FTC Beat
Aug 13
2015

The Key to Steering Clear of the FTC’s Crack Down on Car Dealership Advertisements


Car dealerships are notorious for running loud, flashy ads with too-good-to-be-true offers for outrageous deals to buy or lease cars. Some dealerships downplay or even hide the seemingly endless list of qualifications on those offers which render many potential buyers ineligible for the deals, much to the irritation of misled consumers. The FTC has taken action to stop these misleading practices by continuing its effort to crack down on deceptive advertising among automobile dealerships, which began in 2014 with the FTC’s “Operation Steer Clear,” a nationwide sweep of deceptive car dealership advertising. The FTC’s efforts in this area have continued, most recently resulting in settlements with two Las Vegas auto dealerships.

Planet Hyundai and Planet Nissan of Las Vegas were the subject of FTC enforcement actions alleging that the dealers’ ads misrepresented the cost to buy or lease a car by omitting critical information or deceptively hiding it in fine print.  For instance, Planet Hyundai advertised a car for sale with “$0 Down Available,” but fine print revealed that a buyer would have to trade in a car worth a minimum of $2,500 or meet other qualifications in order to take advantage of the offer. Planet Nissan’s advertisements ran purportedly reduced prices side by side with former prices which had been struck through (“Was $12,888, Now $9,997”). However, the ads did not adequately disclose the qualifications which buyers had to meet to get those prices. Similarly, the ads touted that the cars were for “Purchase! Not a lease!,” when in fact many of the cars were leases. In both cases the FTC alleged that the prominently advertised prices are not generally available to consumers. The dealerships both entered into consent agreements in which they did not have to admit guilt or pay any fines or penalties, but were obligated to abide by relevant laws and regulations pertaining to deceptive advertising.

Further automobile enforcement efforts may be on the horizon.  In a late July regulatory filing, GM disclosed that it is currently the subject of an ongoing FTC investigation regarding “certified pre-owned vehicle advertising where dealers had certified vehicles allegedly needing recall repairs.”  GM and the FTC declined to comment further, so it is not immediately clear whether the individual dealers were following GM corporate policy when certifying the pre-owned cars in need of recall repairs, or specifically how the ads were allegedly deceptive.

While many of the FTC’s enforcement actions focus on lower-cost products with a large national customer base, such as dietary supplements sold over the internet, these cases serve as a reminder that the FTC’s advertising requirements apply equally to big-ticket items sold locally.  Merchants and service providers of every type, whether operating online or in brick and mortar shops, must ensure that their advertisements adequately disclose all material terms and conditions in a way that is not misleading or deceptive.

Ifrah Law is a leading white-collar criminal defense firm that focuses on internet advertising, and online fraud and abuse.

Jul 09
2015

State Attorneys General Tell Congress: “Back-Off Our Data Breach Authority”


Every week, we learn about new data breaches affecting consumers across the country. Federal government workers and retirees recently received the unsettling news that a breach compromised their personal information, including social security numbers, job history, pay, race, and benefits. Amid a host of other public relations issues, the Trump organization recently discovered a potential data breach at its hotel chain. If you visited the Detroit Zoo recently, you may want to check your credit card statements, as the zoo’s third party vendor detected “malware” which allowed access to customers’ credit and debit card numbers. And, certainly, none of us can forget the enormous data breach at Target, and the associated data breach notifications and subsequent lawsuits.

For years, members of Congress have stressed the need for national data breach standards and data security requirements. Aside from mandates in particular laws, such as HIPAA, movement on data breach requirements had stalled in Congress. Years ago, however, the states picked up the slack, establishing data breach notification laws requiring notifications to consumers and, in many instances to attorneys general and consumer protection offices when certain defined “personal information” was breached. California led the pack, passing its law in 2003. Today, 47 states have laws requiring organizations to notify consumers when a data breach has compromised consumers’ personal information. Several states’ laws also mandate particular data security practices, including Massachusetts, which took the lead on establishing “standards for protection of personal information.”

