Fallout from Target’s 2013 Data Breach includes an $18 Million Multistate AG Settlement

Target Corporation agreed to an $18.5 million settlement with 46 State Attorneys General and the Attorney General of the District of Columbia this week, resolving allegations that the company failed to provide reasonable data security to its customers, as demonstrated by Target’s 2013 holiday data breach that affected more than 60 million customers.

Background. In November 2013, hackers accessed Target’s customer service database using legitimate credentials stolen from a third-party vendor.  The breach affected the personal information of over 60 million customers and the payment card accounts of over 41 million customers.  The information accessed included full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, card-validation value codes, and encrypted debit PINs.

Settlement Terms. The conditions of the settlement agreement, some of which will be effective for a five (5) year period, require Target to:

  • Implement a comprehensive information security program. Target must develop, implement, and maintain a comprehensive information security program and employ an executive for that purpose that will advise Target’s CEO and Board of Directors.
  • Encrypt and protect Cardholder data. Target must maintain encryption protocols and policies, and comply with the Payment Card Industry Data Security Standard.
  • Implement other technological safeguard measures. Target must implement specific safeguards including: implementing reasonable access-restricting mechanisms and appropriate systems to collect logs and monitor network activity; managing and documenting changes to network systems; adopting improved industry-accepted payment card security technologies; and using encryption or similar masking techniques to devalue payment card information.

The $18.5 million settlement is the largest multistate data breach settlement to date and yet another multistate settlement concerning a breach more than three years old.  Companies can review FTC guidance on protecting personal information, as well as the California Data Breach Report, and this settlement for general guidance on legal expectations to protect customer financial and personal information and the potential fallout for failing to do so.

CPSC Acting Chairman Ann Marie Buerkle Emphasizes Collaboration, Balance, and Education

Acting Chairman of the Consumer Product Safety Commission (“CPSC”) Ann Marie Buerkle highlighted her priorities and recent noteworthy developments in a recent newsletter.  She emphasized her desire to collaborate with stakeholders, to take a “balanced and reasonable approach” to regulation when data justifies rulemaking, and to use information campaigns to educate consumers and industry. She shared a few rulemaking updates, including movement on the revocation of the magnet standard from the CFR, oral presentations on the NPRM for portable generators, and progress on the NPR related to table saws.

Buerkle noted the following upcoming events:

  • Monthly educational webinar series sponsored by the CPSC’s Small Business Ombudsman. Last month they provided an overview of updates to the toy standard. More industry-specific resources to come.
  • Solicitation of stakeholder feedback on test burden reduction, recall effectiveness, and the FY 2018 & 2019 priorities. Stay tuned regarding these opportunities once dates are finalized.

Buerkle also noted two key staffing changes:

  • Robert Kaye was named Director of the Office of Compliance and Field Operations.  Mr. Kaye joined the CPSC from the Department of Education, but had spent most of his career at the FTC where he most recently was Chief Litigation Counsel in the Bureau of Consumer Protection.
  • Jim Joholske was promoted to Director of the Office of Import Surveillance. Mr. Joholske had been the deputy head of the Import Surveillance Office since it was first created as a division of Compliance a decade ago.

Chairman Buerkle has repeatedly emphasized transparency and encouraged stakeholders to share feedback with her and her staff about the CPSC’s performance.  We encourage companies and other entities to take her up on that offer, whether through formal submissions such as comments to proposed rulemaking or through informal channels. Anyone interested in subscribing to the periodic newsletter can call the CPSC at 301-504-7978 or send an email via the contact form on the website.

One Employee in Europe Could Trigger New EU Data Protection Obligations


An Update on the New EU General Data Protection Regulation

On 16 April 2016, the EU adopted the General Data Protection Regulation (‘GDPR’) which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR it is important to prepare for this legal change well in advance.

Global scope?

With the GDPR, there will be a substantial expansion of the territorial scope of the EU data protection obligations, which may impact US companies and employers who were previously not affected by EU data protection rules. In determining its geographical reach, the GDPR considers not only the location of the processing, but also the location of the individual whose data is being processed. In this context, if your group of companies has one EU-based employee, the GDPR could be applicable to your organization. Note that the GDPR would also be triggered by processing personal data of EU-based customers.

