Your business booked a large charity event. However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down. She even claims she was overcharged. You reviewed the situation and, while you disagree, you offer her a credit. She declines and instead decides to post scathing reviews on Yelp, TripAdvisor, and several other review sites. She also gets her friends to post similar reviews. You remember, however, that the booking contract this irate customer signed barred her from posting negative reviews and imposes a $200 per negative review penalty. You ring up your attorney and ask her to send Ms. Nasty Customer a demand. Your lawyer tells you there may be a problem with this approach – under a new law signed by President Obama in December, the Consumer Review Fairness Act of 2016 – form contracts restricting reviews or imposing penalties are void.
Exceptions and Carve-Outs
There are several significant exceptions to the new law, offering some protections to organizations. First, individually negotiated agreements are not covered by the new legislation. Second, Congress carved out employer-employee and independent contractor agreements from the “form contract” definition. Thus, under the new Act, employment provisions barring negative online reviews of an employer are not void. However, the National Labor Relations Board strongly disfavors restrictions on employees’ rights to discuss wages and working conditions in public forums. Further, some states may also seek to bar restrictions on online reviews. California and Maryland have already enacted laws barring non-disparagement clauses in consumer contracts.
Third, the Act does not bar an organization or individual from suing for defamation, libel, or slander. Thus, companies may still file suit over reviews containing false statements (and presumably may include a clause in a form agreement or terms and conditions addressing such statements). Fourth, the law preserves any confidentiality required by law, such as under HIPAA. Fifth, the Act expressly allows a party to remove, or to refuse to display on a website/webpage operated by that party, the content of a “covered communication”: (1) that contains personal information or the likeness of another person; (2) that is libelous, harassing, abusive, obscene, vulgar, sexually explicit, “or is inappropriate with respect to race, gender, sexuality, ethnicity or other intrinsic characteristic”; or (3) that is false or misleading. Thus, companies that host their own webpages for customer comments and interactions may remove customer reviews meeting these standards. It would also appear lawful to advise customers in company terms and conditions or form contracts that such content may be reviewed.
Congress further created a carve-out from the Act’s consumer review protections for trade secrets or commercial or financial information considered privileged or confidential, personnel and medical files where disclosure would result in an invasion of personal privacy, records compiled for law enforcement purposes, content that is unlawful, and content containing computer viruses, worms, or other damaging code.
Federal Trade Commission Enforcement
The Federal Trade Commission (“FTC”) will enforce the Consumer Review Fairness Act of 2016. State Attorneys General may also bring a civil action in federal court to obtain relief for their residents. The new law requires the FTC (within 60 days) to conduct education and outreach to businesses, including non-binding “best practices” for complying with the Act. Companies get 90 days (until March 14, 2017) before their contracts containing the now-proscribed practices are considered void.
The FTC may target a few “brand name” organizations in early enforcement actions to garner industry attention. Companies should be aware, however, that they retain the right to object to assessments that are exempted, including those that disclose confidential or personal information, or that are defamatory, misleading, obscene, vulgar, or unrelated to the products and services offered on the company’s webpage. So, while consumers cannot be penalized through a form contract for posting reviews, their rights to post are not unfettered. Contrary to the popular adage, as the Union Street Guest House learned, not all press is good press – and companies may still address false or defamatory reviews and those reviews containing other exempted content.
A famous Homeland episode involved a terrorist gaining access to the Vice-President’s pacemaker. Accessing medical devices to wreak havoc was one of the motivations behind certain provisions of the Digital Millennium Copyright Act (aka the DMCA). The DMCA makes it “illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works.” Section 1201 of the DMCA allows for exemptions to be made every three years. Recently, a number of exemptions to the DMCA’s anti-circumvention provision were adopted for numerous technologies, including personal medical devices. Although the exemptions went into effect on October 28, 2015, there were stipulations that delayed implementation until very recently. A number of safeguards remain in place, but safeguards against cybercrime in the healthcare context remain compelling.
What does this mean for patients who are using portable medical devices?
The exemption removes the barrier for researchers to set up controlled experiments aimed at identifying and addressing potential vulnerabilities in the security of these devices. The exemption relates to researching medical devices and reads as follows: “Literary works consisting of compilations of data generated by medical devices that are wholly or partially implanted in the body or by their corresponding personal monitoring systems, where such circumvention is undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system.” In order to conduct research using this type of data, the research environment must meet certain criteria. Those criteria include the following: (1) the computer program, or any devices on which the programs run, must be “lawfully acquired”; (2) during the research, the device or computer program should operate “solely for the purpose of good-faith security research”; and (3) the research must not have begun before October 28, 2016.
