Attorney General Holder Calls on Congress to Establish Strong National Data Breach Notification Standard
By Michelle Cohen, CIPP-US
Yesterday, in his weekly video address, Attorney General Eric Holder urged Congress to create a national data breach notification standard requiring companies to quickly notify consumers of a breach of their personal or financial information. In the wake of the high profile holiday season data breaches at retailers Target and Neiman Marcus, Holder stated that the Department of Justice and the U.S. Secret Service continue to work to investigate hacking and cybercrimes. However, Holder believes that Congress should act to establish a federal notification requirement to protect consumers. Holder’s video address is available here .
Currently, at least forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. As might be expected, the laws vary widely from state to state, particularly in the timing requirement for the breach notifications. Most laws allow delay to accommodate a law enforcement investigation.
Some states require notification as soon as reasonably practicable. Others require notification within 45 days. Yet organizations have faced lawsuits for failing to notify on a timely basis, even where there is no set standard. This presents a difficult situation for companies. Organizations need to investigate a data breach and determine the type of information affected, who was affected (and thus needs to be notified), and importantly, whether the breach is ongoing such that the company must immediately implement remedial measures.
Attorney General Holder believes Congress should set a national standard that will better protect consumers. Holder asserts that a federal requirement should enable law enforcement to investigate the data breaches quickly and to hold organizations accountable when they fail to protect personal and financial information. Holder’s video message did include a reference that this requirement should create “reasonable exemptions” for companies to avoid creating unnecessary burdens.
The Target and Neiman Marcus data breaches have certainly raised the profile of cybersecurity issues on Capitol Hill, with several bills having been introduced in recent weeks addressing data breaches. While the states certainly took the lead in protecting consumers by enacting data breach laws over the past several years, a properly-crafted national standard could provide more consistent guidance for industry and a uniform rule for consumers irrespective of their home states. Should Congress move forward on a data breach law, reasonable accommodations need to be made for companies to have time to investigate data breaches, to determine scope, persons affected, and the type of information affected. A national standard setting forth a notification deadline would also presumably alleviate the “rush to the courthouse” from the plaintiff’s bar with data breach notification timing allegations.
A federal court in California recently ruled that a plaintiff who was required to enter her phone number to purchase a plane ticket online had consented to receive a text message, and dismissed her claim under the Telephone Consumer Protection Act (TCPA). A plaintiff’s prior express consent is a major issue in TCPA litigation and this decision represents a victory for companies that obtain phone numbers from consumers who are purchasing goods or services from them.
The plaintiff, Shaya Baird, booked flights online for herself and her family on the Hawaiian Airlines website. During the purchase, Baird was required to enter her contact information. The website required at least one phone number, which Baird provided by entering her mobile phone number. A few weeks later Baird received a text message inviting her to reply “yes” if she wanted to receive flight notification services. Baird did not respond and she did not receive any more text messages.
Baird then filed suit alleging that Sabre, which contracted with Hawaiian Airlines to provide traveler notification services to passengers, violated the TCPA by sending her the unsolicited text message. The TCPA bars the sending of autodialed or prerecorded “calls” (which the Federal Communications Commission (“FCC”) has interpreted to include text messages) to mobile numbers without “prior express consent.” An individual’s granting of consent to receive texts constitutes an affirmative defense in a TCPA lawsuit.
Sabre moved for summary judgment on the ground that Baird consented to receive its text message when she made her flight reservation on the Hawaiian Airlines website. Baird responded that she did not voluntarily provide her cell phone number, but was instead told that she was required to enter a phone number. She further argued that she was not informed that by providing her cell phone number she was consenting to receiving text messages.
The court rejected Baird’s argument and found that although she was required to provide her phone number to book a flight on the Hawaiian Airlines website, the act of providing her phone number was a voluntary act. Baird was not forced to book a flight on the Hawaiian Airlines website. The court found that under the FCC’s interpretation of the TCPA, Baird had consented to be contacted on her cell phone about flight related matters. The court looked to the FCC’s 1992 Order implementing the TCPA to determine if the act of providing a cell phone number in connection with a transaction constitutes the required consent under the TCPA to receive autodialed calls. The court found that since it was undisputed that Baird “knowingly released” her cell phone number when she booked her tickets, under the FCC’s 1992 TCPA Order she had consented to receiving text messages.
