Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some takeaways we wanted to share from Commissioner Ohlhausen’s talk:
- Even without ISP oversight, the FTC remains actively engaged in data privacy enforcement through its consumer protection role.
Ohlhausen expressed disappointment that the FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement of ISPs). But she said that the FTC is still active by holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.” She noted that FTC enforcement actions derive not only from consumer complaints; the FTC is also getting cases from computer researchers and marketplace competitors.
- FTC to present positive findings from its enforcement actions.
Ohlhausen and her staff are considering changing up what they present publicly on their investigation findings. Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from what the FTC has found companies doing right. The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.
- How FCC and FTC oversight of ISPs differs.
Ohlhausen noted that the FCC has ended up with a different approach to data security oversight. For instance, it has taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible. She expressed concern that, with the Open Internet Order, which revoked FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: the FCC could rescind its reclassification, or Congress could rescind the FCC’s common carrier authority over broadband services.
- The Privacy Shield and the FTC’s role in working with Europe.
Ohlhausen noted that the current Administration seems committed to the Privacy Shield. She believes that the Privacy Shield meets Europe’s needs and further that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement. For instance, the FTC can provide guidance on how to inform EU consumers on the parameters of the Privacy Shield. Moreover, the FTC will enforce Privacy Shield violations—based on deception for failure to comply. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.
- Chinese forays into privacy.
Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: where a communist country’s government controls so much, there still can be a real interest in privacy for the consumer. She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.
- Privacy and overlap with other areas of law.
When asked whether privacy laws, such as anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and Civil Rights Act. She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen. But we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace, and want to encourage innovation.
A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was expressing hope that the FTC would get authority back over ISPs.
Over the past several years, the Federal Communications Commission (“FCC”) took an expansive view of its rules under the Telephone Consumer Protection Act of 1991 (“TCPA”). The TCPA bars certain calls, texts and faxes without prior express consent and requires disclosures and opt-out procedures. While the FCC and state attorneys general may enforce the TCPA, the law’s true “teeth” come in the form of private lawsuits where statutory damages allow up to $1500 per call/text/fax advertisement. Organizations in every industry, including hospitality, financial services, retail, and healthcare, have settled TCPA lawsuits for millions of dollars.
Businesses viewed recent FCC rulings for the most part as pro-plaintiff, encouraging additional class action lawsuits. In July 2015, for instance, the FCC issued an “omnibus” declaratory ruling in which it expanded certain definitions and interpreted the TCPA in ways seen as empowering the plaintiffs’ bar. However, the FCC’s TCPA rules do not go unchecked, as they are subject to challenge in the courts. The D.C. Circuit recently sent a message to the FCC, ruling in Bais Yaakov of Spring Valley v. Federal Communications Commission that the agency’s 2006 rule requiring an opt-out notice on “solicited” facsimile advertisements ignored clear statutory language. The D.C. Circuit’s ruling demonstrates that the court will invalidate FCC rules and interpretations when the agency exceeds its statutory authority, even if the FCC may think it is making good policy. It also suggests that the D.C. Circuit may be ready to give a defiant “thumbs down” to significant parts of the FCC’s July 2015 order. A decision is expected on that appeal at any time, and we anticipate that the D.C. Circuit will invalidate several aspects of that ruling. This action would have a tremendous impact on pending TCPA litigation and may curb the TCPA gravy train on which several class action firms have already ridden.
The TCPA, as amended by Congress through the Junk Fax Prevention Act, prohibits (among other things) sending an unsolicited advertisement to a fax machine. An “unsolicited advertisement,” as defined in the TCPA is “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.” Thus, the law allows fax advertisements transmitted with permission (“solicited faxes”). The law also contains another exception to the unsolicited fax advertisement ban where there is an established business relationship with the recipient (“EBR faxes”), provided the recipient voluntarily communicated the fax number or made it available, and a conspicuous opt-out notice meeting certain statutory requirements appears on the fax.
In 2006, the FCC ruled that “solicited” faxes – i.e. those fax advertisements for which the sender received prior consent – require the opt-out notice and associated opt-out procedures. The TCPA, in contrast, only mandates the opt-out notice for the EBR faxes. The 2006 ruling resulted in litigation against companies like Anda (a generic drug seller) that had permission to fax advertisements. Anda had valid permission from pharmacies to fax advertisements regarding time-sensitive topics such as pricing information and weekly specials. Plaintiffs nevertheless sued Anda in a $150 million class action lawsuit because Anda allegedly had not included the opt-out notice. Anda subsequently sought a ruling from the FCC clarifying that solicited faxes did not require the opt-out.