Many businesses and their lobbying organizations have urged Congress to preempt state laws and establish a national standard. Most companies have employees or customers in multiple states. Thus, under current laws, organizations have to address a multitude of state requirements, including triggering events, types of personal information covered, how quickly the notification must be made, who gets notified, what information should be included in the notification, among others. State Attorneys General, on the other hand, assert that, irrespective of these inconveniences, their oversight of data breaches through the supervision of notifications and enforcement has played a critical role in consumer protection.

This week, the Attorneys General from the 47 states wrote to Congressional leaders, urging Congress to maintain states’ authority in any federal law, by requiring data breach notifications, and preserving the states’ enforcement authority.

The AGs’ key points are:

  • State AG offices have played critical roles in investigating and enforcing data security lapses for more than a decade.
  • States have been able to respond to constant changes in data security by passing “significant, innovative laws related to data security, identity theft, and privacy.” This includes addressing new categories of information, such as biometric data and login credentials for online accounts.
  • States are on the “front lines” of helping consumers deal with the fallout of data breaches and have the most experience in guiding consumers through the process of removing fraudulent charges and repairing their credit. By way of example, the Illinois AG helped nearly 40,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts.
  • Forty states participate in the “Privacy Working” group, where state AGs coordinate to investigate data breaches affecting consumers across multiple states.
  • Consumers keep asking for more protection. Any preemption of state law “would make consumers less protected than they are right now.”
  • States are better equipped to “quickly adjust to the challenges presented by a data-driven economy.”
  • Adding enforcement and regulatory authority at the federal level could hamper the effectiveness of the state law. Some breaches will be too small to have priority at the federal level; however, these breaches may have a large impact at the state or regional level.

Interestingly, just this week, Rep. David Cicilline (D-RI) introduced a House bill mandating that companies inform consumers within 30 days of a data breach. The bill also requires minimum security standards. Representative Cicilline’s bill would not preempt stricter state-level data breach security laws. The bill also contains a broad definition of “personal information” to include data that could lead to “dignity harm” – such as personal photos and videos, in addition to the traditional categories of banking information and social security numbers. The proposed legislation would also impose civil penalties upon organizations that failed to meet the standards.

Without a doubt data breaches will continue – whether from bad actors, technical glitches, or common employee negligence. The states have certainly “picked up the slack” for over a decade while Congressional actions stalled. Understandably, the state AGs do not want Congress taking over the play in their large and established “privacy sandbox.” Preemption will continue to be a key issue for any federal data breach legislation before Congress. As someone who has guided companies through multi-state data breach notifications, I have seen firsthand that requiring businesses to deal with dozens of differing state requirements is costly and extremely burdensome. Small businesses, in particular, are faced with having to grapple with a data security incident while trying to understand and comply with a multitude of state requirements. Those businesses do not have the resources of a “Target” and complying with a patchwork of laws significantly and adversely impacts those businesses. While consumer protection is paramount, a federal standard for data breach notification would provide a common and clear-cut standard for all organizations and reduce regulatory burdens. While the federal standard could preempt state notification laws, states could continue to play critical roles as enforcement authorities.

In the interim, companies must ensure that they comply with the information security requirements and data breach notifications of applicable states. An important and overlooked point is that while an organization may think of itself as, say, a “Vermont” or “Virginia” company, it is likely that the company has personal information on residents of various states – for instance, employees who telecommute from neighboring states, or employees who left the company and moved to a different state. Even a “local” or “regional” company can face a host of state requirements. As part of an organization’s data security planning, companies should periodically survey the personal information they hold and the affected states. In addition to data breach requirements in the event of a breach, organizations need to address applicable state data security standards.

Ifrah Law is a leading white-collar criminal defense firm that focuses on data privacy.

Jun 17
2015

Free* to Play Means Only If You Pay


As online gaming companies compete for business, they are offering customers increasingly large incentives to play on their websites, often in the form of deposit bonuses.  These deposit bonuses allow players to play with the bonus money as if it’s cash and keep the winnings (although players cannot cash out the bonus itself). However, some players and regulators believe that some of these promotions are misleading, because they allegedly do not clearly and conspicuously disclose all of the material terms of the offer.