This decision represents a victory for TCPA defendants. TCPA litigation has been increasing significantly in the past few years and recent changes have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls. While we recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, now at least one court has recognized the knowing provision of a mobile number as consent. However, companies engaging in text messaging should proceed cautiously as the new rules do impose strict requirements when it comes to telemarketing messages in particular, different from the informational text messages Ms. Baird received here. Under the new TCPA rules purely informational calls/texts and calls/texts to mobile phones for non-commercial purposes require prior express consent – oral or written. “Telemarketing” calls/texts to mobile phones require prior express written consent. Covered telemarketing calls include those made by advertisers that offer or market products or services to consumers and calls that are generally not purely informational (such as “mixed messages” containing both informational content and offering a product, good, or service for sale).
A California court ruled earlier this month that Overstock must pay a roughly $6.8 million penalty to settle claims that the retailer “routinely and systematically” made false and misleading claims about the prices of its products on its website. If upheld, this ruling could have significant effects on how companies use price comparisons in advertisements in the future.
A group of California District Attorneys sued Overstock in 2010 for $15 million, alleging that Overstock was deceptive in the way it determined and displayed price comparisons on its website. Overstock used a comparative advertising method based on price, which is commonly referred to as “advertised references prices” or “ARPs” that showed the price of a certain product on Overstock compared to the price of the same product from a different retailer. The lawsuit alleged that the ARPs that Overstock used were false or misleading because Overstock employees chose the highest price that they could find as an ARP or constructed ARPs using arbitrary formulas. The lawsuit alleged that as a result of Overstock’s method of constructing its ARPs, its savings comparisons were inflated.
A California state judge’s tentative ruling earlier this month levied civil penalties against Overstock of just over $6.8 million. The court dismissed some of the claims in the lawsuit, but found that Overstock’s pricing comparison violated the state’s laws on unfair competition and false advertising.
The court also issued an injunction that prohibits Overstock from comparison price advertising unless it is done in conformity with a lengthy set of court mandated practices outlined in the opinion. Among those requirements, the court ordered that Overstock explain its pricing more clearly on its website, including a disclosure of how it computes the price comparisons. The ruling also prohibits Overstock from setting average retail prices based on anything other than the actual retail price offered in the marketplace.
Overstock has said that they plan to appeal the court’s ruling by arguing that the court’s decision is misreading California law and is holding the company to a higher standard than other e-commerce sites. If this ruling is upheld, this could have a significant ripple effect on retail advertising for both online and brick-and-mortar businesses. Almost every state has a law regarding deceptive pricing in advertisement, and the Federal Trade Commission also has jurisdiction to pursue claims against deceptive advertising in price comparisons. Companies need to be aware if they are using comparative price advertising that those advertisements, and the formulas for determining the prices on those advertisements, will be scrutinized by government agencies.
By Michelle Cohen, CIPP-US
On January 28th, in an effort raise awareness of privacy and data privacy, the United States, Canada and 27 countries of the European Union celebrate International Data Privacy Day. Many organizations use Data Privacy Day as an opportunity to educate their employees and stakeholders about privacy-related topics. With the recent, high-profile data breaches as Target, Neiman Marcus, and potentially, Michaels, the need for training and instruction on data security is more critical than ever before. In this vein, we’ve set forth our views on what we see as the year ahead in legal developments relating to data security and what companies can do to prepare.
Legislation Introduced but on the Move?
Data security and data breaches will continue to be the focus of regulators and Congress through 2014. In fact, Congress summoned Target’s Chief Financial Officer to appear before the Senate Judiciary Committee on February 4th and a House committee is seeking extensive documents from Target about its security program. Meanwhile, Senator Leahy re-introduced data breach legislation which would set a federal standard for data breach notifications (most states now require notifications, though the requirements differ state-to-state).