In the category of “sometimes when you ask, you get the answer you don’t want,” the FCC ruled that the opt-out notice applied to solicited and EBR faxes. However, the FCC stated it would waive application for faxes sent before April 30, 2015. The two Republican commissioners (including now Chairman Pai) vigorously dissented. Anda then appealed to the D.C. Circuit.
Late last month, the D.C. Circuit vacated the 2006 solicited fax rule and remanded it to the agency. The court focused on the TCPA’s statutory language, noting that the opt-out notice requirement only appears in the EBR fax provision. “Although the Act requires an opt-out notice on unsolicited fax advertisements, the Act does not require a similar opt-out notice on solicited fax advertisements…Nor does the Act grant the FCC authority to require opt-out notices on solicited fax advertisements.” The appeals court concluded that the case was quite simple – the FCC can only take action that Congress authorized, and Congress did not authorize an opt-out notice requirement for solicited fax advertisements. Under an existing rule, senders must still allow recipients to opt out if they no longer want to receive solicited faxes. But the FCC cannot require the opt-out notice on those solicited fax advertisements. Consequently, companies should not be liable under the TCPA for not including the opt-out notice on solicited fax advertisements.
While the FCC understandably wants to protect consumers and businesses from unsolicited calls, texts, and faxed advertisements – the agency must respect its authority and the limits to that authority. In other words, the FCC cannot choose how the TCPA “should” read. Congress made that choice.
With TCPA litigation continuing to explode, this ruling provides some comfort that the FCC will not go unchecked in its recent, broad TCPA interpretations. And, with the high-stakes appeal of the 2015 Omnibus Ruling pending before the same court, there are strong signs that the D.C. Circuit will push back on the FCC’s expansive interpretations of what constitutes an autodialer and of liability for calls to reassigned numbers, among other challenged rules. Companies involved in ongoing TCPA litigation involving the challenged interpretations may want to seek stays from their courts or arbitrators pending the outcome of the next appeal.
Your business booked a large charity event. However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down. She even claims she was overcharged. You reviewed the situation and, while you disagree, you offer her a credit. She declines and instead decides to post scathing reviews on Yelp, TripAdvisor, and several other review sites. She also gets her friends to post similar reviews. You remember, however, that the booking contract this irate customer signed barred her from posting negative reviews and imposes a $200 per negative review penalty. You ring up your attorney and ask her to send Ms. Nasty Customer a demand. Your lawyer tells you there may be a problem with this approach – under a new law signed by President Obama in December, the Consumer Review Fairness Act of 2016 – form contracts restricting reviews or imposing penalties are void.
Exceptions and Carve-Outs
There are several significant exceptions to the new law, offering some protections to organizations. First, individually negotiated agreements are not covered by the new legislation. Second, Congress carved out employer-employee and independent contractor agreements from the “form contract” definition. Thus, under the new Act, employment provisions barring negative online reviews of an employer are not void. However, the National Labor Relations Board strongly disfavors restrictions on employees’ rights to discuss wages and working conditions in public forums. Further, some states may also seek to bar restrictions on online reviews. California and Maryland have already enacted laws barring non-disparagement clauses in consumer contracts.
Third, the Act does not bar an organization or individual from suing for defamation, libel, or slander. Thus, companies may still file suit for reviews containing false statements (and presumably include a clause in a form agreement or terms and conditions addressing such statements). Fourth, the law preserves any confidentiality required by law – such as HIPAA. Fifth, the Act expressly allows a party to remove, or to refuse to display on a website/webpage operated by that party, the content of a “covered communication”: (1) that contains personal information or the likeness of another person; (2) that is libelous, harassing, abusive, obscene, vulgar, sexually explicit, “or is inappropriate with respect to race, gender, sexuality, ethnicity or other intrinsic characteristic”; or (3) that is false or misleading. Thus, companies that host their own webpages for customer comments and interactions may remove customer reviews meeting these standards. It would also appear lawful to advise customers in company terms and conditions or form contracts that such content may be reviewed.
Congress further created a carve-out from the Act’s consumer review protections for trade secrets or commercial or financial information considered privileged or confidential, personnel and medical files where disclosure would result in an invasion of personal privacy, records compiled for law enforcement purposes, content that is unlawful, and content containing computer viruses, worms, or other damaging code.
Federal Trade Commission Enforcement
The Federal Trade Commission (“FTC”) will enforce the Consumer Review Fairness Act of 2016. State Attorneys General may also bring a civil action in federal court to obtain relief for their residents. The new law requires the FTC (within 60 days) to conduct education and outreach to businesses, including non-binding “best practices” for complying with the Act. Companies get 90 days (until March 14, 2017) before their contracts containing the now-proscribed practices are considered void.