Processing information?

If your group of companies has one EU-based employee, and it processes (i.e., collects, uses, transfers or electronically stores) personal data of this employee, the GDPR may apply. ‘Personal data’ includes information that is typically considered personal, such as an employee’s name, address, income details and medical condition, but also includes information not always considered personal, such as an employee’s computer or device IP address, device identifiers, or other ‘unique identifiers.’ Even if you as an employer merely offer certain services which give you access to such personal data, such as an IT helpdesk, server access, etc., the GDPR could apply to you.

What do I need to do?

First, you should determine whether your group of companies has EU-based employees or is otherwise processing information related to EU-based employees.

If you have EU-based employees and are processing such information, you should conduct an internal GDPR review to determine which departments or which companies (e.g. IT help desk, HR, accounting, etc.) are in scope for GDPR compliance obligations, evaluate current compliance and gaps to be resolved by May 2018, and set up the necessary structure for compliance with the GDPR. The level of data protection in the EU is considered (by the EU) to be higher than in the US, and US companies should be prepared for the disclosures, specific guarantees, and obligations under the GDPR. Depending on the circumstances, the GDPR will even require US-based companies with access to personal information to designate a representative based in an EU country to act as the point of contact for the relevant data protection authorities. Given the technical and detailed requirements, companies may benefit from the use of targeted guidance.

Sanctions?

The global reach of the GDPR calls into question the enforceability on US-based employers. Violating the GDPR can result in penalties of up to € 20 million or 4% of the annual worldwide turnover of the company (i.e., annual worldwide gross income), whichever is higher.

Bottom line?

The GDPR will not apply until 25 May 2018, but the time for action is now. All HR departments and/or employers should carry out a data review and assess whether the GDPR is applicable and what impact it has on their activities, in order to implement the necessary changes in time.

If you need additional guidance, an employment attorney will be able to provide guidance both on US and EU aspects of data protection law.

Bill Potentially Impacting “Made in USA” Claims Undergoing Committee Review


The U.S. Senate Committee on Commerce, Science, and Transportation has scheduled a reading this week of the proposed S. 118 Reinforcing American-Made Products Act of 2017.   The bill proposes to amend the Violent Crime Control and Law Enforcement Act of 1994 to require the Federal Trade Commission’s regulation of the labeling of products as “Made in the U.S.A.” or “Made in America” to supersede any state laws regarding the extent to which a product is introduced, delivered, sold, advertised, or offered for sale in interstate or foreign commerce with such a label in order to represent that the product was in whole or substantial part of domestic origin.  The bill’s sponsors include the following: Sens. Mike Lee (R-Utah), Shelley Moore Capito (R-W.V.), Susan Collins (R-Maine), Deb Fischer (R-Neb.), Angus King (I-Maine).

The FTC has been a consistent enforcer of its “Made in USA” advertising policies in recent years, having issued 57 investigation closing letters between 2014 and 2016 alone. In 2017, the agency has already released ten closing letters regarding “Made in USA” claims to companies selling everything from pillows to water filters to standing desks. As domestic manufacturing has received more attention from the Trump administration, many companies are wondering whether they can say their product is “Made in the USA” and, for some, whether they can sell that product to the government under the provisions of the Buy American Act.

We will tackle just these issues in our upcoming webinar “Buy American, Hire American: Is Your (Or Your Competitor’s) Product Really ‘Made in the USA’?” on Wednesday, May 17, at Noon-1:00 Eastern.  More information and registration details are here.

Indiana Amends Telemarketing Law, Bringing New Disclosure Requirements and DNC Vicarious Liability

Last month, the Indiana Governor signed into law House Bill No. 1444, which amends Indiana’s “do not call” statute and extends liability beyond the telephone solicitor, to individuals or entities that “directly or indirectly control” the telephone solicitor. The amendments take effect July 1, 2017 and affect entities that target Indiana consumers via telephone solicitation, regardless of the location of the entity.