How does this open up the field for more research opportunities?
The exemption rule allows for “good-faith research” which is defined as “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.” What this means in the real world is that security researchers can, in a controlled manner and environment, access medical devices to search for vulnerabilities so that vulnerable software can be quickly patched. The exemption allows for researchers to publicly talk about and share details of their vulnerability research without facing legal repercussions.
Why do we need this type of research?
A cybercrime wave impacted the healthcare sector in 2016. According to TrapX, there was 63% year-over-year growth in attacks against the healthcare sector. Many of these cyber intrusions leveraged backdoors into medical devices like X-ray machines and blood gas analyzers. These devices are vulnerable to compromise because they lack the memory space necessary for cybersecurity software and are rarely updated. The dramatic ransomware attack against MedStar, which crippled its hospitals’ networks, underscored the defenselessness of the sector. The culture of the healthcare sector has been to adopt technology with minimal regard to the cybersecurity of those networks. The cybercrime community took note in 2016, and the ransomware attacks against the healthcare sector served as a canary in the coal mine. The vulnerability of medical devices poses a systemic risk to the sector’s digital health.
Historically, medical device manufacturers have been resistant to allowing outside security experts to look at their code for fear that flaws in their software will be revealed and expose them to regulatory scrutiny or lawsuits. More recently, some of the larger medical device manufacturers (e.g. Philips and Dräger) have published a coordinated vulnerability disclosure policy, which essentially invites researchers to look for software flaws in their devices, along with a public statement about how the companies will handle reported vulnerabilities. For device manufacturers it is important to note that the FDA is encouraging this type of research to increase patient safety and reduce cybersecurity threats.
Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures for the Center for Devices and Radiological Health, a division of the FDA, stated that “The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices.” On December 29, 2016, the FDA issued the final guidance “Postmarket Management of Cybersecurity in Medical Devices”. What this means is that device manufacturers may need to report to the FDA cybersecurity-related post-market modifications to devices already in the field (pursuant to Part 806 of the Food, Drug & Cosmetic Act; for device manufacturers this reporting relates to compliance with the quality system regulations). Device manufacturers need to take security considerations into account through a product’s entire lifecycle, starting with its development, to ensure proper performance and functionality if a hospital’s network is hacked. The FDA indicated that most routine updates or patches will not trigger a reporting responsibility, but the guidance leaves open the possibility that changes made to prevent or fix cybersecurity vulnerabilities will trigger reporting. As a result of this guidance, it is important for manufacturers to coordinate their cybersecurity efforts. This relatively new exemption can help foster that dialogue and introduce research into vulnerabilities to reduce the threat of future cyber-attacks on critical medical devices used by patients. In 2017, an individual’s physical well-being is going to depend on the digital health of medical devices.
What Proactive Risk Management Steps Can Be Taken in 2017 to Increase Security?
Listed below are some proactive steps that medical device manufacturers can take to decrease the risk of cybersecurity vulnerabilities and attacks. With the advent of new research into cybersecurity, the hope is that additional technology improvements will take place to allow for even further safety and evolution of security for medical devices.
Proactive Risk Management for 2017
- Require regular penetration tests of medical devices and networks which develop and utilize them.
- Deploy a DeceptionGrid.
- Deploy User Entity Behavior Analytics.
- Deploy two factor authentication (e.g. Biometrics) with contextual verification.
- Integrate Intrusion protection systems with breach detection systems.
Source: Strategic Cyber Ventures 2017
In January 2017, the Obama Administration will transfer power to the incoming Trump Administration, and Congress will convene with a Republican majority in both houses. Predictions abound as to what legislative and regulatory changes will transpire under the new administration. Earlier this month, WSJ Pro hosted a live video event to discuss how the election will impact financial regulation. Financial Regulation Editor Jacob Schlesinger moderated the discussion with two Washington financial-policy analysts: Brian Gardner of Keefe, Bruyette & Woods, and Ian Katz of Capital Alpha Partners. Both analysts expect aggressive deregulation of the financial sector according to the President-Elect’s promises during the campaign. Among the many topics covered, Gardner and Katz emphasized (i) potential changes to the Dodd-Frank Act, (ii) personnel changes at various agencies, including the Securities and Exchange Commission (SEC), and (iii) a more lenient approach to enforcement.
