New FCC Rules on CPNI Will Impact ISPs and Businesses That Rely on Internet Tracking Data

April 2nd, 2015 by Jia-Ming Shang

By now, most people know that in its recent Open Internet Order adopted on February 26, 2015, the FCC reclassified internet access services as common carrier “telecommunications services” subject to FCC jurisdiction under the Telecommunications Act of 1996.  The Order imposes a new regulatory framework on internet providers and, among many other things, augurs a sea change in how internet providers and their business partners may use certain data, including a class of information called Customer Proprietary Network Information (“CPNI”).

CPNI is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.”  See 2007 FCC CPNI Order.

Outside of telecom insiders, most people have probably never heard of CPNI or the FCC’s specific regulations on its use.  But later this month, new rules on collection, disclosure, consent and use of CPNI in the internet context will take center stage as the FCC decides whether and to what extent previously-exempt internet service providers and their business partners are bound by CPNI rules that phone and cable companies have observed for years.

Of course, the Devil’s in the details.  Current CPNI rules, for example, prevent phone companies from sharing the phone numbers a customer calls or receives without express consent.  How that rule translates in the internet context, where the entire notion of internet marketing relies on some measure of tracking, is less clear.  But some restrictions on the current system are likely, with the FCC indicating that many of the same consumer privacy concerns applicable to phone companies are present with internet providers:

[c]onsumers’ privacy needs are no less important when consumers communicate over and use broadband Internet access than when they rely on [telephone] services.  As broadband Internet access service users access and distribute information online, the information is sent through their broadband provider.  Broadband providers serve as a necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts of personal and proprietary information about their customers. Absent appropriate privacy protections, use or disclosure of that information could be at odds with those customers’ interests.

Feb. 26, 2015 Open Internet Order, para. 463.

In short, if your business relies on or uses tracking data on consumer internet traffic or behavior in any way (e.g., customized ad buys, cookies, big data algorithms, mobile payments processing), there’s a good chance that the forthcoming new CPNI rules will affect you in some way.

For now, ISPs have a reprieve, and the FCC has stated that it will forbear from applying its existing rules because they are “not well suited to broadband Internet access service.”  In particular, the FCC found that existing rules are more focused on concerns that have been associated with voice telephone service and do not address many of the types of sensitive information to which broadband providers (more so than phone companies) are likely to have access.

These comments suggest the possibility that the new CPNI rules may be more strict than the current ones for phone companies.  FCC Chairman Tom Wheeler has announced that the agency will hold a workshop on April 28 for stakeholders to discuss details, with final rules probably coming out in Q3 or Q4 of 2015.

Second Circuit Joins Chorus In Favor Of CDA Immunity

April 1st, 2015 by Afigo Fadahunsi

In Ricci v. GoDaddy.com, the United States Court of Appeals for the Second Circuit affirmed a dismissal of defamation claims against GoDaddy.com, a website host, invoking the immunity and preemption provisions of the Communications Decency Act (“CDA”), 47 U.S.C. § 230. The lawsuit against GoDaddy stemmed from an “offline” dispute between the Ricci plaintiffs and the Teamsters’ Union, to which Mr. Ricci belonged. Following Mr. Ricci’s refusal to endorse the union president at the time, Ricci endured various forms of retaliation from union leadership, including the union’s publication of newsletters containing offensive and defamatory statements about the Riccis. The newsletters were posted onto a website hosted on GoDaddy’s servers.

In the Complaint, the Riccis acknowledged that GoDaddy had no role in creating the allegedly defamatory newsletters. Rather, the Riccis sought to impose liability upon GoDaddy because it hosted the website on which the newsletters were republished, refused to remove the newsletters, and refused to investigate the plaintiffs’ complaints about the statements in the newsletters. The trial court dismissed the Riccis’ suit based on CDA immunity, and the Second Circuit affirmed.

The CDA shields hosts like GoDaddy from publisher liability (with respect to third-party or user-generated web content) when they act in their capacity as providers of an interactive computer service. Section 230 offers broad protection to website operators, and courts have typically rejected any interpretation that renders meaningless the core immunity provided by Section 230(c), or clouds the vision of an uninhibited and open Internet. Section 230(c)(1) provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by an information content provider.” Section 230(e)(3) further states that “[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.”

