AD-ttorneys@law - December 13, 2017


DMCA Safe Harbor Protection Deadline of Dec. 31, 2017

Renew It or Lose It

Outdated System

The Digital Millennium Copyright Act (DMCA) includes a safe harbor provision that protects appropriately registered online service providers from potential secondary liability for the infringing acts of others. Ironically, in previous years (until December 2016), the Copyright Office required online service providers to mail paper registration forms and checks in order to complete registration. The registration forms were scanned and then uploaded to an online site. The online site was not fully searchable and held inaccurate or outdated registration information.

New Rule(s)

Because of the outdated structure of the old registration and directory system, the Copyright Office changed to the new electronic system in order to substantially increase the efficiency of the office. With this new system, new rules were implemented.

In order for the safe harbor under the DMCA to be effective, all designations, including those previously submitted, must be made on the new electronic system. All paper registrations will be invalid after Dec. 31, 2017. In addition, there is a new three-year renewal period for designations, which will be reset after a service provider either amends or resubmits its designation through the online system.

The Takeaway

It is important to emphasize that, as of Jan. 1, 2018, all paper designations will become invalid and will not meet the safe harbor requirements of the DMCA. We encourage service providers to renew their designations as soon as possible and to rethink the use and structure of their designated agents in view of the new rules. For more information on the changes and how to register under the new online system, read our Copyright, Content, and Platforms blog post.


Chicago to Uber: Once More Unto the Breach?

After second hacking scandal, second city joins wave of new suits

Origin Story

If the first Uber data breach was epic, there may not be a word for the second.

Back in 2014, an Uber employee left his login information on a highly trafficked software development platform, but failed to protect or encrypt the information. As a result, hackers identified the information and used it to access more than 100,000 names and driver’s license numbers – this in spite of a number of public assurances that the company made regarding its data security.

It was a bush-league mistake by a sole employee, but the company promised regulators it would review and strengthen its data security program by, in part, adopting multifactor authentication of user credentials and engaging in ongoing monitoring by security specialists.

But by August 2017, the company was in the crosshairs of a Federal Trade Commission (FTC) investigation that accused it of failing to follow up on its security promises – making mistakes such as letting all engineers access cloud-based storage with a single password, storing sensitive information in unencrypted text and failing to require multifactor authentication.

The company settled with the FTC, promising to “put a comprehensive privacy program in place and to get independent third-party audits every two years for the next 20 years.”

Üps They Did It Again

In October 2016, Uber was approached by two hackers who told the company they had breached its security and stolen a trove of personal information. They had, apparently, accessed the data by hacking a database on the same highly trafficked software development platform that had been breached in 2014, and uncovering login information.

The difference? They used the credentials to steal the records of millions of people – including the full names and driver’s license information of 600,000 Uber drivers in the United States, and the names, phone numbers and email addresses of 57 million Uber users.

But it kept getting worse. The breach was not revealed until November 2017, when, as part of an internal investigation by the Uber board, a complicated cover-up was revealed. Press accounts described how Uber had paid the hackers $100,000 to delete the data and conceal the breach, and then entered nondisclosure agreements with the pair, threatening legal recourse if they ever discussed the crime.

The city of Chicago has launched a complaint against the company, charging it with violations of the city’s municipal code, the Illinois Personal Information Protection Act, and the Illinois Consumer Fraud and Deceptive Business Practices Act – including failure to safeguard personal information, failure to give prompt notice of a data breach, concealment of the breach and deceptive public statements about data protection.

Among other relief, the city seeks $10,000 in fines for each day a violation of its ordinance existed.

The suit, which sources say is the first case brought by a municipality in the 2016 breach, joins a number of state-level investigations into the matter, as well as class action lawsuits on behalf of users who claim to have suffered identity theft because of it.

The Takeaway

When a security incident is suspected, it is essential that companies move quickly to identify, contain, assess, communicate about and remediate the issue. This may include mandatory reporting to data subjects and government agencies. Most states have breach notification laws, although they differ materially. For more information on how to prevent, prepare for and respond to security incidents, download the 2017 BakerHostetler Data Security Incident Response Report, which provides insights and statistics drawn from over 200 incidents we helped clients respond to in 2016.


