Today, the Securities and Exchange Commission (“SEC”) issued an investor bulletin and an investigative report. The investigative report found that companies involved in sales of digital assets via distributed ledger or blockchain technology may be engaged in conduct subject to federal securities laws. While this report is the first of its kind to address initial coin offerings (“ICO”) or token sales and securities regulation, companies looking to launch their own ICOs can learn from the unique circumstances addressed in today’s report.
The SEC began investigating token sales in light of The DAO hack last summer. The DAO and related entities are a “virtual” organization running on blockchain technology. To fund its own development, The DAO developed DAO Tokens, which were then issued to investors through an initial token sale. This sale gave customers a chance to invest in the company by spending their Ether, an Ethereum blockchain-based cryptocurrency, to purchase DAO Tokens. The revenues from the coin sale funded various projects at The DAO, and investors could make money if their projects were profitable. Additionally, investors could resell their DAO Tokens on secondary platforms. These activities came to the SEC’s attention after a hack caused The DAO to lose a third of its investments (although this was ultimately recovered via a technological solution that reversed the blockchain of The DAO, which was permissible because a majority of the DAO Token holders voted in favor of the reversal).
In its investigative report, the SEC concluded that the DAO Tokens were subject to SEC regulations, even though it chose not to file charges at this time. Specifically, the Commission concluded that all elements of a security, as defined in federal securities law, were met in the sale of the DAO Tokens: (1) Investors used money – in the form of Ether – to invest in The DAO, (2) with a reasonable expectation of profit, (3) that was derived from the managerial efforts of others.
The management of The DAO appears to have been a central concern in the SEC’s evaluation. The DAO was run by others and subject to their oversight. Those people were referred to as “Curators,” and they had a significant amount of control over the projects that would be funded by The DAO. Token holders could only vote on projects that the Curators pre-approved. Further, on top of this management problem, the SEC expressed concern about the ability of investors, given the pseudonymous purchases of DAO Tokens, to organize to “effect change or to exercise meaningful control.”
At this time and presumably because the ICO industry is new and developing, the SEC has declined to pursue an enforcement action against The DAO and related entities. However, it has used The DAO matter as a case study to examine this novel issue and provide guidance to others involved in ICOs and blockchain-based investments.
This is an innovative and developing area, as noted by SEC Chairman Jay Clayton, who stated today: “The SEC is studying the effects of distributed ledger and other innovative technologies and encourages market participants to engage with us. We seek to foster innovative and beneficial ways to raise capital, while ensuring – first and foremost – that investors and our markets are protected.” (In addition to the report, the SEC also published an investor bulletin on ICOs.)
Companies interested in funding their ventures through ICOs must take note of this opinion. While the final report notes that the applicability of laws to a token sale “depend[s] on the particular facts and circumstances,” this SEC investigative report should serve as official notice to all companies working in this emerging field that federal securities laws may apply to them. However, the DAO situation is unique and the SEC’s findings are quite narrow, so this report won’t be controlling precedent for every ICO in the future. Because The DAO’s coin sale was purely for investment, denying investors meaningful input into the company, DAO Tokens were classified as securities under the applicable federal laws. In contrast, coins offered by a company in a less centralized system, where investors have more freedom to manage their coins, would avoid being classified as securities.
The Chairman’s statement makes clear that the Commission is still in the learning phase and open to guidance from industry experts. Leaders must take this opportunity to not only educate the regulators, but also to listen to and adapt to regulatory concerns. This is not at all a fatal blow to the market, but companies must ensure their offerings comport with federal securities law while also providing attractive, innovative options to new investors.
Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk:
- Even if out of ISP oversight, the FTC is actively engaged in data privacy enforcement through its consumer protection role.
Ohlhausen expressed disappointment that FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement of ISPs). But she said that the FTC is still active through holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.” She noted that FTC enforcement actions derive not only from consumer complaints, but that the FTC is getting cases from computer researchers and marketplace competitors.
- FTC to present positive findings from its enforcement actions.
Ohlhausen and her staff are considering changing up what they present publicly on their investigation findings. Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from what the FTC has found companies doing right. The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.
- How FCC and FTC oversight of ISPs differs.
Ohlhausen noted that the FCC has ended up with a different approach to data security oversight. For instance, it has taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible. She expressed concern that, with the Open Internet Order, which revoked FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: the FCC could rescind its reclassification, or Congress could rescind the FCC’s common carrier authority over broadband services.
- The Privacy Shield and the FTC’s role in working with Europe.