In its first opinion construing the immunity provisions of the CDA, the Second Circuit made three critical points in its ruling: First, “a plaintiff defamed on the internet can sue the original speaker, but typically cannot sue the messenger.” The Riccis should have pursued defamation claims only against the union, and not against GoDaddy. Second, GoDaddy did not play a role in creating the allegedly defamatory newsletters. Since GoDaddy was sued in its capacity as a provider of an “interactive computer service,” it is immune from defamation liability under the CDA. Third, an interactive computer service like GoDaddy can win a Section 230 lawsuit on a motion to dismiss. According to the court, although preemption under the CDA is an affirmative defense, “it can still support a motion to dismiss if the statute’s barrier to suit is evident from the face of the complaint.” The court found that the defect was patently evident in the Riccis’ case.

FTC Advises That Mergers Don’t Eliminate Privacy Promises of Acquired Companies

March 28th, 2015 by Paul Pittman

The FTC recently posted comments on its business blog about the responsibility of companies to comply with privacy representations made to prior customers on how the companies will collect, use or disclose personal information, following a merger or change in ownership. Noting that companies must keep their promises to customers regarding the privacy of the personal information, the FTC identified three options for a company to consider when merging or changing ownership:

• Companies can continue to honor the privacy promises made to consumers before the merger or acquisition;

• To change the privacy promises already made to consumers, such as sharing personal information with third parties, companies will need to inform consumers and get their express affirmative consent to opt in to any new practices;

• To change how information is collected in the future, companies need to provide consumers with notice of the change and a choice of whether to agree to the collection. According to the FTC, simply revising the language in a privacy policy or user agreement isn’t sufficient because existing customers may have viewed the original policy and may reasonably assume it’s still in effect. Further, the notice and choice must be sufficiently prominent and robust to ensure that existing customers can see the notice and easily exercise their choices.

The FTC’s commentary and citations to specific case examples can be found at

https://www.ftc.gov/news-events/blogs/business-blog/2015/03/mergers-privacy-promises?utm_source=govdelivery

Net Neutrality: More Winners Than Losers

March 17th, 2015 by John Stephens

On March 12, 2015, the Federal Communications Commission (FCC) released the full text of the Net Neutrality rules it approved last month. Net Neutrality essentially means an open Internet where all traffic is equal, anyone can publish content, and everyone has access to media. The new rules are not a guarantee that the Internet will remain neutral, as there will very likely be legal challenges to the proposal, but for now, things should remain pretty much the same in cyber-world. This post will explain Net Neutrality and the FCC’s new rules, and explain how Net Neutrality benefits most people.

The agency’s move to reclassify broadband Internet as a “telecommunications service,” which gives it more legal muscle to force broadband providers to treat all Web traffic equally, was given the green light in a high-profile party-line vote on Feb. 26, 2015, but the agency took two weeks to incorporate dissenting opinions from Republican commissioners and meet other procedural requirements.

History of Net Neutrality

Fundamentally, Net Neutrality is the idea that broadband providers deliver every Internet site’s traffic without discrimination. At its core, Net Neutrality demands equality in the treatment of consumers who pay for the same or a greater quality of service, permitting peer-to-peer communication in any platform of the consumers’ choosing, regardless of the amount of content transmitted or bandwidth utilized.

Prior to the new rules, the FCC classified broadband providers as information services under Title I of the Communications Act of 1934.   In the past 10 years, the FCC twice issued Net Neutrality principles under Title I, each time losing to challenges by broadband providers like Verizon. In the most recent challenge, Verizon v. FCC, 740 F.3d 623 (D.C. Cir. 2014), the Court of Appeals for the District of Columbia Circuit rejected the FCC’s second set of proposed Net Neutrality regulations because the rules treated broadband providers as entities regulated under Title II of the Act.

