NAD Inhibits Growth of Bacteria (Claims)

The NAD recently analyzed whether Petmate had adequate substantiation to support claims that certain cat litter pans had “built-in antimicrobial protection” and that they could “inhibit bacteria growth.” Although the decision is most directly relevant to companies that make antimicrobial claims, it also contains information that’s relevant to any company that uses tests to substantiate claims.

There’s a lot going on in this case, but here are five key points from an advertising law perspective:

  • Petmate argued that product testing was not necessary because the Microban ingredient in its litter pans had been tested. The NAD disagreed, noting that just because a product is treated with an EPA registered pesticide does not, by itself, substantiate a product performance claim. Testing on the product is necessary.
  • The NAD reiterated that in order to make a “health-related claim,” such as the antimicrobial claims on the cat litter pans, an advertiser must have “competent and reliable scientific evidence.” This generally requires well-controlled studies with results that are statistically significant at the 95% confidence level.
  • Petmate submitted the results of a test conducted pursuant to an industry standard test designed to assess antimicrobial activity. The NAD was concerned, however, that the standard was designed to assess that activity on textiles. Although Petmate argued that the test was also valid for plastic materials, such as cat litter pans, the NAD was not convinced.
  • The NAD observed that the tests were conducted by Petmate’s supplier of Microban, the antimicrobial ingredient in its litter pans. Although the NAD prefers independent third-party tests, it will accept in-house testing as long as there is “evidence that adequate controls and safeguards were implemented to prevent bias.” Here, the NAD did not find such evidence.
  • Even if the NAD had accepted the tests, it noted that results must translate into a meaningful benefit for consumers. Here, the NAD found that there was no evidence demonstrating that consumers would perceive a difference due to the inclusion of the antimicrobial agent in the Petmate litter pans.

Keep in mind that if you make antimicrobial claims, you also need to worry about EPA regulations. While companies that manufacture and sell “treated articles” (with only non-public health claims) do not have to obtain independent registrations for products that incorporate an EPA-approved antimicrobial, they do have to comply with the conditions of the registration for the EPA-approved additive, including the types of claims that can be made and the products/materials in which the additive can be used. In addition, EPA regulations restrict how treated articles may be advertised. For example, antimicrobial claims should be printed in type of the same size, style, and color, and “should not be given any greater prominence than any other described product feature.”

Andrew Smith Named Director of FTC’s Bureau of Consumer Protection

Andrew Smith was recently named Director of the FTC’s Bureau of Consumer Protection. Given his strong background in financial matters, businesses can expect Smith to focus on issues affecting consumer financial services.

Smith is not a stranger to federal positions. Although most recently a Partner in the Regulatory and Public Policy Group at Covington & Burling LLP and Co-Chair of the firm’s Financial Services Group, Smith previously held roles as Senior Counsel and Acting Assistant General Counsel at the SEC from 1997 to 2000 and as the Assistant to the Director of the Bureau of Consumer Protection from 2001 to 2005. During Smith’s time at the FTC, he focused largely on consumer financial protection policy—mainly through enforcement and rulemaking. For example, while serving as the program manager for the Fair and Accurate Credit Transactions Act of 2003, Smith helped to draft ten rules and six studies.

Smith’s interest in financial services has followed him throughout his career. His practice at Covington focused specifically on financial privacy—including regulatory compliance, consumer financial services laws, and enforcement actions and investigations. He also serves as the Chair of the ABA’s Consumer Financial Services Committee.

Notably, in January of this year, Smith testified before the House of Representatives Subcommittee on Financial Institutions and Consumer Credit about fintech policy. His statements suggest that he is in favor of an increased role of fintech in the banking industry, although he proposes passing legislation that clarifies the role of banks as lenders, regardless of the vendor or service provider. Further indications of Smith’s interest in the fintech space come from an editorial he authored in The Hill in February of this year. He advocates collaboration between fintech and banks to offer the middle class more financial options, e.g., point-of-sale lending. In Smith’s words, “the future of banking is the internet, and brick-and-mortar is the past.” His piece supports the Modernizing Borrower Credit Opportunities Act of 2017, a bipartisan bill to regulate the fintech industry introduced in November of 2017.

Another indication of Smith’s likely priorities as Bureau Director may be the people he worked with during his prior stint at the FTC. For example, he worked closely with Howard Beales who served as the Director of the Bureau of Consumer Protection from 2001 to 2004. Regarding advertising specifically, Beales advocates for a flexible “reasonable basis” standard for substantiation requirements, as opposed to more stringent evidentiary standards. This position favors the view that consumers benefit from having access to information. Having served with Beales, Smith may take a similar approach to substantiation requirements as Director.

