In January 2017, the Obama Administration will transfer power to the incoming Trump Administration, and Congress will convene with a Republican majority in both houses. Predictions abound as to what legislative and regulatory changes will transpire under the new administration. Earlier this month, WSJ Pro hosted a live video event to discuss how the election will impact financial regulation. Financial Regulation Editor Jacob Schlesinger moderated the discussion with two Washington financial-policy analysts: Brian Gardner of Keefe, Bruyette & Woods, and Ian Katz of Capital Alpha Partners. Both analysts expect aggressive deregulation of the financial sector according to the President-Elect’s promises during the campaign. Among the many topics covered, Gardner and Katz emphasized (i) potential changes to the Dodd-Frank Act, (ii) personnel changes at various agencies, including the Securities and Exchange Commission (SEC), and (iii) a more lenient approach to enforcement.
President-Elect Trump campaigned on a promise to get rid of the Dodd-Frank Act. Enacted in the wake of the 2008 recession, Dodd-Frank sought to limit the risks that banks can take and provided for consumer protection through the creation of the Consumer Financial Protection Bureau (CFPB). However Gardner and Katz agree that wholesale repeal of Dodd-Frank is unlikely, partly because Republicans will have a slim majority in the Senate and, thus, may lack the sixty votes needed to end a filibuster. If Senate Democrats unite in their opposition to repeal, they can prevent a vote altogether. Gardner and Katz think it more likely that the administration will modify Dodd-Frank at the margins.
Katz expects targeted efforts in that regard. For example, he predicts that the CFPB will be weakened, but not abolished. The new administration can weaken the Bureau by replacing its current single director with a Republican appointee, or by changing its structure to that of a commission with no more than three of five commissioners from either party. Given the President-Elect’s populist message, efforts to abolish the CFPB would be politically risky: the Bureau was established to protect consumers.
The administration could also target CFPB regulations. Gardner notes that promulgated rules will likely survive, but non-final rules may be withdrawn and rewritten. For example, in June 2016, CFPB proposed new restrictions on payday lending, but they have not yet been finalized. If the proposed rules are still pending in January 2017, the new administration may scrap them in favor of less onerous restrictions.
In addition to these modifications related to Dodd-Frank, Gardner and Katz discussed personnel changes at various agencies, including the Securities Exchange Commission (SEC). Although President-Elect Trump campaigned on a promise to “drain the swamp,” leaks from his transition team suggest he will rely to a great extent on veterans of past Republican administrations. Heading the efforts for independent regulators like the SEC, the Commodity Futures Trading Commission (CFTC), and the Federal Reserve is Paul Atkins, an ex-SEC Commissioner who disfavors regulation. Atkins almost certainly is looking for potential appointees who share his view. Gardner does not anticipate major shifts in the regulatory environment but, as Katz notes, individuals appointed to lead these agencies will set the tone and influence each agency’s enforcement priorities. Codified rules likely will remain, but agencies faced with close questions or grey areas of the law will probably resolve them in favor of industry.
All that said, President-Elect Trump’s candidacy did not unfold as many predicted. It will be interesting to see whether and how these expected changes to financial regulation materialize under the new administration.
The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog to help companies following the immediate aftermath of a data breach. The FTC also provides a model data breach letter to notify individuals of a breach. The agency – which views itself as the nation’s primary “privacy police” has faced scrutiny from private parties and courts for allegedly enforcing privacy and data security standards without promulgating specific rules. The agency instead favors outreach efforts, such its blogs, guides and roundtables to educate industry and the public regarding what it views as best practices.
In this vein, the Guide and the model letter are not a “safe harbor” but offer suggestions on important steps that organizations can follow once they discover data breaches. The FTC emphasizes that the Guide does not pertain to the actual protection of personal information or prevention of breaches, because the agency has already issued separate guidance documents on those subjects. In fact, the FTC also recently updated its guide on protecting personal information.
