana Attorney General now has a wider net to cast in prosecutions for “do not call” violations.

For businesses placing telemarketing calls to Indiana consumers, it would be wise to review current calling practices and make appropriate adjustments as necessary, including with respect to managing risk associated with third parties who arguably may be calling on the business’s behalf.