This Wednesday, Heather Nolan will discuss the legal issues related to Gamification. The session is part of the Brand Activation Association’s comprehensive, 6-part webinar series, which has been covering the A-Z must-knows of sweepstakes, contests and games. This week’s session will be helpful to business and legal team members who are interested in using game elements in their promotions. Content will be helpful to those who are new to gamification and need help understanding the basics, as well as those who are seasoned and just want to extend their knowledge. Developed and offered for the first time by BAA’s Sweepstakes, Contest & Games Council, the series pairs industry experts from law firms, agencies, and marketing companies to share their insights and experiences so you can maximize your promotion spending. This week’s session will take place online on Wednesday, July 30th at 2pm ET/1pm CT/11am PT. Click to register.
On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes. The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were not encrypted. As a result of the consent judgment, WIH will pay a civil penalty of $110,000, attorney fees of $25,000, and contribute $15,000 to funds organized by the Attorney General to support data security enforcement actions and education on the protection of sensitive personal information.
The Attorney General asserted that WIH failed to discover the breach in a reasonably timely fashion. The backup tapes were allegedly transferred off-site during the summer of 2011 but their loss was not noticed until April 2012 and public notice was provided in November 2012. The Attorney General claimed that the delay in detecting the loss resulted from inadequate inventory and tracking of sensitive personal information. In addition, the Attorney General asserts that notification to consumers was delayed because of “deficient employee training and internal policies”.
The WIH consent judgment follows the recent pattern of litigation to implement the Massachusetts data security regulations, 201 C.M.R. 17.00, and the HITECH Act provisions empowering state attorneys general to enforce HIPAA. This is consistent with the consent judgments entered into with Goldthwaite Associates in 2013 and South Shore Hospital in 2012.
Several important lessons may be learned from this recent sequence of enforcement actions.
- The Massachusetts Attorney General will pursue actions under the Massachusetts data security regulations against out-of-state enterprises that handle the personal information of Massachusetts residents. Prior enforcement actions have focused upon Massachusetts-based businesses. Going forward, out-of-state businesses having sufficient minimum contacts with the Commonwealth of Massachusetts should evaluate their data protection practices in order to avoid running afoul of the Massachusetts data security regulations.
- The U.S. Department of Health and Human Services (“HHS”) is cooperating with state attorneys general that wish to pursue compliance enforcement actions under HIPAA. Accordingly, HIPAA covered entities and business associates across the country should note that the states may become a bigger factor in HIPAA enforcement in the future.
- Businesses should maintain appropriate procedures to inventory and track the sensitive personal information that they collect and use. Accurate data inventory can help businesses better identify their security risks and detect anomalous events in a timely fashion.
- Businesses should also take steps to maintain comprehensive procedures for investigating and responding to data breaches. Such procedures help businesses avoid the kinds of delays in public notification that may elevate the concerns of federal and state regulators.
- While encryption is not a panacea for privacy and security issues, there are several circumstances where it can substantially reduce legal risks. The inability to implement physical and other reliable access safeguards makes encryption particularly valuable for protecting electronic media transported outside company facilities.
Companies sending text messages or conducting voice telemarketing in Connecticut beware! Connecticut has substantially amended its telemarketing law (the “mini-TCPA”), which now may regulate even more conduct than the federal TCPA – particularly, push notifications and in-app messages. In addition, the mini-TCPA provides for reasonable attorneys’ fees, which may present an incentive for plaintiffs to bring suit; and also authorizes large penalties recoverable by the government. The amended statute becomes effective on October 1, 2014. This article is intended to highlight some of the key differences between the new Connecticut law and the TCPA that are relevant to businesses that already comply with the TCPA.
Over the past eight years, the New York Attorney General’s office has been compiling statistics on data breaches pursuant to the state’s breach notification law. Earlier this week, Attorney General Eric Schneiderman published a report titled, “Information Exposed: Historical Examination of Data Breaches in New York State,” which provides analysis and insight into how those breaches have affected New York residents.
It should come as no surprise that data breaches are on the rise, increasing both in size and frequency. Between 2006 and 2013, more than 3,000 businesses, nonprofits and government entities reported data breaches involving New York residents. In 2013 alone, New York experienced more than 900 data breaches, which exposed the personal information of a record-setting 7.3 million New Yorkers. If we include data for the past eight years, that number balloons to 22.8 million. By way of comparison, New York’s population last year was only 19 million. If you live in New York, there is a good chance that at some point your personal information was potentially compromised.
The report also revealed that the leading cause of data breaches was hacking, accounting for over 40% of the number of breaches, with lost or stolen equipment a distant second at only 23% of breaches. This figure is significant because, as noted in the report, not all breaches are created equal. Hacking incidents tend to compromise more personal records, since they are often performed with the explicit goal of stealing information.