The UK’s Advertising Standards Authority (ASA) recently banned an advertisement by online gaming operator Betway which allegedly failed to disclose the material terms of the offer. Betway’s homepage prominently advertised a “£50 Free Bet*.” By clicking on the asterisk, users were taken to a tab listing the bonus terms, which stated that the operator would match new customers’ first deposit, from £10 to £50, with a bonus that must be used within a week from the initial deposit.

The ASA determined that the “£50 Free Bet” advertisement was misleading because it did not disclose the material terms and conditions of the offer in a clear and conspicuous manner. The ASA asserted that the “£50 Free Bet” advertisement would lead the average user to believe that they would receive a truly free bet—not that they had to first pay £50 before they could receive the “free” bet as a deposit bonus.

Gaming companies, like all advertisers, must be vigilant in ensuring that their advertisements fully disclose the terms of any offer up front.  This includes information such as how much money the customer will receive (in this case, a matching deposit bonus up to £50), what the customer must do to earn the bonus (make a deposit), when the customer will receive the incentive (whether they receive it in a lump sum immediately upon deposit, or whether additional milestones in play or deposits must be reached), and how long they have to use the bonus funds. In the United States, the Federal Trade Commission and state Attorneys General may bring actions for alleged deceptive advertising offers, and in many states customers may bring suit for the purportedly misleading offers. In operators’ quest to compete for customers and make attractive offers, they should proceed with caution and err on the side of full disclosure in doing so.

Ifrah Law is a leading white-collar criminal defense firm that focuses on internet advertising.

Jun 01
2015

FAIL: For-Profit Education Sector Dealt Major Blow


For-profit education was dealt a major blow in a federal court case challenging the Department of Education’s Gainful Employment Rule. U.S. District Court Judge Lewis Kaplan of New York dismissed a lawsuit that was filed last November by the Association of Proprietary Colleges. The lawsuit is one of two filed in federal court shortly after the Department of Education issued its revised version of the Gainful Employment Rule. The second lawsuit, brought by the Association of Private Sector Colleges and Universities, is still pending before a federal judge in D.C.

In his opinion, Judge Kaplan rejected APC’s arguments that the Gainful Employment Rule (1) violates colleges’ constitutional due process rights, (2) violates the plain language of the statute, exceeding statutory authority, and (3) is arbitrary and capricious. Kaplan held there could be no due process issues as for-profit colleges do not have a “vested right” to participate in federal student aid programs. He discounted as ill-conceived or misleading arguments that the rule exceeds statutory authority. And he dismissed APC’s allegations that the rule as drafted is arbitrary and capricious.

Judge Kaplan’s rejection of APC’s lawsuit is hailed as a victory by detractors of the for-profit education industry who are anxious to see the new rule implemented this July. Some project that Kaplan’s opinion will influence the direction of the pending federal case in D.C. But, despite these portents, the legal theories in the two suits are distinct enough that APSCU’s case should not be overshadowed. The APSCU’s suit centers on how and why the Gainful Employment Rule, as drafted, would disparately impact populations, identifying concern that the rule would “impose massive disincentives” on schools from recruiting “low-income, minority, and other traditionally underserved student populations, because, as an historical matter, those demographics are widely recognized as most at risk of failing the Department’s arbitrary test.”

The complaint also identifies concerns regarding the DoE’s rulemaking process, which it alleges was marred by “well-substantiated allegations of bias and misconduct that led several Members of Congress to accuse the Department of bad faith.” Perhaps it will not go without notice, the next opinion around, that the DoE’s proposed rule more than doubled in size at the 11th hour of the rulemaking process, flying in the face of the purpose of the public notice and comment period.