Senators Carper and Blunt introduced a separate bipartisan bill intended to establish national data security standards, set a federal breach notification requirement, and also require notification to federal agencies, police, and consumer reporting agencies when breaches affect more than 5,000 persons. Many companies have suffered data breaches and then faced civil lawsuits under various causes of actions, including allegations that they did not notify customers promptly. As a result, there may be strong support for federal standards rather than facing a patchwork of state laws. While the Target breach has certainly renewed interest in data security, and we expect Congress will conduct numerous hearings, ultimate passage of data breach legislation this Congress is still probably a longshot.
Watching Wyndham Take on FTC
As covered in this blog, various Wyndham entities have struck back at the FTC, challenging the FTC’s authority to bring an action against Wyndham for alleged data security failures. The Wyndham entities claim that the FTC may not set data security standards absent specific authority from Congress. Yet, with Congress having not set data security standards thus far, the court in oral arguments seemed concerned about leaving a void in the data security area. Wyndham’s motion to dismiss remains pending in federal court in New Jersey. Most observers think the court will be hard pressed to limit the FTC’s authority under Section 5 of the FTC Act, which broadly prohibits ”unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce” and provides the FTC with administrative and civil litigation enforcement authority. The agency has used this administrative authority with great success, bringing numerous data privacy actions that usually result in settlements by companies rather than risk further litigation expenses, penalties, and reputational damage. We think the FTC will remain vigilant in this space, including attention on the security of mobile apps.
Class Actions Jump on Breaches
Whether breaches affect Sony Playstation, Adobe, Target, or some other company, the class action firms have been busy filing lawsuits based upon data breaches. For example, by year end, at least 40 suits had already been filed against Target, with seven filed the day Target disclosed the breach. The plaintiffs use various theories – including violations of consumer protection statutes, negligence, fraud, breach of contract, breach of fiduciary duty, invasion of privacy and conversion. But, if a consumer’s information was potentially breached, yet nothing happened to the consumer as a result, does that consumer have cognizable damages? That has been a huge sticking point for these lawsuits. Yet, the class action lawyers will continue to file these suits and some companies will settle to avoid further reputational damages and litigation expenses.
Don’t Count out the States
States have taken the lead in setting data breach notification standards, and in some cases data security requirements. For instance, in March 2010, Massachusetts enacted strict data security regulations. Organizations that own or license personal information of Massachusetts residents are required to develop and implement a written comprehensive information security program (“CISP”) to protect that information. Almost all of the states have standards setting forth what types of information are covered by data breaches, who gets notified, what content goes in the notifications and, the timing of the notifications. Multiple states are investigating the Target breach; certainly less well known breaches get state regulators’ attention as well. We predict the states will continue to be active regulators and enforcers of data security and data breaches, and will likely continue to “rule the roost” while federal legislation lags behind.
Preparation and Training Still Key
We’ve said before that, unfortunately, no company is immune from data breaches. Companies cannot assume that they have the best anti-malware or security features and that these other newsworthy breaches resulted from lapses that would not apply to them. Whether it is a sophisticated hacker or, more commonly, a well-meaning but negligent employee, data loss and data breaches will occur. All organizations should have procedures in place NOW to prevent data loss and to prepare for a breach. This includes IT, human resources, legal, and communications resources. Companies should designate a “data security/data breach” team with representatives from these key departments (working with outside counsel and other privacy breach specialists when needed). The team should meet periodically to review procedures, recommend improvements, and engage in periodic training on data security.
We can’t stress here enough about employee training. An employee who, for instance, wants to finish a project at home after stopping by the gym might download information that contains sensitive personal information onto a flash drive. Let’s say the gym bag gets stolen, along with the flash drive. Well, the employee’s unlucky company may now have a huge data breach situation on its hands requiring notices to customers, state attorneys general, and potential litigation and other expenses (such as paying for creditor monitoring, now industry standard). Employees need training about securing sensitive information – from shredding documents instead of putting them in the dumpster, to encrypting information that is being taken offsite, to avoiding “phishing” scams, to having unique passwords they change periodically. According to recent reports, “password” and “123456” are still among the most popular passwords. While data breaches cannot be avoided completely, we can ameliorate some risks with better practices in our organizations.
FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current
Once again using its administrative litigation process, the Federal Trade Commission (“FTC”) announced settlements with twelve large businesses, including the Atlanta Falcons and Denver Broncos football teams, the Baker Tilly accounting firm, BitTorrent, Inc., a peer-to-peer file sharing protocol, Level 3 Communications (one of the largest Internet service providers in the world), and Reynolds Consumer Products, all relating to alleged deceptive claims of U.S.-E.U Safe harbor certifications.
The “Safe Harbor” certification, overseen by the U.S. Department of Commerce, is a voluntary privacy certification; however, it requires an annual reaffirmation to maintain “current” certification status. The FTC filed complaints against these companies alleging that the organizations made statements in their privacy policies or displayed the Safe Harbor certification mark indicating that they held current Safe Harbor certifications, even though these companies had allowed their certifications to lapse. The European Commission has recently criticized what it views as lax enforcement of the Safe Harbor process in the U.S., and issued a report with recommendations for improvements. The European Commission will review its participation in the Safe Harbor framework in a decision to be issued by summer 2014.
The process is entirely voluntary. Once a company self-certifies to the Department of Commerce and Commerce reviews and accepts the filing, a company may state that it has certified compliance with the Safe Harbor. Most companies state this certification in their privacy policies. Organizations may use the Safe Harbor “seal” on their websites and elsewhere. Annually, by the anniversary of its original filing date, a company must “reaffirm” its compliance in order for its certification to remain current.
The FTC’s action this week alleges that the twelve companies stated that they held current certifications under the U.S.-E.U. (and in three cases, the similar U.S. –Swiss) Safe Harbor frameworks, when in fact the certifications were not current. Companies which have self-certified compliance with the Safe Harbor framework should check their certifications to ensure they are up-to-date with their annual reaffirmations. The Department of Commerce maintains a public database listing the status of every self-certifying company. While the annual reaffirmation is not an overly taxing task, the FTC’s settlements with these companies demonstrate that the agency is taking its Safe Harbor enforcement role seriously and that it is monitoring compliance.
While the proposed settlements do not contain monetary penalties, the companies are barred from any further misrepresentations about their participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The organizations must also maintain relevant advertisements and promotional materials for five years, and the consent order (once approved) would be in place for 20 years. The proposed settlements are subject to public comment for 30 days and then require final approval of the FTC commissioners.
In privacy law and FTC enforcement, in particular, a guiding principle is “if you say it, do it, and if you don’t do it, don’t say it.” The FTC’s action on Safe Harbor enforcement is a good lesson – companies should review their privacy policies to make sure they are up-to-date, accurate, and reflect current practices, including ensuring any certifications are up-to-date. While the U.S.-EU Safe Harbor certification is voluntary, companies must complete their annual reaffirmations on time or risk enforcement.
Things look a bit bleak for the for-profit education industry: it seems like every other day a new federal or state agency is launching an investigation or proposing new regulations. The latest news is that a coalition of 32 state attorneys general, along with the Consumer Financial Protection Bureau, is expanding a probe into lending practices at for-profit colleges. This news follows pronouncements by the Securities and Exchange Commission, the Justice Department, the Federal Trade Commission and the Federal Communications Commission of stepped-up initiatives to combat alleged predatory practices by for-profit colleges. In the midst of this full frontal assault, the industry is facing a major new regulatory scheme under the Department of Education’s impending Gainful Employment rule. What the new regulatory scheme will cover and require remains to be determined, but the released drafts of the rule portend extensive record keeping and reporting requirements. With mounting investigations and regulatory scrutiny, no wonder shares in for-profit education have been on the decline: how can these companies turn a profit in the midst of all this costly government intervention?