Following a data breach, the Guide suggests key steps organizations can take, which include:
- Mobilizing the company’s breach response team to prevent further data loss – the team may include legal, information security, IT, human resources, communications, investor relations, and management; companies may consider hiring an independent forensics team;
- Securing physical areas – lock any physical areas affected by a breach; consider changing access codes;
- Taking affected equipment offline immediately – monitor all entry and exit points, and update authorized users’ credentials and passwords;
- Removing improperly posted information from the company’s website, for instance in a situation where personal information affected by the breach is posted on the company’s website. The FTC also advises companies to search the Internet to see if breached information has been posted on other websites and to contact the owners of those websites;
- Protecting evidence – the FTC reminds companies to retain forensic evidence (e. do not destroy it);
- Documenting the investigation, including interviewing people who discovered the breach and making sure employees (such as customer service representatives) know where to forward information that might assist the company in its investigation;
- Examining service provider relationships, to determine if providers have access to personal information and whether provider access privileges should be changed;
- Determining whether data was encrypted at the time of the breach (note: encryption may obviate the need for data breach reporting in many states);
- Implementing a communications plan that explains the data breach to employees, customers, investors, partners, and others such as the press. The FTC recommends “plain English” answers on a company’s website;
- Following legal requirements – such as state data breach notifications and notifying law enforcement;
- Offering at least a year of free credit monitoring – while not required, free monitoring has become standard and most regulators and consumers expect to see the offer in data breach notifications.
As to data breach notification letters, in addition to following the requirements of state laws, the FTC urges companies to advise people what steps they can take, based on the information exposed. When a breach compromises social security numbers, individuals should be directed to contact the credit bureaus to request fraud alerts or credit freezes. Since some scammers pounce on data breach victims, the FTC counsels organizations to tell consumers how they will be contacted going forward. For instance, if the company will never contact individuals by phone, the company should tell consumers that – so individuals can detect telephonic phishing schemes.
The FTC encourages businesses to use the Guide and its accompanying materials to educate employees and customers, such as through newsletters and websites. However, when facing an enforcement action or a lawsuit, will a company’s compliance with the Guide offer any relief from FTC or state Attorney General penalties or assist organizations in their defense in private data breach lawsuits? Ultimately, the crux of breach liability usually relates to how it occurred, but taking swift, corrective actions following a breach should aid an organization when dealing with regulators and third parties by showing good faith actions to prevent further damages. Conversely, a company that fails to take corrective actions can exacerbate a breach and further negatively impact affected individuals and the organization.
The FTC’s Guide and accompanying materials are helpful references, particularly for smaller businesses. As a practical matter, the words of advice I give companies facing a possible data breach is to first, take the time to determine what happened, how it happened, whether the breach continues, and what you can do to prevent it in the future. While several states require reporting within a set number of days (e.g., 45), the laws allow organizations time to conduct factual inquiries, take corrective measures, and prepare to notify affected individuals. Organizations should not rush through these key steps. Second, communication is key. A company facing a breach should develop a clear, consistent statement regarding the breach, the steps being taken and a single contact point. The lack of a communication plan or a consistent message can cause a huge loss of customer and employee confidence and raise regulators’ interest. Third, when preparing data breach notifications, organizations should note that it is likely that the letter will become public due to some states’ open records laws. Numerous websites exist that track and publicize data breaches, based upon information in the notifications – often including copies of the actual letters. Companies should not assume that regulators and consumers simply file the letters away. While your organization cannot prevent the publicity, having a clear, concise data breach notification that meets each state’s requirements without providing excess data will help the company through the process and associated publicity.
As Halloween has people thinking of ghosts and ghouls, creative plaintiffs’ attorneys have turned an arcane New Jersey law into a true source of fright for virtually anybody who offers services that are even potentially available within the Garden State.
The law at issue is the New Jersey Truth in Consumer Contract, Warranty, and Notice Act (“TCCWNA”), which was enacted in 1981 with good intentions: to prevent businesses from advertising terms that violate state law in order to cow consumers into doing business under those terms even though they were unenforceable. For example, a storage space rental company might violate the law by requiring a consumer to release it from liability for personal injuries on company property, even though such a waiver is unenforceable under New Jersey Law. The statute provides seemingly modest damages of $100 per violation.
But the TCCWNA does not require a consumer to actually have been hurt by any illegal term or provision and, in fact, it allows for a cause of action to be brought even by a mere “prospective consumer.” In 1981, this likely made little difference to brick-and-mortar businesses, for whom the only individuals who may have seen a violative contract or term would be those who sought it out. But in the age of the Internet, everybody is a potential consumer, and one may shop for dozens of products from the comfort of one’s own desk in a single afternoon. Each time that one of these individuals views the website and, even theoretically, considers purchasing a product or service, that individual becomes a potential plaintiff under the TCCWNA.