The FTC may target a few “brand name” organizations in early enforcement actions to garner industry attention. Companies should be aware, however, that they retain the right to object to assessments that are exempted, including those that disclose confidential or personal information, or that are defamatory, misleading, obscene, vulgar, or unrelated to the products and services offered on the company’s webpage. So, while consumers cannot be penalized through a form contract by posting reviews, their rights to post are not unfettered. Contrary to the popular adage, as the Union Street Guest House learned, not all press is good press – and companies may still address false or defamatory reviews and those reviews containing other exempted content.
A famous Homeland episode involved a terrorist gaining access to the Vice-President’s pacemaker. Accessing medical devices to wreak havoc was one of the motivations behind certain provisions of the Digital Millennium Copyright Act (aka the DMCA). The DMCA makes it “illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works.” Section 1201 of the DMCA allows for exemptions to be made every three years. Recently, a number of exemptions were adopted to the DMCA’s anti-circumvention statute for numerous technologies, including personal medical devices. Although the exemptions went into effect on October 28, 2015, there were stipulations that delayed implementation until very recently. A number of safeguards remain in place, and the case for safeguards against cybercrime in the healthcare context remains compelling.
What does this mean for patients who are using portable medical devices?
The exemption removes the barrier for researchers to set up controlled experiments aimed at addressing potential vulnerabilities in the security of these devices. The exemption relates to researching medical devices and reads as follows: “Literary works consisting of compilations of data generated by medical devices that are wholly or partially implanted in the body or by their corresponding personal monitoring systems, where such circumvention is undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system.” In order to conduct research using this type of data, the research environment must meet certain criteria. Those criteria include the following: (1) the computer program, or any devices on which the programs run, must be “lawfully acquired,” (2) during the research, the device or computer program should operate “solely for the purpose of good-faith security research,” and (3) the research must not have begun before October 28, 2016.
How does this open up the field for more research opportunities?
The exemption rule allows for “good-faith research” which is defined as “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.” What this means in the real world is that security researchers can, in a controlled manner and environment, access medical devices to search for vulnerabilities so that vulnerable software can be quickly patched. The exemption allows for researchers to publicly talk about and share details of their vulnerability research without facing legal repercussions.
Why do we need this type of research?
A cybercrime wave impacted the healthcare sector in 2016. According to TrapX there was 63% year over year growth in attacks against the healthcare sector. Many of these cyber intrusions leveraged back-doors into medical devices like X-ray machines and blood gas analyzers. These devices are vulnerable to compromise as they lack the memory space necessary for cybersecurity software and are rarely updated. The dramatic ransomware attack against Medstar, which crippled its hospitals’ networks, underscored the defenselessness of the sector. The culture of the healthcare sector has been to adopt technology with minimal regard to the cybersecurity of those networks. The cybercrime community took note in 2016, and the ransomware attacks against the healthcare sector served as a canary in the coal mine. The vulnerability of medical devices poses a systemic risk to the sector’s digital health.
Historically, medical device manufacturers have been resistant to allowing outside security experts to look at their code for fear that flaws in their software will be revealed and expose them to regulatory scrutiny or lawsuits. More recently, some of the larger medical device manufacturers (e.g. Philips and Dräger) have published a coordinated vulnerability disclosure policy, which essentially invites researchers to look for software flaws in their devices, along with a public statement about how the companies will handle reported vulnerabilities. For device manufacturers it is important to note that the FDA is encouraging this type of research to increase patient safety and reduce cybersecurity threats.
Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures for the Center for Devices and Radiological Health, a division of the FDA, stated that “The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices.” On December 29, 2016 the FDA issued the final guidance “Postmarket Management of Cybersecurity in Medical Devices”. What this means is that device manufacturers may need to report to the FDA post-market, cybersecurity-related modifications to devices already in the field (pursuant to Part 806 of the Food, Drug & Cosmetic Act; for device manufacturers this reporting relates to compliance with the quality system regulations). Device manufacturers need to take security considerations into account through a product’s entire lifecycle, starting with its development, to ensure proper performance and functionality if a hospital’s network is hacked. The FDA indicated that most routine updates or patches will not trigger a reporting responsibility, but the guidance leaves open the possibility that changes made to prevent or fix cybersecurity vulnerabilities will trigger reporting. As a result of this guidance, it is important for manufacturers to coordinate their cybersecurity efforts. This relatively new exemption can help foster that dialogue and introduce research into vulnerabilities to reduce the threat of future cyber-attacks on critical medical devices used by patients. In 2017, an individual’s physical well-being is going to depend on the digital health of medical devices.