It is surprising to see so many consumer advocate groups cheering a marred process and pushing for standards that will have the effect of discouraging education opportunities for historically underserved low-income and minority students. It can’t be that their intentions are bad. It is more likely that detractors of for-profit education are narrowly focused on examples of bad actors in the field—that have been called out by authorities for predatory lending practices and misrepresenting the quality or results of their programs. Indeed the industry is not shy of regulators scrutinizing and penalizing bad practices. For-profit education has the likes of the SEC, CFPB, FTC, and a bevy of state attorneys general at the ready. You might think that those skeptical of for-profit education could look to the work done by these agencies and be satisfied that problems are being addressed.

While detractors breathlessly anticipate another judicial benediction of the DoE’s rulemaking, hopefully the next round of judicial opining will address not just the extent of the DoE’s statutory authority but also how the DoE can and should carry out its purpose. In the meantime, for-profit educators would do well to continue efforts to disseminate data that shows how they meet important needs that other schools do not and how their costs compare to actual costs of other schools (e.g., including data on taxpayer funding of community colleges). Perhaps many of the well-intentioned skeptics would be less anxious to see the end of the industry.

Ifrah Law is a leading white-collar criminal defense firm that focuses on a variety of practice areas.

May 26
2015

Keeping Your Privacy Promises: Retail Tracking and Opt-Out Choices


As children, many of us were taught how important it is to “keep your word.” Similarly, it is black letter privacy law that if a company commits (for instance, in a privacy policy or in website statements) to certain actions or practices, such as maintaining certain security features or implementing consumers’ choices on opt-outs, the organization must abide by those practices. Many companies have faced the Federal Trade Commission’s (“FTC”) ire when the agency found the organizations’ practices failed to comport with their privacy promises. Recently, the FTC settled the first action against a retail tracking company, Nomi Technologies, Inc. (“Nomi”). The FTC alleged that Nomi misled consumers with promises that it would provide an in-store mechanism for consumers to opt-out of tracking and that consumers would be informed when locations were utilizing Nomi’s tracking services. In fact, according to the FTC, Nomi did not provide an in-store opt-out and did not inform consumers of locations where the tracking services were used. This action signals that the FTC will continue to exert its jurisdiction over privacy practices it deems false or deceptive, including those occurring in emerging technologies like retail tracking.

The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.

What Nomi did wrong, according to the FTC, was fail to honor its privacy policy which “pledged to…always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” Nomi presented an opt-out on its website, but (per the complaint), no option was available at retailers using Nomi’s service. The FTC also asserted that consumers were not informed of the tracking (contrary to the privacy policy promises). Thus, the FTC alleged that Nomi’s privacy promises were false because no in-store opt-out mechanism was available, nor were consumers informed when the tracking occurred.

Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.

What can companies learn from Nomi’s settlement, even those not in the retail tracking business?

  • While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
  • Consumers could opt-out on Nomi’s website by providing a MAC address in an online form. The FTC did not seem to have a problem with this part of Nomi’s practices. If Nomi had not promised that consumers could also opt-out at the retail locations, and that they would be notified of tracking, there would not have been an FTC action. In other words, it was Nomi’s words (in its privacy policy) that got it in hot water with the FTC. All companies should review their privacy policies regularly to make sure the language comports with their practices.  If you don’t do it, don’t say it.
  • The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
  • Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).

The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.

Ifrah Law is a leading white-collar criminal defense firm that focuses on e-commerce and data privacy.

May 20
2015

Yelp Fights for the Right to Complain Anonymously


In e-commerce, user reviews can make or break a business. Review sites such as Yelp are a double-edged sword for merchants and service providers: on one hand, satisfied customers can generate buzz about the company and bring in new customers, and on the other hand, dissatisfied customers can use it as a very public platform to air their grievances and discourage new business.

Review sites such as Yelp maintain policies protecting users’ anonymity, a major source of frustration among business owners.  By remaining anonymous, users can make potentially defamatory statements and leave the businesses with little recourse to hold the individuals accountable. A recent ruling by the Virginia Supreme Court has demonstrated the long and tortured road that businesses must take to challenge the anonymity of these unnamed users.