President-Elect Trump campaigned on a promise to get rid of the Dodd-Frank Act. Enacted in the wake of the 2008 recession, Dodd-Frank sought to limit the risks that banks can take and provided for consumer protection through the creation of the Consumer Financial Protection Bureau (CFPB). However, Gardner and Katz agree that wholesale repeal of Dodd-Frank is unlikely, partly because Republicans will have a slim majority in the Senate and, thus, may lack the sixty votes needed to end a filibuster. If Senate Democrats unite in their opposition to repeal, they can prevent a vote altogether. Gardner and Katz think it more likely that the administration will modify Dodd-Frank at the margins.
Katz expects targeted efforts in that regard. For example, he predicts that the CFPB will be weakened, but not abolished. The new administration can weaken the Bureau by replacing its current single director with a Republican appointee, or by changing its structure to that of a commission with no more than three of five commissioners from either party. Given the President-Elect’s populist message, efforts to abolish the CFPB would be politically risky: the Bureau was established to protect consumers.
The administration could also target CFPB regulations. Gardner notes that promulgated rules will likely survive, but non-final rules may be withdrawn and rewritten. For example, in June 2016, CFPB proposed new restrictions on payday lending, but they have not yet been finalized. If the proposed rules are still pending in January 2017, the new administration may scrap them in favor of less onerous restrictions.
In addition to these modifications related to Dodd-Frank, Gardner and Katz discussed personnel changes at various agencies, including the Securities and Exchange Commission (SEC). Although President-Elect Trump campaigned on a promise to “drain the swamp,” leaks from his transition team suggest he will rely to a great extent on veterans of past Republican administrations. Heading the efforts for independent regulators like the SEC, the Commodity Futures Trading Commission (CFTC), and the Federal Reserve is Paul Atkins, an ex-SEC Commissioner who disfavors regulation. Atkins almost certainly is looking for potential appointees who share his view. Gardner does not anticipate major shifts in the regulatory environment but, as Katz notes, individuals appointed to lead these agencies will set the tone and influence each agency’s enforcement priorities. Codified rules likely will remain, but agencies faced with close questions or grey areas of the law will probably resolve them in favor of industry.
All that said, President-Elect Trump’s candidacy did not unfold as many predicted. It will be interesting to see whether and how these expected changes to financial regulation materialize under the new administration.
The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog to help companies in the immediate aftermath of a data breach. The FTC also provides a model data breach letter to notify individuals of a breach. The agency – which views itself as the nation’s primary “privacy police” – has faced scrutiny from private parties and courts for allegedly enforcing privacy and data security standards without promulgating specific rules. The agency instead favors outreach efforts, such as its blogs, guides and roundtables, to educate industry and the public regarding what it views as best practices.
In this vein, the Guide and the model letter are not a “safe harbor” but offer suggestions on important steps that organizations can follow once they discover data breaches. The FTC emphasizes that the Guide does not pertain to the actual protection of personal information or prevention of breaches, because the agency has already issued separate guidance documents on those subjects. In fact, the FTC also recently updated its guide on protecting personal information.
Following a data breach, the Guide suggests key steps organizations can take, which include:
- Mobilizing the company’s breach response team to prevent further data loss – the team may include legal, information security, IT, human resources, communications, investor relations, and management; companies may consider hiring an independent forensics team;
- Securing physical areas – lock any physical areas affected by a breach; consider changing access codes;
- Taking affected equipment offline immediately – monitor all entry and exit points, and update authorized users’ credentials and passwords;
- Removing improperly posted information from the company’s website, for instance in a situation where personal information affected by the breach is posted on the company’s website. The FTC also advises companies to search the Internet to see if breached information has been posted on other websites and to contact the owners of those websites;
- Protecting evidence – the FTC reminds companies to retain forensic evidence (i.e., do not destroy it);
- Documenting the investigation, including interviewing people who discovered the breach and making sure employees (such as customer service representatives) know where to forward information that might assist the company in its investigation;
- Examining service provider relationships, to determine if providers have access to personal information and whether provider access privileges should be changed;
- Determining whether data was encrypted at the time of the breach (note: encryption may obviate the need for data breach reporting in many states);
- Implementing a communications plan that explains the data breach to employees, customers, investors, partners, and others such as the press. The FTC recommends “plain English” answers on a company’s website;
- Following legal requirements – such as state data breach notifications and notifying law enforcement;
- Offering at least a year of free credit monitoring – while not required, free monitoring has become standard and most regulators and consumers expect to see the offer in data breach notifications.
As to data breach notification letters, in addition to following the requirements of state laws, the FTC urges companies to advise people what steps they can take, based on the information exposed. When a breach compromises social security numbers, individuals should be directed to contact the credit bureaus to request fraud alerts or credit freezes. Since some scammers pounce on data breach victims, the FTC counsels organizations to tell consumers how they will be contacted going forward. For instance, if the company will never contact individuals by phone, the company should tell consumers that – so individuals can detect telephonic phishing schemes.