Ohlhausen noted that the current Administration seems committed to the Privacy Shield. She believes that the Privacy Shield meets Europe’s needs and further that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement. For instance, the FTC can provide guidance on how to inform EU consumers on the parameters of the Privacy Shield. Moreover, the FTC will enforce Privacy Shield violations—based on deception for failure to comply. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.
- Chinese forays into privacy.
Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: where a communist country’s government controls so much, there still can be a real interest in privacy for the consumer. She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.
- Privacy and overlap with other areas of law.
When asked whether privacy laws, such as anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and Civil Rights Act. She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen. But we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace, and want to encourage innovation.
A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was expressing hope that the FTC would get authority back over ISPs.
Over the past several years, the Federal Communications Commission (“FCC”) took an expansive view of its rules under the Telephone Consumer Protection Act of 1991 (“TCPA”). The TCPA bars certain calls, texts and faxes without prior express consent and requires disclosures and opt-out procedures. While the FCC and state attorneys general may enforce the TCPA, the law’s true “teeth” come in the form of private lawsuits where statutory damages allow up to $1500 per call/text/fax advertisement. Organizations in every industry, including hospitality, financial services, retail, and healthcare, have settled TCPA lawsuits for millions of dollars.
Businesses viewed recent FCC rulings for the most part as pro-plaintiff, encouraging additional class action lawsuits. In July 2015, for instance, the FCC issued an “omnibus” declaratory ruling in which it expanded certain definitions and interpreted the TCPA in ways seen as empowering the plaintiffs’ bar. However, the FCC’s TCPA rules do not go unchecked, as they are subject to challenge in the courts. The D.C. Circuit recently sent a message to the FCC, ruling in Bais Yaakov of Spring Valley v. Federal Communications Commission that the agency’s 2006 rule requiring an opt-out notice on “solicited” facsimile advertisements ignored clear statutory language. The D.C. Circuit’s ruling demonstrates that the court will invalidate FCC rules and interpretations when the agency exceeds statutory authority, even if the FCC may think it is making good policy. It also suggests that the D.C. Circuit may be ready to give a defiant “thumbs down” to significant parts of the FCC’s July 2015 order. A decision is expected on that appeal at any time, and we anticipate that the D.C. Circuit will invalidate several aspects of that ruling. This action would have a tremendous impact on pending TCPA litigation and may curb the TCPA gravy train on which several class action firms have already ridden.
The TCPA, as amended by Congress through the Junk Fax Prevention Act, prohibits (among other things) sending an unsolicited advertisement to a fax machine. An “unsolicited advertisement,” as defined in the TCPA is “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.” Thus, the law allows fax advertisements transmitted with permission (“solicited faxes”). The law also contains another exception to the unsolicited fax advertisement ban where there is an established business relationship with the recipient (“EBR faxes”), provided the recipient voluntarily communicated the fax number or made it available, and a conspicuous opt-out notice meeting certain statutory requirements appears on the fax.
In 2006, the FCC ruled that “solicited” faxes – i.e. those fax advertisements for which the sender received prior consent – require the opt-out notice and associated opt-out procedures. The TCPA, in contrast, only mandates the opt-out notice for the EBR faxes. The 2006 ruling resulted in litigation against companies like Anda (a generic drug seller) that had permission to fax advertisements. Anda had valid permission from pharmacies to fax advertisements regarding time-sensitive topics such as pricing information and weekly specials. Plaintiffs nevertheless sued Anda in a $150 million class action lawsuit because Anda allegedly had not included the opt-out notice. Anda subsequently sought a ruling from the FCC clarifying that solicited faxes did not require the opt-out.
In the category of “sometimes when you ask, you get the answer you don’t want,” the FCC ruled that the opt-out notice applied to solicited and EBR faxes. However, the FCC stated it would waive application for faxes sent before April 30, 2015. The two Republican commissioners (including now Chairman Pai) vigorously dissented. Anda then appealed to the D.C. Circuit.
Late last month, the D.C. Circuit vacated the 2006 solicited fax rule and remanded it to the agency. The court focused on the TCPA’s statutory language, noting that the opt-out notice requirement only appears in the EBR fax provision. “Although the Act requires an opt-out notice on unsolicited fax advertisements, the Act does not require a similar opt-out notice on solicited fax advertisements…Nor does the Act grant the FCC authority to require opt-out notices on solicited fax advertisements.” The appeals court concluded that the case was quite simple – the FCC can only take action that Congress authorized. Congress did not authorize an opt-out notice requirement for solicited fax advertisements. Under an existing rule, senders must still allow recipients to opt out if they no longer want to receive solicited faxes. But the FCC cannot require the opt-out notice on those solicited fax advertisements. Consequently, companies should not be liable under the TCPA for not including the opt-out notice on solicited fax advertisements.