In 2012 a small Virginia company, Hadeed Carpet Cleaning Inc., brought suit against unnamed Doe defendants for allegedly defamatory statements published about Hadeed on the Yelp review website. According to Hadeed, a number of negative reviews did not match up to records of the company’s existing customers, and therefore the company suspected that the false statements were published by individuals who had never used the company’s services.  The Circuit Court for the City of Alexandria, Virginia, issued a subpoena to Yelp requiring it to provide identifying information about the anonymous users.  Yelp refused to comply, and the Circuit Court held Yelp in contempt.

Yelp appealed, arguing that the court’s order violated the First Amendment by forcing the company to identify the anonymous users. In January 2014 the Court of Appeals upheld the Circuit Court’s order, applying a six-prong procedure under Virginia’s “unmasking statute,” which provides that the court may issue a subpoena to unveil the identity of an individual speaking anonymously over the internet where (1) notice of the subpoena was served on the anonymous speaker through his internet service provider, (2) the plaintiff has a legitimate, good faith basis to contend that communications may be tortious or illegal, (3) other efforts to identify the speaker have been fruitless, (4) the identity of the communicator is important, (5) there is no pending motion challenging the viability of the lawsuit, and (6) the entity to whom the subpoena is addressed is likely to have responsive information.

The Court of Appeals noted that Hadeed had followed the proper procedure in requesting the subpoena. The court found that the company’s evidence that the reviews did not match customer records was sufficient to establish they were not published by actual customers of the company, and were therefore likely to be false.

Yelp appealed the Circuit Court decision to Virginia’s Supreme Court.  Last month, the Virginia Supreme Court issued an anticlimactic ruling dismissing the case on jurisdictional grounds, stating that the case should have been brought in California where Yelp is headquartered and where the responsive records are located.

If Hadeed chooses to resume the case in California, it will face a somewhat higher burden in obtaining the names of the users. Notably, Virginia is the only state in the country to have enacted an unmasking statute. In most states, the courts will not issue a subpoena until the plaintiff has established a prima facie case for defamation—significantly more than the “legitimate, good faith basis” used in Virginia.

Apr 13
2015

Even In The UK, Think Twice Before Using Celebrity Endorsements


A recent legal case in the UK between singer Rihanna and fashion retailer Topshop has highlighted differences between publicity rights in the UK and some US jurisdictions. Rihanna sued Topshop for its sale of a t-shirt bearing a large photograph of her.  Rihanna had not approved or endorsed the sale of the t-shirt; rather, an independent photographer had taken the picture and licensed it for use on the shirts.

In the United States, many jurisdictions have laws governing the right of publicity; that is, the right to control the use of your image for commercial gain, or to be compensated for the commercial use of your image.  The UK, however, does not have corresponding laws on image rights.  Instead, Rihanna had to allege that Topshop engaged in “passing off” the shirts as being endorsed by the singer, thereby damaging her goodwill and business.  In support, Rihanna argued that the circumstances of the sale of the shirts were likely to mislead customers into thinking that she had endorsed the product because the photograph was similar to those used in official album promotions, the nature of the shirt itself, and the fact that Topshop is a major and reputable retailer.

The lower court considered Rihanna’s prior connections to the store in considering whether passing off occurred.  It noted that Topshop had previously run a competition in which the winner was awarded with a shopping trip to Topshop. Also, only weeks before the shirts went on sale, Topshop tweeted that Rihanna was shopping at one of its locations.  Against that background, the court noted that the particular photograph on the shirt could have led her fans to believe that it was associated with the marketing campaign for the album, since the particular hairstyle and scarf worn by Rihanna in the photograph were widely used in a music video and associated publicity.

Ultimately Rihanna’s passing off arguments were successful, and the court granted an injunction prohibiting Topshop from selling the shirts without informing customers that they had not been approved or authorized by Rihanna.  However, it is interesting to think what the result might have been in an instance where it was more obvious that Rihanna had not endorsed the product; for instance, if the t-shirts were sold, not through a trusted retailer which has been associated with the singer but instead by an independent seller hawking t-shirts on the street corner.  In such circumstances the case in favor of passing off may have been weaker and Rihanna might not have been able to control the use of her image.