Despite Smith’s previous experience, however, his appointment has not been without controversy. While at Covington, Smith represented Facebook, Uber, and Equifax in both investigations and FTC settlements regarding data breaches. Although Smith plans to recuse himself from these high-profile cases in his new role, opponents have noted that Smith’s representation of these companies may put him at odds with the FTC’s consumer protection mission. Senator Richard Blumenthal stated that he could “imagine worse choices [for Bureau Director], but not many,” noting that Smith was “on the wrong side of [the] issues” in his testimony on behalf of Equifax last fall. During that testimony, Smith indicated that credit bureaus should not have a fiduciary duty to consumers from whom they collect data, and that current industry regulations were satisfactory to protect consumers. Senator Elizabeth Warren called Smith’s appointment “corruption, plain and simple,” referring to him as “Equifax’s hired gun.” Further, David Vladeck, who was Bureau Director from 2009 to 2012, noted that Smith’s recusing himself from some of the agency’s most important cases is an unusual position for someone in his role and wondered “how far-reaching the recusals will be.”

The FTC’s newly-appointed Democratic Commissioners had similar concerns, turning a usually perfunctory vote into a point of contention. Rebecca Slaughter noted that appointing a Director “who is barred from leading on data privacy and security matters that affect so many consumers, command so much public attention, and implicate such key areas of the law potentially undermines the public’s confidence in the commission’s ability to fulfill its mission.” Rohit Chopra, a fellow Democrat, agreed, noting that Smith’s conflicts “[raise] many questions,” and would put Smith “on the sidelines” in some of the agency’s most important cases. He also noted that FTC Chairman Joe Simons made the pick without a Commission meeting. Simons, however, called the appointment a “source of unnecessary controversy,” indicating that “it is impossible to attract high caliber professionals to the FTC without encountering some conflicts,” and noting that the agency can readily handle recusals.

Although we may have some insight into Smith’s new role as Director, his position on consumer protection issues outside of the financial industry, and the effects of his recusals, remain to be seen. We can expect, however, that helping to regulate fintech, and other financial security issues, will likely be high on his list of things to do.

Happy Chickens in a Line (Claim)

The NAD recently announced a decision in which it analyzed whether consumers would interpret claims in two commercials about Perdue’s happy chickens and organic practices to apply to all of the company’s chickens or only some of them. Even if you aren’t trying to measure the satisfaction of your own poultry, the decision includes some valuable insights into the NAD’s views on “line claims.”

One commercial shows Jim Perdue and his sons, each wearing a shirt with a Perdue logo, going about their daily tasks. They talk about “organic free-range chickens” that are “non-GMO, 100% vegetarian-fed, raised with no antibiotics,” as they drive up to a barn with the Perdue Harvestland Organic logo. The general Perdue brand logo appears on screen before flipping to the Perdue Harvestland Organic logo, as a voiceover states: “Perdue. Raising more organic chickens than anyone in America.”

One key question for the NAD was whether the commercial communicated that all Perdue chickens are raised organically (which is not true) or only that Harvestland Organic chickens are raised organically (which is true). Although the advertiser provided a survey demonstrating that consumers only took away the latter, narrower, claim from the commercial, the NAD found flaws in the survey and ultimately determined that consumers could interpret the commercial more broadly.

The NAD noted that the commercial featured numerous “visual and verbal general brand references to Perdue, while presenting only momentary visual references to Harvestland Organic, the sub-brand to which Perdue’s organic claim pertains.” In addition, although “Perdue” was mentioned in the audio, the sub-brand was not. Because of this, “consumers may understand all of Perdue’s chickens to be organic, rather than only the ones it offers through its Harvestland Organic sub-brand.”

If you make a claim that applies only to some of your products, you need to be careful not to suggest it applies to your whole line of products. Whether or not your ad will be read to present a “line claim” will depend on various factors, including whether you make general brand references and what products you show. This case demonstrates that the line – no pun intended – between line claims and narrower claims isn’t always very clear, so it pays to be careful.