And yet, for most consumers, data breaches are merely a nuisance. For affected businesses, however, data breaches can be very costly. The Attorney General’s office estimates that data breaches cost organizations doing business in New York State over $1.37 billion in 2013 alone. This figure includes the cost of investigating the breach, notifying the affected individuals, and in some cases providing free credit monitoring services for the affected individuals. Then there are the indirect costs, such as lost sales and a decreased stock price. Any way you slice it, data breaches can be very expensive. “What’s truly shocking about this report, beyond the fact that hacking is now the greatest threat to our personal information and costs us billions of dollars, is that many of these breaches could have been prevented,” said Attorney General Schneiderman. “If millions of New Yorkers were exposed, one can only imagine how many have been compromised across the nation.”
The report goes beyond the historical analysis and provides a few simple steps organizations can take to help protect themselves. These steps include identifying and minimizing data collection practices, as well as the creation and implementation of an information security plan. The Attorney General also encourages entities to implement technical safeguarding, including:
- Requiring encryption of all stored sensitive personal information;
- Minimizing the storage of sensitive personal information on devices connected to the Internet;
- Implementing hashing and salting of stored user passwords;
- Incorporating firewalls and up-to-date security software to protect corporate networks; and
- Ensuring that all devices issued to employees require secure authentication to access encrypted sensitive personal information.
There is nothing earth shattering about these recommendations. However, as the figures in the report suggest, there remain a significant number of organizations that have failed to take these straightforward steps.
The full text of the Attorney General’s report is available on their website at http://www.ag.ny.gov/pdfs/data_breach_report071414.pdf.
Yesterday, the FTC gave its blessing to some new ways that covered organizations can obtain verifiable parental consent before collecting personal information from children under 13. The updated COPPA Rule FAQs offer expanded options to get consent using payment card information and for developers using a third party such as an app store to get consent.
If you want to collect payment card information to obtain parental consent, you may now have additional ways to get sufficient consent other than having to conduct a monetary transaction. In its updates to the FAQs, the FTC departed from its position that a financial transaction must occur for a parent’s payment card number to be used for consent. Collecting a 16-digit credit or debit card number alone is still insufficient to satisfy the standard; however, the FTC explained that a card number used in conjunction with another safeguard could be sufficient. For example, it may be enough to also ask questions to which only the parents would know the answers. The revised FAQ answer suggests that other options could also be sufficient, depending on the available technology and circumstances.
If you are an app developer, the recent FAQ updates offer additional options for using a third party to get consent on your behalf. Formerly, the FAQs generally prohibited covered organizations from relying solely on a third party for consent. Now, app developers can have third parties obtain consent as long as the developers ensure that the COPPA requirements are met, including, for example, that the third party is using a method that is reasonably calculated based on available technology to ensure that the person providing consent is the parent. As one illustration, the third party may not simply require an app store account number or password, but must also require other indicia of reliability, such as knowledge-based authentication questions or verification of government identification. The FTC’s updated FAQ answer also reminds developers to provide direct notice outlining your information collection practices before the parent provides consent.
Finally, the FTC added a new FAQ that considers a platform’s liability if it takes advantage of the new options for helping developers obtain consent by providing a verifiable parental consent mechanism. The FAQ makes clear that app stores will not be liable as “operators” under COPPA for failing to investigate the privacy practices of the operators for whom they obtain consent, but points out that the platform may have liability under other laws such as Section 5 of the FTC Act.
InfoLawGroup congratulates our colleague Evan Brown on being named by fastcase as one of the fastcase 50 for 2014. The fastcase 50 honors entrepreneurs who are innovating in the area of legal services. fastcase has recognized Evan as a “go-to expert for tech law in the media, from Wired to CNN and BBC.” Evan is also recognized for his extensive writing on emerging trends in law and technology and as co-host of the netcast This Week in Law (TWIL).
One of the big questions preceding the Supreme Court’s decision in the Aereo case earlier this week was whether a holding against Aereo would put cloud services into such a legally precarious position that the innovation and investment climate would chill. While the decision clearly makes Aereo’s use of its technology illegal, one should not be too quick to foretell a drastic impact on all hosted services. Here are some reasons why.
Let’s be clear about what we mean by “the cloud” in this context. Aereo’s technical model – which the court found to infringe copyright – captured over-the-air television content using one tiny antenna per customer, transcoded that content into one copy per customer, which Aereo stored and then streamed on-demand to the customer. The court found that model bore an “overwhelming likeness to the cable companies targeted by the [1976 Copyright Act]” to an extent that Aereo was “for all practical purposes a traditional cable system.” Aereo’s technological attempts such as the one-copy-per-customer method that it used to distinguish itself from traditional cable services were immaterial to the court. Aereo looked like a cable company, so the court treated it as one, with all the copyright consequences that go along with that status.