But the CFPB and the 32-state coalition could (unwittingly) be the industry’s knights in shining armor. The enforcement agencies’ expanded probe – along with action by the SEC, DOJ, FTC and the FCC – could provide a good argument for why the Education Department’s impending Gainful Employment rule may be redundant. Since there is so much disagreement over the Gainful Employment rule, not only over the prospective text,but also over the rule’s utility in the first place,it may be time to follow the cues of some in Congress who advocate abandoning the rule when the Higher Education Act is next up for re-authorization (this year).And if Congress could be persuaded to nix the rule, educators could allocate more resources to growth that would otherwise need to be focused on compliance with complex new regulations.
This argument initially may sound like a stretch, but consider some of the following points: (1) congressional infighting about the possible effects of the rule, (2) rule making failures as interested parties cannot come together on regulatory language, and (3) current law and enforcement actions that already address the goals of the prospective rule. There are only so many ways to skin a cat, and you can only have so many cat-skinners (poor analogical cat!).
(1) Congressional Democrats are split on whether the Gainful Employment rule would protect students or negatively impact students. Thirty Democratic members of Congress recently wrote a letter to Education Secretary Arne Duncan voicing concerns over the adverse effects a Gainful Employment rule could have on students. At the same time, 31 Democratic members wrote a letter in support of the prospective rule. During the back and forth on the Democratic side, many Republicans are advocating abandoning the rule, concerned that it would ultimately hurt students.With so much uncertainty, why press forward with a rule that has been lingering in limbo for years?
(2) While Congress members deliberate the rule’s ultimate utility, the Education Department and its panel of negotiators have slogged through several sessions of a statutorily mandated negotiated rule making. They have been unable to reach any consensus on what types of metrics to incorporate into the rule, let alone what metric ranges to use. After several months, three rounds of negotiations, and three very different drafts of the prospective rule, the Education Department is no closer to final language. The third and final round of negotiations, which occurred mid-December, highlighted the extent to which opposing sides remained polarized.
(3) The Education Department has stated that its goals for the Gainful Employment rule are to:
- Define what it means for a program to prepare a student for gainful employment in a recognized occupation and construct an accountability system that distinguishes between programs that prepare students and those that do not;
- Develop measures to evaluate whether programs meet the requirement and provide the opportunity to improve program performance;
- Protect students and taxpayers by identifying GE programs with poor student outcomes and end taxpayer support of programs that do not prepare students as required; and
- Support students in deciding where to pursue education and training by increasing transparency about the costs and outcomes of GE programs.
These goals are already being addressed in current regulations and current enforcement actions. For instance, in November the FTC released marketing guidelines directed toward for-profit colleges, advising colleges against misrepresenting, for instance, their job placement and graduation rates, graduate salaries, credit transferring, etc. The announcement was accompanied by guidelines for prospective students on choosing a school. The FTC’s guidelines send a message to the for-profit education industry: ensure integrity in your marketing and advertising or face the consequences of regulatory action. A new FCC rule, which took effect last October, restricts how for-profit educators can make recruiting calls to past, current, and prospective students.The SEC and CFPB are investigating student recruitment and private lending at various for-profit colleges for possible violations of, for instance, the Dodd-Frank Act (which prohibits violations of federal consumer financial laws and unfair, deceptive or abusive acts or practices), TILA and Regulation Z. And numerous states attorneys general have been actively investigating the industry under state laws.
The expanded probe that the CFPB and state attorneys general coalition is but a continuation of the panoply of government actions and initiatives directed at the for-profit education sector. But the probe provides an excellent basis for reconsidering the necessity of the Gainful Employment rule. The for-profit industry is not shy of regulatory oversight. All the new regulation would achieve is more cost to industry and taxpayers in compliance and compliance reviews.
As the Federal Trade Commission (“FTC”) continues to flex its consumer protection muscles by bringing numerous administrative lawsuits, industry and members of Congress are questioning whether there is a level playing field that allows companies to properly defend themselves against FTC charges. Or, as some say, does the FTC have the “home court advantage” in its role as investigator and prosecutor, armed with very broad authority under Section 5 of the FTC Act –leaving many companies to decide simply to settle rather than face the Goliath FTC. However, some companies have been bucking that trend recently and challenging the FTC’s authority (particularly in the area of regulating data security and FTC officials’ impartiality.