Florida AG Files Complaint Against Restaurant for Allegedly Deceptive “Locally Sourced” and “Sustainable” Claims

Florida attorney general Pam Bondi filed a complaint last week against Icebox Cafe, L.C. alleging that the restaurant violated Florida’s Deceptive and Unfair Trade Practices Act by making misleading claims that its food products were “locally-sourced” and “sustainable.”  The defendant operates a self-proclaimed “farm-to-table” restaurant in Miami Beach, along with select locations at airports.

According to the complaint, Icebox sought to capitalize on the market for locally sourced and sustainable food products by making false and misleading claims.  For example, the Icebox Miami airport location claimed that its menu items were “farm-to-terminal” and “local,” but the company’s invoices indicate that almost none of the products were sourced from local farms and distributors, according to the action.  The complaint also alleges that defendant’s menus contained representations that its products were from specific local farms and distributors, but its invoices again belied this assertion.

The complaint additionally identifies allegedly misleading claims about “wild” salmon and other fish that had been purportedly caught the same day it was sold to consumers.  While the complaint doesn’t address the substantiation that the advertiser would have needed to support these claims, general advertising law principles require advertisers to have a reasonable basis to support such claims.  The Florida AG points to Icebox’s invoices as evidence that the defendant lacked such a basis and could not support the claims.

The action is an important reminder that advertisers must consider how consumers are likely to interpret “locally sourced” and “sustainable” claims and ensure that they have substantiation to support those takeaways before making the claims.  Unlike many claims for food products that are expressly defined by federal and/or state law, claims about local sourcing and sustainability are not generally defined.  The action here, therefore, reinforces the need to consider substantiation both for claims subject to explicit standards and claims related to undefined terms that may be subject to varying interpretations by different consumers.

In this case, the complaint suggests that the defendant’s invoices demonstrate that the claims were outright false, but one could imagine an instance where some consumers might consider the food sufficiently “local” and others might view the claim as deceptive.  For example, is fish sold in Miami but harvested in north Florida “local”?  What makes a product “sustainable”?  Consumer perception evidence could be useful in these closer calls.  It will be interesting to see whether the terms of any settlement effectively set a new standard for these terms in Florida.  Until then, the lesson for advertisers everywhere is to be precise when using such undefined but attractive language.

 

Why So BLU?: FTC Settles Privacy and Data Security Claims with Mobile Company; Fencing-In Relief Requires Consumer Opt-In to Data Sharing

Earlier this week, the FTC settled its case with BLU Products, Inc., a cell phone company the FTC claimed misled consumers about its privacy and data security practices. According to the agency, the company represented that it did not collect unnecessary personal information and that it imposed specific data security procedures to protect consumers’ personal information. But the FTC claimed not so fast, alleging that BLU allowed one of its partners, an advertising software company, to collect sensitive consumer information such as text message contents and call logs with full telephone numbers. The FTC also alleged that BLU failed to implement the security features it represented to consumers, allowing the company’s devices to be subject to security vulnerabilities that could allow third parties to gain full access to the devices.

In settling the case, BLU agreed not to misrepresent its data collection or data security practices. The order also requires BLU to clearly and conspicuously disclose: (1) all of the “covered information” that the company collects, uses, or shares; (2) any third parties that will receive this “covered information”; and (3) all purposes for collecting, using, or sharing such information. This disclosure must be separate from the company’s privacy policy or terms of use and the company must obtain the consumer’s affirmative express consent to the collection, use, and sharing of such information. “Covered Information” is defined as geolocation information, text message content, audio conversations, photographs, or video communications from or about a consumer or their device.

Senate Confirms Full Slate of New FTC Commissioners

The Senate yesterday confirmed all five nominees to the Federal Trade Commission by voice vote, which means the five-person body will soon be restored to full capacity after over a year with only two Commissioners.  Current Chair Ohlhausen released a statement congratulating incoming Chair Joseph Simons and soon-to-be new Commissioners Noah Phillips, Becca Slaughter, Rohit Chopra, and Christine Wilson.

Ohlhausen’s statement suggests that she intends to remain at the Commission until confirmed by the Senate to her nomination as a Judge on the U.S. Court of Federal Claims – with Wilson set to fill Ohlhausen’s seat once she departs.  Current Commissioner McSweeny recently announced that she intended to depart the Commission tomorrow, April 27, and that she hoped the Senate would move expeditiously in the confirmation process.