This has opened the door to suits against virtually any retailer that has a website that can be accessed in New Jersey—unless the terms offered by such retailers are fully compliant with New Jersey law or clearly indicate what provisions would be invalid in New Jersey, there is a chance that those retailers could be found to violate the TCCWNA. And although statutory damages of $100 may not seem scary, those damages are awarded on a per-violation—that is, per-consumer—basis. And plaintiffs’ attorneys have begun to bring class actions alleging that every single New Jerseyan who has accessed a given website is a “potential consumer” under the statute, opening the door to potentially massive liability.
The news is not all bleak: a federal judge in New Jersey recently dismissed a TCCWNA case against the car rental company Hertz relying on a recent Supreme Court case that bars lawsuits by plaintiffs who have suffered no more than a “bare procedural harm” without any real injury. But it is not yet clear if other judges will follow suit, and even if they do, that ruling will not help defendants who may find themselves stuck in state court. Until the courts or the New Jersey legislature provide clearer and more meaningful protection, businesses may find themselves being forced to comply with New Jersey law no matter where they may be located.
The Federal Acquisition Regulation final rule implementing the “Fair Play and Safe Workplaces” Executive Order 13673 was issued on August 25, 2016, and the rule goes into effect on October 25, 2016. This new regulation presents a significant change – and potential challenge – for major government contractors.
President Obama signed Executive Order 13673, often referred to as the “Blacklisting” order, on July 31, 2014. The stated goal of the order is to “increase efficiency and cost savings in the work performed by parties who contract with the Federal Government by ensuring that they understand and comply with labor laws.” On their face, the Order and regulations provide new instructions for Federal contracting officers to consider a contractor’s compliance with certain Federal and State labor laws as a part of the determination of contractor “responsibility” that contracting officers must undertake before awarding a Federal contract. But what do the Blacklisting Order and the final rule really do?
Mandatory Reporting of Labor Law Violations
The new rule imposes significant reporting obligations on federal contractors during the procurement process. Ultimately, contractors and subcontractors will need to report three years of labor law violations once the rule is fully in effect. Labor law violations encompass violations of the Fair Labor Standards Act, the Occupational Safety and Health Act, Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, and ten other federal laws and orders. According to the final rule, there are three types of actions that constitute reportable violations: “administrative merits determinations,” arbitral awards or decisions, and civil judgments. Contractors must supply basic information about the violation, including the nature of the violation and identifying information, and also have the option of submitting evidence of mitigating factors and remedial measures. This information will be stored on a publicly available, searchable website.
Acknowledging this reporting is a significant burden, there is a phase-in period to allow companies to get up to speed. When the rule becomes effective on October 25, 2016, the reporting requirements will only be effective for procurements of $50 million or more and only for prime contractors. But after six months, on April 25, 2017, contractors bidding on prime contracts of $500,000 or more will need to make the relevant disclosures. On October 25, 2017, subcontractors become subject to the rule as well. Additionally, while the reporting time frame is ultimately the three preceding years, for the first year the rule is in effect, reporting will only reach back for one year. The reporting window will be expanded by a year each year thereafter, until the three-year reporting period is completely phased in on October 25, 2018.
New Paycheck Transparency Requirements
The Blacklisting Order and final rule also institutes requirements for contractors in how they communicate wage information to workers. As of January 1, 2017, contractors and subcontractors must provide a detailed wage statement, including hours worked, overtime hours, rate of pay, and any additions made or deductions taken, to every worker performing under a federal contract. Additionally, prior to beginning work, the contractor must indicate to the worker whether they will be considered an employee or an independent contractor, and if an employee, whether they are exempt or non-exempt. These notifications must be provided to workers in English and any other language used by a “significant portion” of the workforce.
Restrictions on Pre-dispute Arbitration
On the same date the reporting requirements begin the phase-in process – October 25, 2016, the requirements surrounding arbitration agreements will go into full effect. Companies with federal contracts or subcontracts of $1 million or more may not require workers to enter into pre-dispute arbitration agreements for disputes based on Title VII claims or torts related to sexual assault or harassment. The only exception will be for employees covered by a collective bargaining agreement that has negotiated the contract with an agreement to arbitrate prior to the contractor bidding on the covered contract.
The Government’s Obligations Under the New Rule
Under the new rules, the Government has obligations as well. Each agency must designate an Agency Labor Compliance Advisor (“ALCA”) to implement the reporting program. The ALCA will be the central point of contact for the agency and all matters related to Blacklisting reporting. This includes helping contractors achieve compliance with the rules and recommending labor compliance agreements. On the date the rule goes into effect, the Department of Labor will release a list of the ALCAs and their contact information.