Additional Disclosure Requirements. Currently, telephone solicitors must provide Indiana consumers with two types of information: (1) the solicitor’s first and last name, and (2) the name of the business on whose behalf the solicitor is calling. Under the amended law, solicitors must also immediately disclose their employer’s name or the entity with which they have contracted.

Vicarious Liability. The amendment also extends vicarious liability to individuals and entities that have direct or indirect control of the telephone solicitor, regardless of where such persons or entities are located or domiciled. Civil penalties, however, will not apply if the individual or entity can establish that they did not know and, with reasonable care, could not have known of the violation.

House Bill No. 1444 also amends the definition of “caller” under Indiana’s Regulation of Automatic Dialing Machines, to include officers of a corporation or LLC that are involved in or have notice of prohibited conduct and fail to take reasonable steps to prevent it.

Enforcement and Penalties. Failure to comply with Indiana’s telemarketing law is a deceptive act, for which the Indiana Attorney General may seek a $10,000 civil penalty for the first violation, and $25,000 for each violation thereafter. By expanding liability to principals with direct or indirect control, the Indiana Attorney General now has a wider net to cast in prosecutions for “do not call” violations.

For businesses placing telemarketing calls to Indiana consumers, it would be wise to review current calling practices and make appropriate adjustments as necessary, including with respect to managing risk associated with third parties who arguably may be calling on the business’s behalf.


Ninth Circuit Grants FTC Request for Rehearing En Banc of AT&T Throttling Case, Setting Aside Earlier Opinion

On May 9, 2017, the U.S. Court of Appeals for the Ninth Circuit issued an order granting a Federal Trade Commission (FTC) request for rehearing en banc of the court’s earlier decision to dismiss an FTC case against AT&T Mobility over allegedly “unfair and deceptive” throttling practices in connection with wireless data services provided to AT&T’s customers with unlimited data plans.  In a brief order, Chief Judge Thomas noted that “[t]he three-judge panel disposition in this case shall not be cited as precedent by or to any court of the Ninth Circuit.”

The original Ninth Circuit decision was notable because it held that the “common carrier exemption” in section 5 of the FTC Act—which excludes common carriers from FTC jurisdiction—was “status based” rather than “activity based,” and as such AT&T was not subject to the FTC’s jurisdiction even for non-common-carrier activities.  The original decision had the effect of resetting the jurisdictional boundaries between the FTC and the Federal Communications Commission (FCC) and removing a wide swath of the telecommunications and technology ecosystem from the FTC’s jurisdictional reach.

In a statement, FCC Chairman Ajit Pai applauded today’s order, noting that it will make it “easier for the FTC to protect consumers’ online privacy” and “strengthens the case for the FCC to reverse its 2015 Title II Order,” which classified broadband Internet access service (BIAS) as a common carriage “telecommunications service” and established the FCC’s current open Internet rule framework.  The 2015 Title II Order is now the subject of a draft Notice of Proposed Rulemaking scheduled for a Commission vote at its May 18, 2017 open meeting.

Judge Upholds FTC Staff Opinion that Avatar Calls are Prerecorded Messages under TSR

Yesterday, a D.C. district court upheld a recent opinion letter issued by FTC staff that extended robocalling restrictions to telemarketing calls that use so-called soundboard technology or “avatars.”  This technology generally allows a live agent to communicate with a call recipient by playing recorded audio snippets instead of using his or her own live voice.

In September 2009, the FTC staff had taken the position that avatar calls were not considered prerecorded messages under the Telemarketing Sales Rule (TSR).  See FTC Staff Opinion Letter to Call Assistant LLC (Sept. 11, 2009).  In November 2016, however, the FTC decided to revoke its previous letter, explaining that it is now the FTC staff’s opinion that outbound telemarketing calls that utilize avatars are subject to the TSR’s prerecorded call provisions. See FTC Staff Opinion Letter to Call Assistant LLC (Nov. 10, 2016).