As background, the FTC may begin an enforcement action if it has “reason” to believe that the FTC Act is being or has been violated. Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC also enforces several other consumer protection statutes, including the Fair Credit Reporting Act, the Do-Not-Call Implementation Act of 2003, and the Children’s Online Privacy Protection Act.
Under Section 5(b) of the FTC Act, the FTC can challenge “unfair or deceptive acts or practices” or violations of certain other laws (such as those listed above) in an administrative adjudication. The way this works is the FTC issues a complaint putting forth its charges. Many companies faced with such complaints inevitably settle with the FTC, rather than endure an administrative trial. Those companies that contest the charges face a trial-type proceeding before an FTC administrative law judge. FTC staff counsel “prosecute” the complaint. The administrative law judge later issues an initial decision. Either party can appeal the initial decision to the full FTC for review.
Many observers, including the American Bar Association, have criticized this situation — where the FTC acts as both prosecutor and judge — as inherently unfair. After the FTC’s decision, the respondent organization (or individual)may appeal to a federal court of appeals. However, at this point, an extensive record has been made and this assumes an organization or individual has the resources to devote to a federal appeal. (In addition, the FTC can also bring consumer protection enforcement directly in court rather than through administrative litigation).
The FTC’s winning record in these administrative proceedings has many observers questioning the process and the FTC’s potential impartiality. House antitrust chairman Spencer Bachus (R-Ala.) called out the FTC’s apparent lack of impartiality and fairness, stating “ a company might wonder whether it is worth putting up a defense at all.”
Just a couple weeks ago, however, medical testing company LabMD went on the offense and sought the disqualification of an FTC Commissioner. Facing an administrative proceeding relating to its alleged failure to secure patient information data, LabMD moved to disqualify Commissioner Julie Brill from consideration of its case. LabMD claimed that the Commissioner made numerous statements at industry conferences prejudging its ongoing litigation. Specifically, LabMD claimed Brill stated LabMD that had violated the law, rather than indicating that LabMD was under investigation or in litigation. The FTC opposed the disqualification. However, Commissioner Brill voluntarily recused herself from the case on Christmas Eve to avoid “undue distraction” from the administrative litigation.
As the FTC litigates in several key areas – data privacy, financial services, credit repair, telemarketing – we expect administrative litigation will increase in 2014. While some companies will continue to settle to avoid continued litigation expenses and possible further detrimental outcomes, we think others will take the LabMD route and seek relief when they believe the processes are not transparent or the FTC is exceeding its authority.
New year, new resolutions. Yesterday, the FTC announced a resolution of its own: to undertake a nationwide enforcement effort to protect consumers against deceptive weight loss claims. Dubbed “Operation Failed Resolution,” the FTC’s latest enforcement effort seeks to protect consumers who face a barrage of “opportunistic marketers” promising quick ways to shed pounds. According to the FTC, these marketing tactics cause millions of dollars of consumer injuries and encourage people to postpone important changes to diet and exercise.
To announce this new initiative, the FTC held a press conference in which it identified four significant enforcement actions: (1) Sensa – a flavored powder that claims to cause weight loss when sprinkled on food; (2) L’Occitane Inc.– a skin cream that promised to shave inches off consumers’ bodies; (3) HCG Diet Direct – a product based on the human chorionic gonadotropin hormone; and (4) LeanSpa – a dietary supplement. Collectively, these four enforcement actions total $44 million in potential recovery for consumers.
All four enforcement actions shared one common thread – claims of quick and easy weight loss that were not supported by evidence. Many of the ads in question touted substantial weight loss without diet or exercise simply by using the product alone. Although some of these marketers cited clinical studies that supported their claims, the FTC said that the so-called “independent” studies were largely fabricated. The FTC also took issue with consumer endorsements, which failed to disclose that the consumers were paid for their testimonials or that the consumers were related to the owner. The FTC also scrutinized so-called physician endorsements. According to the FTC, marketers failed to disclose that their endorsers were compensated to the tune of $1,000-$5,000 and free trips.