The FTC encourages businesses to use the Guide and its accompanying materials to educate employees and customers, such as through newsletters and websites. However, when facing an enforcement action or a lawsuit, will a company’s compliance with the Guide offer any relief from FTC or state Attorney General penalties or assist organizations in their defense in private data breach lawsuits? Ultimately, the crux of breach liability usually relates to how it occurred, but taking swift, corrective actions following a breach should aid an organization when dealing with regulators and third parties by showing good faith actions to prevent further damages. Conversely, a company that fails to take corrective actions can exacerbate a breach and further negatively impact affected individuals and the organization.
The FTC’s Guide and accompanying materials are helpful references, particularly for smaller businesses. As a practical matter, the advice I give companies facing a possible data breach is, first, to take the time to determine what happened, how it happened, whether the breach continues, and what you can do to prevent it in the future. While several states require reporting within a set number of days (e.g., 45), the laws allow organizations time to conduct factual inquiries, take corrective measures, and prepare to notify affected individuals. Organizations should not rush through these key steps. Second, communication is key. A company facing a breach should develop a clear, consistent statement regarding the breach, the steps being taken and a single contact point. The lack of a communication plan or a consistent message can cause a huge loss of customer and employee confidence and raise regulators’ interest. Third, when preparing data breach notifications, organizations should note that it is likely that the letter will become public due to some states’ open records laws. Numerous websites exist that track and publicize data breaches based upon information in the notifications – often including copies of the actual letters. Companies should not assume that regulators and consumers simply file the letters away. While your organization cannot prevent the publicity, having a clear, concise data breach notification that meets each state’s requirements without providing excess data will help the company through the process and associated publicity.
As Halloween has people thinking of ghosts and ghouls, creative plaintiffs’ attorneys have turned an arcane New Jersey law into a true source of fright for virtually anybody who offers services that are even potentially available within the Garden State.
The law at issue is the New Jersey Truth in Consumer Contract, Warranty, and Notice Act (“TCCWNA”), which was enacted in 1981 with good intentions: to prevent businesses from advertising terms that violate state law in order to cow consumers into doing business under those terms even though they were unenforceable. For example, a storage space rental company might violate the law by requiring a consumer to release it from liability for personal injuries on company property, even though such a waiver is unenforceable under New Jersey Law. The statute provides seemingly modest damages of $100 per violation.
But the TCCWNA does not require a consumer to actually have been hurt by any illegal term or provision and, in fact, it allows for a cause of action to be brought even by a mere “prospective consumer.” In 1981, this likely made little difference to brick-and-mortar businesses, for whom the only individuals who may have seen a violative contract or term would be those who sought it out. But in the age of the Internet, everybody is a potential consumer, and one may shop for dozens of products from the comfort of one’s own desk in a single afternoon. Each time that one of these individuals views the website and, even theoretically, considers purchasing a product or service, that individual becomes a potential plaintiff under the TCCWNA.
This has opened the door to suits against virtually any retailer that has a website that can be accessed in New Jersey—unless the terms offered by such retailers are fully compliant with New Jersey law or clearly indicate what provisions would be invalid in New Jersey, there is a chance that those retailers could be found to violate the TCCWNA. And although statutory damages of $100 may not seem scary, those damages are awarded on a per-violation—that is, per-consumer—basis. And plaintiffs’ attorneys have begun to bring class actions alleging that every single New Jerseyan who has accessed a given website is a “potential consumer” under the statute, opening the door to potentially massive liability.
The news is not all bleak: a federal judge in New Jersey recently dismissed a TCCWNA case against the car rental company Hertz relying on a recent Supreme Court case that bars lawsuits by plaintiffs who have suffered no more than a “bare procedural harm” without any real injury. But it is not yet clear if other judges will follow suit, and even if they do, that ruling will not help defendants who may find themselves stuck in state court. Until the courts or the New Jersey legislature provide clearer and more meaningful protection, businesses may find themselves being forced to comply with New Jersey law no matter where they may be located.
The Federal Acquisition Regulation final rule implementing the “Fair Play and Safe Workplaces” Executive Order 13673 was issued on August 25, 2016, and the rule goes into effect on October 25, 2016. This new regulation presents a significant change – and potential challenge – for major government contractors.