The 2016 opinion letter explained that the staff’s change in position is due to the increasing volume of consumer complaints, the increase in how this technology has allegedly been abused by using it to conduct multiple calls at the same time without giving appropriate responses to consumers, and that the soundboard technology does “deliver a prerecorded message” under the statutory language used in the TSR.  The staff said that, even with a 1-to-1 limitation in place (i.e., using the technology to place one call at a time), this would not change the staff’s analysis.

A trade group representing companies that manufacture and use soundboard technology had challenged the FTC staff’s opinion letter, stating that the FTC: (1) circumvented the Administrative Procedures Act’s (APA) notice-and-comment requirements, and (2) violated the First Amendment by exempting pre-recorded solicitation calls between a non-profit charitable organization and its existing donors, but failing to exempt such calls to potential first-time contributors.  The court rejected both claims in Soundboard Ass’n v. FTC, No. 1:17-cv-00150 (D.D.C. Apr. 24, 2017).

First, the court found that, although the November 2016 letter is a final, reviewable agency action, it was at most an interpretive rule that the FTC was not required to issue through notice and comment under the APA.  Second, the court concluded that the letter did no more than subject soundboard calls to valid time, place, and manner restrictions. The court explained that the exemption provided to pre-recorded calls on behalf of charitable organizations to existing donors, but not to charitable organizations’ calls to potential, first-time donors, is a content-neutral regulation of speech that easily satisfies the requisite intermediate scrutiny.

Bottom Line: Companies that use soundboard technology will need prior written consent and will need to comply with the prerecorded message requirements under the TSR effective May 12, 2017, per the FTC’s grace period for compliance (as well as the TSR’s abandoned call provisions, as applicable).

“Geofencing” and Health-Related Targeted Advertising: Massachusetts AG Has Something to Say

Earlier this month, the Massachusetts Attorney General announced that her office had reached a settlement with a digital advertising company, Copley Advertising, Inc. (Copley), prohibiting the company from using mobile geofencing technology to target women at or near Massachusetts healthcare facilities to infer the health status, medical condition, or medical treatment of an individual.

Geofencing technology, as the name implies, takes account of a mobile user’s geolocation and enables advertising companies to tag smartphones within a geographic virtual fence and push targeted messages to consumers. Mobile advertisers can place targeted ads within the apps and browsers of these tagged consumer smartphones when users are in the virtual fence and, in some cases, for up to a month after the user has left the virtual fence.

In the advertising campaign at issue, Copley set mobile geofences at or near healthcare facilities to target “abortion-minded women” who were sitting in waiting rooms at health clinics in a number of cities around the country.  The potentially unwanted ads included prompts such as “Pregnancy Help,” “You Have Choices,” and “You’re Not Alone,” that, when clicked, took the consumer to a webpage with abortion alternatives. According to Copley’s representations, the advertising company had not yet engaged in geofencing campaigns near Massachusetts clinics.

The Assurance of Discontinuance resolves the Massachusetts Attorney General Office’s allegations that Copley’s advertising practices would violate consumer protection laws by:

  • Tracking consumers’ geolocation near or within medical facilities,
  • Disclosing that information to third-party advertisers, and
  • Targeting consumers with potentially unwanted advertising based on inferences about a private and sensitive health condition without the consumer’s consent.

The settlement is a good reminder for both advertisers and ad tech to consider the privacy implications of targeted advertising, whether in geofencing or other digital marketing strategies, and how privacy and broader consumer protection laws may apply.

FTC Staff Reminds Brands and Influencers About Disclosure Requirements

In November, we posted that four consumer groups had sent letters to the FTC, encouraging the agency to investigate and bring enforcement actions regarding the use of influencers on Instagram. In what may be a response to that encouragement, the FTC just announced that it had sent more than 90 letters to companies and influencers, reminding the recipients of their legal obligations.

The letters state that consumers need to know if there is a material connection between a company and an influencer who promotes the company’s products or services. Unless the connection is otherwise evident from the context, the influencer is required to “clearly and conspicuously” disclose the connection.