FCC’s New Rules

The court in Verizon held that the FCC had regulatory power to impose Net Neutrality standards, but not under Title I. The court effectively invited the FCC to adopt a Title II regulatory program. The newly-proposed rules accept the court’s invitation by declaring the Internet to be a public utility under Title II.  Under the proposed neutrality rules, any retail broadband service Americans buy from a cable operator, telecommunications company or a wireless operator would be reclassified as a telecommunications service, instead of a lightly-regulated information service.

The new rules provide:

• No blocking: Broadband providers will not be able to block access to legal content, applications, services or non-harmful devices.

• No throttling: Broadband providers will not be able to “impair or degrade” lawful Internet traffic on the basis of content, applications, services or non-harmful devices.

• No paid prioritization: Broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for payment, i.e., there will be no “fast lanes.” Broadband providers will also be barred from prioritizing content and services of their affiliates.

• The commission’s new rules would also include a “standard for future conduct,” with the rationale being that because the Internet is always evolving, “there must be a known standard by which to determine whether new practices are appropriate or not.”

Legal Challenges Ahead

The FCC’s proposal is leveraging two main elements of legal authority: Title II of the Communications Act and Section 706 of the Telecommunications Act of 1996. By using these two provisions, the FCC said the “proposal provides the broad legal certainty required for rules guaranteeing an open Internet.”

Already, reports have emerged that the broadband providers AT&T and Verizon are ready to launch legal challenges to the FCC’s proposal. The reason why broadband providers have been so adamantly opposed to an open Internet is obvious and summed up well by SBC CEO Ed Whitacre in a 2005 interview with Business Week:

We own the pipes and we should be able to control the traffic that flows through them!… How do you think they’re going to get to customers? Through a broadband pipe. Cable companies have them. We have them. Now what they would like to do is use my pipes free, but I ain’t going to let them do that because we have spent this capital and we have to have a return on it.

Besides these broadband providers, the FCC’s proposal is being challenged by a group of Republican lawmakers that have proposed another method to ensure the openness of the Internet while not permitting the agency to reclassify broadband as a utility under Title II of the Communications

The Future

Critics of the rules, like AT&T, quickly jumped on the release of the rules as another chance to criticize the agency’s approach and to lightly threaten litigation.

“Unfortunately, the order released today begins a period of uncertainty that will damage broadband investment in the United States,” AT&T Senior Executive Vice President Jim Cicconi said. “Ultimately, though, we are confident the issue will be resolved by bipartisan action by Congress or a future FCC, or by the courts.”

It’s unclear when that legal action might come, but Thursday’s release does move the FCC’s rules forward through the process of becoming law. Barring any unforeseen complications, they could be finalized, and published in the Federal Register, by the end of the month. Certain transparency requirements in the new rules will face additional procedures at the Office of Management and Budget, which could delay things further.

After they’re published, the rules will take effect in 60 days. Internet service providers or other interested parties will also have 30 days from the date of publication to file a lawsuit. Before then, they can also petition the FCC to stay the rules pending judicial review.

The FCC’s decision to support Net Neutrality brings to a close an era of uncertainty as to exactly what position the FCC would take on the issue. The FCC’s action set sustainable rules of the cyber roads that should protect free expression, continue to encourage and reward innovation and grow our economy.

Does the E.U. “Right to be Forgotten” Pose a Threat to Companies in U.S.?

March 8th, 2015 by Paul Pittman

Even observed from “across the pond,” the right of European Union (“E.U.”) consumers to compel an Internet search engine to de-link specific personal information of the consumer from certain search results – the “Right to be Forgotten” – has garnered considerable attention in the United States (“U.S.”). Until recently, the “Right to Be Forgotten” seemed to be a concept that arose solely in the E.U. However, late last year a French court, relying on the “Right to Be Forgotten,” issued an injunction requiring Google to remove from its search engine worldwide allegedly defamatory material linked to a Danish lawyer employed in France. The French court’s order raises a significant question of whether a U.S. court would enforce an E.U. “Right to Be Forgotten” order.