What Proactive Risk Management Steps Can Be Taken in 2017 to Increase Security?
Listed below are some proactive steps that medical device manufacturers can take to decrease the risk of cybersecurity vulnerabilities and attacks. With the advent of new research into cybersecurity, the hope is that additional technology improvements will take place to allow for even further safety and evolution of security for medical devices.
Proactive Risk Management for 2017
- Require regular penetration tests of medical devices and of the networks that develop and utilize them.
- Deploy a DeceptionGrid.
- Deploy User Entity Behavior Analytics.
- Deploy two-factor authentication (e.g. biometrics) with contextual verification.
- Integrate intrusion protection systems with breach detection systems.
Source: Strategic Cyber Ventures 2017
In January 2017, the Obama Administration will transfer power to the incoming Trump Administration, and Congress will convene with a Republican majority in both houses. Predictions abound as to what legislative and regulatory changes will transpire under the new administration. Earlier this month, WSJ Pro hosted a live video event to discuss how the election will impact financial regulation. Financial Regulation Editor Jacob Schlesinger moderated the discussion with two Washington financial-policy analysts: Brian Gardner of Keefe, Bruyette & Woods, and Ian Katz of Capital Alpha Partners. Both analysts expect aggressive deregulation of the financial sector according to the President-Elect’s promises during the campaign. Among the many topics covered, Gardner and Katz emphasized (i) potential changes to the Dodd-Frank Act, (ii) personnel changes at various agencies, including the Securities and Exchange Commission (SEC), and (iii) a more lenient approach to enforcement.
President-Elect Trump campaigned on a promise to get rid of the Dodd-Frank Act. Enacted in the wake of the 2008 recession, Dodd-Frank sought to limit the risks that banks can take and provided for consumer protection through the creation of the Consumer Financial Protection Bureau (CFPB). However, Gardner and Katz agree that wholesale repeal of Dodd-Frank is unlikely, partly because Republicans will have a slim majority in the Senate and, thus, may lack the sixty votes needed to end a filibuster. If Senate Democrats unite in their opposition to repeal, they can prevent a vote altogether. Gardner and Katz think it more likely that the administration will modify Dodd-Frank at the margins.
Katz expects targeted efforts in that regard. For example, he predicts that the CFPB will be weakened, but not abolished. The new administration can weaken the Bureau by replacing its current single director with a Republican appointee, or by changing its structure to that of a commission with no more than three of five commissioners from either party. Given the President-Elect’s populist message, efforts to abolish the CFPB would be politically risky: the Bureau was established to protect consumers.
The administration could also target CFPB regulations. Gardner notes that promulgated rules will likely survive, but non-final rules may be withdrawn and rewritten. For example, in June 2016, CFPB proposed new restrictions on payday lending, but they have not yet been finalized. If the proposed rules are still pending in January 2017, the new administration may scrap them in favor of less onerous restrictions.
In addition to these modifications related to Dodd-Frank, Gardner and Katz discussed personnel changes at various agencies, including the Securities and Exchange Commission (SEC). Although President-Elect Trump campaigned on a promise to “drain the swamp,” leaks from his transition team suggest he will rely to a great extent on veterans of past Republican administrations. Heading the efforts for independent regulators like the SEC, the Commodity Futures Trading Commission (CFTC), and the Federal Reserve is Paul Atkins, an ex-SEC Commissioner who disfavors regulation. Atkins almost certainly is looking for potential appointees who share his view. Gardner does not anticipate major shifts in the regulatory environment but, as Katz notes, individuals appointed to lead these agencies will set the tone and influence each agency’s enforcement priorities. Codified rules likely will remain, but agencies faced with close questions or grey areas of the law will probably resolve them in favor of industry.
All that said, President-Elect Trump’s candidacy did not unfold as many predicted. It will be interesting to see whether and how these expected changes to financial regulation materialize under the new administration.
The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog post to help companies in the immediate aftermath of a data breach. The FTC also provides a model data breach letter to notify individuals of a breach. The agency – which views itself as the nation’s primary “privacy police” – has faced scrutiny from private parties and courts for allegedly enforcing privacy and data security standards without promulgating specific rules. The agency instead favors outreach efforts, such as its blogs, guides and roundtables, to educate industry and the public regarding what it views as best practices.
In this vein, the Guide and the model letter are not a “safe harbor” but offer suggestions on important steps that organizations can follow once they discover data breaches. The FTC emphasizes that the Guide does not pertain to the actual protection of personal information or prevention of breaches, because the agency has already issued separate guidance documents on those subjects. In fact, the FTC also recently updated its guide on protecting personal information.
