Supreme Court Solidifies Data Breach and Data Privacy Plaintiffs’ Inability to Meet Article III Standing Requirement Based on Fear of Injury

March 8th, 2013 by Paul Pittman

The U.S. Supreme Court issued an important decision last week that solidified the approach federal courts have taken in denying Article III standing to plaintiffs in data breach and data privacy cases. The decision in Clapper v. Amnesty Int’l USA, No. 11-1025 (February 26, 2013), dealt a serious blow to plaintiffs’ ability to seek redress for the unauthorized collection of their personal information (“PI”) and fortified defendants’ ability to have these claims dismissed at the pleadings stage.

In Clapper, plaintiffs – attorneys and human rights, labor, and media organizations – challenged the constitutionality of a federal surveillance statute that authorizes the surveillance of non-U.S. persons located abroad. Plaintiffs alleged that they engaged in sensitive communications with foreigners who would likely be monitored under the statute. The Second Circuit initially held, in a novel ruling, that plaintiffs had standing to challenge the statute based on an objectively reasonable fear that their particular communications would be monitored. The Second Circuit found that plaintiffs’ reasonable fear of being monitored, together with the expenses they incurred to mitigate the likelihood of surveillance, was sufficient to establish an injury in fact conferring Article III standing.

In a 5-4 decision, the Supreme Court disagreed. The Court found that respondents’ fear of injury (surveillance) was too speculative and that the objectively reasonable standard applied by the Second Circuit was inconsistent with the Supreme Court’s requirement that a threatened injury be certainly impending to confer Article III standing. The Court determined that respondents’ fear relied upon a highly attenuated chain of possibilities that did not satisfy the certainly impending requirement. The Court noted that it is “reluctant to endorse standing theories that require guesswork as to how independent decisionmakers will exercise their judgment.” The Court also rejected respondents’ attempt to establish standing by pointing to ongoing costs incurred to mitigate the likelihood that their communications would be intercepted, such as flying overseas to meet with contacts in person rather than speaking over the telephone. The Court held that “respondents cannot manufacture standing by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”

What does all this have to do with data breach and data privacy? Typically, plaintiffs’ claims in data breach and data privacy cases are based on a fear of future injury or harm associated with the unauthorized collection and use of their personal information, such as the sale of PI to third-party advertisers or identity theft. Courts have routinely dismissed plaintiffs’ claims based solely on a fear of injury or harm, which underscored the significance of the Second Circuit’s finding of Article III standing based on a fear of injury. By rejecting the Second Circuit’s ruling, the Supreme Court solidified the requirement that consumer data privacy plaintiffs must establish an injury in fact that is actual or certainly impending, and beyond mere speculation (or fear), in order to obtain Article III standing. In addition, the Court’s refusal to treat expenses a plaintiff incurs to mitigate the feared injury as proof of injury removed another tool from plaintiffs’ dwindling arsenal for clearing the pleading stage in data privacy and data breach cases.

Ultimately, the Clapper decision provides a strong defense for companies that currently face, or will face, claims relating to data breach or data privacy. Given the rise in cyber attacks and claims of unauthorized collection and use of consumer data, Clapper should play an important role in shaping consumer data privacy litigation going forward. It is worth mentioning, however, that although the Supreme Court cited the certainly impending standard for determining Article III standing based on a risk or fear of injury, the Court did not provide much guidance about how to apply that standard. The Court simply noted that the fear of injury in Clapper was highly speculative and relied on a highly attenuated chain of possibilities. Consequently, we can expect the certainly impending standard to be a major point of contention going forward as courts straddle the line in determining whether a plaintiff’s fear of injury meets the standard.

In the meantime, defendants should use Clapper to eliminate plaintiffs’ consumer data privacy claims by focusing their defense on establishing how unlikely it is that a plaintiff will actually be injured by the data breach or the violation of the plaintiff’s data privacy. The Clapper decision suggests that defendants in data breach and data privacy cases who can identify and expand on the multitude of events that would have to occur for an injury to be found, while noting the various independent decisions that must be made along the way, will have a good shot at defeating Article III standing based on a risk or fear of injury.

HIPAA Privacy and Security Rule Enforcement On The Rise

January 24th, 2013 by Matthew Fischer

Through its Office for Civil Rights (OCR), the U.S. Department of Health and Human Services (HHS) has been steadily increasing its enforcement efforts over the last few years.  Its most recent settlement, with Hospice of Northern Idaho (HONI), demonstrates that there is no such thing as too small when it comes to OCR oversight.  HHS announced that HONI agreed to pay $50,000 in “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.”  Setting aside the irony of a breach involving “unprotected . . . protected” data, the settlement is notable for signaling a more aggressive posture by HHS in investigating and enforcing violations of the HIPAA Privacy and Security Rules.  The breach was caused by an unencrypted laptop stolen from a HONI employee’s car in June 2010, but it was not reported to HHS until the end of 2010 because the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule only requires covered entities to report breaches affecting fewer than 500 individuals on an annual basis.

OCR cited HONI for:

  • Failing to conduct a risk analysis to safeguard ePHI;
  • Failing to have in place policies and procedures to address mobile device security as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule; and
  • Failing to implement security measures to address the risk of losing patient health information.

In addition to the monetary penalty, a provision of the settlement required HONI to enter into a two-year corrective action plan.  The agreement does not require HONI to provide free credit monitoring services to breach victims, which is often the case in such settlements.

The HONI settlement is just the most recent in a steady uptick of HHS enforcement measures.  As of December 31, 2012, HHS/OCR has investigated and resolved more than 18,122 cases by requiring various healthcare organizations or their business associates to alter their HIPAA compliance practices.  Some of the more notable recent examples include the following:

  • HHS entered into a $1.5 million settlement and corrective action plan with Blue Cross Blue Shield of Tennessee in March of 2012 arising from the theft of 57 unencrypted computer hard drives containing the PHI of over a million individuals.
  • Shortly thereafter, in April 2012, HHS brought one of the first enforcement actions against a physician practice, Phoenix Cardiac Surgery, P.C., for posting PHI on a publicly accessible Internet-based calendar.  The physician group paid a $100,000 settlement and entered into a corrective action plan that required it to develop and maintain HIPAA-compliant written security and privacy policies, submit them to OCR for approval and obtain compliance certification from all employees who use or disclose PHI.
  • A couple months later in June 2012, HHS brought its first enforcement action against a state agency, the Alaska Department of Health and Social Services (ADHS), for a potential data breach resulting from a stolen USB drive that may have contained unencrypted ePHI.  ADHS agreed to pay a $1.7 million settlement and also entered into a corrective action plan.

In addition to enforcement actions, HHS has been aggressively pursuing HIPAA compliance audits.  OCR established a pilot program under which it audited 115 covered entities from November 2011 through December 2012, to be followed by a permanent audit program in 2013. The pilot program audited a broad array of covered entities and, upon its conclusion, OCR said the audits uncovered a number of deficiencies among healthcare organizations, including inadequate risk analysis, outmoded policies and procedures, and a lack of contingency plans.

Companies operating in the healthcare sphere can expect continued investigations, enforcement measures and audits from OCR in 2013.  This is especially true since HHS just released the HIPAA Omnibus Final Rule, which updates HIPAA Privacy and Security Rules and breach notification requirements.

California AG Sues Delta for Failure to Post a Mobile App Privacy Policy

December 12th, 2012 by Matthew Fischer

On December 6, California Attorney General Kamala Harris initiated the first enforcement action under California’s Online Privacy Protection Act (CalOPPA) in San Francisco Superior Court. The complaint filed against Delta Air Lines Inc. asserts that the airline’s operation of its mobile app called “Fly Delta” violates both CalOPPA and California’s unfair competition law (UCL).

CalOPPA requires an operator of a commercial website or online service that collects personally identifiable information (PII) through the Internet about consumers residing in California who use or visit its website to “conspicuously post” a privacy policy. The Act defines PII as: a first and last name; a home or other physical address; an email address; a telephone number; a social security number; any other identifier that permits the physical or online contacting of an individual; or information concerning a user that a website or online service collects from the user and maintains in personally identifiable form in combination with any of the aforementioned identifiers.

Under the Act, an operator that has failed to post a privacy policy must do so within 30 days after being notified of its non-compliance. However, enforcement against a company that fails to comply with a privacy policy it has already posted (either knowingly and willfully, or negligently and materially) does not require a 30-day notification. On October 26, the AG’s office issued warning letters to over 100 popular mobile app developers that did not have compliant privacy policies, giving them the statutory 30 days to comply or explain why their apps are not covered by CalOPPA. Delta acknowledged receipt of the letter on October 30 and stated that it would “provide the requested information” but, for whatever reason, did not do so within the 30-day window. Delta did publish a privacy policy for the Fly Delta app shortly after the lawsuit was filed.

The complaint alleges that, while Delta maintains a privacy policy on its website, the policy “does not mention the Fly Delta app, and is not reasonably accessible to consumers of the Fly Delta app.” The Fly Delta app collects such PII as a user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, yet, according to the complaint, a privacy policy does not exist “in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.” Consistent with this, the complaint avers that “the Delta website privacy policy does not indicate that it collects geo-location data or photographs.”

CalOPPA took effect in 2004, before the smartphone revolution, so it does not specifically target smartphones or mobile applications. While the Act does not expressly apply to mobile apps, the California AG takes the position that it does, and cites in support the fact that mobile applications are deemed “online services” under the federal Children’s Online Privacy Protection Act (COPPA).

Companies can expect more enforcement actions from California’s AG, as well as from other state AGs and federal agencies such as the Federal Trade Commission (FTC). In fact, the FTC just released a report that says a large number of mobile apps that target children collect and share PII with third parties without parental disclosure and the agency plans to launch an investigation into potential COPPA violations. California has been leading the charge with respect to privacy enforcement and Kamala Harris has clearly staked out the privacy arena as a critical part of her administration’s enforcement agenda. In February, she struck an agreement to improve privacy protections with six of the largest mobile and social app companies: Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, and Facebook joined the settlement in June. Over the summer, Harris formed a new Privacy Enforcement and Protection Unit charged with regulating privacy issues and enforcing California’s various privacy laws.

So what does this all mean for businesses? There are a number of takeaways for companies with an online and/or mobile presence:

• Do not ignore your privacy obligations, because enforcement actions will only continue to increase in the coming months. The consequences of non-compliance can be severe. The AG seeks penalties against Delta of $2,500 for each violation, and asserts that a violation occurs each time the app has been downloaded since its launch in 2010. With millions of downloads, this could easily result in a penalty demand in the billions of dollars. Delta may also find itself the target of civil class actions under California’s UCL, although class members would still have to overcome the Article III standing hurdle by showing a resulting harm.

• While the first CalOPPA enforcement action happened to be against an app developer, the statute was crafted with websites in mind and any company that maintains a website that collects PII of a California resident must have a privacy policy “conspicuously posted” on its website that complies with the Act.

• Having a CalOPPA-compliant privacy policy is only the first step, however, and a policy can actually create liability for a company if it is not followed. Under CalOPPA’s provisions, the AG’s office is not obliged to issue a 30 day warning if it determines that a company is willfully, or negligently and materially, failing to comply with its posted policy. Policies should be crafted with the involvement of technology personnel and reviewed and updated annually to ensure they mirror the company’s practices involving the collection and sharing of PII.

• If a business has a mobile app that collects PII (and most do) then, at a minimum, the privacy policy on the website should cover the mobile app. Yet, California’s AG seems to have an expectation that the privacy policy should be posted within the app itself, which raises a number of complexities. The limited space on the screen of a smartphone makes it difficult to post a policy “conspicuously,” especially when the prime screen space is understandably devoted to the main purpose of the app: to promote the service and/or product and drive sales. The policy should be written in plain (i.e., non-technical) language and should not be stuck at the end of lengthy text that takes forever to scroll through, nor should it be buried several pages into the app.

The tension between online behavioral advertising and the many user benefits generated through the personalization of an individual’s online experience versus mounting state and federal agency privacy concerns will only continue to grow. Companies doing business on the Internet and the mobile space should regularly assess and modify their privacy practices to avoid being the target of a future enforcement action.

Non-Lawyers’ Guide to TCPA Compliance

December 4th, 2012 by David Almeida

A number of lawsuits have been filed (wild understatement – truly hundreds) in recent years under the Telephone Consumer Protection Act (TCPA), a federal law that regulates certain forms of direct marketing.  While the law was originally passed in the early nineties (well before the advent of cell phones), many lawsuits have been filed in recent years asserting that companies’ mobile marketing campaigns are illegal.  For instance, by now most marketers have heard about the TCPA lawsuit pending against Papa John’s in Seattle; in that case, the judge just certified the case as a class action meaning that the plaintiff can represent a class of other persons who received similar unsolicited texts from PJ’s franchisees.  Based on the ruling, all persons in the United States of America who were sent, to their cellular telephone numbers, at least one unsolicited text message that marketed a Papa John’s branded product, good, or service through OnTime4U, a text marketing vendor, could be awarded $500 or more in damages per text, a total of up to $250 million, if the lawsuit is successful.  It is important to note that PJ’s (the franchisor) contends that it had no involvement in the mobile campaign at issue.  An individual franchisee’s decision to send unsolicited texts can subject many entities to potential liability.  It can be very difficult (and expensive) for a franchisor to prove a negative – that is, that it had no involvement in a mobile campaign that was not compliant with the TCPA.

Marketers should also keep in mind that merely because consumers provide their contact information (including mobile number) that does not mean that they have consented to receive unsolicited marketing messages on their mobile devices.  For instance, in the PJ’s case, the franchisees provided their marketing company – OnTime4U – with lists of telephone numbers of individuals who had purchased pizza from them, generated out of a proprietary Papa John’s “point of sale data entry system” that tracks customer and order information.  The marketing services provider allegedly told PJ’s franchisees that it was legal to send texts without express customer consent because there was an existing business relationship as a result of the provision of the numbers in the context of ordering pizzas for delivery. 

That is not the widely accepted view of consent under the law.  However, as we will detail in a soon-to-be-published post, at least one federal judge has recently ruled that the provision of a mobile user’s number – without more – was sufficient to evidence prior express consent to receive text messages because “distributing one’s cell number is an invitation to be called.”  That case, Pinkard v. Wal-Mart, expressly put the burden on plaintiff (the subscriber) to limit the scope of consent provided by provision of her cell number.

If the PJ’s lawsuit is successful, it would result in the largest verdict to date under the TCPA.  However, high recoveries are not uncommon.  For example, in August, Jiffy Lube’s largest U.S. franchisee agreed to pay $47 million to settle a similar text messaging class action, and the International Academy of Design and Technology settled a text messaging class action for $20 million.  Sallie Mae recently settled a case for more than $20 million as well.

Based on these lawsuits, there are a few considerations to keep in mind:

1.     Text messages are calls under the law.

2.     Unsolicited marketing text messages sent to cell phones without prior express consent ARE illegal.

3.     Express prior consent is required to send text messages – buying a pizza (or other similar business transaction) does not establish consent to receive text messages. 

4.     Express consent requires clear and conspicuous disclosure by the company, providing a short code by which a consumer can opt-in, and providing an opt-out mechanism in each and every text sent.

5.     Be cognizant of the potential application of the TCPA (as well as other privacy considerations) in every proposed mobile marketing campaign.  For example, does an invitation to forward a text to a friend implicate the TCPA?  The friend who receives the text may complain that he or she did not consent to it (even though it came from the friend and not the company) and thus sue under the TCPA.  Or, does an invitation to a customer to text a particular short code to receive an immediate coupon constitute sufficient disclosure of the terms and conditions of the mobile program such that the subscriber’s consent was sufficiently informed?

6.     Franchisors may be liable even if they had no involvement in the challenged text messaging campaigns – franchisees should be informed of the risks of text messaging campaigns.

7.     Consult with legal counsel before going live with any marketing campaign or providing consumer data to any third-party, including marketing services providers. 

8.     Maintain any and all information regarding a proposed mobile campaign.  Specifically, do NOT instruct vendors or franchisees to destroy lists previously used or to delete information; this only causes more problems if and when litigation ensues.

For additional information regarding TCPA lawsuits, please see:

http://www.sdma.com/mobile-marketing-class-actions-20-novel-tcpa-claims-08-08-2012/

Mobile Device Privacy Act Introduced

December 4th, 2012 by David Almeida

We wanted to take a minute amidst all of the recent flurry of TCPA activity (don’t worry, we will return to it in the next post) to mention yet another privacy bill introduced in Congress recently.  Below is a post from Meg Daday, an associate in our Chicago office, regarding the Mobile Device Privacy Act.

* * * * *  

Hailing a taxi, depositing a check, losing weight – you name it, there’s an app for it.  However, according to Rep. Ed Markey (D – Mass.) these apps “very commonly access our sensitive information – our location, our photos, Web browsing, history” and “do this without prior notice and even when the app isn’t currently being used.”

On September 12, 2012, Markey, the co-chair of the Bipartisan Congressional Privacy Caucus, introduced the Mobile Device Privacy Act, H.R. 6377, which would require the Federal Trade Commission, in consultation with the Federal Communications Commission, to require that mobile phone manufacturers, service providers, operating system vendors, and application developers make disclosures in a “clear and conspicuous manner” at the point of sale or download about any “monitoring software” the entity installs on a mobile device.  “Monitoring software” is defined as software that “has the capability to monitor the usage” of the mobile device or the location of its user, and to transmit that information to another device or system.  The bill requires device sellers and app developers to obtain the user’s “express consent” before monitoring or transmitting any information collected.  Consumers must be allowed to terminate the collection and transmission of data at any time.

The legislation requires first and third parties that collect personal information to have policies in place to secure the data and a process for disposing of or permanently deleting such information.  It further requires all third-party agreements for the transmission of information to be filed with the FTC and/or FCC and allows the FTC, FCC, and state attorneys general to take actions against mobile companies that violate the regulations.  Notably, it also allows consumers to file private rights of action against mobile companies to obtain injunctive relief, actual monetary loss from the violation and/or up to $1000 in damages for each violation, treble damages for “wilful and knowing” violations, costs and attorney’s fees.

 The bill is a result of controversy last year over Carrier IQ, software that wireless operators installed on smartphones in order to help track network congestion and end-user quality problems.  Although the software was intended to improve service, Android developer Trevor Eckhart posted a video showing how the software logged text messages, web searches and other activities without the user’s knowledge or permission.  Wireless carriers have stated that they have disabled Carrier IQ so that diagnostic information and data are no longer being collected.

Federal Judge Certifies Massive TCPA Unsolicited Text Class Action

November 15th, 2012 by David Almeida

There has been a tremendous amount of media attention in recent days on the class certification decision in Agne v. Papa John’s International, Inc., Case No. 2:10-cv-01139. 

The facts are relatively straightforward and sadly not uncommon.  Plaintiff Agne (two other plaintiffs were subsequently added, but the Court did not consider their claims for purposes of the motion for class certification) alleges that she received unsolicited telephone calls on her cellular telephone in April 2010.   According to the complaint, when these calls connected, plaintiffs received unsolicited visual text messages.  Plaintiffs allege the text messages were sent using a device that made automated calls.

 The complaint further alleges that, beginning in about October 2009, Papa John’s and its Washington-based franchisees engaged OnTime4U to send pre-recorded, unsolicited text messages to cellular telephones.  Specifically, it alleges that the Washington-based franchisees paid OnTime4U to send approximately 30,000 unsolicited text messages in November 2009 and at least 35,000 text messages in April 2010.  Evidence was presented that OnTime4U told Papa John’s franchisees that it was legal to send texts without express customer consent because there was an existing business relationship between the customers and the Papa John’s restaurants. 

Additionally, although Papa John’s did not contract with OnTime4U, there is significant evidence that Papa John’s Franchise Business Directors (“FBDs”) encouraged its franchisees to utilize its services.  For example, there is evidence that OnTime4U made a presentation promoting its services at the fall 2009 Papa John’s “Operator’s Summit” in Las Vegas.  Papa John’s eventually disavowed the program by sending a memorandum to its corporate stores and franchisees on April 27, 2010.  The memorandum directed that “all franchisees … who have shared customer data (particularly telephone numbers) with OnTime4U … take all necessary steps to reclaim this data and/or have the vendor permanently delete it from the vendors [sic] system as well as demand that the vendor not share the data with anyone.”  OnTime4U informed Plaintiff’s counsel that it destroyed the call lists at the behest of Papa John’s.

The court certified the following two classes:

National Class:

All persons in the United States of America who were sent, to their cellular telephone numbers, at least one unsolicited text message that marketed a Papa John’s branded product, good, or service through OnTime4U.

Washington Sub-class:

All persons in Washington State who were sent, to their cellular telephone numbers, at least one unsolicited text message that marketed a Papa John’s branded product, good, or service through OnTime4U. 

In opposing the motion for class certification, Papa John’s challenged Plaintiff’s standing in several respects.  First, Papa John’s argued that Plaintiff’s injury is not fairly traceable to any Papa John’s franchisees other than the Washington-area franchisees.  However, the court held that Plaintiff’s lack of standing to sue non-named franchisees does not defeat her standing to sue on behalf of either of her proposed classes.

Papa John’s also argued that Plaintiff lacks standing because Plaintiff’s only contacts with Defendants arose from a franchisee-level decision to engage OnTime4U.  However, the court held that whether Papa John’s had any involvement in the franchise-level decisions to contract with OnTime4U and the extent of the involvement is a central disputed issue in the case that was not ripe for resolution at the class certification stage. 

The Washington-area franchisees argued that class certification was inappropriate because the majority of the two proposed classes suffered no injury at the hands of these franchisees and therefore lack standing to be included in any class certified as to them.  According to the Court, there is conflicting case law as to whether a putative class representative is required to show only that she has standing or must also show that all members of the class have standing.  The court stated, however, that it need not reach this issue because every proposed class member has standing to sue OnTime4U, so the Article III standing requirement was satisfied.

Turning to the Rule 23(a) prerequisites, the court easily found that the requirements of (1) numerosity; (3) typicality; and (4) adequacy, and the implied prerequisite that the class be ascertainable, were met.

With respect to the commonality requirement, the court identified the following common questions of law and fact:

(1)   Whether OnTime4U’s contention that buying a pizza is sufficient to establish a business relationship is valid as a matter of law;

(2)   Whether an established business relationship is a defense to sending text messages to a cellular phone without express consent under the TCPA;

(3)   Whether OnTime4U’s system of transmission qualifies as an “automatic dialing system” under the TCPA;

(4)   Whether Papa John’s controlled, participated in, or authorized OnTime4U’s text blast campaign; and

(5)   Whether Papa John’s is vicariously liable for the acts of its franchisees.

Citing Wal-Mart Stores, Inc. v. Dukes, Papa John’s argued that determining whether it was sufficiently involved in the marketing decisions of various franchisees to establish its liability would require individual inquiries that undermine commonality.  However, the court held that, unlike in Dukes, the Papa John’s plaintiffs alleged that Papa John’s FBDs encouraged franchisees to enlist OnTime4U to send text messages to their customers.

The court similarly overruled Papa John’s arguments with respect to the Rule 23(b) requirements of predominance and superiority.  The Court rejected Papa John’s argument that individualized inquiries predominated over common issues.  It stated that Papa John’s is in the best position to present evidence of individual consent and will not be precluded from presenting admissible evidence of individual consent if and when individual class members are permitted to present claims.  With respect to superiority, the court disagreed that the $500 in statutory damages provides sufficient incentive for individuals to bring claims in small claims courts.

PCI Issues New Security Guidelines For Mobile Payments

October 26th, 2012 by Matthew Fischer

The Payment Card Industry Security Standards Council (PCI SSC) recently issued guidelines for mobile payment acceptance security.  The “PCI Mobile Payment Acceptance Security Guidelines” provide smartphone manufacturers and mobile app developers with best practices on security controls to help secure consumer mobile payment transactions.  The PCI SSC oversees the Payment Card Industry Data Security Standard (PCI DSS) as well as related standards for secure payment software and PIN-entry devices.   The Council previously published related guidance on applying those standards to mobile payment acceptance, namely the Payment Application Data Security Standard (PA-DSS) and the use of the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to secure payments on smartphones.  The latest guidelines are intended to address software security problems that have started to creep into the plethora of new programs and apps designed to process payments on smartphones.

The three main objectives delineated in the guidelines include:

  1. Protect sensitive account data from being intercepted when entered into a mobile device used for payment processing.  Viable protection options include encryption or establishing a secure path between the data entry mechanism (i.e., the keypad) and the memory of the mobile unit.

  2. Prevent sensitive account data from being compromised while stored inside the mobile device.  The guidelines recommend a strategy that allows for: secure distribution of account data; secure access to and storage of account data; controls over account data while in use; and prevention of unintentional data disclosures.  Account data should be temporarily stored in a secured environment before processing and authorization and should not be accessible to third parties.  If data is stored on the mobile device after authentication, the data should be rendered unreadable or encrypted.  Other means to prevent unauthorized access are the implementation of design features such as secure lock screens and time-sensitive sessions requiring logins.  Server-side control options include an access control list, the ability to monitor system events and distinguish normal from abnormal events, and the ability to report abnormal events that may indicate a system breach or data leak (e.g., encryption key changes, invalid login attempts and app updates).

  3. Protect sensitive account data during transmission out of the mobile device, usually through encryption.  One way to do so is to prevent unauthorized logical device access by implementing design features that prevent unauthorized access, including secure lock screens and time-sensitive sessions requiring logins.
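As an added illustration of the server-side monitoring control described in objective 2 (example code written for this post, not part of the PCI guidelines or the original article), the following script parses constructed mobile payment event log lines and reports the abnormal events the guidelines name: repeated invalid login attempts, encryption key changes and app updates.  The log format, event names and the failed-login threshold are all assumptions.

```python
# Added example: a small server-side event monitor that separates normal
# mobile payment app events from abnormal ones worth reporting, in the
# spirit of the guideline's "distinguish normal from abnormal events".
# Log format, event names and thresholds are constructed assumptions.
from collections import Counter

# Constructed sample log lines: "<timestamp> <device_id> <event> [detail]"
SAMPLE_LOG = """\
2012-10-25T09:00:01 dev-001 login_ok user=cashier1
2012-10-25T09:00:05 dev-002 login_fail user=cashier2
2012-10-25T09:00:09 dev-002 login_fail user=cashier2
2012-10-25T09:00:14 dev-002 login_fail user=cashier2
2012-10-25T09:00:19 dev-002 login_fail user=cashier2
2012-10-25T09:05:00 dev-001 txn_auth amount=12.50
2012-10-25T09:07:30 dev-003 key_change key_id=k42
2012-10-25T09:09:00 dev-001 app_update version=2.1.0
2012-10-25T09:10:00 dev-001 txn_auth amount=3.75
"""

# Events that always merit a report (the examples the guidelines name).
ALWAYS_REPORT = {"key_change", "app_update"}
# Failed logins per device at or above this count are reported once.
LOGIN_FAIL_THRESHOLD = 3

def parse_events(log_text):
    """Parse log lines into (timestamp, device, event, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the monitor
        ts, device, event = parts[:3]
        detail = parts[3] if len(parts) == 4 else ""
        events.append((ts, device, event, detail))
    return events

def find_abnormal(events):
    """Return a list of (device, reason) alerts for abnormal activity."""
    alerts = []
    fail_counts = Counter()
    for ts, device, event, detail in events:
        if event in ALWAYS_REPORT:
            alerts.append((device, f"{event} at {ts} ({detail})"))
        elif event == "login_fail":
            fail_counts[device] += 1
            if fail_counts[device] == LOGIN_FAIL_THRESHOLD:
                alerts.append((device, f"{LOGIN_FAIL_THRESHOLD}+ failed logins"))
    return alerts
```

Running `find_abnormal(parse_events(SAMPLE_LOG))` yields one alert for the repeated failed logins on dev-002, one for the key change on dev-003 and one for the app update on dev-001, while the successful login and the authorizations are treated as normal.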

Another security measure identified in the guidelines is the remote disablement of stolen or lost devices, which will become a significant feature over time as tablet computers are increasingly used by merchants in lieu of the more conventional point-of-sale (POS) terminals in retail stores and restaurants.  As merchants increase their usage of mobile devices in the POS process, the potential for those devices to go missing will correspondingly increase.  Unlike a standard POS terminal at a fixed check-out location, however, a missing mobile device may not be detected for hours, which greatly enhances the potential damage, since that mobile device can then be used as a skimmer if a thief is able to access the credit and debit card numbers entered from past sales.

Some in the industry have criticized the guidelines as being too summary in nature and thin on substance, but that is the reality when offering general guidelines.  Specific security solutions will depend upon the particular software, app and/or mobile device in use.

Even More Doing in the World of Robocalls

October 23rd, 2012 by David Almeida

I wanted to draw folks’ attention to a recent decision from a federal district court in West Virginia.  The case, Mey v. Pinnacle Security, LLC, 2012 WL 4009718, is significant because it grants summary judgment in favor of a defendant in a TCPA robocall class action.  The reasoning is very interesting; basically, the Court says that plaintiff must prove vicarious liability against the defendant because the provision plaintiff sued under — 47 U.S.C. 227(b)(1)(A)(iii) — does NOT provide for “on behalf of liability,” i.e., strict liability.  This is so important because oftentimes companies are named in TCPA class actions despite having no knowledge of or control over the campaigns at issue (not to mention the fact that available defenses under the TCPA are extremely circumscribed).

At the risk of losing readers with some legalese, 227(b)(1)(A)(iii) states that “it shall be unlawful for any person . . . to make any call . . . to any telephone number assigned to a . . . cellular telephone service . . . for which the party is charged for the call.”  227(b)(3) provides for a private right of action for violations of sub-section 227(b)(1) and recovery of actual damages or $500, whichever is greater.

Now compare that sub-section with 227(c), entitled “Protection of Subscriber Privacy Rights.”  Unlike 227(b), 227(c)(5) explicitly provides for “on behalf of liability”: “A person who has received more than one telephone call within any 12-month period by or on behalf of the same entity in violation of the regulations prescribed under this sub-section [(c) not 227(b)] may . . . bring an action to recover for actual monetary loss from such a violation or to receive up to $500 in damages for each such violation, whichever is greater.”

The Plaintiff argued that certain statements by the FCC indicated that 227(b)(3) should also provide for on behalf of liability.  The Court rejected this argument saying that only final rules and not requests for comment by the FCC are entitled to Chevron deference.  Thus, the Court concluded that in order to establish liability under 227(b)(3) a plaintiff must show that the actual caller (the marketing services provider) acted “as an agent” of the defendant, that the defendant had the right to control the caller and the manner and means of the solicitation campaign they conducted.  In the Pinnacle case, the court granted defendant’s motion for summary judgment reasoning that plaintiff had failed to establish a genuine issue of material fact with regard to defendant’s ability to control the manner and means of the calls allegedly made on its behalf.  The SJ order is available here: Mey-SJ-Order.

In unrelated news, I was quoted in a Law360 article published today regarding the FCC’s Petition for re-hearing in a 6th Circuit decision affirming the dismissal of a TCPA case brought against Clear Channel for a so-called “dual purpose call.”  The FCC contends that under the Hobbs Act district courts do not have the authority to interpret and decide upon FCC rules promulgated pursuant to its rulemaking authority.  The article is available here - FCC-Hobbs-Act, and the FCC’s Petition is available here: FCC-Petition.

Much Doing in the World of Robo-calls

October 18th, 2012 by David Almeida

The FTC is hosting its robo-call summit in DC today.  We will have a rundown of what transpired up shortly.

The Ninth Circuit just handed down a somewhat interesting decision in a TCPA robo-call class action against Best Buy.  In the case — Chesbro v. Best Buy — plaintiff received automated phone calls on his residential line from Best Buy regarding his enrollment in Best Buy’s Rewards Zone program (RZP) after he asked to be placed on the company’s DNC list.  Chesbro filed suit in Washington state court; Best Buy removed to federal court and then moved to dismiss under FRCP 12(c), arguing that the call was not a solicitation.  The trial court converted the motion into one for summary judgment and granted judgment in Best Buy’s favor.  On appeal, the Ninth Circuit focused on whether Best Buy made the calls for advertising purposes or whether the calls were purely informational.  The court held that the call was made for advertising purposes.  The salient quote that may have application for future TCPA cases is:

“We approach the problem with a measure of common sense.  The robot-calls urged the listener to “redeem” his Reward Zone points, directed him to a website where he could further engage with the RZP, and thanked him for “shopping at Best Buy.”  Redeeming Reward Zone points required going to a Best Buy store and making further purchases of Best Buy’s goods.  There was no other use for the Reward Zone points. Thus, the calls encouraged the listener to make future purchases at Best Buy.  Neither the statute nor the regulations [of the TCPA] require an explicit mention of a good, product or service where the implication is clear from the context.  Any additional information provided in the calls does not inoculate them.”

Slip op. at 12572 (emphasis added).  The Court also noted that so-called “dual purpose” calls, those with both a customer service or informational component as well as a marketing component, are prohibited.  Id. at *12570 (citing 2003 FCC Report and Order).

In summary fashion, the court also held that there was no evidence that plaintiff ever gave prior consent to receive the calls.  See id. (“Any assertion that Chesbro either consented to receiving these communications or that the communications were not unsolicited is unpersuasive on this summary judgment record.  Chesbro repeatedly and expressly asked not to be contacted.”).

The takeaway from this case is that nearly any call will be construed to be a solicitation.  The FCC regs state that a truly informational call is something akin to a call announcing a school closure.  Thus, the informational, non-solicitation defense in the TCPA robo-call context is very, very limited.

More to come …

Twitter Takes A Stand Against DMCA “Takedown Notice”

October 8th, 2012 by Paul Pittman

Recently, a copyright infringement lawsuit was filed against Twitter by Christopher Boffoli regarding Twitter’s failure to take down links to his photographic artwork that had been posted by Twitter users and hosted on Twitter’s servers. Boffoli is the creator of the “Disparity Series” of art photographs, which feature miniature figures in poses on fruit. Boffoli’s photos have been featured in magazines, newspapers and on television. Boffoli has also registered these photographs with the U.S. Copyright Office.

Boffoli claims that he sent Twitter four notices over a five-week period pursuant to the Digital Millennium Copyright Act (“DMCA”) to take down the infringing material, but that Twitter failed to remove the posted works. Boffoli seeks injunctive relief requiring Twitter to remove the posted works, and any damages stemming from Twitter’s alleged copyright infringement.

Twitter’s failure to remove the allegedly infringing postings puts it at risk of liability for copyright infringement. The DMCA provides a safe harbor against copyright infringement for service providers, such as Twitter, who provide an online service on which copyrighted materials might be posted by users. The DMCA allows a copyright holder to send the service provider (i.e., Twitter) a notice that infringing content has been posted on its site (a “takedown notice”), at which point the service provider can avoid liability for copyright infringement by removing the content from its site. If the service provider fails to comply with the takedown notice, it could be liable for copyright infringement. In addition, as articulated in Viacom Int’l Inc. v. YouTube, Inc., a service provider who has actual or “red flag” (i.e., apparent or objective) knowledge that infringing content is being posted to its site may be liable for copyright infringement if it does not remove the infringing content, regardless of whether a DMCA takedown notice has been issued.

Twitter’s decision to forgo the protections of the DMCA by declining to comply with Boffoli’s DMCA takedown notice in such a high-profile case is risky, but it is also telling. Social media service providers such as Twitter and Pinterest thrive off of their users’ ability to share information and content. However, the ability of users to post content, and the service provider’s liability associated with the posted content, are constantly and increasingly in conflict. Twitter could be positioning itself for a fight over the parameters of the “fair use” of content on its (or other) website(s), where there is no clear economic gain being derived from the content being posted by users. Twitter’s stance could signal the beginning of a shift in how social media companies will respond to allegedly infringing content posted to their sites.

Since the complaint was filed, Twitter has removed some of the images that were hosted by Twitter, but many still remain. How Twitter will respond to the complaint, and where this dispute lands, remains to be seen. Nonetheless, the potential ramifications for ordinary users and businesses that use Twitter and other social media websites could be significant, and could shape the way content is used on social media. Stay tuned.

About Us
Sedgwick provides trial, appellate, litigation management, counseling, risk management and transactional legal services to the world’s leading companies. With more than 350 attorneys in offices throughout North America and Europe, Sedgwick's collective experience spans the globe and virtually every industry.