In contrast, the outcome under such a scenario might be very different in a state like California, which has strong right of publicity laws. California Civil Code §3344(a) forbids the use of another’s likeness “on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of, products, merchandise, goods or services, without such person’s prior consent…” The law establishes liability of $750 or actual damages, whichever is greater, as well as “any profits from the unauthorized use that are attributable to the use and are not taken into account in computing the actual damages.” Punitive damages and attorney’s fees and costs are also available under the statute.

While Rihanna’s victory in UK court does not establish a right of publicity in the country, it does provide an interesting case study in the workarounds that celebrities must use in order to protect their image from being improperly used in jurisdictions which do not have a right of publicity.

Ifrah Law is a leading white-collar criminal defense firm that focuses on e-commerce, data privacy, and internet advertising.

Apr 02
2015

Telemarketing Tips: What We Can Learn From Caribbean Cruise Lines’ Excursion With The FTC


The FTC’s “Do Not Call” and “robocall” rules do not apply to political survey calls. So, if Hillary Clinton sought to “voice blast” a survey about international issues, she could do so without violating the Telemarketing Sales Rule (“TSR”). (Under FCC rules, though, she would have an issue calling wireless numbers.) However, companies may not telemarket under the guise of exempt political calls. Caribbean Cruise Lines (CCL) and several other companies working with CCL recently learned this lesson the hard way. The FTC and a dozen state attorneys general sued CCL and others for offering cruises and vacation “add ons” following purported political calls. CCL settled, agreeing to pay $500,000 of a $7.2 million penalty, and to comply with multiple compliance mechanisms.

CCL and the other defendants implemented an extensive calling campaign involving 12 to 15 million calls per day for approximately ten months offering a political survey.  However, the survey calls invited consumers to “press one” to receive a “free” two-day cruise to the Bahamas (port taxes would apply).  A live telemarketer working on behalf of CCL then offered consumers pre-cruise hotels, excursions, and other value packages.

While political calls remain exempt under the TSR’s robocall and Do Not Call provisions, if a caller offers a good, product or service during an otherwise exempt call, an “upsell” has occurred and the call is now telemarketing.  FTC rules prohibit robocalls to telemarket except with prior express consent.  Thus, the FTC asserted that CCL violated the TSR’s robocall provision since the called parties had not consented to the recorded sales calls.  While the calls started as political survey calls, they were actually standard telemarketing, subject to all TSR telemarketing rules.  The FTC also alleged violations of the Do Not Call rules, the caller identification rules, and the “company-specific Do Not Call requirements,” among other violations.

In addition to the reminder about “upsells” or “mixed messages,” this action highlights several important TSR enforcement lessons:

• The FTC and State Attorneys General work closely in telemarketing enforcement – in this action, ten state attorneys general joined the FTC’s action.

• Many of the State AGs involved tend to be those most active in telemarketing litigation – Florida, Indiana, Mississippi, North Carolina, Ohio, and Washington State.

• The FTC does not require a company to actually make the prohibited calls. An enforcement action will lie where a company paid or directed others to make calls in violation of the TSR.

• The TSR also bars third parties from providing “substantial assistance” to others who violate the rule. Here, the FTC’s complaint charged a group of five companies and their individual owner with assisting and facilitating the illegal cruise calls by providing robocallers with telephone numbers to use in the caller ID field, to hide the robocallers’ identities.

• As part of its settlements, the FTC may impose a variety of remedies, including requiring the seller (here, CCL) to monitor its lead generators.

• The FTC may also bar the seller from purchasing leads from a lead generator who is determined by the seller to obtain leads through unlawful TSR calling.

• The FTC will carefully review, and proceed against, companies who violate other TSR provisions, including caller ID requirements, scrubbing of the federal Do Not Call database, and the company-specific Do Not Call list.