Aereo was a cloud service inasmuch as it stored the TV content and served it to its users when those users initiated the performances. It was the cable-like functions that got it into trouble, not necessarily the cloud-provider functions. That arguably leaves the rest of what we consider cloud services – online collaboration tools, centralized communications systems, most hosted applications, and the like – outside the scope of the court’s decision. Most software-as-a-service models, whether to the consumer or at the enterprise level, are unlike cable systems and thus likely stand clear of the sweep of the Aereo sickle.
The technology could live on.
One must also be sure to recognize that the court’s decision did not kill the technology altogether, but instead killed the use of the technology in the hands of one who does not have ownership or license to the content being delivered. Since the court found that Aereo’s service was “substantially similar” to cable systems, Aereo, its successors, or other players in the space could look to monetize the technology while paying the compulsory licenses that Section 111 of the Copyright Act spells out in dizzying complexity. Or the broadcasters and other content stakeholders could acquire Aereo-like technology and use it to supplement the other means of content delivery currently at play. In either scenario, the needs for investment and innovation in providing infrastructure (as well as the need for clarity on network neutrality) remain firmly intact.
The real likely effect.
This is not to say that Aereo will have no effect on development of technology in areas outside the particular facts of the case. The court’s decision expands the class of online intermediaries who may be liable for direct copyright infringement. In that respect, the case differs from other important technology-provider copyright cases like the Betamax case, Grokster and the Cablevision case. In those cases, the main question before the courts was whether the providers were secondarily liable for the infringement committed by their users. In Aereo, however, the question was whether Aereo itself was liable for infringement committed by providing the technology to others. The Supreme Court held that Aereo was a direct infringer because its functionality so closely resembled a cable company.
So the court has given copyright plaintiffs some new, additional angles to consider when pursuing infringement litigation against technology providers. Does the technology so resemble the technical model of a cable delivery system, particularly from the perspective of the end user, such that it de facto publicly performs the works delivered by the system? If so, then the Aereo test forbids it. Moreover, the case fuzzies the relatively bright line that began to be drawn almost 20 years ago with Religious Technology Center v. Netcom, requiring that for an internet intermediary to be liable for direct infringement, it need undertake some volitional conduct in furtherance of the infringement. That fuzziness will no doubt embolden some plaintiffs who otherwise would not have seen the potential for a cause of action against future defendant-innovators.
In reality, few platforms are likely to actually get “Aereoed” in litigation. The ones at greatest risk will be those that facilitate access to streaming content provided by others. But the fact that ultimate liability may not lie against a provider will likely do little to stop aggressive copyright plaintiffs from trying out the theory against all forms of remote storage providers. That’s the problem Justice Scalia identified in his dissent when he said the decision “will sow confusion for years to come.” Let’s hope that’s mostly an overstatement.
In a case of first impression, the National Advertising Division (NAD) recently issued a decision concerning substantiation for consumer preference claims that should put advertisers on alert.
In Euro-Pro Operating, LLC, Shark-brand Vacuum Cleaners, NAD Case Reports #5717 (May 29, 2014), the NAD reviewed an advertising claim Euro-Pro made for its Shark-branded vacuum cleaners in various media, including television commercials, infomercials, online advertising, and product packaging. Euro-Pro’s competitor, Dyson, Inc., brought the claim to the NAD’s attention.
The first phase of Canada’s Anti-Spam Legislation (CASL) goes into effect on July 1, 2014. Accordingly, all businesses engaged in the transmission of Commercial Electronic Messages (CEMs) in Canada should assess their business practices and take steps to adhere to any applicable provisions of the law. To that end, my February blog post summarizing several key elements of CASL is presented below.
Over the past year, the number of data breaches has skyrocketed and, as a result, companies are facing increased risk of litigation for any perceived failure to protect their customer data. In the context of data breach litigation, organizations have routinely withheld from production documents related to internal compliance investigations on the grounds of the attorney-client or work product privilege. A recent decision from a U.S. District Court in the District of Columbia calls into question the privileged status of those documents.
In U.S. ex rel Barko v Halliburton Co., a former contract administrator for Kellogg, Brown and Root (“KBR”) alleged that Halliburton and other KBR contractors inflated the costs of construction services on military bases in Iraq. In connection with a qui tam suit, the administrator Harry Barko sought documents relating to possible violations of the corporate code of conduct. KBR withheld documents related to internal compliance investigations on the grounds that they were privileged and Barko moved to compel production. After an in camera review, a District Court Judge for the District of Columbia held that the documents were not protected by the attorney-client or work product privilege, but the reasoning behind that decision may surprise you.