While the FCC understandably wants to protect consumers and businesses from unsolicited calls, texts, and faxed advertisements – the agency must respect its authority and the limits to that authority. In other words, the FCC cannot choose how the TCPA “should” read. Congress made that choice.
With TCPA litigation continuing to explode, this ruling provides some comfort that the FCC will not go unchecked in its recent, broad TCPA interpretations. And, with the high-stakes appeal of the 2015 Omnibus Ruling pending before the same court, there are strong signs that the D.C. Circuit will push the FCC back on its expansive interpretations of autodialer and liability for calls to reassigned numbers, among other challenged rules. Companies involved in ongoing TCPA litigation involving the challenged interpretations may want to seek stays from their courts or arbitrators pending the outcome of the next appeal.
Your business booked a large charity event. However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down. She even claims she was overcharged. You reviewed the situation and, while you disagree, you offer her a credit. She declines and instead decides to post scathing reviews on Yelp, TripAdvisor, and several other review sites. She also gets her friends to post similar reviews. You remember, however, that the booking contract this irate customer signed barred her from posting negative reviews and imposed a $200 per negative review penalty. You ring up your attorney and ask her to send Ms. Nasty Customer a demand. Your lawyer tells you there may be a problem with this approach – under a new law signed by President Obama in December, the Consumer Review Fairness Act of 2016 – form contracts restricting reviews or imposing penalties are void.
Exceptions and Carve-Outs
There are several significant exceptions to the new law, offering some protections to organizations. First, individually-negotiated agreements are not covered by the new legislation. Second, Congress carved out employer-employee and independent contractor agreements from the “form contract” definition. Thus, under the new Act, employment provisions barring negative online reviews of an employer are not void. However, the National Labor Relations Board strongly disfavors restrictions on employees’ rights to discuss wages and working conditions in public forums. Further, some states may also seek to bar restrictions on online reviews. California and Maryland already have enacted laws barring non-disparagement clauses in consumer contracts.
Third, the Act does not bar an organization or individual from suing for defamation, libel, or slander. Thus, companies may still file suit for reviews containing false statements (and presumably include a clause in a form agreement or terms and conditions addressing such statements). Fourth, the law preserves any confidentiality required by law – such as HIPAA. Fifth, the Act expressly allows a party to remove or to refuse to display on a website/webpage operated by that party the content of a “covered communication”: (1) that contains personal information or the likeness of another person; (2) that is libelous, harassing, abusive, obscene, vulgar, sexually explicit, “or is inappropriate with respect to race, gender, sexuality, ethnicity or other intrinsic characteristic”; or (3) that is false or misleading. Thus, companies that host their own webpages for customer comments and interactions may remove customer reviews meeting these standards. It would also appear lawful to advise customers in company terms and conditions or form contracts that such content may be reviewed.
Congress further created a carve-out from the Act’s consumer review protections for trade secrets or commercial or financial information considered privileged or confidential, personnel and medical files where disclosure would result in an invasion of personal privacy, records compiled for law enforcement purposes, content that is unlawful, and content containing computer viruses, worms, or other damaging code.
Federal Trade Commission Enforcement
The Federal Trade Commission (“FTC”) will enforce the Consumer Review Fairness Act of 2016. State Attorneys General may also bring a civil action in federal court to obtain relief for their residents. The new law requires the FTC (within 60 days) to conduct education and outreach to businesses, including non-binding “best practices” for complying with the Act. Companies get 90 days (until March 14, 2017) before their contracts containing the now-proscribed practices are considered void.
The FTC may target a few “brand name” organizations in early enforcement actions to garner industry attention. Companies should be aware, however, that they retain the right to object to assessments that are exempted, including those that disclose confidential or personal information, or that are defamatory, misleading, obscene, vulgar, or unrelated to the products and services offered on the company’s webpage. So, while consumers cannot be penalized through a form contract for posting reviews, their rights to post are not unfettered. Contrary to the popular adage, as the Union Street Guest House learned, not all press is good press – and companies may still address false or defamatory reviews and those reviews containing other exempted content.