• A settlement often requires ongoing recordkeeping. Here, the FTC required CCL to create records for ten years (and retain each one for 5 years), including records of consumer complaints and documentation of all lead generators.

• The FTC and state AGs may proceed against individuals as well as companies.

• Many states have their own “do not call” laws, caller ID requirements and TSR-similar rules which can be used to bolster claims and penalties.

* * *

While it should not come as a surprise that a “mixed message” call must comply with the TSR, the recent joint case against CCL and others serves as a potent reminder that the FTC and state attorneys general continue to monitor robocalling and other mass telemarketing campaigns. Further, the enforcers will use the full panoply of legal requirements and enforcement mechanisms to address telemarketing violations. The seller, the telemarketer, the lead generator, the caller ID provider, and any other party providing substantial assistance may find themselves at the receiving end of a call from the FTC if they fail to follow each of the TSR’s obligations or engage in activities that the TSR prohibits.


Mar 06
2015

Why the FTC Can Go After Companies For Insufficient Data Security Allegations


FTC seems more confident than ever in its authority to go after companies with insufficient data security measures. As of January 2015, FTC had settled 53 data-security enforcement actions, and FTC Senior Attorney Lesley Fair expects that number to increase.

Not everyone is sanguine about FTC’s enforcement efforts. Companies targeted for administrative action complain that the Commission is acting beyond its delegated powers under the Federal Trade Commission Act (the “FTCA”). So far, courts have declined to intervene in any administrative action that is not yet resolved at the agency level.

One such case involves LabMD, Inc., an Atlanta-based cancer-screening laboratory. At least nine years ago, someone downloaded onto the billing department manager’s computer a peer-to-peer file-sharing application called Limewire. Hundreds of files on the computer were designated for sharing on the network, including an insurance aging report that contained personal information for more than 9,000 LabMD customers. In 2008, a third party notified LabMD that the aging report was available on Limewire. The application was promptly removed from the billing department manager’s computer, but the damage allegedly had been done. According to FTC, authorities discovered in October 2012 that data from the aging report and other LabMD files were being used to commit identity theft against LabMD’s customers.

Ten months later, FTC filed an administrative complaint against LabMD alleging that it had failed to employ reasonable and appropriate data security measures. FTC further alleged that LabMD could have corrected the problems at relatively low cost with readily available security measures. By contrast, LabMD’s customers had no way of knowing about the failures and could not reasonably avoid the potential harms, such as identity theft, medical identity theft, and disclosure of sensitive, private, medical information. On these facts, FTC alleged that LabMD had committed an unfair trade practice in violation of the FTCA.

LabMD tried to get the administrative action dismissed on several grounds, including that the FTCA does not give the Commission express authority to regulate data-security practices. The Commission denied LabMD’s motion, explaining that Congress gave FTC broad jurisdiction to regulate unfair and deceptive practices that meet a three-factor test: section 5(n) provides that, in enforcement actions or rulemaking proceedings, the Commission has authority to determine that an act or practice is “unfair” if (i) it causes or is likely to cause substantial injury to consumers which is (ii) not reasonably avoidable by consumers themselves and (iii) not outweighed by countervailing benefits to consumers or competition. Commissioners noted that the FTCA as passed in 1918 granted FTC the authority to regulate unfair methods of competition. When courts took a narrow view of that authority, Congress responded by amending the FTCA to clarify that the Commission has authority to regulate unfair acts or practices that injure the public, regardless of whether they injure one’s competitors. According to the Commission, the statutory delegation is intentionally broad, giving FTC discretionary authority to define unfair practices on a flexible, incremental basis. For these and other reasons, the administrative action against LabMD would proceed.

Having failed to get the case dismissed, LabMD sought relief from the federal courts to no avail. On January 20, 2015, the U.S. Court of Appeals for the Eleventh Circuit dismissed LabMD’s suit for lack of subject-matter jurisdiction. The court explained that it lacked the power to decide LabMD’s claims in the absence of final agency action. FTC had filed a complaint and issued an order denying LabMD’s motion to dismiss. But neither was a reviewable agency action because neither represented a “consummation of the agency’s decision-making process.” Moreover, “no direct and appreciable legal consequences” flowed from the actions and “no rights or obligations had been determined” by them.