Yesterday’s press conference is not the first time that the FTC has taken action against deceptive weight loss claims. In 2011, we reported on 10 lawsuits filed by the FTC against marketers behind the ubiquitous “1 Tip for a Tiny Belly” ads, which the FTC claimed were a scheme by marketers of diet and weight loss products to grab consumer credit card information and pile on additional, unapproved charges.
Although deceptive weight loss claims are not a new phenomenon, the FTC announced yesterday that it is taking a new approach to cracking down on these types of ads. The FTC is now encouraging media outlets that run these ads to conduct a “gut check” and turn down spots with bogus claims. Yesterday’s press conference was a call to action for both consumers and media outlets to help the FTC track down deceptive weight loss marketers, which can mean only one thing – more widespread enforcement efforts against marketers of dietary supplements. The FTC does not comment on non-public investigations and would not comment on whether these enforcement efforts would result in criminal enforcement from other agencies. One thing is for certain, however: If you make a claim about your weight loss product, you’d better be able to back it up.
ZeroAccess is one of the world’s largest botnets – a network of computers infected with malware to trigger online fraud. Recently, after having eluded investigators for months, ZeroAccess was disrupted by Microsoft and law enforcement agencies.
Earlier this month, armed with a court order and law enforcement help overseas, Microsoft took steps to cut off communication links to the European-based servers considered the mega-brain for an army of zombie computers known as ZeroAccess. Microsoft also took control of 49 domains associated with ZeroAccess. Although Microsoft does not know precisely who is behind ZeroAccess, Microsoft’s civil suit against the operators of ZeroAccess may foreshadow future enforcement efforts against operators alleged to have illegally accessed and overtaken people’s computers.
ZeroAccess, also known as max++ and Sirefef, is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine and to form a botnet mostly involved in Bitcoin mining and click fraud, while remaining hidden on a system. Victims’ computers usually fall prey to ZeroAccess as the result of a drive-by download or from the installation of pirated software. Essentially, ZeroAccess hijacks web search results and redirects users to potentially dangerous sites to steal their details. It also generates fraudulent ad clicks on infected computers then claims payouts from duped advertisers.
The Microsoft lawsuit, originally filed under seal in Texas federal court, alleges, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”) (18 U.S.C. §1030), the Electronic Communications Privacy Act (18 U.S.C. §2701), and various trademark violations under the Lanham Act (15 U.S.C. §1114 et seq.). Microsoft secured an injunction blocking all communications between computers in the U.S. and 18 specific IP addresses that had been identified as being associated with the botnet. The company also took control of 49 domains associated with ZeroAccess. Microsoft took action against ZeroAccess in collaboration with Europol’s European Cybercrime Centre, the FBI, and other industry partners. As Microsoft enacted the civil order obtained in its case, Europol coordinated law enforcement agency action in Germany, Latvia, Luxembourg, the Netherlands and Sweden to execute search warrants and seize servers associated with the fraudulent IP addresses operating within Europe.
The federal statutes on which Microsoft relied in its lawsuit may be broad enough to capture the gravamen of the complaint here. For example, the CFAA was enacted in 1986 to protect computers that there was a compelling federal interest to protect, such as those owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer related activities and there has been recent discussion on Capitol Hill of amending it further. The CFAA now prohibits accessing any computer without proper authorization or if it is used in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing plaintiffs and prosecutors unfettered discretion by allowing claims based merely on violations of a website’s terms of service. In those cases in which ZeroAccess has accessed a user’s computer entirely without permission, there will likely be no dispute about whether the CFAA applies; however, in any follow-on cases in which the authority to access the computer was less clear, Microsoft may have more difficulty in relying upon this statute.