President Obama signed Executive Order 13673, often referred to as the “Blacklisting” order, on July 31, 2014. The stated goal of the order is to “increase efficiency and cost savings in the work performed by parties who contract with the Federal Government by ensuring that they understand and comply with labor laws.” On their face, the Order and regulations provide new instructions for Federal contracting officers to consider a contractor’s compliance with certain Federal and State labor laws as a part of the determination of contractor “responsibility” that contracting officers must undertake before awarding a Federal contract. But what do the Blacklisting Order and the final rule really do?
Mandatory Reporting of Labor Law Violations
The new rule imposes significant reporting obligations on federal contractors during the procurement process. Ultimately, contractors and subcontractors will need to report three years of labor law violations once the rule is fully in effect. Labor law violations encompass violations of the Fair Labor Standards Act, the Occupational Safety and Health Act, Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, and ten other federal laws and orders. According to the final rule, there are three types of actions that constitute reportable violations: “administrative merits determinations,” arbitral awards or decisions, and civil judgments. Contractors must supply basic information about the violation, including the nature of the violation and identifying information, and also have the option of submitting evidence of mitigating factors and remedial measures. This information will be stored on a publicly available, searchable website.
Because this reporting is a significant burden, there is a phase-in period to allow companies to get up to speed. When the rule becomes effective on October 25, 2016, the reporting requirements will only be effective for procurements of $50 million or more and only for prime contractors. But after six months, on April 25, 2017, contractors bidding on prime contracts of $500,000 or more will need to make the relevant disclosures. On October 25, 2017, subcontractors become subject to the rule as well. Additionally, while the reporting time frame is ultimately the three preceding years, for the first year the rule is in effect, reporting will only reach back for one year. The reporting window will be expanded by a year each year thereafter, until the three-year reporting period is completely phased in on October 25, 2018.
New Paycheck Transparency Requirements
The Blacklisting Order and final rule also institute requirements for contractors in how they communicate wage information to workers. As of January 1, 2017, contractors and subcontractors must provide a detailed wage statement, including hours worked, overtime hours, rate of pay, and any additions made or deductions taken, to every worker performing under a federal contract. Additionally, prior to beginning work, the contractor must indicate to the worker whether they will be considered an employee or an independent contractor, and if an employee, whether they are exempt or non-exempt. These notifications must be provided to workers in English and any other language used by a “significant portion” of the workforce.
Restrictions on Pre-dispute Arbitration
On the same date the reporting requirements begin the phase-in process – October 25, 2016 – the requirements surrounding arbitration agreements will go into full effect. Companies with federal contracts or subcontracts of $1 million or more may not require workers to enter into pre-dispute arbitration agreements for disputes based on Title VII claims or torts related to sexual assault or harassment. The only exception will be for employees covered by a collective bargaining agreement that has negotiated the contract with an agreement to arbitrate prior to the contractor bidding on the covered contract.
The Government’s Obligations Under the New Rule
Under the new rules, the Government has obligations as well. Each agency must designate an Agency Labor Compliance Advisor (“ALCA”) to implement the reporting program. The ALCA will be the central point of contact for the agency and all matters related to Blacklisting reporting. This includes helping contractors achieve compliance with the rules and recommending labor compliance agreements. On the date the rule goes into effect, the Department of Labor will release a list of the ALCAs and their contact information.
Not the First Attempt at Blacklisting
President Bill Clinton tried this once before. On December 20, 2000, just weeks before the end of his final term, he issued similar blacklisting rules. These rules would have required federal contractors to certify whether they violated any federal, state, or foreign labor, employment, tax, environmental, antitrust, or consumer protection law in the prior three years. A violation was defined as any incident running afoul of the various laws supported by “pervasive evidence.” That is, no formal ruling or determination of liability had to have been made to create a reportable violation. Further, contracting officers would have had complete authority to determine if the violations disqualified the contractor from reporting and were not obligated to allow bidding contractors an opportunity to respond to potentially disqualifying violations.
While the temporal element is the same as the current rule, the list of reportable violations far exceeded the list of labor law violations as contemplated now. Contractors and various industry groups aggressively opposed the 2000 proposed rule, and several lawsuits were filed in an attempt to block implementation. Nonetheless, the rule went into effect on January 19, 2001 – the day before President Clinton left office. However, in March 2001, President George W. Bush ordered suspension of the rule and began the process for overturning it. By the end of 2001, the Bush Administration had successfully revoked this rule.
Next Steps for Contractors
Contractors shouldn’t expect the 2016 rule to meet the same fate as the 2000 version. While both rules bear some similarities, the current rule is much narrower and better defines what constitutes a reportable violation. Some industry groups have publicly contemplated lawsuits against the 2016 rule, but none have been filed yet. With the looming deadline, contractors should start making plans to establish a compliance regime.