A famous Homeland episode involved a terrorist gaining access to the Vice-President’s pacemaker. Accessing medical devices to wreak havoc was one of the motivations behind certain provisions of the Digital Millennium Copyright Act (aka the DMCA). The DMCA makes it “illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works.” Section 1201 of the DMCA allows for exemptions to be made every three years. Recently, a number of exemptions were adopted to the DMCA’s anti-circumvention statute for numerous technologies, including personal medical devices. Although the exemptions went into effect on October 28, 2015, there were stipulations that delayed implementation until very recently. A number of safeguards remain in place, but the need for safeguards against cybercrime in the healthcare context remains compelling.
What does this mean for patients who are using portable medical devices?
The exemption removes the barrier for researchers to set up controlled experiments that aim to identify and address potential vulnerabilities in the security of these devices. The exemption relates to researching medical devices and reads as follows: “Literary works consisting of compilations of data generated by medical devices that are wholly or partially implanted in the body or by their corresponding personal monitoring systems, where such circumvention is undertaken by a patient for the sole purpose of lawfully accessing the data generated by his or her own device or monitoring system.” In order to conduct research using this type of data, the research environment must meet certain criteria. Those criteria include the following: (1) the computer program, or any devices on which the programs run, must be “lawfully acquired,” (2) during the research, the device or computer program should operate “solely for the purpose of good-faith security research,” and (3) the research must not have begun before October 28, 2016.
How does this open up the field for more research opportunities?
The exemption rule allows for “good-faith research” which is defined as “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.” What this means in the real world is that security researchers can, in a controlled manner and environment, access medical devices to search for vulnerabilities so that vulnerable software can be quickly patched. The exemption allows for researchers to publicly talk about and share details of their vulnerability research without facing legal repercussions.
Why do we need this type of research?
A cybercrime wave impacted the healthcare sector in 2016. According to TrapX, there was 63% year-over-year growth in attacks against the healthcare sector. Many of these cyber intrusions leveraged back-doors into medical devices like X-ray machines and blood gas analyzers. These devices are vulnerable to compromise as they lack the memory space necessary for cybersecurity software and are rarely updated. The dramatic ransomware attack against Medstar, which crippled their hospitals’ networks, underscored the defenselessness of the sector. The culture of the healthcare sector has been to adopt technology with minimal regard to the cybersecurity of those networks. The cybercrime community took note in 2016, and the ransomware attacks against the healthcare sector served as a canary in the coal mine. The vulnerability of medical devices poses a systemic risk to the sector’s digital health.
Historically, medical device manufacturers have been resistant to allowing outside security experts to look at their code for fear that flaws in their software will be revealed and expose them to regulatory scrutiny or lawsuits. More recently, some of the larger medical device manufacturers (e.g. Philips and Dräger) have published a coordinated vulnerability disclosure policy, which essentially invites researchers to look for software flaws in their devices, as well as a public statement about how the companies will handle reported vulnerabilities. For device manufacturers it is important to note that the FDA is encouraging this type of research to increase patient safety and reduce cybersecurity threats.
Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures for the Center for Devices and Radiological Health, a division of the FDA, stated that “The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices.” On December 29, 2016 the FDA issued the final guidance “Postmarket Management of Cybersecurity in Medical Devices”. What this means is that device manufacturers may need to report to the FDA post-market modifications related to cybersecurity made to devices already in the field (pursuant to Part 806 of the Food, Drug & Cosmetic Act; for device manufacturers this reporting relates to compliance with the quality system regulations). Device manufacturers need to take into account security considerations through a product’s entire lifecycle, starting with its development, to ensure proper performance and functionality if a hospital’s network is hacked. The FDA indicated that most routine updates or patches will not trigger a reporting responsibility, but the guidance leaves open the possibility that changes made to prevent or fix cybersecurity vulnerabilities will trigger reporting. As a result of this guidance, it is important for manufacturers to coordinate their cybersecurity efforts. This relatively new exemption can help foster that dialogue and introduce research into vulnerabilities to reduce the threat of future cyber-attacks on critical medical devices used by patients. In 2017, an individual’s physical well-being is going to depend on the digital health of medical devices.
What Proactive Risk Management Steps Can Be Taken in 2017 to Increase Security?
Listed below are some proactive steps that medical device manufacturers can take to decrease the risk of cybersecurity vulnerabilities and attacks. With the advent of new research into cybersecurity, the hope is that additional technology improvements will take place to allow for even further safety and evolution of security for medical devices.
Proactive Risk Management for 2017
- Require regular penetration tests of medical devices and of the networks that develop and use them.