The Right to be Forgotten

Last May, the Court of Justice of the European Union (“CJEU”) ruled in Google Spain v. AEPD and Mario Costeja Gonzalez that E.U. data subjects have a privacy right to request that Internet search engines, such as Google, remove certain search results linking to third party websites containing personal information deemed “inadequate, irrelevant or no longer relevant” absent an overriding public interest in the information. The decision has become synonymous with a “Right to Be Forgotten” and is based on an action by a Spanish citizen (Mario Gonzalez) to force Google Inc. to remove links in its search engine to an old article reporting that Gonzalez’s home was repossessed to pay off social security debts.

Since the decision in Google Spain, Google has received more than 201,194 requests to de-link information and has removed the search results in 42 percent of cases. When Google grants a removal request it typically only removes the personal data from the servers facing the specific E.U. country. The information may still be visible in other E.U. countries and in the U.S. It is this practice that likely led to the dispute in the French case last year.

French Court Places “Right to Be Forgotten” Demand on Google’s U.S. Operations

In August 2013, Dan Shefat filed a lawsuit seeking to de-link materials that were used in a “defamation campaign” by an unknown individual against his law firm on blogs and websites. A French court granted Shefat’s request, under the “Right to be Forgotten,” and ordered both Google France and Google, Inc. – the U.S.-based operator of Google’s search engine – to de-link the material from search results involving Shefat’s name, worldwide. Google complied with the court’s order by removing the link on its Google France search engine, but refused to de-link the materials on its Google Inc. search engine. In September 2014, on Shefat’s request, the Paris Tribunal de Grande Instance issued an injunction requiring Google Inc. to remove links to the materials worldwide and imposed a fine of 1,000 euros per day on Google France until Google Inc. complies. Google recently confirmed that it would only remove search results from European websites, but reserved the right to re-review its policy in the future.

Notably, while very little guidance on applying the “Right to be Forgotten” directive existed at the time the French court issued its ruling, it appears to be consistent with guidelines published by the Article 29 Working Party shortly after the decision. Those guidelines allow E.U. courts to broadly extend their jurisdiction by requiring companies to remove contested links from all domains, not just those in the E.U. Under these guidelines, the search results and content on a U.S.-facing search engine that also operates an E.U.-facing search engine would be subject to a de-linking request pursuant to the “Right to be Forgotten.” The Article 29 Working Party recently issued letters to several search engines reminding them of this policy.

Data Privacy in E.U. and U.S.

Predicting whether a U.S. court would enforce a “Right to be Forgotten” order should begin with an understanding of the differences between the privacy regimes of the two sovereigns. Both regimes are based on principles of freedom of expression, access to information, fairness, notice and consent.

As the Google Spain case illustrates, the E.U. data privacy regime favors consumer privacy. Data privacy in the E.U. is generally governed by Directive 95/46/EC, a comprehensive statute that regulates the processing and transfer of personal data in E.U. member states (“Data Protection Directive”). The Data Protection Directive is enforced by data protection authorities in each E.U. member state, who also implement and enforce their own national data protection laws. While the Data Protection Directive has been the law of the land for nearly 20 years, the General Data Privacy Regulation, approved by the European Commission on March 12, 2014, is set to supersede the Data Protection Directive.

On the other hand, the U.S. data privacy regime encourages access to information and free expression. U.S. privacy laws are a medley of state and federal laws, and administrative decisions, targeting specific data for protection including personal, financial, health and children’s data. Although U.S. privacy laws also consider consumer privacy, there is equal if not overriding concern with ensuring these laws do not inhibit the right to free speech and freedom of expression established by the First Amendment of the U.S. Constitution. In fact, with regard to search engine search results, U.S. courts have held that search engine results are constitutionally protected activity under the First Amendment.

Nonetheless, some U.S. laws extend protections similar to those under the E.U.’s Right to be Forgotten, at least with regard to children and minors. Federal law, such as the Children’s Online Privacy Protection Act (“COPPA”) and proposed amendments, and state law, such as the Privacy Rights for California Minors in the Digital World that went into effect this month, generally allow the removal of certain online personal information about children or minors. In addition, although the regulatory focus in the U.S. is currently on minors, there does appear to be a general interest among the U.S. public in a Right to be Forgotten law.