Not the First Attempt at Blacklisting
President Bill Clinton has tried this once before. On December 20, 2000, just weeks before the end of his final term, he issued similar blacklisting rules. These rules would have required federal contractors to certify whether they violated any federal, state, or foreign labor, employment, tax, environmental, antitrust, or consumer protection law in the prior three years. A violation was defined as any incident running afoul of the various laws supported by “pervasive evidence.” That is, no formal ruling or determination of liability had to have been made to create a reportable violation. Further, contracting officers would have had complete authority to determine if the violations disqualified the contractor from reporting and were not obligated to allow bidding contractors an opportunity to respond to potentially disqualifying violations.
While the temporal element is the same as the current rule, the list of reportable violations far exceeded the list of labor law violations as contemplated now. Contractors and various industry groups aggressively opposed the 2000 proposed rule, and several lawsuits were filed in an attempt to block implementation. Nonetheless, the rule went into effect on January 19, 2001 – the day before President Clinton left office. However, in March 2001, President George W. Bush ordered suspension of the rule and began the process for overturning it. By the end of 2001, the Bush Administration had successfully revoked this rule.
Next Steps for Contractors
Contractors shouldn’t expect the 2016 rule to meet the same fate as the 2000 version. While both rules bear some similarities, the current rule is much narrower and better defines what constitutes a reportable violation. Some industry groups have publicly contemplated lawsuits against the 2016 rule, none have been filed yet. With the looming deadline, contractors should start making plans to establish a compliance regime.
While compliance with labor laws is a worthy goal, the new regulation also will have significant costs. It reduces an employers’ ability to require arbitration, which likely will result in increased, costly litigation and possibly class action litigation if future labor disputes arise. Similarly, for existing disputes decided in arbitration, it eliminates the benefit of confidentiality by requiring public disclosure concerning any adverse award.
The new regulation does provide some additional compliance options for contractors in advance of official implementation. Companies may undergo a voluntary preassessment by the Department of Labor. Beyond helping companies become acquainted with the rules, participation in this program will be considered a mitigating factor in future acquisitions. The preassessment, however, the DOL may require companies to enter into labor compliance agreements.
Federal contractors should start taking internal steps to ensure compliance in advance of the effective dates. Companies should work with their internal teams, including legal, human resources, and IT support, to ensure that the necessary records are being kept and to design a reporting and monitoring program for the future. Companies should also review their new hire policies, to ensure that proper notifications are made to all workers in the required languages.
While this is a final rule and set to go into effect in the coming weeks, the matter is far from settled. Legal challenges to the rule once implemented may arise in the courts. And, as with any new rule, the devil is always in the details, so companies will likely not know the full impact of the rule until attempting compliance during the procurement process.
The Consumer Financial Protection Bureau (CFPB) has proposed a new rule to regulate payday lending and auto-title loan companies. Right now, it is merely a proposal, meant to undergo the notice and comment period until September 14, 2016. But if the rule goes into effect, it would be a significant imposition on the lending business.
The CFPB has been studying the effects of payday lending on consumers for years and found that many consumers struggle. They cannot repay their loans, so they take out new ones and incur significant penalties and fees. Or, they default on repayment altogether. The new rule tries to reduce this by regulating the people who issue those loans.
In theory, the rule would affect two types of loans: those with a term of 45 days or less, and those with a term of more than 45 days but with certain specifications, like an all-in annual percentage rate above 36% and a consumer’s bank account or vehicle for collateral. Before issuing either loan, a lender would have to determine if the borrower can repay it without re-borrowing in the following 30 days. To determine this, a lender would assess the borrower’s income, debt obligations, and housing costs; project them over the life of the loan; and forecast non-housing living costs.
The rule would also restrict how lenders can collect repayment. Today, lenders are allowed unlimited tries to withdraw from an indebted borrower’s bank account, but the new rule would stop them after the second attempt that fails due to insufficient funds.
Because the rule has not been approved yet, affected borrowers and lenders can speak out against or in favor of it. Richard Cordray, the director of the CFPB, has promised that the Bureau “will continue to listen and learn” as comments come in. Sourcing from the industry is the best way to create a rule that protects consumers and helps lenders continue to provide so vital a lifeline.