According to Microsoft, more than 800,000 ZeroAccess-infected computers were active on the internet on any given day as of October of this year. Although the latest action is expected to significantly disrupt ZeroAccess’ operation, Microsoft has not yet been able to identify the individuals behind the botnet, which is still very much intact. Microsoft’s attack is noteworthy in that it represents a rare instance of significant damage being done to a botnet that is controlled via a peer-to-peer system. But ZeroAccess has come back to life once before after an attack on it, and it would not be surprising if it recovered from this attack as well. Unless Microsoft or Europol can identify the “John Does 1-8”referenced in the complaint, this and other botnets will keep on operating without fear of reprisal.
The big question at this point is whether Microsoft’s actions will have an enduring impact beyond ZeroAccess. Will Microsoft’s actions spur other private companies to take steps of their own to stop malicious software? That answer remains to be seen.
The U.S. Court of Appeals for the Sixth Circuit is currently hearing an appeal of a district court decision, which if upheld would have enormous ramifications for freedom of speech and the online service provider safe harbor under the Communications Decency Act (CDA).
TheDirty.com is a website run by Nik Lamas-Richie. The site allows users to submit gossip about anyone or anything and the site currently features hundreds of thousands of comments on a wide range of topics and users can also freely post comments on stories that are published on the website. Lamas-Richie then selects some of the user posts, and sometimes adds a little commentary to the user submission, which he then posts to the site. Sarah Jones, a former Cincinnati Bengals cheerleader, was featured twice on TheDirty.com including allegations that she was promiscuous and that she had a sexually-transmitted disease.
Jones then sued TheDirty.com and Lamas-Richie alleging defamation, libel and invasion of privacy. The first trial resulted in a hung jury, but in the second trial in July a jury of eight women and two men in a Kentucky federal court awarded Jones $338,000 in damages.
Typically, cases involving claims like Jones’ against websites are quickly dismissed under the CDA, which provides websites immunity from third party content. TheDirty.com filed a pre-trial motion to dismiss the case on the basis that the suit was barred by the CDA that was rejected by the district court, which held that the CDA did not offer protection because “the very name of the site, the manner in which it is managed, and the personal comments of defendant Richie, the defendants have specifically encouraged development of what is offensive about the content of the site.” The court reasoned that since the site served to encourage the comments then it was not entitled to immunity under the CDA. The CDA typically immunizes providers of interactive computer services against liability arising from content created by third parties if the provider is not also responsible in whole or in part or the creation or development of the offending content.
In August, after the jury verdict, the judge wrote a supplemental opinion reiterating the views expressed in the earlier opinion. In particular Judge William Bertelsman said that because Richie “played a significant role in developing the offensive content such that he has no immunity under the CDA.”
Richie appealed the decision to the Sixth Circuit, arguing that the case should have been dismissed because the CDA immunizes liability for users’ comments. Congress enacted the CDA to encourage website owners to actively screen, review, and moderate third party posts and to allow website operators to have the ability to remove offensive content when necessary without fear of liability. Richie argued that under the CDA website operators are free to edit, alter, or modify user-created content without losing immunity, as long as their edits do not materially alter the content’s original meaning.
Four separate amicus briefs were filed with signatories that included many of the biggest names on the Internet including Facebook, Google, Amazon, Microsoft, Yahoo, Twitter and eBay. The briefs argue that the district court ruling wrongly interpreted the CDA and that the consequences of upholding the district court’s decision would be enormous. The amicus brief submitted on behalf of Google, Facebook and others states that aspects of the district court decision “significantly depart from the settled interpretation of [the CDA] and, if adopted by this Court, would not only contravene Congress’s policies as declared in the statute, but also introduce substantial uncertainty regarding a law that has been a pillar for the growth and success of America’s Internet industry.” \
This case will be closely watched because of the far reaching consequences it would have if the district court ruling imposing liability of the website is upheld. A ruling from the Sixth Circuit that affirmed the district court’s ruling could chill the operation of online businesses that are open for users to create content. There is a long line of cases that have held that conduct similar to TheDirty.com’s in this case is protected by the CDA, but a decision from the Sixth Circuit finding TheDirty.com liable would uproot the well-established jurisprudence under the CDA.