Is the Right to be Forgotten Enforceable in the U.S.?

Putting aside issues of international comity, ultimately, a U.S. court’s willingness to enforce the “Right to be Forgotten” directive could depend on whether there are similarities between the privacy protection sought by the E.U. court and the protections provided by analogous privacy laws in the U.S.

Given the First Amendment implications of censoring online content and the search results of an Internet search engine, a U.S. court may be hesitant to enforce the order issued by the French court requiring Google Inc. to de-link the defamatory material from the search results in its U.S. search engine. The French court’s decision is consistent with E.U. privacy principles that focus on the privacy rights of the consumer, but gives little regard to the principle of freedom of expression – a principle a U.S. court is likely to find overriding. In addition, adopting a “Right to be Forgotten” principle is inconsistent with U.S. public policy of transparency and accuracy in information about citizens. Practically, however, Google may have no choice but to comply with the “Right to be Forgotten” order in an effort to preserve its business operations in E.U. countries.

This does not mean that a U.S. court is likely to decline to enforce a “Right to be Forgotten” directive in all situations. A U.S. court might be willing to enforce a “Right to be Forgotten” directive in situations where an E.U. member country seeks to enforce the directive against a U.S. company’s U.S. operations with regard to materials concerning children or minors. The current and proposed legislation in the U.S. allowing the removal of online information relating to children and minors suggests that U.S. courts may be willing to provide such relief, especially where it is consistent with these laws.

Needless to say, the question will only be answered if an E.U. member state entity petitions a U.S. court to enforce a “Right to be Forgotten” order. Any such case should be closely followed, as it could have a significant impact on the jurisdictional reach of the E.U. over U.S. companies operating in its member countries, as well as provide some insight on how U.S. courts perceive the “Right to be Forgotten.”

This article was published in The Privacy Advisor for the International Association of Privacy Professionals on February 24, 2015.

Illinois Federal Court Leaves AMEX to Defend TCPA Claims Based on Third Party Actions

March 7th, 2015 by Paul Pittman

Recently, an Illinois federal court denied American Express’ (“AMEX”) motion for partial summary judgment, finding that AMEX can be directly liable under the Telephone Consumer Protection Act (“TCPA”) for debt collection and telemarketing calls made on its behalf. The court’s decision recounts the plaintiffs’ allegations that West Asset Management made debt collection calls on AMEX’s behalf to plaintiffs Jennifer Ossola and Scott Dolemba, and that Alorica placed telemarketing phone calls for AMEX to plaintiff Joetta Callentine.

Ossola filed suit in July 2013, claiming that AMEX used an autodialer to call her cellphone many times over a four-year period – even though she was not the debtor that AMEX was seeking to reach. Callentine alleges that AMEX violated the TCPA by having West Asset Management and Alorica make debt collection calls to her cellphone that were intended for her deceased mother. Dolemba claims that he also received a call from West Asset Management in June 2013.

The Illinois court held that it is irrelevant whether AMEX or the third-party vendors West Asset Management Inc. and Alorica Inc. made the calls: AMEX, as the primary creditor, can still be liable for debt collection calls made on its behalf. Plaintiffs are still conducting discovery over the role American Express played in making the telemarketing calls.

The plaintiffs propose a national class of non-AMEX customers who received autodialed debt collection calls or telemarketing calls from AMEX, Alorica or West Asset Management after July 2009. This decision means that AMEX may have to defend against these class claims for actions taken by a third party, which should serve as a warning to companies enlisting third parties for their debt collection and telemarketing services.

New California Privacy & Protection Act Proposes Standards for Personal Information Encryption, Bans Sales of Voice-Recording TVs, Criminalizes Vehicle Hacking, and a Slew of Other Privacy-Related Measures

February 28th, 2015 by Nora Wetzel

New legislation proposed in California includes a package of privacy-related bills referred to as the California Privacy & Protection Act.