- Deploy a DeceptionGrid.
- Deploy User Entity Behavior Analytics.
- Deploy two factor authentication (e.g. Biometrics) with contextual verification.
- Integrate intrusion protection systems with breach detection systems.
Source: Strategic Cyber Ventures 2017
In January 2017, the Obama Administration will transfer power to the incoming Trump Administration, and Congress will convene with a Republican majority in both houses. Predictions abound as to what legislative and regulatory changes will transpire under the new administration. Earlier this month, WSJ Pro hosted a live video event to discuss how the election will impact financial regulation. Financial Regulation Editor Jacob Schlesinger moderated the discussion with two Washington financial-policy analysts: Brian Gardner of Keefe, Bruyette & Woods, and Ian Katz of Capital Alpha Partners. Both analysts expect aggressive deregulation of the financial sector, consistent with the President-Elect’s promises during the campaign. Among the many topics covered, Gardner and Katz emphasized (i) potential changes to the Dodd-Frank Act, (ii) personnel changes at various agencies, including the Securities and Exchange Commission (SEC), and (iii) a more lenient approach to enforcement.
President-Elect Trump campaigned on a promise to get rid of the Dodd-Frank Act. Enacted in the wake of the 2008 recession, Dodd-Frank sought to limit the risks that banks can take and provided for consumer protection through the creation of the Consumer Financial Protection Bureau (CFPB). However, Gardner and Katz agree that wholesale repeal of Dodd-Frank is unlikely, partly because Republicans will have a slim majority in the Senate and, thus, may lack the sixty votes needed to end a filibuster. If Senate Democrats unite in their opposition to repeal, they can prevent a vote altogether. Gardner and Katz think it more likely that the administration will modify Dodd-Frank at the margins.
Katz expects targeted efforts in that regard. For example, he predicts that the CFPB will be weakened, but not abolished. The new administration can weaken the Bureau by replacing its current single director with a Republican appointee, or by changing its structure to that of a commission with no more than three of five commissioners from either party. Given the President-Elect’s populist message, efforts to abolish the CFPB would be politically risky: the Bureau was established to protect consumers.
The administration could also target CFPB regulations. Gardner notes that promulgated rules will likely survive, but non-final rules may be withdrawn and rewritten. For example, in June 2016, CFPB proposed new restrictions on payday lending, but they have not yet been finalized. If the proposed rules are still pending in January 2017, the new administration may scrap them in favor of less onerous restrictions.
In addition to these modifications related to Dodd-Frank, Gardner and Katz discussed personnel changes at various agencies, including the Securities and Exchange Commission (SEC). Although President-Elect Trump campaigned on a promise to “drain the swamp,” leaks from his transition team suggest he will rely to a great extent on veterans of past Republican administrations. Heading the efforts for independent regulators like the SEC, the Commodity Futures Trading Commission (CFTC), and the Federal Reserve is Paul Atkins, an ex-SEC Commissioner who disfavors regulation. Atkins almost certainly is looking for potential appointees who share his view. Gardner does not anticipate major shifts in the regulatory environment but, as Katz notes, individuals appointed to lead these agencies will set the tone and influence each agency’s enforcement priorities. Codified rules likely will remain, but agencies faced with close questions or grey areas of the law will probably resolve them in favor of industry.
All that said, President-Elect Trump’s candidacy did not unfold as many predicted. It will be interesting to see whether and how these expected changes to financial regulation materialize under the new administration.
The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog to help companies in the immediate aftermath of a data breach. The FTC also provides a model data breach letter to notify individuals of a breach. The agency – which views itself as the nation’s primary “privacy police” – has faced scrutiny from private parties and courts for allegedly enforcing privacy and data security standards without promulgating specific rules. The agency instead favors outreach efforts, such as its blogs, guides and roundtables, to educate industry and the public regarding what it views as best practices.
In this vein, the Guide and the model letter are not a “safe harbor” but offer suggestions on important steps that organizations can follow once they discover data breaches. The FTC emphasizes that the Guide does not pertain to the actual protection of personal information or prevention of breaches, because the agency has already issued separate guidance documents on those subjects. In fact, the FTC also recently updated its guide on protecting personal information.