In concluding that the documents were not privileged, the court highlighted the involvement of non-attorneys in the investigation process, the timing of the investigation in relation to the litigation, and the representations made to those involved, specifically that those being interviewed were not told about the legal nature of the inquiry. However, the linchpin of the court’s logic was that the investigations were undertaken pursuant to regulatory law rather than for the purpose of obtaining legal advice. Here, the court cited Department of Defense regulations that require contractors to have internal controls for compliance, including a mechanism, such as a hotline, by which employees may report suspected instances of improper conduct. The court reasoned that an investigation would have been conducted regardless of whether legal advice was sought, because compliance investigations were required by regulatory law and corporate policy.
In this regard, the court’s holding appears to be flawed because regulations are of course enforced by criminal investigations and civil actions, such as the one brought by the plaintiff. While the regulations may require an investigation, the goal is not to force companies to conduct investigations for the sake of investigations, but instead to detect and respond to violations of those regulations. Even without a mandate, a corporation must undertake an investigation before it can assess its potential liability and determine next steps. Granted, some aspects of regulatory compliance will not involve rendering legal advice, such as employee training. Nevertheless, Barko involved allegations of false claims and overbilling the federal government. It seems counter-intuitive that an investigation into such allegations would not be in anticipation of litigation or, at a minimum, for the purpose of rendering legal advice to the corporation on how to proceed.
The court also appears to have overreached when concluding that the investigation would have been conducted regardless of whether legal advice was sought. The idea, the court reasoned, was that the Department of Defense regulations require contractors to have internal control systems, such as KBR’s Code of Business Conduct, to facilitate the timely discovery and disclosure of improper conduct in connection with government contracts. However, simply being required to investigate potential violations does not supplant nor override the ultimate purpose of the investigation, which is to determine whether there has been a violation of the law.
The facts in Barko are similar to those often encountered in the data breach context. Consider a typical data breach under the Health Insurance Portability and Accountability Act (“HIPAA”). As with Barko, the initial investigation may be handled by non-attorney personnel such as a member of the IT department, and may be guided by corporate policy and Department of Health and Human Services (“DHHS”) regulations. Additional similarities can be seen in the Department of Defense regulations cited in Barko which required contractors to 1) have a written code of business ethics, 2) implement internal controls for compliance, 3) conduct internal and/or external audits, 4) enact disciplinary action for improper conduct, 5) timely report to appropriate government offices, and 6) fully cooperate with any government agencies. Similarly, HIPAA requires covered entities to have 1) written policies and procedures regarding the protection of personal health information, 2) appropriate safeguards for protecting that information, 3) regular risk assessments, 4) sanctions against members who fail to comply with HIPAA rules, and 5) notification to the DHHS within 60 days for breaches, and imposes a duty on covered entities to provide records and cooperate with the DHHS in compliance reviews and investigations.
| DOD Regs cited by Barko | HIPAA requirements |
| --- | --- |
| Have a written code of ethics. | Have written policies and procedures for protecting personal health information (“PHI”). |
| Implement internal controls for compliance. | Implement appropriate safeguards for safeguarding PHI. |
| Conduct internal and/or external audits. | Conduct regular risk assessments. |
| Enact disciplinary action for improper conduct. | Enact sanctions against employees who fail to comply with the HIPAA rules. |
| Timely reporting to appropriate government offices. | Notification to DHHS is required within 60 days for certain breaches. |
| Full cooperation with any government agencies is required. | Imposes a duty to cooperate with DHHS in compliance reviews and investigations. |
Given these parallels, it is likely only a matter of time before Barko is cited in the context of data breach litigation. Nearly every U.S. state and several federal agencies have regulations that effectively require an organization to conduct an investigation any time there is a security incident. If the court’s reasoning in Barko is adopted by other districts, it may hinder an organization’s ability to assert the attorney-client or work product privilege over documents related to the investigation and response.
That being said, it is important to note that the precedential value of the Barko decision is currently limited to the D.C. District. In addition, most significantly, the opinion does not purport to overturn, challenge or reinterpret existing jurisprudence, but instead relies entirely on existing case law as applied to the facts of the case. As a result, organizations can and should take steps to avoid some of the same pitfalls that plagued KBR. Specifically, organizations should clearly identify (from the outset and throughout) those investigations that are intended to be legally privileged – i.e., for the purpose of obtaining legal advice and at the direction of counsel – both in written documents and in communications with employees. Further, internal and external counsel should lead or be heavily involved in any investigation where the organization may want to assert the attorney-client or work product privilege.
Court Opinion: US ex rel Barko v Halliburton Co