Recently, I wrote about the CFPB’s plans to issue new regulations restricting arbitration clauses in certain consumer contracts. Today, the agency announced those new rules and CFPB Director Richard Cordray is expected to discuss them at the agency’s field hearing in Albuquerque, New Mexico. As expected, the new rules eliminate the use of class action waivers and otherwise restrict the availability of arbitration in consumer contracts, including those involving credit transactions, automobile leases, debt relief services, consumer depository accounts, check cashing, credit monitoring/reporting, and debt collection. The CFPB admits that it intends to “incentivize” greater legal compliance through the “in terrorem” deterrent impact of the new rules. In other words, the CFPB wants the prospect of increased class action litigation to scare companies into treating consumers better.
The new proposed rules are available at the CFPB’s website along with over 350 pages of supplementary information explaining the proposed rulemaking. The CFPB proposal prohibits “companies from putting mandatory arbitration clauses in new contracts that prevent class action lawsuits.” See Proposed § 1040.4(a). Companies would still be able to include arbitration clauses in their contracts, but could not restrict access to class litigation and the arbitration provisions must include specific language provided by the CFPB.
In addition, in practical terms, the CFPB has just designated itself as the overseer of U.S. arbitral bodies in direct contrast to existing laws and rules that provide very limited court oversight and review of arbitration decisions. The proposed rules would require covered companies to submit detailed information about any of their consumer arbitrations to the CFPB. See Proposed § 1040.4(b). The CFPB states that it will gather, and may publish, this data so that it may gain “insight into whether companies are abusing arbitration or whether the process itself is fair.” Although the rule provides for redaction of personal information, this new practice threatens to undermine the confidential nature of arbitrations and thereby limit one of arbitration’s principle benefits. It is not yet clear how the CFPB might conclude that consumer arbitrations are “unfair” or what they might do in response to such a determination.
Regardless of whether the proposed regulations will succeed in scaring companies into greater legal compliance, if the rules become effective, companies should expect a marked increase in consumer class action litigation. The newly announced regulations are not final, however, and interested parties will have an opportunity to comment before the rules become effective. Interested parties have 90 days from the publication of the proposed rule in the Federal Register to comment and we expect multiple objections from the financial industry this summer. The comments likely will include practical examples of the benefits of consumer arbitration provisions, critiques of the agency’s study of consumer arbitration that formed the basis of the proposed regulations, and proof of the detrimental impact that an increase in class actions will have on the business community, especially on smaller businesses. Any potentially covered company should consider commenting on the CFPB proposed regulations, either directly or through trade associations.
Once the rules are final, companies will only need to comply with the new regulations prospectively; the provisions of the Dodd-Frank Act authorizing the CFPB to regulate arbitration provide that any new rules will be binding 180 days after their effective date. So any arbitration agreement entered into prior to, or within six months of, the new rule’s effective date is not subject to the new restrictions. This gives potentially covered companies some breathing space to review and, if necessary, modify their existing contracts.
Although many in Congress do not support the newly proposed rules, given current political realities, there are unlikely to be any legislative changes to the proposed rules or the CFPB’s authority. As a result, we expect that something close to the proposed rule will become effective later this year. Following that, there likely will be multiple court challenges to the new rules and the CFPB’s authority to issue them. In the meantime, all potentially affected companies should:
- Review their existing contracts and arbitration programs to determine whether their existing contract forms would violate the proposed regulations;
- Prepare alternative contract language if existing forms will no longer be permitted; and
- Consider whether their existing pricing structure and litigation positions make sense in the coming world.
Whatever the goal, companies are unlikely to be scared into greater legal compliance; most companies already strive to comply with the law. We anticipate that the CFPB’s proposed rules will have many unintended consequences. In the short term, the increase in class action litigation will be a boon for many lawyers. Consumers with legitimate claims, however, may find that the class action process results in smaller payouts over which they have less control. And as companies adjust to this new environment, they will pass on the increased costs of increased class litigation to customers and likely will further tighten credit standards and product availability to reduce potential claims.
* * *
 Under Section 9 of the Federal Arbitration Act, a court must confirm an arbitration award unless it is vacated, modified, or corrected in accordance with Sections 10 and 11.5 of the FAA, i.e. where the award was procured by corruption, fraud, or undue means or there was an evident material miscalculation or mistake in the award.
 For example, companies may wish to withdraw from the American Arbitration Association’s Consumer Clause Registry. For that matter, the AAA and similar arbitral organizations are sure to lose significant business as the consumer arbitration market is sure to shrink significantly if the new rules become effective.