Following a data breach, the Guide suggests key steps organizations can take, which include:
- Mobilizing the company’s breach response team to prevent further data loss – the team may include legal, information security, IT, human resources, communications, investor relations, and management; companies may consider hiring an independent forensics team;
- Securing physical areas – lock any physical areas affected by a breach; consider changing access codes;
- Taking affected equipment offline immediately – monitor all entry and exit points, and update authorized users’ credentials and passwords;
- Removing improperly posted information from the company’s website, for instance in a situation where personal information affected by the breach is posted on the company’s website. The FTC also advises companies to search the Internet to see if breached information has been posted on other websites and to contact the owners of those websites;
- Protecting evidence – the FTC reminds companies to retain forensic evidence (i.e., do not destroy it);
- Documenting the investigation, including interviewing people who discovered the breach and making sure employees (such as customer service representatives) know where to forward information that might assist the company in its investigation;
- Examining service provider relationships, to determine if providers have access to personal information and whether provider access privileges should be changed;
- Determining whether data was encrypted at the time of the breach (note: encryption may obviate the need for data breach reporting in many states);
- Implementing a communications plan that explains the data breach to employees, customers, investors, partners, and others such as the press. The FTC recommends “plain English” answers on a company’s website;
- Following legal requirements – such as state data breach notifications and notifying law enforcement;
- Offering at least a year of free credit monitoring – while not required, free monitoring has become standard and most regulators and consumers expect to see the offer in data breach notifications.
As to data breach notification letters, in addition to following the requirements of state laws, the FTC urges companies to advise people what steps they can take, based on the information exposed. When a breach compromises social security numbers, individuals should be directed to contact the credit bureaus to request fraud alerts or credit freezes. Since some scammers pounce on data breach victims, the FTC counsels organizations to tell consumers how they will be contacted going forward. For instance, if the company will never contact individuals by phone, the company should tell consumers that – so individuals can detect telephonic phishing schemes.
The FTC encourages businesses to use the Guide and its accompanying materials to educate employees and customers, such as through newsletters and websites. However, when facing an enforcement action or a lawsuit, will a company’s compliance with the Guide offer any relief from FTC or state Attorney General penalties or assist organizations in their defense in private data breach lawsuits? Ultimately, the crux of breach liability usually relates to how it occurred, but taking swift, corrective actions following a breach should aid an organization when dealing with regulators and third parties by showing good faith actions to prevent further damages. Conversely, a company that fails to take corrective actions can exacerbate a breach and further negatively impact affected individuals and the organization.
The FTC’s Guide and accompanying materials are helpful references, particularly for smaller businesses. As a practical matter, the advice I give companies facing a possible data breach is, first, to take the time to determine what happened, how it happened, whether the breach is continuing, and what you can do to prevent it in the future. While several states require reporting within a set number of days (e.g., 45), the laws allow organizations time to conduct factual inquiries, take corrective measures, and prepare to notify affected individuals. Organizations should not rush through these key steps. Second, communication is key. A company facing a breach should develop a clear, consistent statement regarding the breach, the steps being taken and a single contact point. The lack of a communication plan or a consistent message can cause a huge loss of customer and employee confidence and raise regulators’ interest. Third, when preparing data breach notifications, organizations should note that the letter will likely become public due to some states’ open records laws. Numerous websites track and publicize data breaches based upon information in the notifications – often including copies of the actual letters. Companies should not assume that regulators and consumers simply file the letters away. While your organization cannot prevent the publicity, having a clear, concise data breach notification that meets each state’s requirements without providing excess data will help the company through the process and the associated publicity.
As Halloween has people thinking of ghosts and ghouls, creative plaintiffs’ attorneys have turned an arcane New Jersey law into a true source of fright for virtually anybody who offers services that are even potentially available within the Garden State.
The law at issue is the New Jersey Truth in Consumer Contract, Warranty, and Notice Act (“TCCWNA”), which was enacted in 1981 with good intentions: to prevent businesses from advertising terms that violate state law in order to cow consumers into doing business under those terms even though they were unenforceable. For example, a storage space rental company might violate the law by requiring a consumer to release it from liability for personal injuries on company property, even though such a waiver is unenforceable under New Jersey Law. The statute provides seemingly modest damages of $100 per violation.
But the TCCWNA does not require a consumer to actually have been hurt by any illegal term or provision and, in fact, it allows for a cause of action to be brought even by a mere “prospective consumer.” In 1981, this likely made little difference to brick-and-mortar businesses, for whom the only individuals who may have seen a violative contract or term would be those who sought it out. But in the age of the Internet, everybody is a potential consumer, and one may shop for dozens of products from the comfort of one’s own desk in a single afternoon. Each time that one of these individuals views the website and, even theoretically, considers purchasing a product or service, that individual becomes a potential plaintiff under the TCCWNA.