‘Pro’ Plaintiff’s Umpteenth TCPA Case Will Go On

Cooked claims? Maybe, says court, but harm is real

Squirrel Attack!

There are any number of good reasons Jan Konopca kept his landline number and switched over to cell phone service.

For instance: The wires that ran to his residential line were being gnawed on by squirrels. Also, the number on his landline was easy to remember; he kept it so that his elderly mother would have an easy time recalling it. And he wanted the women he met at bars to be able to remember his number after knocking back a few drinks.

The New Jersey resident offered these rationales in a TCPA suit brought against FDS Bank in 2015. The company called Konopca more than 600 times between 2011 and 2015, when Konopca decided to sue FDS in the District of New Jersey.

It’s a Living

The defendant had a different take on the service switch.

Turns out that Konopca’s suit was simply the latest in a string of 31 lawsuits he brought against a variety of defendants under the Telephone Consumer Protection Act (TCPA) – 21 of which were related to calls he received on the very same squirrel-abused phone number. FDS also shared Konopca’s total winnings from these cases with the court: $800,000. Konopca seemed to be making a pretty good living off the suits.

In this case specifically, FDS maintained that Konopca switched the service from landline to cell so that he could sue the company under the TCPA, which treats calls to the two types of services differently when it comes to the necessity and type of consent required to place calls using autodialers or with pre-recorded messages. And because he chose to make the switch for the purpose of raising the suit, he had manufactured his own injury, and did not have standing to sue under the TCPA.

Licensed to Bill

In an order issued on Nov. 22, 2017, the court responded to FDS’ motion for summary judgment by addressing issues raised in earlier cases in which so-called professional plaintiffs, including one who stockpiled phones hoping to attract TCPA violations, lost standing because they sought out their own injury.

But in a surprising turn, the court concluded that the cases were not applicable to Konopca’s claims. “Although it is most probable that Plaintiff manufactured the harm based on his motivation to be awarded monetary awards in the lawsuits,” the court stated, “the case is distinguishable … by the fact that Plaintiff never gave consent …” In other words, the actual harm suffered by the plaintiff rendered questions of his motivation irrelevant.

The Takeaway

The court went on to say that because both the defendant and the plaintiff had weak cases, it would apply the Third Circuit Susinno decision that held that a “single call in violation of the TCPA was sufficient harm to show standing.” The case will go on.

Companies that engage in telemarketing or non-telemarketing calls or texts, including with vendors and collection agencies, need to ensure that such programs comply with the complex consent requirements of the TCPA. The TCPA provides per-call statutory damages, which on a class-wide basis and even an individual basis can mount up significantly, and the Federal Communications Commission and courts have read the legislative history to support very strict, technical and pro-consumer interpretation and application of the law. And watch out for the squirrels.


FCC Debuts New Robocall Rules

Commission targets bad-faith phone numbers

Endless Spoof

The Federal Communications Commission (FCC or Commission) was hearing about it – 200,000 times a year.

That is the rate of consumer complaints to the FCC about unwanted calls, including robocalls – calls made from automated phone banks. But if you think this complaint rate is astounding, it pales in comparison with the cause: The Commission cites studies that claim consumers receive about 2.4 billion unwanted calls every month. And as every year goes by, robocallers become more technologically sophisticated – more skilled at hiding their identity and appearing to be legitimate callers.

The FCC cites, for example, scam callers that use non-outbound numbers at the IRS to dial potential victims. The victims unfortunately believe the calls are legitimate, based on their caller ID.

New Rule(s)

The Commission is trying to make a dent in the sheer volume of unwelcome phone calls with a new ruleset allowing phone companies and other service providers to block robocalls from “numbers that do not or cannot make outgoing calls.” The Commission carved out an exception to the call completion rules to allow this type of blocking, which is rarely permitted under the law.

As of Nov. 16, 2017, providers are allowed to block different types of numbers, including numbers placed on a “do not originate” list by the owner, numbers not currently used or subscribed, and impossible numbers – numbers that are assigned nonexistent area codes, for instance.

The Takeaway

Providers need to read the new order and understand it thoroughly. While it allows blocking that will be beneficial to the end consumer, it also suggests that providers should provide a simple and straightforward way for owners of legal numbers to report and address accidental blocking.