While compliance with labor laws is a worthy goal, the new regulation also will have significant costs. It reduces an employer’s ability to require arbitration, which likely will result in increased, costly litigation and possibly class action litigation if future labor disputes arise. Similarly, for existing disputes decided in arbitration, it eliminates the benefit of confidentiality by requiring public disclosure concerning any adverse award.
The new regulation does provide some additional compliance options for contractors in advance of official implementation. Companies may undergo a voluntary preassessment by the Department of Labor. Beyond helping companies become acquainted with the rules, participation in this program will be considered a mitigating factor in future acquisitions. The preassessment, however, the DOL may require companies to enter into labor compliance agreements.
Federal contractors should start taking internal steps to ensure compliance in advance of the effective dates. Companies should work with their internal teams, including legal, human resources, and IT support, to ensure that the necessary records are being kept and to design a reporting and monitoring program for the future. Companies should also review their new hire policies, to ensure that proper notifications are made to all workers in the required languages.
While this is a final rule and set to go into effect in the coming weeks, the matter is far from settled. Legal challenges to the rule once implemented may arise in the courts. And, as with any new rule, the devil is always in the details, so companies will likely not know the full impact of the rule until attempting compliance during the procurement process.
The Consumer Financial Protection Bureau (CFPB) has proposed a new rule to regulate payday lending and auto-title loan companies. Right now, it is merely a proposal, meant to undergo the notice and comment period until September 14, 2016. But if the rule goes into effect, it would be a significant imposition on the lending business.
The CFPB has been studying the effects of payday lending on consumers for years and found that many consumers struggle. They cannot repay their loans, so they take out new ones and incur significant penalties and fees. Or, they default on repayment altogether. The new rule tries to reduce this by regulating the people who issue those loans.
In theory, the rule would affect two types of loans: those with a term of 45 days or less, and those with a term of more than 45 days but with certain specifications, like an all-in annual percentage rate above 36% and a consumer’s bank account or vehicle for collateral. Before issuing either loan, a lender would have to determine if the borrower can repay it without re-borrowing in the following 30 days. To determine this, a lender would assess the borrower’s income, debt obligations, and housing costs; project them over the life of the loan; and forecast non-housing living costs.
The rule would also restrict how lenders can collect repayment. Today, lenders are allowed unlimited tries to withdraw from an indebted borrower’s bank account, but the new rule would stop them after the second attempt that fails due to insufficient funds.
Because the rule has not been approved yet, affected borrowers and lenders can speak out against or in favor of it. Richard Cordray, the director of the CFPB, has promised that the Bureau “will continue to listen and learn” as comments come in. Sourcing from the industry is the best way to create a rule that protects consumers and helps lenders continue to provide so vital a lifeline.
Recently, I wrote about the CFPB’s plans to issue new regulations restricting arbitration clauses in certain consumer contracts. Today, the agency announced those new rules and CFPB Director Richard Cordray is expected to discuss them at the agency’s field hearing in Albuquerque, New Mexico. As expected, the new rules eliminate the use of class action waivers and otherwise restrict the availability of arbitration in consumer contracts, including those involving credit transactions, automobile leases, debt relief services, consumer depository accounts, check cashing, credit monitoring/reporting, and debt collection. The CFPB admits that it intends to “incentivize” greater legal compliance through the “in terrorem” deterrent impact of the new rules. In other words, the CFPB wants the prospect of increased class action litigation to scare companies into treating consumers better.
The new proposed rules are available at the CFPB’s website along with over 350 pages of supplementary information explaining the proposed rulemaking. The CFPB proposal prohibits “companies from putting mandatory arbitration clauses in new contracts that prevent class action lawsuits.” See Proposed § 1040.4(a). Companies would still be able to include arbitration clauses in their contracts, but could not restrict access to class litigation and the arbitration provisions must include specific language provided by the CFPB.
In addition, in practical terms, the CFPB has just designated itself as the overseer of U.S. arbitral bodies, in direct contrast to existing laws and rules that provide very limited court oversight and review of arbitration decisions. The proposed rules would require covered companies to submit detailed information about any of their consumer arbitrations to the CFPB. See Proposed § 1040.4(b). The CFPB states that it will gather, and may publish, this data so that it may gain “insight into whether companies are abusing arbitration or whether the process itself is fair.” Although the rule provides for redaction of personal information, this new practice threatens to undermine the confidential nature of arbitrations and thereby limit one of arbitration’s principal benefits. It is not yet clear how the CFPB might conclude that consumer arbitrations are “unfair” or what it might do in response to such a determination.