As we previously discussed here and here, the new Chair and Commissioners will bring a breadth of knowledge and experience to the FTC.  While working in private practice for the majority of his career, incoming Chair Simons also has significant experience at the Commission, having served as Director of the Bureau of Competition from June 2001 to August 2003 and in other roles at the FTC in the late 1980s.  Wilson, currently a Senior Vice President at Delta Airlines, overlapped with Simons during his most recent stint at the Commission while Wilson served as Chief of Staff to then-Chair Timothy Muris.

The other three Commissioners have not previously served at the FTC, but have notable expertise and experience in other areas.  Chopra, the only non-lawyer of the bunch, comes most recently from the Consumer Federation of America and previously served as Assistant Director at the Consumer Financial Protection Bureau.  Phillips and Slaughter will be departing legal positions on the Hill – Phillips serving as Chief Counsel to Senator Cornyn and Slaughter as Chief Counsel to Senator Schumer.  As the fifth and final nominee, Slaughter was unanimously reported out of the Commerce Committee earlier this week.

The new slate of Commissioners is expected to shake things up at the FTC.  While generally avoiding firm policy positions or legal interpretations during the confirmation process, the appointees affirmed their commitment to vigorously enforcing consumer protection and antitrust laws and expressed distinct interests in specialized topics such as big data and interconnected devices.  Now that the confirmation process has run its course, the coming days are likely to shed more light on the key priorities for the new Chair and Commissioners.

FTC Files Complaint Against Lending Club for Allegedly Deceptive and Unfair Online Loan Practices

The FTC today filed a complaint against Lending Club alleging that it deceived consumers by advertising loans with “no hidden fees” and subsequently concealing substantial loan origination fees.  The complaint points to consumer complaints and internal compliance documents as evidence that Lending Club knew that consumers were being misled and continued to misrepresent the loans anyway.

The complaint charges four distinct violations:

  • Deception regarding up-front fees.  While advertising loans with “no hidden fees,” the Commission alleged that Lending Club actually charged substantial loan origination fees (on average, about 5% of the loan amount) and failed to clearly and conspicuously disclose those fees – both in advertising and throughout the application and approval process.  The complaint provides screenshots of the consumer experience from advertisement to sign-up to approval.  In both the desktop and mobile environment, the FTC charged that consumers were deceived because they would need to do either of the following to learn about the fee: (1) hover over a hyperlink explaining advertised APR to learn that the represented rate includes the loan origination fee; or (2) scroll to the bottom of the loan approval page and notice the fee disclosure embedded in the middle of a text heavy page.  The FTC cited frequent consumer complaints and internal compliance documents referencing potential deception to argue that Lending Club knew it was deceiving consumers and decided to continue its practices anyway.
  • Deception regarding loan approval.  The complaint also alleges that Lending Club made deceptive representations that loans were “on the way” or were “100% backed,” notwithstanding that it knew that a more significant approval step had yet to be completed and many consumers would not ultimately obtain the allegedly approved loans.  According to the complaint, Lending Club uses a two-step “front-end” and “back-end” approval process and misleadingly suggested that consumers were approved after just the first step, despite knowing many consumers would be rejected after the “back-end” step.
  • Unfair billing practices.  The complaint also alleges that Lending Club engaged in unfair acts by withdrawing money from consumers’ bank accounts without authorization, or in amounts in excess of consumers’ authorizations.  Many of these unauthorized charges occurred after consumers had already paid off their loans with Lending Club, according to the complaint.
  • Gramm-Leach-Bliley Act (GLBA) violations.  Lastly, the complaint alleges that Lending Club violated GLBA by failing to deliver initial privacy notices to consumers as required under GLBA and FTC and CFPB implementing regulations.  The complaint explains that Lending Club was subject to GLBA because it is a financial institution under the Act in that it services loans, notwithstanding that the loans are actually made by a third-party bank.  The GLBA allegations are a good reminder that the definition of “financial institution” under GLBA is a tricky one that is distinct from similar definitions under other statutes.

The complaint was filed without a consent judgment in federal court in the Northern District of California, and was approved by both remaining Commissioners, Chair Ohlhausen and Commissioner McSweeny.  McSweeny recently announced that she will leave the Commission at the end of this week on April 27.  Five new Commissioners nominated by President Trump are presently awaiting a full Senate confirmation vote.

New Article on Whether a Single FTC Commissioner Constitutes a Quorum

FTC Commissioner Terrell McSweeny is scheduled to resign effective April 28 and may leave acting Chairman Maureen Ohlhausen as the sole commissioner. Law360 published an article by partner John Villafranco and professor Stephen Calkins that discusses whether the FTC can take formal action by a 1-0 vote and when a commission ceases being a commission.

