Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227) claims often are a waste of time and money. The plaintiffs frequently are serial (some having filed dozens of claims) and usually want to receive the alleged spam so they can sue and cash in. The harm is slim to non-existent, and the economic burden of the litigation on defendants (and the courts) is staggering. In a ruling on August 8, U.S. Northern District of Illinois Judge St. Eve ruled that she wouldn’t “stand” for this state of affairs any longer (or at least not with respect to the facts before her). She found that because the plaintiff was not in the “zone of interests” intended to be protected by the TCPA, the plaintiff lacked statutory standing. See Tel. Sci. Corp. v. Asset Recovery Solutions, 2016 U.S. Dist. LEXIS 104234, at *50 (N.D. Ill. Aug. 8, 2016).

As a result of selling a tool for screening alleged robocalls, plaintiff Telephone Science Corporation (TSC) claimed it had received a lot of calls in violation of the TCPA. Id. at *4. Judge St. Eve ruled that because the whole purpose of TSC’s business was to identify/screen robocalls, it couldn’t sue under the TCPA based on receipt of those robocalls. Id. at *48–50. In other words, TSC’s claims did not implicate the interests against privacy intrusion and nuisance underpinning the TCPA. Continue Reading Judges Can’t Stand TCPA Claims

After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.

Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:

  • Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time
  • Develop a Privacy Shield-compliant privacy policy statement
  • Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual
  • Ensure that they have compliance verification mechanisms in place
  • Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield
  • Review the information required to self-certify
  • Go online to www.privacyshield.gov to self-certify

Continue Reading Time to Raise Your Shield: The New EU-U.S. Framework Is Here

It has been a while since we last published on our firm blog, Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We have learned many lessons from these attacks that we plan to share with our readers over the coming months. But the focus of this post is recent guidance from the Office for Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information (PHI) is presumed to be a data breach carrying Health Insurance Portability and Accountability Act (HIPAA) reporting obligations unless the affected entity can show otherwise.

In a typical ransomware matter, the attacker encrypts data and demands a ransom (usually in Bitcoin) before decrypting it and making it accessible again to the data owner (the covered entity) or maintainer (the business associate). But just because an attacker has locked your data, does that mean the attacker has accessed, acquired or exfiltrated it? Couldn’t an attacker lock your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (making the house inaccessible to you without a forced break-in) without entering the house, taking possession of anything in it, or carrying anything out? The answer would seem to be yes. But OCR’s guidance answers no, at least in the realm of ransomware: it treats the encryption of electronic PHI by ransomware as an unauthorized “acquisition” of that information, so a breach is presumed unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised under the four-factor risk assessment of the Breach Notification Rule. In practice, rebutting that presumption means producing forensic evidence, such as analysis of the malware’s capabilities and network logs showing no outbound transfer of the affected data, that many victims have not retained. Continue Reading OCR: Ransomware Attack Often Is a Data Breach

On Wednesday, President Obama signed the federal Defend Trade Secrets Act of 2016 (the “Act”) that passed both houses of Congress in late April. The statute is the first federal statutory protection afforded to trade secrets and could have a significant impact on trade secrets litigation nationwide. The passage of the law comes as no surprise, and much has already been written about what it means for the future of these disputes. But what about those who are currently involved in trade secrets litigation: could the Act change the course of those cases? There is not a definitive answer, but it is something that all litigants should consider now that the Act has become law.

The first question is whether the Act applies at all in such instances. The Act applies to “any misappropriation of a trade secret (as defined in section 1839 of title 18, United States Code, as amended by this section) for which any act occurs on or after the date of the enactment of this Act.” S. 1890, 114th Cong. § 2(e) (emphasis added). “Misappropriation” is defined as “(A) acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means; or (B) disclosure or use of a trade secret of another without express or implied consent.” 18 U.S.C. § 1839(5). So, in litigation where the “use” of trade secrets is ongoing, there may be an argument that the Act applies. Continue Reading Impact of Defend Trade Secrets Act on Pending Cases is Unclear

On May 11, 2016, President Obama signed into law the Defend Trade Secrets Act (DTSA). Unlike other forms of intellectual property, trade secrets issues have been addressed mainly through state law. The DTSA provides a new federal court civil remedy for acts of trade secret misappropriation, among other key provisions:

Ex Parte Seizure of Property

The most controversial aspect of the DTSA is the ex parte seizure provision, which permits a court to order the seizure of property if deemed necessary to prevent the propagation or dissemination of the trade secret. A party seeking an ex parte seizure will have to demonstrate that “extraordinary circumstances” exist warranting the seizure. The ex parte provision also allows a defendant to seek damages for abusive or wrongfully-acquired seizure orders.

Jurisdiction

The DTSA provides that the U.S. district courts have original jurisdiction over civil actions brought under the law. Such jurisdiction is not exclusive. To establish jurisdiction in federal court, a plaintiff will have to show that the trade secret is “related to a product or service used in, or intended for use in, interstate or foreign commerce.” Continue Reading President Obama Signs the Defend Trade Secrets Act into Law: What You Need to Know Now

As published in State Bar of Michigan Health Care Law Section

“In recent years, the likelihood of suffering a data breach has risen significantly for American companies across numerous industries. Health care providers, in particular, have been targeted due to the value of the sensitive information they hold regarding their patients and employees, including birth dates and Social Security numbers. Health care providers that suffer data breaches risk incurring significant fines, settlement amounts, legal fees, negative publicity and increased scrutiny from regulatory authorities …”


On April 5, 2016, the Fraud Section of the Criminal Division of the Department of Justice (“DOJ”) released an Enforcement Plan and Guidance (the “Plan”) regarding the Foreign Corrupt Practices Act (“FCPA”). The Plan contains three components designed to enhance the DOJ’s ability to detect and prosecute violations of the FCPA:  (1) a substantial increase in law enforcement resources; (2) increased coordination with foreign jurisdictions; and (3) implementation of a pilot program (the “Pilot Program”) offering substantial cooperation credit to companies that meet certain specified standards for “(1) voluntary self-disclosure of criminality, (2) full cooperation, and (3) remediation.”

One of the enumerated requirements for companies to achieve “full cooperation” (and thus earn maximum cooperation credit) under the Pilot Program is that companies must effectuate “[d]isclosure of overseas documents, the location in which such documents were found, and who found the documents.” This requirement comes with an exception for situations in which “such disclosure is impossible due to foreign law, including but not limited to foreign data privacy laws.” The requirement and exception are followed by a note stating that:

Where a company claims that disclosure is prohibited, the burden is on the company to establish the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.

Thus, companies seeking to avail themselves of the cooperation credit offered under the Pilot Program may find themselves trying to strike a delicate balance between compliance with foreign data privacy laws, such as those in the European Union that restrict the transfer of personal data, and compliance with the DOJ’s “full cooperation” requirement. Continue Reading The Intersection of the Foreign Corrupt Practices Act and Data Privacy

Audit. A simple enough word, which basically means “to count.” Yet few words can evoke fear as much as this one word. No one asks their love “How do I love thee? Let me audit the ways,” nor do we tell our children to “Audit your blessings.” And while audits are not inherently unreasonable, their use should be reasonable and relevant. And due to the negative connotation of the word, many IT vendors are even couching their audit notices in “kinder” terms, characterizing the reviews as customer-benefitting and the like. But just as Shakespeare noted about misnamed flowers, an audit by any other name doesn’t change anything, and still holds risk.

Software audits are on the rise, and with most users reporting some under-licensing situations (and the requisite payment of additional license and support fees), this upward trend will only continue as more IT providers focus on this “low hanging fruit” revenue source. An increasing number of IT solutions providers are asking (or sometimes just telling) their customers to submit to an audit, albeit many times called by a different name, and taking increasingly aggressive approaches. The IT industry and the industries of its customers are taking notice, as in many cases, what is portrayed as a simple review will end up with tens or hundreds of thousands of dollars of exposure in the form of license and maintenance fees. Continue Reading Software Audits: A Rose by any Other Name…

The Internal Revenue Service recently issued an alert to payroll and human resources professionals to be aware of an emerging phishing e-mail scheme that purports to be from company executives and requests personal information about employees. Vedder Price would like to reiterate this alert, as it is personally aware of multiple companies that have fallen victim to this scheme in the past few days.

The phishing e-mails typically appear to be from the company CEO or other executive, and are generally directed to a company employee in the payroll, human resources or accounting departments. The “CEO” sends an e-mail to the company employee and requests certain tax documents or other personally identifiable information (“PII”) pertaining to the company employees, including W-2s, SSNs, dates of birth, addresses and salaries. Continue Reading Emerging Phishing E-mail Scheme Alert
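The scheme described above relies on three cheap tricks: a forged or look-alike sender address carrying an executive’s display name, a Reply-To header that quietly redirects the conversation to a mailbox the attacker controls, and a request for exactly the data (W-2s, SSNs, salaries) that payroll and HR staff are used to handling. The following Python script is an added example written for this page; it is not code from Vedder Price or the IRS. It assumes a hypothetical company domain (example.com), a hypothetical list of executive display names, and two constructed sample messages, and it scores each message on those three indicators plus the presence of sensitive-data terms.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical company directory (an assumption for this example, not from the alert):
# the legitimate mail domain and the display names of executives worth impersonating.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

# Terms that, in a request from "the CEO" to payroll or HR, describe the data the
# IRS alert warns about. Matched case-insensitively against subject and body.
SENSITIVE = re.compile(
    r"\b(w-?2s?|ssns?|social security|dates? of birth|salar(?:y|ies)|payroll)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e.com, exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> dict:
    """Score one RFC 822 message for the executive-impersonation W-2 pattern."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    reasons = []

    # 1. An executive's display name on an address outside the company domain.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"executive display name '{from_name}' from external domain {from_domain}")

    # 2. A sender domain within two edits of the real one (typosquat / look-alike).
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {from_domain}")

    # 3. Replies silently redirected to a mailbox under someone else's control.
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")
    terms = sorted({t.lower() for t in SENSITIVE.findall(text)})

    if reasons and terms:
        verdict = "quarantine"          # spoofing indicators plus a request for PII
    elif terms:
        verdict = "verify out of band"  # sender looks genuine; still confirm by phone
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons, "sensitive_terms": terms}


# Constructed sample messages for this example (not real traffic).
PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example.net
To: payroll@example.com
Subject: Urgent: W-2s for all employees

Hi, I need the 2015 W-2s and SSNs for all staff as a PDF by noon. Sending from my phone.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q2 offsite agenda

Can you confirm the room booking for Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_message(raw))
```

The "verify out of band" verdict is deliberate: a genuine-looking request from the real executive's address for W-2 data is still the moment to pick up the phone, because display names and even authenticated internal accounts can be compromised. Header heuristics like these complement, rather than replace, SPF/DKIM/DMARC enforcement on the receiving mail gateway.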


Over the last several years, financial technology (“FinTech”) companies have captured the attention of the marketplace with innovative financial products and processes. Now FinTech companies are capturing the attention of the Consumer Financial Protection Bureau (“CFPB”). Two recent actions by the CFPB within the last fourteen days make clear that FinTech companies can expect some of the same regulatory burdens as faced by Federal Deposit Insurance Corporation (“FDIC”) insured banks. In the first action, the CFPB assessed a civil money penalty against a FinTech company for data security deficiencies, the first-ever such action brought by the CFPB. In the second action, the CFPB announced to the public that it would begin accepting consumer complaints regarding online marketplace lenders.

Data Security Protections

On March 2, 2016, the CFPB and Dwolla, Inc., an Iowa-based online peer-to-peer payment system provider (“Dwolla”), entered into a Consent Order that imposed the CFPB’s first-ever civil money penalty for data security violations under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”).

In the Consent Order, the CFPB alleged that Dwolla made misrepresentations relating to Dwolla’s data security practices that otherwise constituted deceptive acts and practices likely to cause substantial consumer harm, in violation of the Dodd-Frank Act. Specifically, the CFPB alleged that between 2010 and 2014, Dwolla advertised falsely on its website that all its payment transactions were “safe and secure,” and that its data security processes and protections “met or exceeded” industry standards. The CFPB claimed that Dwolla failed to employ reasonable and appropriate measures to protect sensitive consumer data from unauthorized access by failing to:

  • adopt and implement data security policies and procedures reasonable and appropriate for the organization;
  • use appropriate measures to identify reasonably foreseeable security risks;
  • ensure that employees who had access to consumer information receive adequate training and guidance about security risks;
  • use encryption technologies to properly safeguard sensitive consumer information (at rest and in transit); and
  • practice secure software development, particularly with regard to consumer-facing applications developed at an affiliated website.

Continue Reading The CFPB Takes Aim at FinTech