Following a data breach, the Guide suggests key steps organizations can take, which include:
- Mobilizing the company’s breach response team to prevent further data loss – the team may include legal, information security, IT, human resources, communications, investor relations, and management; companies may consider hiring an independent forensics team;
- Securing physical areas – lock any physical areas affected by a breach; consider changing access codes;
- Taking affected equipment offline immediately – monitor all entry and exit points, and update authorized users’ credentials and passwords;
- Removing improperly posted information from the company’s website, for instance in a situation where personal information affected by the breach is posted on the company’s website. The FTC also advises companies to search the Internet to see if breached information has been posted on other websites and to contact the owners of those websites;
- Protecting evidence – the FTC reminds companies to retain forensic evidence (i.e., do not destroy it);
- Documenting the investigation, including interviewing people who discovered the breach and making sure employees (such as customer service representatives) know where to forward information that might assist the company in its investigation;
- Examining service provider relationships, to determine if providers have access to personal information and whether provider access privileges should be changed;
- Determining whether data was encrypted at the time of the breach (note: encryption may obviate the need for data breach reporting in many states);
- Implementing a communications plan that explains the data breach to employees, customers, investors, partners, and others such as the press. The FTC recommends “plain English” answers on a company’s website;
- Following legal requirements – such as state data breach notifications and notifying law enforcement;
- Offering at least a year of free credit monitoring – while not required, free monitoring has become standard and most regulators and consumers expect to see the offer in data breach notifications.
As to data breach notification letters, in addition to following the requirements of state laws, the FTC urges companies to advise people what steps they can take, based on the information exposed. When a breach compromises Social Security numbers, individuals should be directed to contact the credit bureaus to request fraud alerts or credit freezes. Since some scammers pounce on data breach victims, the FTC counsels organizations to tell consumers how they will be contacted going forward. For instance, if the company will never contact individuals by phone, the company should tell consumers that – so individuals can detect telephone phishing schemes.
The FTC encourages businesses to use the Guide and its accompanying materials to educate employees and customers, such as through newsletters and websites. However, when facing an enforcement action or a lawsuit, will a company’s compliance with the Guide offer any relief from FTC or state Attorney General penalties or assist organizations in their defense in private data breach lawsuits? Ultimately, the crux of breach liability usually relates to how it occurred, but taking swift, corrective actions following a breach should aid an organization when dealing with regulators and third parties by showing good faith actions to prevent further damages. Conversely, a company that fails to take corrective actions can exacerbate a breach and further negatively impact affected individuals and the organization.
The FTC’s Guide and accompanying materials are helpful references, particularly for smaller businesses. As a practical matter, the advice I give companies facing a possible data breach is, first, to take the time to determine what happened, how it happened, whether the breach is continuing, and what you can do to prevent it in the future. While several states require reporting within a set number of days (e.g., 45), the laws allow organizations time to conduct factual inquiries, take corrective measures, and prepare to notify affected individuals. Organizations should not rush through these key steps. Second, communication is key. A company facing a breach should develop a clear, consistent statement regarding the breach, the steps being taken, and a single point of contact. The lack of a communication plan or a consistent message can cause a huge loss of customer and employee confidence and raise regulators’ interest. Third, when preparing data breach notifications, organizations should note that the letter will likely become public due to some states’ open records laws. Numerous websites track and publicize data breaches based upon information in the notifications – often including copies of the actual letters. Companies should not assume that regulators and consumers simply file the letters away. While your organization cannot prevent the publicity, having a clear, concise data breach notification that meets each state’s requirements without providing excess data will help the company through the process and the associated publicity.
As Halloween has people thinking of ghosts and ghouls, creative plaintiffs’ attorneys have turned an arcane New Jersey law into a true source of fright for virtually anybody who offers services that are even potentially available within the Garden State.
The law at issue is the New Jersey Truth in Consumer Contract, Warranty, and Notice Act (“TCCWNA”), which was enacted in 1981 with good intentions: to prevent businesses from advertising terms that violate state law in order to cow consumers into doing business under those terms even though they were unenforceable. For example, a storage space rental company might violate the law by requiring a consumer to release it from liability for personal injuries on company property, even though such a waiver is unenforceable under New Jersey Law. The statute provides seemingly modest damages of $100 per violation.