Ding Dong, TCCWNA Class Actions Are Dead.

Today, the New Jersey Supreme Court issued a much-anticipated decision construing New Jersey’s Truth-in-Consumer Contract, Warranty, and Notice Act (“TCCWNA”). The decision affirmed that one who has not suffered actual harm from an allegedly unlawful provision in a contract or notice is not “aggrieved” and therefore cannot sue under the TCCWNA.  Importantly, the Court held that the harm need not necessarily be monetary, but it does have to exist.  This unanimous decision should bring an end to the recent wave of speculative class action lawsuits asserting TCCWNA claims based, for example, on standard provisions in online Terms of Service.

The TCCWNA, as discussed in prior posts here and here, imposes a steep $100-per-violation penalty whenever a “contract” or “notice” contains a term that violates “clearly established” New Jersey or federal law.  If a contract or notice says that some of its terms may not apply in “some states,” without specifically identifying provisions that are unlawful and thus inapplicable in New Jersey, the same $100 penalty attaches.  In a landmark decision last October, the New Jersey Supreme Court curtailed the circumstances in which TCCWNA claims can be pursued on behalf of a class by holding that the statute’s requirement that a consumer must be “aggrieved” requires proof that every putative class member at least was “presented with” the offending notice (in that case a restaurant menu).  The court also put real teeth in the requirement that the “right” a notice supposedly violates must be “clearly established.”

The October decision did not address other important TCCWNA issues, including whether one can be an “aggrieved consumer” without having suffered any actual harm. Just after oral argument in the October-decided case, however, the Supreme Court accepted a certified question from the Third Circuit Court of Appeals as to whether one without damages can sue under the TCCWNA.

In Spade v. Select Comfort Corp., the plaintiffs purchased an allegedly faulty adjustable bed and received a refund after the defendant could not fix it.  The plaintiffs nevertheless sued the seller under the TCCWNA, contending that its contract failed to conform to New Jersey regulations for selling household furniture regarding delivery timing.  A district judge dismissed those claims, finding the consumers were not “aggrieved” because they received their refund and because their claim against the seller had nothing to do with delivery timing.

In Wenger v. Bob’s Discount Furniture LLC, the plaintiffs ordered goods from the defendant and received them without complaint, but still sued under the TCCWNA based on allegedly unlawful aspects of the customer agreement, including font size, the company’s refund policy, and several of the contract’s other provisions.  The same district judge dismissed those claims, too, on essentially the same basis, and both cases found their way to the Third Circuit.

On November 23, 2016, the Third Circuit asked the New Jersey Supreme Court to decide whether (1) a consumer who receives a non-conforming contract, but who has not suffered any adverse consequences, is “aggrieved” and therefore can sue under the TCCWNA; and (2) a contract provision that violates the state’s Furniture Delivery Regulations satisfies the “clearly established right” provision of the TCCWNA. That is what led to today’s decision.

The Supreme Court answered the first question by holding that contracts containing provisions at odds with regulations do violate the TCCWNA.  That aspect of today’s ruling cannot be ignored.  Among other things, it means that the New Jersey Attorney General’s Office absolutely can pursue businesses for TCCWNA violations if they include such unlawful provisions.

The Court very clearly and strongly held, however, that consumers cannot sue unless they are “aggrieved.” The plaintiffs tried to define “aggrieved” to mean anyone who is offered or enters into a contract containing an offending term, but the Court held that such an expansive interpretation would effectively write the word “aggrieved” out of the statute.  The term “aggrieved consumer,” the Court held, must “denote[] a consumer who has suffered some form of harm as a result of the defendant’s conduct.”

Although there is much for the business community to celebrate in today’s decision, attention must be paid to the last section of the Court’s opinion, beginning with “[w]e do not, however, view [cognizable] harm to be limited to injury compensable by monetary damages.” TCCWNA, the Court held, “contemplates that a consumer may be entitled to a remedy notwithstanding the absence of proof of monetary damages.”  This might include, for example, someone who received a late delivery and was dissuaded from seeking a refund because an unlawful provision told her she could not do so.  Allegations like this would seem to be highly individualized, however, and therefore not proper subjects for class actions.

Wenger and Spade now return to the Third Circuit, which presumably will uphold the district court’s dismissals.  A cascade of dismissals of other suits then should follow.

Data Breach Notification Law Roundup

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer time period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Experian data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which, if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!