Direct Mail Supplement Marketer Settles With FTC

$3.7 million judgment hits Health Research Laboratories for faux science journals

Step Right Up!

Arthritis, aching joints, obesity, Alzheimer’s, faulty memory, cognitive weakness: This was the ambitious slate of illnesses and symptoms that Health Research Laboratories (HRL) and Kramer Duhon, its owner and president, claimed to cure.

In a complaint filed on Nov. 30, 2017, the Federal Trade Commission (FTC) accused HRL, whose products BioTherapex and NueroPlus sold for nearly $40 per bottle, of appealing to consumers through direct mail marketing that copied the look and feel of science journals. HRL’s materials included fake testimonials and nonexistent medical authorities. One BioTherapex advertisement even touted a 1,200-subject study that turned out to never have occurred.

But Wait, There’s More!

The FTC also took aim at a slew of other alleged violations. HRL, the FTC claims, enrolled customers in auto-renewal plans without sufficient notice, charged consumer credit cards without permission (a violation of the Electronic Fund Transfer Act), misrepresented its supposedly risk-free trial period and violated the Telemarketing Sales Rule.

HRL moved to settle the charges, leading to a comprehensive court order that put the company’s claims in fetters.

The Takeaway

The company and its owner are forbidden to assert any of the FTC’s seven “gut check” claims – a set of advertising claims about weight loss that the FTC has defined as “always false.” These claims include weight loss of two pounds or more a week for a month without exercise or diet, permanent weight loss after the product is no longer used and substantial weight loss for any user. Weight loss and health and fitness advertisers should take note.

The challenged claims in the complaint are also verboten unless HRL can produce actual scientific evidence of their veracity. In addition, HRL is forbidden from misrepresenting trial offers, refunds and other financial aspects of its product slate. The judgment also hits the company with a $3.7 million fee (limited, upon payment, to $800,000). Advertisers must have adequate substantiation for claims made, with health claims requiring a higher level of validity than claims on other products.


FTC Settlement With Lingerie Maker Leaves Little to the Imagination

AdoreMe, Inc. seduced consumers into negative-option, no-exit programs

Racy to the Top

It was the unlikely pairing of buttoned-up business and intimate fashion.

AdoreMe, Inc., was born in 2010 when a former McKinsey & Company consultant sought to address the lack of lingerie lines that were affordable without being cheaply made. With its launch in 2012, the company became something of a venture capital darling, with millions of dollars raised in round upon round of venture capital funding.

By 2016, AdoreMe had been repeatedly celebrated as one of the fastest-growing private retailers by publications like Crain’s Chicago Business and Inc. Magazine.

That Model Looks Familiar …

That success was sullied by a spate of consumer complaints, which brought the company to the attention of the Federal Trade Commission (FTC or Commission).

According to the FTC’s complaint, AdoreMe was running a problematic negative option program that would lure in unsuspecting customers and then make it very hard for them to leave.

At the heart of it all was the company’s VIP program, which billed customers $39.95 a month – provided the customer did NOT buy something from the company website or click on a “skip” button within the first five days of each month. If they didn’t make a purchase or “skip” out, they were assured that they would receive the $39.95 as a credit toward future purchases – redeemable “anytime.”

The Takeaway

But according to the Commission, “anytime” never came for many AdoreMe customers – the company is alleged to have taken away unused credit from consumers who tried to cancel their subscription or raised a dispute with their banks. Disclosures related to this forfeiture were buried deep within legal notices that were reachable only by a link on the bottom of the website’s page. Moreover, the FTC alleges that AdoreMe made it unreasonably difficult to quit the service and stop the recurring charges, thus violating the Restore Online Shoppers' Confidence Act (ROSCA), which provides detailed notice, cancellation and other operational requirements for online negative option programs.

AdoreMe settled with the Commission the same day the complaint was issued, and is now prohibited from misrepresenting sales or services with a negative option feature, and must provide an easy means for the customer to opt out of recurring charges. Finally, the order mandates a $1.3 million judgment that will be used to refund AdoreMe customers. Negative option and sales continuity programs can be conducted legally, but retailers need to comply with the notice, cancellation and other requirements of ROSCA and the many state laws that govern these types of advertising and sales programs.


Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