In March 2015, I wrote about the ongoing dispute between the FTC and LabMD, an Atlanta-based cancer screening laboratory, and looked at whether the FTC has the authority to take enforcement action over data-security practices alleged to be insufficient and therefore “unfair” under section 5(n) of the Federal Trade Commission Act (“FTCA”). On November 13, 2015, an administrative law judge ruled that the FTC had failed to prove its case.
In 2013, the FTC filed an administrative complaint against LabMD, alleging it had failed to secure personal, patient-sensitive information on its computer networks. The FTC alleged that LabMD lacked a comprehensive information-security program, and had therefore failed to (i) implement measures to prevent or detect unauthorized access to the company’s computer networks, (ii) restrict employee access to patient data, and (iii) test for common security risks.
The FTC linked this absence of protocol to two security breaches. First, an insurance aging report containing personal information about thousands of LabMD customers was leaked from the billing manager’s computer onto peer-to-peer file-sharing platform LimeWire, where it was available for download for at least eleven months. Second, Sacramento police reportedly discovered hard copies of LabMD records in the hands of unauthorized individuals. They were charged with identity theft in an unrelated case of fraudulent billing and pleaded no contest.
Incriminating as it all might seem, Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint entirely, citing a failure to show that LabMD’s practices had caused substantial consumer injury in either incident.
Section 5(n) of the FTCA requires the FTC to show that LabMD’s acts or practices caused, or were likely to cause, substantial injury to consumers. The ALJ held that “substantial injury” means financial harm or unwarranted risks to health and safety. It does not cover embarrassment, stigma, or emotional suffering. As for “likely to cause,” the ALJ held that the FTC was required to prove “probable” harm, not simply “possible” or speculative harm. The ALJ noted that the statute authorizes the FTC’s regulation of future harm (assuming all statutory criteria are met), but that unfairness liability, in practice, applies only to cases involving actual harm.
In the case of the insurance aging report, the evidence showed that the file had been downloaded just once—by a company named Tiversa, which did so to pitch its own data-security services to LabMD. As for the hard copy records, their discovery could not be traced to LabMD’s data-security measures, said the ALJ. Indeed, the FTC had not shown that the hard copy records were ever on LabMD’s computer network.
The FTC had not proved—either with respect to the insurance aging report or the hard copy documents—that LabMD’s alleged security practices caused or were likely to cause consumer harm.
The FTC has appealed the ALJ’s decision to a panel of FTC Commissioners who will render the agency’s final decision on the matter. The FTC’s attorneys argue that the ALJ took too narrow a view of harm, and a substantial injury occurs when any act or practice poses a significant risk of concrete harm. According to the FTC’s complaint counsel, LabMD’s data-security measures posed a significant risk of concrete harm to consumers when the billing manager’s files were accessible via LimeWire, and that risk amounts to an actual, substantial consumer injury covered by section 5(n) of the FTCA.
The Commissioners heard oral arguments in early March and will probably issue a decision in the next several months. On March 20th, LabMD filed a related suit in district court seeking declaratory and injunctive relief against the Commission for its “unconstitutional abuse of government power and ultra vires actions.”
In the past few years, many organizations such as Capital One, Bass Pro Outdoor, and the Cosmopolitan Hotel have faced class actions alleging violations of California’s call recording law. This week, California’s Attorney General demonstrated that her office, working with state prosecutors, will also vigorously enforce the law under the state’s criminal statutes. Attorney General Harris announced an $8.5 million dollar settlement with Wells Fargo Bank, N.A. over the alleged failure to provide call recording announcements to California consumers.
The complaint alleged violations of Sections 632 and 632.7 of California’s Penal Code, including the purported failure of Wells Fargo’s employees to “timely and adequately disclose the recording of communications with members of the public.” These laws form part of California’s Invasion of Privacy Act. Section 632 makes it illegal to eavesdrop (monitor) or record a “confidential communication” without the consent of all parties. The statute defines a “confidential communication” as including “any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto.“ The law specifically excludes communications in circumstances “in which the parties to the communication may reasonably expect that the communication may be overheard or recorded. “ Section 632.7 bars the recording of cell phone conversations, without the consent of all parties.