The bills proposed include:

  • Encryption: A.B. 83 would set encryption standards for personal information stored in the cloud. The bill’s author rejected a specific standard in favor of a “reasonably prudent encryption standard” to flex with technology developments. The bill would also require entities that suffer a data breach to disclose the code vulnerability that caused the breach. The disclosure requirement’s purpose is to prevent additional breaches by allowing other entities to search for the same code vulnerability in their own systems. The current draft of the bill does not yet provide the specifics regarding encryption standards or the code disclosure.
  • Voice Collecting TV Sales: a yet-to-be-proposed bill would ban the sale of televisions that record customers’ voices when a TV’s voice recognition feature is not in use. There has been much recent publicity surrounding Samsung’s Smart TVs which feature voice recognition tools that may record and transmit consumers’ conversations, even when the tools are not in use. A consumer privacy group, the Electronic Privacy Information Center (EPIC), has urged the FTC to investigate Samsung TV’s alleged recording of consumers’ private in-home conversations despite the fact that Samsung’s privacy policy informs customers that their personal information may be captured and transmitted by the voice recognition features. The recent attention to the voice recognition component of Samsung’s TVs may have spurred California lawmakers to target this issue.
  • Collection of Vehicle Data: S.B. 206 would prohibit public agencies from collecting information from a vehicle’s diagnostic system unnecessary to the state’s emission prevention program such as data related to a vehicle’s location or driving speed.
  • Hacking Vehicles: a yet-to-be-proposed bill would criminalize hacking into a vehicle’s computer system. If the breach causes the driver to lose control of the car, the offense would be a felony while mere access without taking control or causing injury would be a misdemeanor. Since the bill has not been drafted yet, what defines losing control or mere access is unclear.
  • Drones over Schools: S.B. 271 would bar the use of drones over public schools covering grades kindergarten through high school, except that the ban would not apply to drones operated by law enforcement during a public safety emergency.
  • Retention of Blood Samples: A.B. 170 would require California’s Department of Public Health to inform parents about collection and retention of blood samples taken from newborns for a genetic screening program. The bill would also require the Department to provide information describing the program and informing parents of their right and the child’s right (upon reaching adulthood) to request that the blood sample be destroyed and/or not be used for research.
  • Police Body Cameras: a bill yet to be introduced would require law enforcement agencies to develop and make publicly available policies regarding the usage of body cameras. The proposed bill would provide that body camera footage recorded inside homes when there is no arrest does not constitute public data and cannot be subject to the California Public Records Act.

Other privacy-related measures are included in the package of legislation proposed by Assemblyman Mike Gatto and Senator Ted Gaines. The final versions of the California Privacy & Protection Act are not yet available, as several bills must be drafted or undergo further drafting while proceeding through committees. Nevertheless, it is worth paying attention to this Act, particularly with respect to the proposed encryption standards, to assess any compliance gaps once the Act is finalized and passed into law.

President Obama Issues Executive Order Urging Companies to Share Cybersecurity Threat Data

February 25th, 2015 by Jason Joyal

Speaking at the White House’s Summit on Cybersecurity and Consumer Protection at Stanford University this month, President Obama announced that an Executive Order was signed on February 13, urging private sector companies to share information about cybersecurity efforts and incidents.  Highlighting recent high-profile data breaches, President Obama stated that rapid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone.  The order encourages and promotes sharing of information on cybersecurity threats within the private sector and between  private sector companies and various government agencies.  Specifically, the Executive Order aims to accomplish four things:

  • Encourage Private-Sector Cybersecurity Collaboration

This Executive Order encourages the development of information sharing and analysis organizations (“ISAOs”) to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government.  While several industries, including banking and retail, have already set up Information Sharing and Analysis Centers in order to facilitate the exchange of threat data within their sector, the ISAOs are intended to encourage the development of broader information-sharing in response to a specific emerging cyber threat.  According to the White House, an ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners.  And each ISAO can choose to be governed by a set of voluntary standards created by non-profit organizations funded by the Department of Homeland Security.