This has opened the door to suits against virtually any retailer that has a website that can be accessed in New Jersey—unless the terms offered by such retailers are fully compliant with New Jersey law or clearly indicate what provisions would be invalid in New Jersey, there is a chance that those retailers could be found to violate the TCCWNA. And although statutory damages of $100 may not seem scary, those damages are awarded on a per-violation—that is, per-consumer—basis. And plaintiffs’ attorneys have begun to bring class actions alleging that every single New Jerseyan who has accessed a given website is a “potential consumer” under the statute, opening the door to potentially massive liability.
The news is not all bleak: a federal judge in New Jersey recently dismissed a TCCWNA case against the car rental company Hertz relying on a recent Supreme Court case that bars lawsuits by plaintiffs who have suffered no more than a “bare procedural harm” without any real injury. But it is not yet clear if other judges will follow suit, and even if they do, that ruling will not help defendants who may find themselves stuck in state court. Until the courts or the New Jersey legislature provide clearer and more meaningful protection, businesses may find themselves being forced to comply with New Jersey law no matter where they may be located.
The Federal Acquisition Regulation final rule implementing the “Fair Play and Safe Workplaces” Executive Order 13673 was issued on August 25, 2016, and the rule goes into effect on October 25, 2016. This new regulation presents a significant change – and potential challenge – for major government contractors.
President Obama signed Executive Order 13673, often referred to as the “Blacklisting” order, on July 31, 2014. The stated goal of the order is to “increase efficiency and cost savings in the work performed by parties who contract with the Federal Government by ensuring that they understand and comply with labor laws.” On their face, the Order and regulations provide new instructions for Federal contracting officers to consider a contractor’s compliance with certain Federal and State labor laws as a part of the determination of contractor “responsibility” that contracting officers must undertake before awarding a Federal contract. But what do the Blacklisting Order and the final rule really do?
Mandatory Reporting of Labor Law Violations
The new rule imposes significant reporting obligations on federal contractors during the procurement process. Ultimately, contractors and subcontractors will need to report three years of labor law violations once the rule is fully in effect. Labor law violations encompass violations of the Fair Labor Standards Act, the Occupational Safety and Health Act, Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, and ten other federal laws and orders. According to the final rule, there are three types of actions that constitute reportable violations: “administrative merits determinations,” arbitral awards or decisions, and civil judgments. Contractors must supply basic information about the violation, including the nature of the violation and identifying information, and also have the option of submitting evidence of mitigating factors and remedial measures. This information will be stored on a publicly available, searchable website.
Acknowledging that this reporting is a significant burden, the rule provides a phase-in period to allow companies to get up to speed. When the rule becomes effective on October 25, 2016, the reporting requirements will apply only to procurements of $50 million or more and only to prime contractors. But after six months, on April 25, 2017, contractors bidding on prime contracts of $500,000 or more will need to make the relevant disclosures. On October 25, 2017, subcontractors become subject to the rule as well. Additionally, while the reporting time frame is ultimately the three preceding years, for the first year the rule is in effect, reporting will reach back only one year. The reporting window will be expanded by a year each year thereafter, until the three-year reporting period is completely phased in on October 25, 2018.
New Paycheck Transparency Requirements
The Blacklisting Order and final rule also institute requirements for how contractors communicate wage information to workers. As of January 1, 2017, contractors and subcontractors must provide a detailed wage statement, including hours worked, overtime hours, rate of pay, and any additions made or deductions taken, to every worker performing under a federal contract. Additionally, prior to beginning work, the contractor must indicate to the worker whether they will be considered an employee or an independent contractor and, if an employee, whether they are exempt or non-exempt. These notifications must be provided to workers in English and in any other language used by a “significant portion” of the workforce.
Restrictions on Pre-dispute Arbitration
On the same date the reporting requirements begin the phase-in process – October 25, 2016 – the requirements surrounding arbitration agreements will go into full effect. Companies with federal contracts or subcontracts of $1 million or more may not require workers to enter into pre-dispute arbitration agreements for disputes based on Title VII claims or torts related to sexual assault or harassment. The only exception will be for employees covered by a collective bargaining agreement that was negotiated with an agreement to arbitrate prior to the contractor bidding on the covered contract.