Wells Fargo Bank settled the case, agreeing in a stipulated judgment to the $8.5 million settlement and certain compliance requirements. Specifically, Wells Fargo must make a “clear, conspicuous, and accurate disclosure” to any consumer in California of the fact that Wells Fargo is recording the call. The settlement requires that this disclosure occur “immediately at the beginning” of the call, but allows Wells Fargo to precede the disclosure with an introductory greeting identifying the customer service representative and the entity on whose behalf the call is made (presumably, a Wells Fargo-affiliated entity). Wells Fargo also committed to a compliance program for one year and periodic internal testing of its employees’ and agents’ compliance with the call disclosure requirement. The bank agreed to appoint an officer or supervisor with specific oversight responsibility for compliance with the settlement obligations. Within a year following the stipulated judgment, Wells Fargo must provide the Attorney General with a report summarizing the testing.
Interestingly, the Attorney General previously pursued a similar action against home improvement platform Houzz Inc. for allegedly failing to notify all parties of its recording of incoming and outgoing telephone calls. In that case, Houzz agreed to appoint a Chief Privacy Officer to oversee Houzz’s compliance, a first for a California Department of Justice settlement.
As we have advised before, all organizations recording calls – whether inbound or outbound – should immediately disclose to called parties that the call is being recorded. The disclosure should occur at the outset of the call. One type of introduction could be, “This is Michelle, calling on behalf of XYZ Company. This call is being recorded and/or monitored.” Some companies may wish to announce the option of a non-recorded line, available via a key press. It is also important to time the recording to begin after the announcement, to avoid potential liability based on even a few seconds of a recorded call before an announcement is given.
A few important reminders are worth repeating:
- The announcement requirement applies to inbound and outbound calls, including requested return calls.
- Recording announcements apply to all types of calls – not just sales calls.
- Maintain proof of the announcement.
- Implement a short, written call recording policy.
- Train customer service representatives to understand the call recording policies.
- Periodically “test” call recording procedures.
- Promptly investigate any call recording complaints and take appropriate corrective action.
- Have customer service representatives sign an acknowledgment that they understand they are being monitored and/or recorded.
The recording of customer service and other calls is an important component to prevent fraud, fulfill legal requirements and augment customer service, among other reasons. Companies can implement call recording effectively, but must comply with announcement requirements and should take proactive measures, such as training and testing, to protect against civil and criminal liability and to safeguard consumer goodwill.
Since the Federal Arbitration Act (FAA) of 1925, the United States has had a policy preference for arbitration, even when an arbitration provision includes language barring class action litigation. We saw this most recently in December 2015 when the Supreme Court reversed a decision by a California Court of Appeal to invalidate a class-arbitration waiver within a service agreement between DirecTV and its customers. But not everyone thinks arbitration is so great a thing. Encouraged by consumer groups and trial lawyers, federal regulators are pushing for limits on arbitration provisions in consumer contracts.
At its core, the debate is about whether companies may compel consumers to arbitrate rather than litigate disputes and – perhaps more significantly – bar consumers from class action remedies as part of the arbitration requirement. Critics of mandatory arbitration say that it restricts consumer redress and is tantamount to a deceptive trade practice because the arbitration provisions are usually contained in the “fine print” of a contract. The new rules being proposed reportedly are designed to eliminate mandatory arbitration provisions and facilitate class action litigation.
Despite the criticisms of consumer groups, arbitration often is cheaper and more effective for both individual consumers and companies. By interfering with Americans’ freedom of contract to prevent the use of mandatory arbitration, the government could severely damage U.S. business interests by exposing them to a marked increase in expensive class action litigation. In turn, that would result in more limited choices and increased costs for consumers.
The government’s efforts to eliminate mandatory arbitration provisions in consumer-related contracts have been highlighted in several recent agency actions. In its list of near-term goals, the Bureau of Consumer Financial Protections (CFPB) said that new rules to govern arbitration in consumer contracts would be a priority in 2016. The Department of Education announced that it, too, was reviewing mandatory arbitration provisions in college enrollment contracts. And despite multiple appellate decisions to the contrary, the National Labor Relations Board (NLRB) again concluded that class action waivers in arbitration agreements infringe on an individual’s rights under Section 7 of the National Labor Relations Act.
All of this has happened in the space of three months, indicating a clear effort by the government to diminish businesses’ ability to require arbitration that shields them from often frivolous and costly class action litigation. The acts of some Congressmen have made this agenda even more transparent. In February 2016, Senator Patrick Leahy introduced a bill that would modify the scope of the FAA and curtail the use of mandatory arbitration. The bill is unlikely to pass in the current Republican Congress, but Congress previously empowered federal agencies to curtail the use of mandatory arbitration provisions on a significant, but more limited, basis.