But the TCCWNA does not require a consumer to actually have been hurt by any illegal term or provision and, in fact, it allows for a cause of action to be brought even by a mere “prospective consumer.” In 1981, this likely made little difference to brick-and-mortar businesses, for whom the only individuals who may have seen a violative contract or term would be those who sought it out. But in the age of the Internet, everybody is a potential consumer, and one may shop for dozens of products from the comfort of one’s own desk in a single afternoon. Each time that one of these individuals views the website and, even theoretically, considers purchasing a product or service, that individual becomes a potential plaintiff under the TCCWNA.
This has opened the door to suits against virtually any retailer that has a website that can be accessed in New Jersey—unless the terms offered by such retailers are fully compliant with New Jersey law or clearly indicate what provisions would be invalid in New Jersey, there is a chance that those retailers could be found to violate the TCCWNA. And although statutory damages of $100 may not seem scary, those damages are awarded on a per-violation—that is, per-consumer—basis. And plaintiffs’ attorneys have begun to bring class actions alleging that every single New Jerseyan who has accessed a given website is a “potential consumer” under the statute, opening the door to potentially massive liability.
The news is not all bleak: a federal judge in New Jersey recently dismissed a TCCWNA case against the car rental company Hertz relying on a recent Supreme Court case that bars lawsuits by plaintiffs who have suffered no more than a “bare procedural harm” without any real injury. But it is not yet clear if other judges will follow suit, and even if they do, that ruling will not help defendants who may find themselves stuck in state court. Until the courts or the New Jersey legislature provide clearer and more meaningful protection, businesses may find themselves being forced to comply with New Jersey law no matter where they may be located.
The Federal Acquisition Regulation final rule implementing the “Fair Play and Safe Workplaces” Executive Order 13673 was issued on August 25, 2016, and the rule goes into effect on October 25, 2016. This new regulation presents a significant change – and potential challenge – for major government contractors.
President Obama signed Executive Order 13673, often referred to as the “Blacklisting” order, on July 31, 2014. The stated goal of the order is to “increase efficiency and cost savings in the work performed by parties who contract with the Federal Government by ensuring that they understand and comply with labor laws.” On their face, the Order and regulations provide new instructions for Federal contracting officers to consider a contractor’s compliance with certain Federal and State labor laws as a part of the determination of contractor “responsibility” that contracting officers must undertake before awarding a Federal contract. But what do the Blacklisting Order and the final rule really do?
Mandatory Reporting of Labor Law Violations
The new rule imposes significant reporting obligations on federal contractors during the procurement process. Ultimately, contractors and subcontractors will need to report three years of labor law violations once the rule is fully in effect. Labor law violations encompass violations of the Fair Labor Standards Act, the Occupational Safety and Health Act, Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, and ten other federal laws and orders. According to the final rule, there are three types of actions that constitute reportable violations: “administrative merits determinations,” arbitral awards or decisions, and civil judgments. Contractors must supply basic information about the violation, including the nature of the violation and identifying information, and also have the option of submitting evidence of mitigating factors and remedial measures. This information will be stored on a publicly available, searchable website.
Acknowledging that this reporting is a significant burden, the rule provides a phase-in period to allow companies to get up to speed. When the rule becomes effective on October 25, 2016, the reporting requirements will apply only to procurements of $50 million or more and only to prime contractors. But after six months, on April 25, 2017, contractors bidding on prime contracts of $500,000 or more will need to make the relevant disclosures. On October 25, 2017, subcontractors become subject to the rule as well. Additionally, while the reporting time frame is ultimately the three preceding years, for the first year the rule is in effect, reporting will only reach back one year. The reporting window will be expanded by a year each year thereafter, until the three-year reporting period is completely phased in on October 25, 2018.
New Paycheck Transparency Requirements
The Blacklisting Order and final rule also institute requirements for contractors governing how they communicate wage information to workers. As of January 1, 2017, contractors and subcontractors must provide a detailed wage statement, including hours worked, overtime hours, rate of pay, and any additions made or deductions taken, to every worker performing under a federal contract. Additionally, prior to beginning work, the contractor must indicate to the worker whether they will be considered an employee or an independent contractor, and if an employee, whether they are exempt or non-exempt. These notifications must be provided to workers in English and in any other language used by a “significant portion” of the workforce.
Restrictions on Pre-dispute Arbitration
On the same date the reporting requirements begin the phase-in process – October 25, 2016 – the requirements surrounding arbitration agreements will go into full effect. Companies with federal contracts or subcontracts of $1 million or more may not require workers to enter into pre-dispute arbitration agreements for disputes based on Title VII claims or torts related to sexual assault or harassment. The only exception will be for employees covered by a collective bargaining agreement that was negotiated with an agreement to arbitrate prior to the contractor bidding on the covered contract.