  • Enable Better Private-Public Information Sharing

The Executive Order clarifies the Department of Homeland Security’s authority to enter into agreements with ISAOs, and increases collaboration between ISAOs and the federal government by fast-tracking the mechanism by which the National Cybersecurity and Communications Integration Center enters into information sharing agreements with ISAOs.  The Executive Order also intends to streamline private sector companies’ ability to access classified cybersecurity threat information.  To that end, it adds the Department of Homeland Security to the list of Federal agencies that approve classified information sharing arrangements and takes steps to ensure that information sharing entities can appropriately access classified cybersecurity threat information.

  • Provide Strong Privacy and Civil Liberties Protections

To ensure that information sharing enabled by this order will include strong protections for privacy and civil liberties, private sector ISAOs will agree to abide by a common set of voluntary standards for ISAO and member participation, which will include privacy protections, such as limiting the data they collect and retain, and disposing of it once they no longer need it (commonly referred to as “data minimization”).  In addition, the White House suggests that agencies collaborating with ISAOs  coordinate their activities with their senior agency officials for privacy and civil liberties and ensure that appropriate protections are in place.

  • Pave the Way for Future Legislation

The Executive Order complements the White House’s cybersecurity legislative proposals made earlier this year.  The White House views the instant order as one capable of paving the way for new legislation, by establishing the concept of ISAOs as a framework for the targeted liability protections that the current administration has long asserted are pivotal to incentivizing and expanding information sharing.

This Executive Order creates hope that by sharing data and cybersecurity knowledge, companies will be more proactive rather than reactive in dealing with data breaches.  While the Executive Order, and in particular the use of ISAOs, is intended to encourage broader information-sharing in response to a specific emerging cyber threat, several questions have already emerged.  According to some, pressing companies to disclose information when data is breached may actually further invade consumer privacy and open up additional avenues for customer concern and confusion.  Such would be the case where, for example, a company shares too much of its consumer information along with the threat data.  As a result, companies should become familiar with this Executive Order over the next few months to understand their options in the face of a cybersecurity threat.

SMS to Customers Seeking “Opt-In” for Advertisements May Violate TCPA

February 15th, 2015 by Jia-Ming Shang

Customers who walked into a Bebe clothing store, purchased clothing, provided their phone numbers during the sale, and later received a text inviting them to “opt-in” to a list for additional discounts have a claim against Bebe under the Telephone Consumer Protection Act, 47 U.S.C. § 227 ( “TCPA”).  The offending message at issue read:

From: 423-23

bebe: Get on the list! Reply YES to confirm opt-in. 10% OFF regprice

in-store/online. Restrictions apply. 2msg/mo, w/latest offers.

Msg&data rates may apply.

The TCPA prohibits the use of an “automatic telephone dialing system” to place certain calls to cellular telephones without the recipient’s “prior express consent.” 47 U.S.C. § 227(b)(1).  The Ninth Circuit has held that “a text message is a ‘call’ within the meaning of the TCPA.”  Satterfield v. Simon & Schuster, Inc., 569 F.3d 946, 952 (9th Cir. 2009).  Statutory damages of up to $1,500 per violation may be awarded in the event of knowing or willful violations. 47 U.S.C. § 227(b)(3).

According to a February 2, 2015 decision from the Northern District of California denying Bebe’s motion to dismiss and allowing a putative class action to proceed to discovery, customers who received the text message suffered an invasion of privacy sufficient for Article III standing and subject matter jurisdiction, even if the text message did not result in messaging fees or other economic injury. Melita Meyer v. Bebe Stores, Inc., No. 14-cv-00267-YGR (Doc. 57).

FCC regulations implementing the TCPA require express written consent by consumers to receive “any material advertising the commercial availability or quality of any property, goods, or services” or “the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.” 47 C.F.R. § 64.1200(a)(2), (f).

Finding that the text message constituted an advertisement and that plaintiff had not given her written permission to receive the messages, the Court denied Bebe’s motion to dismiss.  The Court hinted that Bebe may have avoided liability if the message had served only an “administrative function of facilitating plaintiff’s possible opt-in” to further communications, but that advertising elements of the message such as “10% OFF regprice,” combined with functional elements inviting recipients to opt-in, at best made the message dual purpose, and therefore subject to the TCPA limitations. Chesbro v. Best Buy Stores, L.P., 705 F.3d 913, 917 (9th Cir. 2012) (“The FCC has determined that so-called ‘dual purpose’ calls, those with both a customer service or informational component as well as a marketing component, are prohibited.”).