Regardless of whether the proposed regulations will succeed in scaring companies into greater legal compliance, if the rules become effective, companies should expect a marked increase in consumer class action litigation. The newly announced regulations are not final, however, and interested parties will have an opportunity to comment before the rules become effective. Interested parties have 90 days from the publication of the proposed rule in the Federal Register to comment and we expect multiple objections from the financial industry this summer. The comments likely will include practical examples of the benefits of consumer arbitration provisions, critiques of the agency’s study of consumer arbitration that formed the basis of the proposed regulations, and proof of the detrimental impact that an increase in class actions will have on the business community, especially on smaller businesses. Any potentially covered company should consider commenting on the CFPB proposed regulations, either directly or through trade associations.
Once the rules are final, companies will only need to comply with the new regulations prospectively; the provisions of the Dodd-Frank Act authorizing the CFPB to regulate arbitration provide that any new rules will be binding 180 days after their effective date. So any arbitration agreement entered into prior to, or within six months of, the new rule’s effective date is not subject to the new restrictions. This gives potentially covered companies some breathing space to review and, if necessary, modify their existing contracts.
Although many in Congress do not support the newly proposed rules, given current political realities, there are unlikely to be any legislative changes to the proposed rules or the CFPB’s authority. As a result, we expect that something close to the proposed rule will become effective later this year. Following that, there likely will be multiple court challenges to the new rules and the CFPB’s authority to issue them. In the meantime, all potentially affected companies should:
- Review their existing contracts and arbitration programs to determine whether their existing contract forms would violate the proposed regulations;
- Prepare alternative contract language if existing forms will no longer be permitted; and
- Consider whether their existing pricing structure and litigation positions make sense in the coming world.
Whatever the goal, companies are unlikely to be scared into greater legal compliance; most companies already strive to comply with the law. We anticipate that the CFPB’s proposed rules will have many unintended consequences. In the short term, the increase in class action litigation will be a boon for many lawyers. Consumers with legitimate claims, however, may find that the class action process results in smaller payouts over which they have less control. And as companies adjust to this new environment, they will pass on the increased costs of increased class litigation to customers and likely will further tighten credit standards and product availability to reduce potential claims.
* * *
Under Section 9 of the Federal Arbitration Act, a court must confirm an arbitration award unless it is vacated, modified, or corrected in accordance with Sections 10 and 11.5 of the FAA, i.e. where the award was procured by corruption, fraud, or undue means or there was an evident material miscalculation or mistake in the award.
For example, companies may wish to withdraw from the American Arbitration Association’s Consumer Clause Registry. For that matter, the AAA and similar arbitral organizations are sure to lose significant business as the consumer arbitration market is sure to shrink significantly if the new rules become effective.
In March 2015, I wrote about the ongoing dispute between the FTC and LabMD, an Atlanta-based cancer screening laboratory, and looked at whether the FTC has the authority to take enforcement action over data-security practices alleged to be insufficient and therefore “unfair” under section 5(n) of the Federal Trade Commission Act (“FTCA”). On November 13, 2015, an administrative law judge ruled that the FTC had failed to prove its case.
In 2013, the FTC filed an administrative complaint against LabMD, alleging it had failed to secure personal, patient-sensitive information on its computer networks. The FTC alleged that LabMD lacked a comprehensive information-security program, and had therefore failed to (i) implement measures to prevent or detect unauthorized access to the company’s computer networks, (ii) restrict employee access to patient data, and (iii) test for common security risks.
The FTC linked this absence of protocol to two security breaches. First, an insurance aging report containing personal information about thousands of LabMD customers was leaked from the billing manager’s computer onto peer-to-peer file-sharing platform LimeWire, where it was available for download for at least eleven months. Second, Sacramento police reportedly discovered hard copies of LabMD records in the hands of unauthorized individuals. They were charged with identity theft in an unrelated case of fraudulent billing and pleaded no contest.
Incriminating as it all might seem, Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint entirely, citing a failure to show that LabMD’s practices had caused substantial consumer injury in either incident.
Section 5(n) of the FTCA requires the FTC to show that LabMD’s acts or practices caused, or were likely to cause, substantial injury to consumers. The ALJ held that “substantial injury” means financial harm or unwarranted risks to health and safety. It does not cover embarrassment, stigma, or emotional suffering. As for “likely to cause,” the ALJ held that the FTC was required to prove “probable” harm, not simply “possible” or speculative harm. The ALJ noted that the statute authorizes the FTC’s regulation of future harm (assuming all statutory criteria are met), but that unfairness liability, in practice, applies only to cases involving actual harm.
