We’ve all heard the statistics showing obesity rates rising in the U.S. year after year. Most of us are well aware of the billion dollar diet and weight-loss supplement industry to which millions turn with the hope of finding that one “miracle pill” to help them lose that stubborn belly fat or get rid of those unsightly love-handles. Advertisers should be aware that the Federal Trade Commission has taken an interest in advertising involving weight loss claims. In a 2011 study, the FTC concluded that weight loss product false advertising is the most common type of consumer fraud. More recently, the agency testified on the issue during a June 17, 2014 hearing before the Senate Subcommittee on Consumer Protection, Product Safety, and Insurance, in addition to several witnesses from the advertising industry.
In addition to the FTC representative, witnesses who testified at the hearing included the CEO of a natural products non-profit organization, and the president of the nation’s advertising self-regulatory body. However, one witness received the most attention and the toughest questions from Subcommittee Chair, Senator Claire McCaskill, regarding the problem of deceptive advertising of weight-loss products: television personality, and Oprah-favorite, Dr. Mehmet Oz.
When asked who the most popular television personality is when it comes to talking about green coffee bean extract, raspberry ketones, pure garcinia cambogia, or just weight loss products in general, there’s a good chance that the majority of Americans would name Dr. Oz. Despite his former days as the go-to doctor of Oprah’s talk show, and the celebrity he has become through the popularity of his own daytime television show, Senator McCaskill’s tone revealed how unimpressed she is by Dr. Oz’s “flowery” language, the adjective he used at the hearing to defend his enthusiastic statements when promoting the use of unproven weight-loss products. The Senator expressed her concern with the overreaching statements often made by the doctor, specifically his use of the words “magic” and “miracle” to describe the products he endorses on his show.
To be fair, Dr. Oz is by no means the only source of flowery language when it comes to weight-loss products. Surf the web for five minutes and at least one advertisement for an all-natural weight-loss supplement that melts away fat in a matter of days will have flashed on your screen. And in his defense, Dr. Oz does not appear to promote specific product brands on his show. He also generally adds that any weight-loss enhancement product must be supplemented by a healthy diet and regular exercise. But to Senator McCaskill and the FTC, the problem is too serious not to make an example out of Dr. Oz, especially in light of the fact that some advertisers misleadingly use the Dr. Oz name brand (among others) for product promotion. Voltaire’s saying that with great power comes great responsibility was used more than once at the hearing.
Besides the scolding of one celebrity voice, the FTC appears to have a three-fold strategy for cracking down on what it views as misleading advertising practices.
First, the agency’s law enforcement efforts have included more than 80 weight-loss enforcement actions over the last 10 years, in addition to over $100 million amassed in consumer restitution, and that’s just since 2010. In January of this year, the FTC had its own New Year’s resolution with regard to fighting back against newer fraudulent weight-loss fads, appropriately named “Operation Failed Resolution.”
Second, the FTC also recently delivered a “Gut Check” to respected media outlets: a reference guide containing a list of fraudulent claims often used by those advertising weight-loss products. The goal of the guide is to encourage media outlets to carefully consider whether or not the endorsement of such ads is advisable.
Third, the FTC has issued numerous consumer education resources to teach and inform the public about exaggerated weight-loss product claims. Also, the same day it testified at the Senate Subcommittee hearing, the agency launched an interactive “Challenge” video and game, with the goal of helping consumers understand what’s true and what’s not when it comes to weight-loss products claiming guaranteed results without the added components of diet and exercise.
The FTC’s extensive program to fight what it views as weight-loss scams and fraudulent advertising, in addition to the Subcommittee’s admonishment of “America’s Doctor,” demonstrates that truth in weight loss advertisements remains a top priority for federal regulators and legislators. Organizations offering weight loss products should review their advertisements – whether on the Internet, in print advertisements, or elsewhere – for any potentially unsubstantiated claims. The FTC will remain vigilant regarding health and fitness claims. Advertisers need to be similarly vigilant, because there’s no magic pill that prevents expensive enforcement actions and lawsuits.
Career Education Corporation, like a host of other for-profit education companies, has found itself spinning on the courthouse revolving door. The latest legal challenge for CEC: a False Claims Act suit filed in federal court in New Jersey on May 16. The lawsuit alleges that CEC defrauded the federal government by (1) falsifying job placement statistics to exaggerate the number of graduates working in their fields of study, (2) misrepresenting accreditation status of some of its programs to remain eligible for federal funding, (3) admitting students who did not have high school diplomas or GEDs, could not speak English, or were mentally handicapped, and (4) paying bonuses to admissions staff based on enrollment numbers. Many of these allegations are familiar to CEC as well as others in the industry. Unfortunately CEC – like many other for-profit education companies – just can’t seem to free itself from the yoke of enforcement agencies and plaintiffs’ attorneys.
Last August, CEC entered a settlement agreement with the New York Attorney General’s office following an investigation into allegations of inflated job placement rates and allegations of inadequate disclosures regarding accreditation status. That agreement cost CEC $10.25 million and imposed significant reporting requirements.
The allegation of inappropriate incentive compensation for college recruiters is a popular basis for lawsuits against the for-profit education industry. In May, the Department of Justice filed a False Claims Act suit against Stevens-Henager College, Inc. for allegedly illegally compensating recruiters. These suits follow similar False Claims Act suits filed against the University of Phoenix (which settled in 2009 for a whopping $67.5 million, plus $11 million in attorneys’ fees) and Oakland City University (which settled in 2007 for $5.3 million) for their incentive compensation structures. There is also a pending False Claims Act case against Education Management Corporation with claims that largely mirror those faced by CEC.
Unfortunately for CEC and its fellow for-profit educators, settling with one entity does not necessarily mean freedom from future suits by other regulators or supposed whistleblowers. The more common scenario follows the camel’s nose under the tent: once an investigation is initiated – and publicly announced – follow-on actions ensue. The host of False Claims Act cases against the industry is a perfect example.
Part of the problem is the nature of False Claims Act cases. These suits, which are brought on behalf of the federal government by private plaintiffs (known as “relators”), are intended to help root out fraud against the government. Whistleblower relators are given incentive to file claims as they can receive significant compensation should the lawsuit succeed (or settle). For instance, the whistleblowers in the U. Phoenix settlement received $19 million in compensation; the whistleblower in the Oakland City U. settlement received $1.4 million.
The concept of False Claims Act cases seems laudable – the government cannot possibly keep track of all fraudulent claims it pays out to government contractors and other recipients of federal funds; having private actors with personal knowledge come forward to help address the problem should save the government significant sums. But the host of False Claims Act cases against the for-profit education industry defendants has produced little new or damnable information. When False Claims Act cases are brought after the news of alleged problems breaks, or after an investigation is launched, the benefit to the government is substantially diminished. The lawsuits become more about economic opportunity for enterprising litigators and relators.
Sprint Gets a Wallop of a Reminder – Company-Specific Do Not Call Lists Still Matter – $7.5 Million Record Do Not Call Consent Decree
Yesterday, the Federal Communications Commission (“FCC”) announced a consent decree with Sprint Corporation for federal do not call violations. Specifically, under the terms of the agreement, Sprint will make a $7.5 million “voluntary contribution” to the United States Treasury. This payment represents the largest do not call settlement reached by the FCC. Sprint also agreed to various ongoing compliance initiatives, including enhanced training and reporting requirements. Importantly, the action also serves as an important reminder on an often overlooked section of the do not call rules – the requirement that companies maintain and abide by “company-specific” or internal do not call lists.
Under the federal do not call rules, organizations making telemarketing calls to residential customers (including mobile phones) are required to scrub the federal do not call database before initiating those calls, unless the calls meet certain exceptions – the called party has an existing business relationship (“EBR”) with the caller or has provided prior express consent for the calls, or the call is from a tax-exempt non-profit. Of course, as we have written before, there are additional requirements for autodialed or prerecorded calls to mobile phones and prerecorded telemarketing calls to residential lines.
Another, sometimes overlooked requirement is that companies making permissible calls (for instance, after scrubbing the do not call database or with an existing business relationship or prior express consent) must maintain an internal, company-specific do not call list where companies log individuals’ subsequent requests not to be called. In other words, even if a consumer has an existing business relationship or has given prior express consent to be called, once the consumer tells the company not to call again, that request trumps the existing business relationship/prior consent or the do not call scrub. This company-specific do not call request must be implemented within 30 days and honored for five years from the date the consumer made the request. (The federal do not call registration, in contrast, lasts indefinitely). A company must also have a do not call policy, available upon request.
In 2009, the FCC investigated Sprint for do not call violations relating to the company-specific do not call list. Sprint subsequently settled that enforcement action in 2011 through a consent decree (which included a $400,000 payment). The decree required Sprint to report to the FCC’s Enforcement Bureau, for two years, any noncompliance with the consent decree or the FCC’s company-specific do not call rules.
In March 2012, Sprint disclosed to the FCC that it had discovered additional issues involving human error and technical malfunctions relating to Sprint’s or its vendor’s do not call processes that caused potential noncompliance with consumers’ do not call or do not text preferences, or prevented the timely capture of the preferences. Sprint represented that it had subsequently implemented improvements in its do not call data management systems. It had also ceased telemarketing and text campaigns to investigate the issues. The FCC investigated Sprint’s do not call compliance and ultimately entered into this record-setting $7.5 million settlement.
Under the terms of the consent decree, in addition to the settlement payment, Sprint will designate a Compliance Officer to administer a new compliance plan and to comply with the consent decree. Sprint also must implement a compliance manual which will instruct “covered personnel” (including Sprint personnel and independent contractors who provide telemarketing services for Sprint) on Sprint’s do not call policies. The consent decree further requires Sprint to establish and maintain an annual compliance training program, and to file several compliance reports with the FCC at designated time frames. Significantly, Sprint acknowledges that actions or inactions of any independent contractors, subcontractors, or agents that result in a violation of the company-specific do not call rules or the consent decree constitute an act or inaction by Sprint – in other words, Sprint is specifically on the hook for third parties’ actions.
The consent decree and $7.5 million payment serve as a useful reminder of the company-specific do not call rules. Once a consumer indicates they do not wish to receive further telemarketing calls or texts, the FCC’s rules require that the telemarketer place that consumer on its internal, company-specific do not call list. This consumer request trumps even an established business relationship or prior express consent. It can only be revoked by subsequent express consent – which we would recommend be in writing. Even if a consumer does business with your company every day, if he or she has asked not to receive telemarketing calls – don’t call! Compliance with the company-specific do not call rule means your organization does not call someone who has indicated they do not want to be called. And, it can also save your company great time, resources, and money spent defending private litigation or an FCC enforcement action. Further, if your organization utilizes third parties for telemarketing campaigns, your company should make sure the third party is taking do not call requests, logging them, and passing those to your company for future campaigns.
In a recent case in the U.S. District Court for the Eastern District of Missouri, the district court held that the plaintiff’s Telephone Consumer Protection Act (“TCPA”) claim should be dismissed. The court ruled that the plaintiff gave prior express consent when she agreed to the terms of her health insurance plan, which stated that the company could share her number with other businesses who work for the plan.
The plaintiff Suzy Elkins enrolled to receive prescription benefit management services through a group plan offered by her employer. The plaintiff then reenrolled after her employer changed plans to receive prescription management services from the Defendant, Medco Health Solutions, Inc. (“Medco”) through Coventry Health of Missouri (“Coventry”). On the reenrollment form, Elkins provided her cell phone number as her home phone number and certified that the information she provided was true and accurate. Ms. Elkins refilled several prescriptions using Medco’s retail pharmacy network.
Elkins filed a complaint alleging that the automated and prerecorded calls she received from Medco through her enrollment in her employer’s health insurance plan, Coventry, violated the TCPA’s prohibition on autodialed/prerecorded calls to mobile phones and the federal “do not call” rules. Elkins had registered her number in the federal do not call database. Elkins alleged that Medco called her cell phone twice utilizing autodialed, prerecorded calls in an attempt to sell prescription medications. Medco claimed that it was attempting to make Elkins aware of certain pharmacy benefits, such as obtaining refills at reduced prices. Both parties disputed whether the calls were actually autodialed or prerecorded, and the court did not address that issue.
Instead, the district court found that the plaintiff’s TCPA claim was barred because she gave her prior express consent to be called at the number she provided when she gave that number at the time of enrollment as her contact number related to healthcare benefits. The court noted that the Certificate of Coverage that the plaintiff agreed to with Coventry stated that Coventry could use or share her personal information with “other businesses who work for the Plan . . . [t]o tell you about treatment options or health related services.” The Certificate of Coverage also provided that members have certain rights, including the right to ask for restrictions. However, the plaintiff never provided notice requesting that she not be contacted at that number with respect to her health benefits.
The court concluded that the calls that were the basis of the complaint were made by a pharmacy benefits specialist on behalf of her existing health plan regarding the pharmacy benefits she was receiving on an ongoing basis. The court reasoned that the provision of her cell phone number reasonably evidenced prior express consent by the plaintiff to be contacted at that number regarding pharmacy benefits.
The district court also found that the plaintiff had an established business relationship with the defendant which barred liability under the “do not call” rules. The court held that it was uncontroverted that there was an established business relationship since the plaintiff had utilized Medco’s prescription benefit management services to fill twelve prescriptions in a six month period before the calls that served as the basis for the complaint.
This decision represents a victory for TCPA defendants in that the court found that prior express consent was given by the plaintiff when she gave her phone number and agreed to the terms of the Certificate of Coverage, which authorized Coventry to share her phone number. TCPA litigation has been increasing significantly in the past few years. While this court did not address the recent changes that have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls, this decision does serve as guidance for consent, at least to non-telemarketing calls.
It is unclear whether the consent in this case would pass muster as “prior express written” consent for prerecorded or autodialed telemarketing calls to mobile phones and residential lines under the new rules, but since the calls at issue in this case predated the new rules, the court did not need to address that point. We recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, consistent with the requirements under the new rules. It is important to note, however, that this court acknowledged that express consent can be extended to third parties through the plaintiff’s agreement to the terms if those terms are sufficiently broad to cover third parties. Finally, for non-autodialed or prerecorded telemarketing calls to mobile phones and live telemarketing calls to residential lines, this case is a useful reminder that an existing business relationship still constitutes a valid defense.
The Internet Corporation for Assigned Names and Numbers (ICANN) continues to make significant progress with its implementation of the New generic Top-Level Domain (gTLD) Program. Under the new program, ICANN has added more than 250 new gTLDs to the Domain Name System (DNS) and could add hundreds more in the next several years.
ICANN is a nonprofit organization that was formed in 1998 to coordinate the internet’s address system, promote competition in the domain-name space, and ensure the security and stability of the Domain Name System. Back then, there were a dozen or so Country Code TLDs (ccTLDs) and just eight gTLDs, including the most common top-level domains: .com, .edu, .mil, .net, and .org. As the internet grew, so did the demand for top-level domains. ICANN responded by hosting two gTLD application rounds in 2000 and 2003. Those trial rounds resulted in ICANN’s delegation of 15 new gTLDs and laid the groundwork for greater expansion under the New gTLD Program.
The New gTLD program evolved in two phases: the policy development phase and the implementation phase. The policy development phase was overseen by one of ICANN’s supporting organizations, the Generic Names Supporting Organization (GNSO). For two years, GNSO sought input from various constituencies in ICANN’s global internet community, including government, business, technology, and intellectual-property stakeholders. Participants submitted comments on a range of topics, such as the demand for gTLDs, associated risks and benefits, selection criteria, and allocation. As a result of that process, GNSO issued a set of policy recommendations for implementing the New gTLD Program, and ICANN adopted them in June 2008.
During the subsequent implementation phase, ICANN worked with stakeholders to establish consensus on the application, evaluation and delegation process for the New gTLD Program. Drafts of an Applicant Guidebook were released for public comment and revised to address stakeholder concerns over the protection of intellectual property and community interests, consumer protection, and DNS stability. In June 2011, the ICANN Board adopted the Applicant Guidebook and launched the New gTLD Program.
During the four-month application period, ICANN received 1,930 applications for new generic Top-Level Domains. These included submissions from Europe, Asia, Latin America and Africa. More than 100 applications were first-time requests for Top-Level Domains in non-Latin scripts, including Chinese, Greek and the Indian alphabet, Devanagari.
ICANN has already completed its initial evaluation of the submissions. Approved applications are now moving toward “delegation” on a rolling basis. Each applicant must finalize and execute the required contract with ICANN. Then, the applicant must undergo pre-delegation testing. If the applicant meets the relevant technical requirements, ICANN “delegates” the new gTLD by adding it to the root zone database and turning over management of related domain-name registrations to the new registry operator. After that, the registry operator is free to sell second-level domain names under the new gTLD.
As mentioned, ICANN has already delegated more than 250 new gTLDs, with hundreds more to follow. In April alone, the organization delegated more than 50 new gTLDs.
If the expansion “transform[s] the way people use the Internet,” as ICANN hopes, the impacts will probably be most profound for the non-English speaking world. Indeed, it seems difficult to overstate the New gTLD Program’s transformative potential given ICANN’s addition of gTLDs comprising at least twelve non-Latin scripts. If the rollout continues as expected, millions of people who speak Arabic, Chinese, Hindi, Japanese, Korean, and Russian, will—for the first time—be able to use the internet in their native language.
For a current list of approved gTLDs, visit ICANN’s website.
FDA Says Product Containing No Tobacco is a “Tobacco Product” – FDA Expands Authority to Include E-Puffing
In an effort that Food and Drug Administration (FDA) officials say was motivated by the (Big Brother?) desire “to correct a misperception by consumers that tobacco products not regulated by FDA are safe alternatives to currently regulated tobacco products,” the FDA released proposed regulations this morning that would regulate the rapidly growing e-cigarette market. (The regulations would also regulate cigars, pipe tobacco, nicotine gels, and hookahs.) The long-awaited proposal would subject the $2 billion industry to federal regulation for the first time. The full text of the proposed regulations is available here. A 75-day public comment period follows.
Calls for Regulation and Basis
Last September, 40 state attorneys general wrote to the FDA asking the agency to take all available measures to issue regulations on the advertising, ingredients, and sale to minors of e-cigs. There has been very little regulation of the industry since its inception, partially because the extent of the FDA’s authority to regulate e-cigarettes is not clearly defined. In 2010, the U.S. Court of Appeals for the D.C. Circuit issued an opinion in Sottera, Inc. v. Food & Drug Administration, affirming the district court’s decision that the FDA could not regulate e-cigarettes as a medical device under the Food, Drug & Cosmetic Act and finding that the FDA’s authority is limited to traditional tobacco products. Specifically, the Tobacco Control Act authorizes the FDA to regulate “tobacco products,” giving the agency authority to impose restrictions on their sale, advertising and promotions, and establish other standards for their distribution and production. The term “tobacco product” means any product made or derived from tobacco that is intended for human consumption, including any component, part, or accessory of a tobacco product (except for raw materials other than tobacco used in manufacturing a component, part, or accessory of a tobacco product).
E-Cigarettes are Tobacco Products?
The FDA claims that e-cigarettes contain nicotine and thus derive from tobacco. However, the agency acknowledges in its proposed rules that “the health consequences of e-cigarettes are not well understood because of their relatively new entrance into the market.” Despite its questionable authority and a lack of evidence showing a need for regulation, the FDA nevertheless proposes to subject e-cigarettes to regulation similar to cigarettes and other regulated tobacco products. We expect commenters will urge the FDA to support its jurisdiction over the e-cigarette industry with a sufficient statutory basis. However laudable the FDA’s actions to protect the public may be, agencies may obviously only act pursuant to the specific statutory authority granted by Congress.
Under the proposed rules, companies offering e-cigarettes and the other products deemed tobacco products will now be required to register all their products and ingredients with the FDA, though they would not be required to adhere immediately to specific product or quality control standards. Companies would also be required to submit new and existing products to the FDA for approval. They would have two years from the time the rule goes into effect to submit an application to enable their products to continue to stay on the market or to submit a new product application.
The new regulations would require e-cigs to have health warnings on packaging, though initially the only health warning that will be required is a warning regarding the potential for addiction to nicotine. Manufacturers would be able to market new products only after an FDA review, and scientific evidence would need to be provided before any direct or indirect claim can be made of risk reduction associated with their product. Manufacturers would also be prohibited from selling their products at vending machines unless they are in adult-only venues. The proposed rules would prohibit the offering of free samples. The regulations would also require that the minimum age to buy the products be set at 18 years old.
FDA Showing Some Restraint?
Although the FDA proposal is not as broad as the regulations sought by tobacco-control advocates, FDA officials noted that further restrictions may come in the future. At this point the regulations do not seek to ban the use of flavored e-cigs or restrict online sales or advertising. However, the Federal Trade Commission (“FTC”) is closely monitoring marketing and advertisements from the industry and has the ability to take action against companies that it believes are engaging in deceptive advertising. The proposed rules note that the FDA would consult with the FTC to harmonize their requirements for health warnings.
The FDA proposal also leaves many unanswered questions regarding how new products would be regulated in the long term. Under current law, new tobacco products can be approved if they are “substantially equivalent” to a product that was sold prior to February 15, 2007. It is unclear whether any e-cigarettes were on sale prior to that date that can be used as a benchmark. An FDA official said that it would seek more information during the public comment period to determine whether the substantial equivalence test is valid for e-cigarettes.
The recommendations from the FDA that were released today will be followed by a 75-day public comment period after which the regulations will be finalized. The exact time frame for the regulations to be finalized is unclear and the final rulemaking process could alter the regulations that were proposed today. It may be more than a year before the final regulations take effect. Of course, parties are expected to challenge the FDA’s rules in court, which could further delay any new regulations.
We expect numerous, diverse parties will submit comments, including the scientific/medical community, public interest groups, and industry. The e-cigarette industry, representing a new product, would appear to have the most power to influence the outcome of the rules, because even the FDA acknowledges the product has yet to be studied in depth.
Last week the Federal Trade Commission (“FTC”) charged the operators of Jerk.com with harvesting personal information from Facebook to create profiles for an estimated 73 million people, where they could be labeled a “Jerk” or “not a Jerk.”
In the complaint, the FTC charged the defendants, Jerk, LLC and the operator of the website, John Fanning, with violating the FTC Act by allegedly misleading consumers into believing that the content on Jerk.com had been created by registered users of the site, when most of it had been harvested from Facebook. The FTC alleged that the operators of Jerk.com falsely claimed that consumers could revise their online profiles by paying a $30 membership fee. Additionally, the FTC asserted that the defendants misled consumers to believe that by paying for a membership, they would have access to the website that could allow them to change their profiles on the site.
Facebook profile pictures and profile names generally are public. Facebook rules allow for developers to upload the names and pictures in bulk. However, Jerk.com allegedly violated Facebook’s policies in the way it mined data from people’s profiles. At the time, Facebook’s rules only allowed an app developer to keep a person’s profile picture for 24 hours. The complaint stated that Fanning registered several websites with Facebook and used Facebook’s application program to download the data needed to create the fake profiles on Jerk.com. The FTC is also seeking an order barring the defendants from using the personal information that was obtained and requiring them to delete the information.
This action is another indication that the FTC is closely monitoring companies that the FTC believes are scraping data on consumers from other sites and deceiving customers in their business practices. The complaint notes how Jerk.com profiles often appear high in search engine results when a person’s name is searched. “In today’s interconnected world, people are especially concerned about their reputation online, and this deceptive scheme was a brazen attempt to exploit those concerns,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, in a statement.
Companies should monitor their practices for obtaining data from other websites to ensure that they are in compliance with the terms and conditions of websites where they obtain data. Organizations should be cautious about how they use this data, including being careful about making any representations and disclosures that could be viewed as deceptive by the FTC or a state attorney general.
By Michelle Cohen, CIPP-US
After recovering from high-profile data breaches at Target and Neiman Marcus, signing up for free credit monitoring and analyzing our credit reports, a new Internet villain recently emerged: the “Heartbleed Bug.” The Heartbleed Bug is a security flaw present in OpenSSL, popular software run on most web servers. This open source software is widely used to encrypt web communications. The Heartbleed Bug affects approximately 500,000 websites, including reportedly Yahoo, OK Cupid, and Tumblr. And, in addition to websites, the Bug may impact networking devices such as video conferencing services, smartphones, and work phones.
The danger of the Heartbleed Bug lies in its ability to reveal the contents of a server’s memory. Through the Bug, an attacker can grab sensitive data stored in that memory, including passwords, user names, and credit card numbers. Adding insult to injury, the Bug has existed for at least two years, giving hackers a huge head start. News reports and some websites have urged users to change their passwords. Others have warned individuals not to change their passwords until a website has indicated it has installed the security patch that “cures” the Bug. Several sites offer tools to “test” whether an indicated website is vulnerable to the Heartbleed Bug, including one by McAfee. In terms of priorities, users should focus on sites where they bank, conduct e-commerce, e-mail and use file storage accounts.
Further intrigue comes from the fact that a recent Bloomberg report alleged that the National Security Agency (“NSA”) knew about the Bug for at least two years, but may have utilized the vulnerabilities to access information. The NSA has denied it had knowledge of the Bug.
While we have yet to see a “rush to the courthouse” following the announcement of the Heartbleed Bug, we anticipate lawsuits and enforcement could follow where organizations do not act in response to the Bug by installing the necessary security patch. Companies (including our clients in the Internet marketing and I-gaming industries) should investigate whether their websites, apps, or other services (such as cloud services) use Open SSL – then take immediate efforts to oversee the installation of the security patch. Organizations should also advise users of the status of the Heartbleed Bug fix and encourage users to change their passwords, with different passwords across different services.
Congress enacted the Telephone Consumer Protection Act (“TCPA”) to protect consumers from unwanted telemarketing, fax marketing, and prerecorded/auto-dialed phone calls. Recently, there has been an explosion in TCPA litigation, including class action litigation. In response, several parties have asked the Federal Communications Commission (“FCC”) to clarify certain of the agency’s TCPA rules to provide relief from TCPA liability in certain enumerated circumstances. Two recent FCC rulings allow certain business communications under the TCPA.
The Cargo Airline Association (“CAA”), a trade association representing companies that deliver packages, filed a petition seeking clarification of the TCPA’s application to auto-dialed or prerecorded package delivery notification calls made to consumers’ wireless phones. The CAA asserted that the FCC should recognize the public interest in receiving time-sensitive package notifications. Revised FCC rules that went into effect in October generally require that the sender of prerecorded or auto-dialed calls and text messages to mobile numbers have the recipient’s prior consent to receive such calls and texts. If the calls or texts constitute telemarketing, prior express written consent is required.
The FCC granted the CAA’s request to exempt its notifications to consumers, subject to certain conditions. In the order, the FCC observed that these notifications “are the types of normal, expedited communications the TCPA was not designed to hinder . . . we believe that consumers generally desire, expect, and benefit from, package delivery notifications.” The FCC order requires that text messages be sent only to the telephone number provided by the package recipient, and that they identify the name and include the contact information of the delivery company sending the message. Furthermore, the FCC’s order limits companies to sending one text message per package per delivery attempt. The notifications also cannot contain any advertising content and must give consumers the ability, and the information they need, to easily opt out of receiving future notifications.
In the second ruling, the FCC granted a petition by GroupMe concerning how consent is obtained. GroupMe is an app that allows users to create text message based group chats. A user who wants to create a group chat using GroupMe’s service must register with GroupMe and agree to its terms of service. The terms of service require the group creator to represent that each individual added to the group chat has consented to receive the text messages. In its petition to the FCC, GroupMe asked the FCC to clarify that consent to receive certain calls or text messages could be given through an intermediary, such as a group chat organizer.
The FCC granted GroupMe’s petition, allowing consent to be obtained through an intermediary. Interestingly, the FCC acknowledged in its order that “the TCPA is ambiguous as to how a consumer’s consent to receive an auto-dialed or prerecorded non-emergency call should be obtained.” However, the FCC stressed that this ruling does not mitigate the duty to obtain the prior express consent of the called party. Further, a company can still be held liable even when relying on an intermediary’s assertion that a consumer has consented. The order states that, “[w]e further clarify that where the consumer has agreed to participate in a GroupMe group, agreed to receive associated calls and texts, and provided his or her wireless telephone number to the group organizer for that purpose, the TCPA’s prior express consent requirement is satisfied with respect to both GroupMe and the group members regarding that particular group, but only regarding that particular group.” Companies seeking to obtain consent through an intermediary should consider this potential liability when deciding whether, and how, to rely on consent given by an intermediary. Companies may want to consider contractual representations, warranties, and indemnifications where a third party obtains consent.
These two orders by the FCC represent positive news for businesses that utilize texts and prerecorded/auto-dialed communications. The orders eliminate some of the uncertainty surrounding compliance with the TCPA in the circumstances addressed by the FCC. While the agency has taken numerous enforcement actions against TCPA violators and promulgated strict rules, these recent rulings indicate that the FCC recognizes that there are circumstances in which strict interpretations of the TCPA and/or FCC rules do not comport with the realities of business communications. Companies should note, however, that these rulings are limited to the particular situations presented by the petitioners. Due to the enormous potential liability for violating the TCPA, companies should continue to review their policies and practices and make sure they are in compliance with all regulations before initiating any covered TCPA communications, including prerecorded and auto-dialed calls and texts to mobile phones, prerecorded telemarketing to residential lines, facsimile advertising, and live telemarketing.
Mobile payments have become so commonplace that consumers rarely stop to think about whether their online payment is secure. Mobile app developers can fall into a similar trap of assuming that the necessary security measures are enabled without performing regular audits to confirm it. A recent settlement between the FTC and two companies whose mobile apps were insecure gives cause to think again.
The FTC alleges that the movie ticketing service Fandango and credit monitoring company Credit Karma failed to adequately protect consumers’ sensitive personal information in their mobile apps because the apps did not properly use the Secure Sockets Layer (“SSL”) protocol to establish authenticated, encrypted connections with consumers. Generally, an online service presents an SSL certificate to the app on the consumer’s device to vouch for its identity, and the app verifies the certificate to ensure that it is connecting to the genuine online service. When an app skips this verification—especially if consumers use the app over a public wi-fi network—a third-party attacker can present an invalid certificate to the app, and the app will establish its connection with the attacker rather than with the online service. As a result, any information the consumer enters into the app, including credit card numbers and other sensitive, personally identifying information, is sent directly to the attacker.
The FTC alleged that Fandango and Credit Karma left their applications vulnerable to interception by third parties by failing to use the SSL protocol properly. The FTC alleged that Fandango misrepresented the security of its application by stating that consumers’ credit card information would be stored and transmitted securely, despite the fact that the SSL protocol was disabled on the app from March 2009 to March 2013. The FTC alleged that Credit Karma’s app failed to validate SSL certificates from July 2012 to January 2013, leaving the app susceptible to attackers who could gather personal identifying information such as passwords, security questions and answers, birthdates, and “out of wallet” verification answers regarding things like mortgages and loan amounts.
In both cases, the online services received warnings of the vulnerabilities from both users and the FTC. In December 2012 a security researcher used Fandango’s online customer service form to submit a warning regarding the vulnerability. However, Fandango mistakenly flagged the message as a password reset request, sent the researcher a stock response on resetting passwords, and marked the complaint as resolved. A user sent a similar notice to Credit Karma about the SSL certificates in January 2013. Credit Karma responded by issuing a fix in an update to its iOS app that same month; however, one month later Credit Karma released an Android app that contained the same vulnerability.
In both cases, the online services performed a more thorough internal audit of the apps only when issued a warning by the FTC. The FTC issued complaints against the companies for their deceptive representations regarding the security of their systems. While the complaints noted that the apps were vulnerable to third party attacks, they did not allege that any such attacks were made or that any consumer information was in fact compromised. Perhaps due to the lack of consumer harm, the FTC entered into consent agreements with Fandango and Credit Karma in which the services did not have to pay a monetary judgment, but did agree to establish comprehensive security programs and undergo security assessments every other year for the next 20 years. Fandango and Credit Karma are additionally prohibited from misrepresenting the level of privacy and security in their products or services.
SSL certificate validation is the default behavior of the networking interfaces that the iOS and Android operating systems provide to developers. Mobile app developers can therefore protect themselves and their users from this vulnerability simply by leaving the default certificate validation enabled rather than overriding it. What’s more, app developers can test for and identify SSL certificate validation vulnerabilities using free or very low cost tools. All app developers should therefore take the necessary precautions to ensure the security of their systems and prevent harm to consumers (and potential lawsuits) down the road.
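As an added illustration (example code written for this summary, not code from Fandango, Credit Karma, or the FTC orders), the Go program below stands up a local HTTPS server with a self-signed certificate, a constructed stand-in for an attacker’s forged certificate, and compares three clients: one with certificate validation switched off, as the FTC alleged in the apps; one with the platform default; and one pinned to the operator’s own certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewTestServer starts a local HTTPS server with a self-signed certificate,
// a constructed stand-in for the forged certificate an attacker would present.
func NewTestServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
}

// InsecureClient reproduces the defect the FTC described: validation off, any certificate accepted.
func InsecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the dangerous setting
	}}
}

// PinnedClient trusts only the operator's own certificate; http.DefaultClient (used
// below) keeps the platform default of a trusted root plus a matching host name.
func PinnedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// Connects reports whether the handshake completed and a 200 came back; false means validation blocked it.
func Connects(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

func main() {
	srv := NewTestServer()
	defer srv.Close()
	fmt.Println("validation disabled, forged cert accepted:", Connects(InsecureClient(), srv.URL))             // true
	fmt.Println("default validation, forged cert accepted: ", Connects(http.DefaultClient, srv.URL))           // false
	fmt.Println("pinned, operator's own cert accepted:     ", Connects(PinnedClient(srv.Certificate()), srv.URL)) // true
}
```

The first line is the Fandango/Credit Karma condition: the connection succeeds no matter who signed the certificate, which is exactly what lets an attacker on the same network stand in for the real service.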