The Government’s Obligations Under the New Rule
Under the new rules, the Government has obligations as well. Each agency must designate an Agency Labor Compliance Advisor (“ALCA”) to implement the reporting program. The ALCA will be the central point of contact for the agency and all matters related to Blacklisting reporting. This includes helping contractors achieve compliance with the rules and recommending labor compliance agreements. On the date the rule goes into effect, the Department of Labor will release a list of the ALCAs and their contact information.
Not the First Attempt at Blacklisting
President Bill Clinton tried this once before. On December 20, 2000, just weeks before the end of his final term, he issued similar blacklisting rules. These rules would have required federal contractors to certify whether they had violated any federal, state, or foreign labor, employment, tax, environmental, antitrust, or consumer protection law in the prior three years. A violation was defined as any incident running afoul of the various laws supported by “pervasive evidence.” That is, no formal ruling or determination of liability had to have been made to create a reportable violation. Further, contracting officers would have had complete authority to determine whether the violations disqualified the contractor from reporting and were not obligated to allow bidding contractors an opportunity to respond to potentially disqualifying violations.
While the temporal element is the same as the current rule, the list of reportable violations far exceeded the list of labor law violations as contemplated now. Contractors and various industry groups aggressively opposed the 2000 proposed rule, and several lawsuits were filed in an attempt to block implementation. Nonetheless, the rule went into effect on January 19, 2001 – the day before President Clinton left office. However, in March 2001, President George W. Bush ordered suspension of the rule and began the process for overturning it. By the end of 2001, the Bush Administration had successfully revoked this rule.
Next Steps for Contractors
Contractors shouldn’t expect the 2016 rule to meet the same fate as the 2000 version. While both rules bear some similarities, the current rule is much narrower and better defines what constitutes a reportable violation. Although some industry groups have publicly contemplated lawsuits against the 2016 rule, none have been filed yet. With the looming deadline, contractors should start making plans to establish a compliance regime.
While compliance with labor laws is a worthy goal, the new regulation also will have significant costs. It reduces an employer’s ability to require arbitration, which likely will result in increased, costly litigation and possibly class action litigation if future labor disputes arise. Similarly, for existing disputes decided in arbitration, it eliminates the benefit of confidentiality by requiring public disclosure of any adverse award.
The new regulation does provide some additional compliance options for contractors in advance of official implementation. Companies may undergo a voluntary preassessment by the Department of Labor. Beyond helping companies become acquainted with the rules, participation in this program will be considered a mitigating factor in future acquisitions. As a result of the preassessment, however, the DOL may require companies to enter into labor compliance agreements.
Federal contractors should start taking internal steps to ensure compliance in advance of the effective dates. Companies should work with their internal teams, including legal, human resources, and IT support, to ensure that the necessary records are being kept and to design a reporting and monitoring program for the future. Companies should also review their new hire policies, to ensure that proper notifications are made to all workers in the required languages.
While this is a final rule and set to go into effect in the coming weeks, the matter is far from settled. Legal challenges to the rule once implemented may arise in the courts. And, as with any new rule, the devil is always in the details, so companies will likely not know the full impact of the rule until attempting compliance during the procurement process.
The Consumer Financial Protection Bureau (CFPB) has proposed a new rule to regulate payday lending and auto-title loan companies. Right now, it is merely a proposal, meant to undergo the notice and comment period until September 14, 2016. But if the rule goes into effect, it would be a significant imposition on the lending business.
The CFPB has been studying the effects of payday lending on consumers for years and found that many consumers struggle. They cannot repay their loans, so they take out new ones and incur significant penalties and fees. Or, they default on repayment altogether. The new rule tries to reduce this by regulating the people who issue those loans.
In theory, the rule would affect two types of loans: those with a term of 45 days or less, and those with a term of more than 45 days that meet certain specifications, such as an all-in annual percentage rate above 36% and the use of a consumer’s bank account or vehicle as collateral. Before issuing either loan, a lender would have to determine whether the borrower can repay it without re-borrowing in the following 30 days. To determine this, a lender would assess the borrower’s income, debt obligations, and housing costs; project them over the life of the loan; and forecast non-housing living costs.
The rule would also restrict how lenders can collect repayment. Today, lenders are allowed unlimited tries to withdraw from an indebted borrower’s bank account, but the new rule would stop them after the second attempt that fails due to insufficient funds.
Because the rule has not been approved yet, affected borrowers and lenders can speak out against or in favor of it. Richard Cordray, the director of the CFPB, has promised that the Bureau “will continue to listen and learn” as comments come in. Sourcing from the industry is the best way to create a rule that protects consumers and helps lenders continue to provide so vital a lifeline.