LabMD can challenge FTC’s data-security jurisdiction only after the Commission’s proceedings against it are final. That may well be too late. As a result of FTC’s enforcement action, the company was forced to wind down its operations more than a year ago.

LabMD is one of very few companies to test FTC’s data-security jurisdiction. In 2007, a federal court in Wyoming sided with FTC in holding that the defendant’s unauthorized disclosure of customer phone records was an unfair trade practice in violation of the FTCA. The Tenth Circuit affirmed that decision on appeal.

More recently, a district court in New Jersey gave FTC a preliminary victory against Wyndham Worldwide Corporation. In that case, the court held that FTC’s unfairness jurisdiction extends to data-security practices that meet the three-factor test under Section 5(n). That decision is currently on appeal before the Third Circuit. During oral argument on March 3rd, the three-judge panel signaled little doubt that FTC has authority to regulate unreasonable cybersecurity practices. Instead, the panel was concerned with how the Commission exercises that authority—specifically, whether and how it has given notice as to what data security measures are considered to be “unfair.”


Mar 03
2015

Another Class Action Pops Up For Complaints About Pop-Ups


A class action lawsuit recently instituted in federal court in the Northern District of California, Hunter v. Lenovo et al., alleges that Lenovo Inc., a computer manufacturer, violated its customers’ rights by selling computers which came preinstalled with alleged spyware manufactured by Superfish Inc., another named defendant.  The purported class alleges that the Superfish software monitors user activity and displays pop-up ads, among other things, as part of an “image-based search” function which identifies images on the user’s screen and seeks out similar images on the web. The complaint states causes of action for violations of the Electronic Communications Privacy Act and the Stored Communications Act, as well as unjust enrichment.

The Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712 provides criminal penalties for anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility.”  The SCA has been cited by plaintiffs in other class actions in which users allege that a technology company has overstepped its bounds.  For instance, in Perkins v. LinkedIn Corp., No. 13-CV-04303-LHK, 2014 WL 2751053 (N.D. Cal. June 12, 2014), a putative class of LinkedIn users alleged that the social networking company violated the SCA by collecting contacts from users’ external email accounts.  The court granted LinkedIn’s motion to dismiss the SCA claims, noting that the users consented to the collection of email addresses in a prominent disclosure, and therefore LinkedIn was “authorized” to collect the information, an exception to the SCA pursuant to 18 U.S.C. §2701(c).

The complaint in Hunter v. Lenovo attempts to preempt a consent defense, alleging that “Plaintiff never agreed to any terms or conditions regarding the Superfish Surveillance Software.  Accordingly, Plaintiff never consented to Defendants’ monitoring of, access to, and/or interception of his internet communications.”  However, according to a January 23, 2015 forum post by a Lenovo administrator (since edited to link to Lenovo advisory), users had the opportunity to decline the Superfish software Terms of Use, thus disabling the software.  If this proves to be true, then it would be consistent with the court’s determination in LinkedIn that a user’s consent may serve as a defense against an SCA claim.  Unlike LinkedIn, however, the Hunter SCA claim may not be appropriate for resolution at the motion to dismiss stage because it raises an issue of disputed fact which may require discovery.

Although the suit is still pending, Lenovo has reversed course on the Superfish software.  Lenovo has disabled Superfish on computers which came pre-installed with the software, its websites offer instructions for users to uninstall the software altogether, and Lenovo computers no longer come preinstalled with the program.  While these remedial actions may be an appropriate response to user concerns, they do not constitute an admission of legal liability in the class action suit.   The defendants may still argue that users consented to the software, even as they remove it from the computers.


About Ifrah Law

Crime in the Suites is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, healthcare, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen, David Deitch, and associates Rachel Hirsch, Jeff Hamlin, Steven Eichorn, Sarah Coffey, Nicole Kardell, and Casselle Smith. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!