The Government’s Obligations Under the New Rule
Under the new rules, the Government has obligations as well. Each agency must designate an Agency Labor Compliance Advisor (“ALCA”) to implement the reporting program. The ALCA will be the agency’s central point of contact for all matters related to Blacklisting reporting. This includes helping contractors achieve compliance with the rules and recommending labor compliance agreements. On the date the rule goes into effect, the Department of Labor will release a list of the ALCAs and their contact information.
Not the First Attempt at Blacklisting
President Bill Clinton tried this once before. On December 20, 2000, just weeks before the end of his final term, he issued similar blacklisting rules. These rules would have required federal contractors to certify whether they had violated any federal, state, or foreign labor, employment, tax, environmental, antitrust, or consumer protection law in the prior three years. A violation was defined as any incident running afoul of the various laws supported by “pervasive evidence.” That is, no formal ruling or determination of liability had to have been made to create a reportable violation. Further, contracting officers would have had complete authority to determine if the violations disqualified the contractor from reporting and were not obligated to allow bidding contractors an opportunity to respond to potentially disqualifying violations.
While the temporal element is the same as the current rule, the list of reportable violations far exceeded the list of labor law violations as contemplated now. Contractors and various industry groups aggressively opposed the 2000 proposed rule, and several lawsuits were filed in an attempt to block implementation. Nonetheless, the rule went into effect on January 19, 2001 – the day before President Clinton left office. However, in March 2001, President George W. Bush ordered suspension of the rule and began the process for overturning it. By the end of 2001, the Bush Administration had successfully revoked this rule.
Next Steps for Contractors
Contractors shouldn’t expect the 2016 rule to meet the same fate as the 2000 version. While both rules bear some similarities, the current rule is much narrower and better defines what constitutes a reportable violation. Some industry groups have publicly contemplated lawsuits against the 2016 rule, but none have been filed yet. With the looming deadline, contractors should start making plans to establish a compliance regime.
While compliance with labor laws is a worthy goal, the new regulation also will have significant costs. It reduces employers’ ability to require arbitration, which likely will result in increased, costly litigation and possibly class action litigation if future labor disputes arise. Similarly, for existing disputes decided in arbitration, it eliminates the benefit of confidentiality by requiring public disclosure of any adverse award.
The new regulation does provide some additional compliance options for contractors in advance of official implementation. Companies may undergo a voluntary preassessment by the Department of Labor. Beyond helping companies become acquainted with the rules, participation in this program will be considered a mitigating factor in future acquisitions. As part of the preassessment, however, the DOL may require companies to enter into labor compliance agreements.
Federal contractors should start taking internal steps to ensure compliance in advance of the effective dates. Companies should work with their internal teams, including legal, human resources, and IT support, to ensure that the necessary records are being kept and to design a reporting and monitoring program for the future. Companies should also review their new hire policies, to ensure that proper notifications are made to all workers in the required languages.
While this is a final rule and set to go into effect in the coming weeks, the matter is far from settled. Legal challenges to the rule once implemented may arise in the courts. And, as with any new rule, the devil is always in the details, so companies will likely not know the full impact of the rule until attempting compliance during the procurement process.
The Consumer Financial Protection Bureau (CFPB) has proposed a new rule to regulate payday lending and auto-title loan companies. Right now, it is merely a proposal, meant to undergo the notice and comment period until September 14, 2016. But if the rule goes into effect, it would be a significant imposition on the lending business.
The CFPB has been studying the effects of payday lending on consumers for years and found that many consumers struggle. They cannot repay their loans, so they take out new ones and incur significant penalties and fees. Or, they default on repayment altogether. The new rule tries to reduce this by regulating the people who issue those loans.
In theory, the rule would affect two types of loans: those with a term of 45 days or less, and those with a term of more than 45 days but with certain specifications, like an all-in annual percentage rate above 36% and a consumer’s bank account or vehicle for collateral. Before issuing either loan, a lender would have to determine if the borrower can repay it without re-borrowing in the following 30 days. To determine this, a lender would assess the borrower’s income, debt obligations, and housing costs; project them over the life of the loan; and forecast non-housing living costs.
The rule would also restrict how lenders can collect repayment. Today, lenders are allowed unlimited tries to withdraw from an indebted borrower’s bank account, but the new rule would stop them after the second attempt that fails due to insufficient funds.
Because the rule has not been approved yet, affected borrowers and lenders can speak out against or in favor of it. Richard Cordray, the director of the CFPB, has promised that the Bureau “will continue to listen and learn” as comments come in. Sourcing from the industry is the best way to create a rule that protects consumers and helps lenders continue to provide so vital a lifeline.