There are at least four noteworthy aspects to these letters:

  • Thus far, the FTC’s enforcement efforts have been focused primarily on companies. Some of these letters, though, were sent to celebrities, athletes, and other influencers. This could signal broader enforcement in the future.
  • The letters address some issues that are unique to Instagram. Consumers who view Instagram posts on mobile devices typically see only the first three lines of a longer post, unless they click “more.” When making endorsements on Instagram, influencers should generally disclose any material connection above the “more” button, so that the disclosure is less likely to be missed.
  • The letters also noted that when posts include multiple tags, hashtags, or links, readers may just skip over them, especially when they appear at the end of a long post. It’s important to ensure that important disclosures don’t get lost in the mix. This might require leading with the important disclosures or making sure that they otherwise stand out.
  • Some of the letters addressed particular disclosures that the staff believes are not sufficiently clear. For example, some letters pointed out that consumers may not understand a disclosure like “#sp,” “Thanks [Brand],” or “#partner” in an Instagram post to mean that the post is sponsored. Although there’s no one-size-fits-all way to make that disclosure, a term that is subject to multiple interpretations may not be sufficient.

These types of letters are often a precursor to more formal action, so this might be a good time to revisit your influencer agreements and campaigns.

California Last State to Join Multistate Settlement of Western Union Fraud Schemes

Last week, California became the 50th state to join the multistate settlement with Western Union over its alleged complicity in fraud-induced wire transfers.  This followed Western Union’s $5 million agreement with 49 states and the District of Columbia for costs and fees in January, not to mention a whopping $586 million in settlement agreements with the United States DOJ and FTC.  While DOJ brought wire fraud and anti-money laundering charges against Western Union, and the FTC alleged violations of Section 5 of the FTC Act and the Telemarketing Sales Rule, the states raised violations of their respective consumer protection laws.  California brought its complaint pursuant to the Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17209 (“UCL”), its analog to the FTC Act.

Some quick background on the UCL:

  • Traditionally, the UCL is thought to prohibit unfair competition, which includes unfair, deceptive, misleading, or false advertising.  § 17200; see Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 512 (2003) (whether “the ordinary consumer acting reasonably under the circumstances” is likely to be deceived).
  • But the UCL also forbids business activity unconnected with advertising when such activity constitutes an “unlawful” or “unfair” business practice that either violates another law or violates an established public policy.  § 17200; see e.g., In re Anthem Data Breach Litig., 162 F. Supp. 3d 953, 990 (N.D. Cal. 2016); Ballard v. Equifax Check Servs., Inc., 158 F. Supp. 2d 1163, 1176 (E.D. Cal. 2001).  Some common defenses to these claims include compliance with the underlying law, the practice is not unfair or is justified, and federal preemption.
  • The UCL provides private plaintiffs with the ability to bring claims for restitution and injunctive relief, while the government can also impose civil penalties of up to $2,500 per violation.  §§ 17203, 17206; see e.g., People v. JTH Tax, Inc., 212 Cal. App. 4th 1219, 1254 (2013) (“[T]he court could have imposed penalties of over $9 million, but only imposed penalties of $715,344 for these advertisements.”).

Here, the California Attorney General alleged that Western Union, during the course of its money transferring services, failed to scrutinize and stop complicit agents that did not comply with anti-money laundering policies, inadequately trained, vetted and reported agents, and overall did not “prevent fraudulent telemarketers, sellers, and con artists from using Western Union’s money transfer system to perpetrate their frauds.”  In other words, Western Union exposed its customers to fraud in violation of the UCL.

As part of the global settlement, Western Union agreed to implement a comprehensive anti-fraud program to detect and prevent future incidents.  California consumers who made a wire transfer through Western Union are entitled to a share of the DOJ restitution fund and may be eligible for more than $65 million in refunds.  The California Department of Justice also may recoup costs and fees from the $5 million multistate fund.

Bottom line: the UCL is a dynamic enforcement mechanism with the potential to curtail many different types of business activities that seemingly harm consumers, and provides the Attorney General with the ability to inflict stiff penalties for violations.