In the case of the insurance aging report, the evidence showed that the file had been downloaded just once—by a company named Tiversa, which did so to pitch its own data-security services to LabMD. As for the hard copy records, their discovery could not be traced to LabMD’s data-security measures, said the ALJ. Indeed, the FTC had not shown that the hard copy records were ever on LabMD’s computer network.
The FTC had not proved—either with respect to the insurance aging report or the hard copy documents—that LabMD’s alleged security practices caused or were likely to cause consumer harm.
The FTC has appealed the ALJ’s decision to a panel of FTC Commissioners who will render the agency’s final decision on the matter. The FTC’s attorneys argue that the ALJ took too narrow a view of harm, and that a substantial injury occurs when any act or practice poses a significant risk of concrete harm. According to the FTC’s complaint counsel, LabMD’s data-security measures posed a significant risk of concrete harm to consumers when the billing manager’s files were accessible via LimeWire, and that risk amounts to an actual, substantial consumer injury covered by section 5(n) of the FTCA.
The Commissioners heard oral arguments in early March and will probably issue a decision in the next several months. On March 20th, LabMD filed a related suit in district court seeking declaratory and injunctive relief against the Commission for its “unconstitutional abuse of government power and ultra vires actions.”
In the past few years, many organizations such as Capital One, Bass Pro Outdoor, and the Cosmopolitan Hotel have faced class actions alleging violations of California’s call recording law. This week, California’s Attorney General demonstrated that her office, working with state prosecutors, will also vigorously enforce the law under the state’s criminal statutes. Attorney General Harris announced an $8.5 million settlement with Wells Fargo Bank, N.A. over the alleged failure to provide call recording announcements to California consumers.
The complaint alleged violations of Sections 632 and 632.7 of California’s Penal Code, including the purported failure of Wells Fargo’s employees to “timely and adequately disclose the recording of communications with members of the public.” These laws form part of California’s Invasion of Privacy Act. Section 632 makes it illegal to eavesdrop (monitor) or record a “confidential communication” without the consent of all parties. The statute defines a “confidential communication” as including “any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto.” The law specifically excludes communications in circumstances “in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.” Section 632.7 bars the recording of cell phone conversations without the consent of all parties.
Wells Fargo Bank settled the case, agreeing in a stipulated judgment to the $8.5 million settlement and certain compliance requirements. Specifically, Wells Fargo must make a “clear, conspicuous, and accurate disclosure” to any consumer in California of the fact that Wells Fargo is recording the call. The settlement requires that this disclosure occur “immediately at the beginning” of the call, but allows Wells Fargo to precede the disclosure with an introductory greeting identifying the customer service representative and the entity on whose behalf the call is made (presumably, a Wells Fargo-affiliated entity). Wells Fargo also committed to a compliance program for one year and periodic internal testing of its employees’ and agents’ compliance with the call disclosure requirement. The bank agreed to appoint an officer or supervisor with specific oversight responsibility for compliance with the settlement obligations. Within a year following the stipulated judgment, Wells Fargo must provide the Attorney General with a report summarizing the testing.
Interestingly, the Attorney General previously pursued a similar action against home improvement platform Houzz Inc. for allegedly failing to notify all parties of its recording of incoming and outgoing telephone calls. In that case, Houzz agreed to appoint a Chief Privacy Officer to oversee Houzz’s compliance, a first for a California Department of Justice settlement.
As we have advised before, all organizations recording calls – whether inbound or outbound – should immediately disclose to called parties that the call is being recorded. The disclosure should occur at the outset of the call. One type of introduction could be, “This is Michelle, calling on behalf of XYZ Company. This call is being recorded and/or monitored.” Some companies may wish to announce the option of a non-recorded line, available via a key press. It is also important to time the recording to begin after the announcement, to avoid potential liability based on even a few seconds of a recorded call before an announcement is given.
A few important reminders are worth repeating:
- The announcement requirement applies to inbound and outbound calls, including requested return calls.
- Recording announcements apply to all types of calls – not just sales calls.
- Maintain proof of the announcement.
- Implement a short, written call recording policy.
- Train customer service representatives to understand the call recording policies.
- Periodically “test” call recording procedures.
- Promptly investigate any call recording complaints and take appropriate corrective action.
- Have customer service representatives sign an acknowledgment that they understand they are being monitored and/or recorded.
The recording of customer service and other calls is an important component of preventing fraud, fulfilling legal requirements and augmenting customer service, among other purposes. Companies can implement call recording effectively, but must comply with announcement requirements and should take proactive measures, such as training and testing, to protect against civil and criminal liability and to safeguard consumer goodwill.