Recently, I wrote about the CFPB’s plans to issue new regulations restricting arbitration clauses in certain consumer contracts. Today, the agency announced those new rules and CFPB Director Richard Cordray is expected to discuss them at the agency’s field hearing in Albuquerque, New Mexico. As expected, the new rules eliminate the use of class action waivers and otherwise restrict the availability of arbitration in consumer contracts, including those involving credit transactions, automobile leases, debt relief services, consumer depository accounts, check cashing, credit monitoring/reporting, and debt collection. The CFPB admits that it intends to “incentivize” greater legal compliance through the “in terrorem” deterrent impact of the new rules. In other words, the CFPB wants the prospect of increased class action litigation to scare companies into treating consumers better.
The new proposed rules are available at the CFPB’s website along with over 350 pages of supplementary information explaining the proposed rulemaking. The CFPB proposal prohibits “companies from putting mandatory arbitration clauses in new contracts that prevent class action lawsuits.” See Proposed § 1040.4(a). Companies would still be able to include arbitration clauses in their contracts, but could not restrict access to class litigation and the arbitration provisions must include specific language provided by the CFPB.
In addition, in practical terms, the CFPB has just designated itself as the overseer of U.S. arbitral bodies, in direct contrast to existing laws and rules that provide very limited court oversight and review of arbitration decisions. The proposed rules would require covered companies to submit detailed information about any of their consumer arbitrations to the CFPB. See Proposed § 1040.4(b). The CFPB states that it will gather, and may publish, this data so that it may gain “insight into whether companies are abusing arbitration or whether the process itself is fair.” Although the rule provides for redaction of personal information, this new practice threatens to undermine the confidential nature of arbitrations and thereby limit one of arbitration’s principal benefits. It is not yet clear how the CFPB might conclude that consumer arbitrations are “unfair” or what it might do in response to such a determination.
Regardless of whether the proposed regulations will succeed in scaring companies into greater legal compliance, if the rules become effective, companies should expect a marked increase in consumer class action litigation. The newly announced regulations are not final, however, and interested parties will have an opportunity to comment before the rules become effective. Interested parties have 90 days from the publication of the proposed rule in the Federal Register to comment and we expect multiple objections from the financial industry this summer. The comments likely will include practical examples of the benefits of consumer arbitration provisions, critiques of the agency’s study of consumer arbitration that formed the basis of the proposed regulations, and proof of the detrimental impact that an increase in class actions will have on the business community, especially on smaller businesses. Any potentially covered company should consider commenting on the CFPB proposed regulations, either directly or through trade associations.
Once the rules are final, companies will only need to comply with the new regulations prospectively; the provisions of the Dodd-Frank Act authorizing the CFPB to regulate arbitration provide that any new rules will be binding 180 days after their effective date. So any arbitration agreement entered into prior to, or within six months of, the new rule’s effective date is not subject to the new restrictions. This gives potentially covered companies some breathing space to review and, if necessary, modify their existing contracts.
Although many in Congress do not support the newly proposed rules, given current political realities, there are unlikely to be any legislative changes to the proposed rules or the CFPB’s authority. As a result, we expect that something close to the proposed rule will become effective later this year. Following that, there likely will be multiple court challenges to the new rules and the CFPB’s authority to issue them. In the meantime, all potentially affected companies should:
- Review their existing contracts and arbitration programs to determine whether their existing contract forms would violate the proposed regulations;
- Prepare alternative contract language if existing forms will no longer be permitted; and
- Consider whether their existing pricing structure and litigation positions make sense in the coming world.
Whatever the goal, companies are unlikely to be scared into greater legal compliance; most companies already strive to comply with the law. We anticipate that the CFPB’s proposed rules will have many unintended consequences. In the short term, the increase in class action litigation will be a boon for many lawyers. Consumers with legitimate claims, however, may find that the class action process results in smaller payouts over which they have less control. And as companies adjust to this new environment, they will pass on the increased costs of increased class litigation to customers and likely will further tighten credit standards and product availability to reduce potential claims.
* * *
Under Section 9 of the Federal Arbitration Act, a court must confirm an arbitration award unless it is vacated, modified, or corrected in accordance with Sections 10 and 11.5 of the FAA, i.e., where the award was procured by corruption, fraud, or undue means, or there was an evident material miscalculation or mistake in the award.
For example, companies may wish to withdraw from the American Arbitration Association’s Consumer Clause Registry. For that matter, the AAA and similar arbitral organizations are sure to lose significant business, as the consumer arbitration market is sure to shrink significantly if the new rules become effective.