Retailers and consumer-facing businesses must remember that despite the convenience and ease of reaching customers through mobile devices and social media, any use by a business of any consumer information such as phone numbers, emails, social media handles, or other identifying information is fraught with regulatory limitations and traps for the unwary.  In Bebe’s case, eliminating a few words from the text message to remove the advertising related language may have avoided a world of trouble.

Anthem Data Breach Spawns Class Action Suits and “Phishing” Scams

February 11th, 2015 by Paul Pittman

Last week, Anthem Inc. – the nation’s second largest health insurer – reported a data breach involving the disclosure of the personal information of over 80 million patients and employees. Plaintiffs wasted little time seeking redress, bringing class action lawsuits a day later in Alabama, Georgia and California federal courts alleging that Anthem failed to adequately protect its customers and employees. The Anthem data breach continues a long line of corporate data breaches in the past year, including the Target data breach, that have impacted millions of customers and employees of the hacked companies. Notably, cybercriminals have revealed a new way to profit from the fallout that occurs with a data breach.

According to Anthem, hackers executed a “very sophisticated attack” to infiltrate Anthem’s information technology system, where they accessed the names, addresses, birthdays, Social Security numbers, income data and other personal details of about 80 million current and former customers and employees. The hackers, however, do not appear to have collected health information. Anthem claims it immediately instituted data breach response measures by identifying and notifying consumers about the breach, offering credit monitoring services and setting up a toll-free number for individuals impacted by the breach – although at least ten state attorneys general have accused Anthem of failing to follow through with these measures in the past week.

The general allegations in the class action complaints in California, Alabama and Georgia are similar, but the causes of action asserted in each lawsuit differ slightly. The class plaintiff for the California action, Samantha Kirby, alleges that Anthem didn’t have proper security procedures in place and waited too long to tell customers about the breach. The putative class in the California action includes all California Anthem customers affected by the breach and alleges that Anthem is liable for negligence, bailment, conversion, invasion of privacy, and violations of the California Confidentiality of Medical Information Act and Unfair Competition Law.

The class plaintiff for the Alabama action, Danny Juliano, alleges that the insurer failed to properly encrypt user data and failed to protect consumers. The Alabama putative class claims include all Anthem customers nationwide and the complaint asserts claims of invasion of privacy, unjust enrichment, negligence, wantonness and violations of the Fair Credit Reporting Act.

The class plaintiffs for the Georgia action, Joseph D’Angelo III, Shawn Haggerty, Charity Latimer, Kurt McLaughlin, Tamara Nedlouf and John Thomas II, allege that Anthem failed in its duty to protect customers’ personal information. The Georgia plaintiffs claim that Anthem has previously failed to adequately protect the personal information of its customers, citing a settlement Anthem entered into with the California state attorney general in 2012 over the disclosure of 30,000 Social Security numbers, among other examples. The Georgia complaint asserts causes of action for violation of seven state data breach laws, negligence, bailment, breach of contract and implied contract.

While plaintiffs seek redress for the data breach, cybercriminals have moved in to compound the injury by instituting a “phishing” scam against former and current Anthem customers. Anthem has confirmed that it did not distribute emails that prompted recipients to click a link to access a free credit monitoring service. Anthem indicated that it would notify affected customers and offer them credit monitoring by contacting them through U.S. mail, not email. In response to the “phishing” attack, Anthem warned customers to avoid clicking on any of the email’s links, replying to the email or opening any attachments.

The Anthem data breach provides yet another example of the varying issues that can arise when a company’s information technology system is hacked. As if identifying an intrusion, mitigating any loss of information and notifying affected consumers weren’t enough, companies now have to battle cybercriminals who prey on the very data protection mechanisms companies institute to protect consumers. Hackers’ use of “phishing” scams to target unsuspecting Anthem customers waiting for assistance following a breach further drives home the need for companies to evolve, just as the cybercriminals do, to respond to these challenges.