The CFPB’s current actions were authorized by the 2010 Dodd-Frank Act, which barred the use of arbitration clauses in certain mortgage contacts and gave the SEC power to ban or restrict the use of arbitration in other disputes. Deepak Gupta, then the CFPB’s senior counsel for enforcement strategy, stated that prohibiting or restricting mandatory arbitration would be “the single most transformative thing the bureau can do” for consumers. In March 2015, the CFPB released a 728-page study of arbitration in consumer contracts, which was criticized by some academics and trade groups for misstating the impact of mandatory arbitration provisions on consumers. Since then, members of Congress have engaged in deeply partisan squabbling over the need for additional rulemaking on consumer arbitration or to limit class action litigation in other ways.
Despite the criticism and opposition, CFPB director Richard Cordray reiterated the agency’s plans to release new rules aimed at banks and other financial firms. Earlier comments by the agency confirm that the new rules will be designed to prevent arbitration clauses from restricting class action remedies. We think such changes would quickly spread to encompass telephone, Internet, and other commonplace consumer agreements.
American companies should be concerned with how executive agencies, e.g., the CFPB, the Department of Education, and the NLRB, will carry out their plans to introduce regulations that restrict the use of arbitration clauses in a broad range of consumer contracts. We will not be surprised to see some companies restrict their consumer offerings or increase prices to account for these new rules. If you work in American business, we urge you to take notice of these changes and review how to protect your company from undue litigation in future contracts. Among other options, you should analyze the inclusion of non-mandatory arbitration provisions, the separation of class-action waivers from arbitration provisions, and the option of raising prices to contend with increased litigation.
 Id. § 1414.
 Carter Dougherty, CFPB Finds Arbitration Harms Consumers, Presaging New Rules, BLOOMBERG BUS., March 10, 2015, available at http://www.bloomberg.com/news/articles/2015-03-10/cfpb-finds-arbitration-harms-consumers-in-study-presaging-rules.
The Office of the Inspector General, which enforces Health and Human Services, has long been averse to referral services that don’t meet certain criteria. To get protection against a possible enforcement action, the referral service can’t exclude anyone from participating in the service, and payments for referrals have to be reasonable and cannot be tied to the volume or value of the referrals that are made. All this complexity doesn’t simply keep referral services from earning a legitimate living; it denies patients access to superior healthcare options.
In a time when patients gravitate toward online resources, the OIG’s restrictions on medical referrals appear horribly out of date. Generally, when people want to find a pharmacy, lab, or doctor, they ask a friend or family member. In many circumstances, though—such as moving to a new city and not knowing anyone—people are likely to go online. Here they will find numerous referral services that can steer them to many reputable providers, who are often happy to pay for the hookup. This type of commercialized referral happens all the time in privatized industries—but because the government pays for healthcare (in the case of Medicare and Medicaid), it gets to set the rules for that space. Many of these rules are legitimately designed to protect against fraud and misuse of public funds, but that shouldn’t make them impervious to revision.
Thankfully, this has not escaped the notice of referral services and even the OIG, which has issued some enlightened opinions on the matter; case in point, No. 11-18. In 2011, a web-based provider of billing, electronic record, and patient messaging services asked if it could offer a coordination service whereby physicians could pay a transmission fee for connecting to other providers in order to share patient information, provider numbers, and clinical data. In response, the OIG determined that this service would not be afforded protection under the safe harbor, but it would not necessitate enforcement action either. In this instance, and many others in today’s marketplace, the referral service isn’t a health care provider that bills the government, but a third party provider of software and services. What would be the harm of facilitating the transmission of information between referring providers so that a patient can receive care? Here the OIG acknowledged that the fee structure was fair market value, that it would be assessed whether or not a patient followed through, and that it was unlikely to influence a provider’s decision to refer to any particular person or entity.
When the referral services safe harbor was drafted it made some sense for the OIG to suspect that an online referral service could charge a fee to steer patients to a particular provider, thereby exploiting federally reimbursed services and products. However, in most cases, online referral services are there simply to expand access to care, allow patients to have more choices, and help them find options that best suit their needs. In any other industry it makes perfect business sense for a referral service to charge its users a fee in order to recoup the cost of implementation (if any) and achieve a profit. It’s high time the OIG gives medical referral services the air they need to do the same. Modifying the safe harbor could take a lot of time and effort, but the OIG can take it upon itself to revise its interpretation of the safe harbor’s requirements without having to turn a blind eye to the law.