HHS Considers Amending HIPAA Privacy Rule to Permit Disclosure of Mental Health Information for Firearm Background Checks

Adding yet another wrinkle to the nation’s contentious gun control debate, the U.S. Department of Health and Human Services (HHS) has released an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information and public comment on possible amendments to the HIPAA Privacy Rule to permit disclosure of limited mental health information to the National Instant Criminal Background Check System (NICS).  The ANPRM stems from one of the 23 Executive Actions included in the Obama Administration’s January 2013 plan to reduce gun violence that sought to address “unnecessary legal barriers, particularly relating to [HIPAA], that may prevent states from making information available to the NICS.” 

What is the NICS? 

The NICS is the federal government’s background check system for the sale or transfer of firearms.  Established under the Brady Handgun Violence Prevention Act, the NICS is used by licensed gun dealers to identify persons who are subject to one or more “prohibitors” under the Gun Control Act that make them ineligible to purchase firearms.  One such prohibitor is the “mental health prohibitor,” which applies to persons who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise adjudicated as having a serious mental condition that results in their presenting a danger to themselves or to others or being unable to manage their own affairs.  Prohibitors often originate at the state level, but federal law does not require state agencies to disclose the identities of individuals subject to prohibitors to the NICS, and not all states report prohibitors.  This lack of reporting to the NICS can result in the sale or transfer of firearms to individuals who are prohibited from purchasing them.

How does the Privacy Rule affect the NICS?

According to the ANPRM, some states are not reporting mental health prohibitor information to the NICS because they are concerned that such disclosures may be prohibited under the HIPAA Privacy Rule.  However, as the ANPRM points out, much of the mental health prohibitor information in question, such as records of individuals adjudicated as incompetent to stand trial, originates with entities in the criminal justice system that are not covered entities subject to the Privacy Rule.  In addition, to the extent covered entities are involved, the ANPRM provides that there are ways in which the Privacy Rule permits reporting to the NICS, such as through the enactment of state legislation requiring such reporting or the use of hybrid entity status.  The ANPRM does note, however, that NICS reporting would not fall under the Privacy Rule’s provisions permitting disclosures for law enforcement purposes (which apply to specific law enforcement inquiries) or to avert a serious threat to public safety (which require an imminent threat of harm). 

How would the amendment work?

The amendments under consideration would expressly permit covered entities with information on the identities of persons subject to a mental health prohibitor to disclose this information to the NICS.  Such disclosures would be subject to the minimum necessary rule and would likely be limited to names, demographic information, and codes identifying the reporting entity and the relevant prohibitor.  No treatment records or other clinical or diagnostic information would be disclosed.  In addition, only those entities responsible for the determination that a mental health prohibitor exists would be permitted to disclose the information. 

What’s next?

HHS is seeking information regarding the nature and scope of the underreporting problem, the entities creating and/or maintaining the data, the extent to which existing permissible disclosures are insufficient, and additional methods of disseminating information on whether the Privacy Rule affects reporting to the NICS.  In particular, HHS has requested specific examples of situations where NICS reporting has been hindered by HIPAA requirements or where covered entities are uncertain over how HIPAA applies to such reporting.  HHS will then review and evaluate comments to the ANPRM and determine whether amendments to the HIPAA Privacy Rule are necessary.  Comments regarding the Privacy Rule amendments and the information requested by HHS are due by June 7, 2013. 

The Lessons of the "Street View" Imbroglio: Know What Data You Collect and Don't Collect Data You Don't Need

The unintended capture of personal data by Google Street View has resulted in a German Data Commissioner imposing a $189,000 fine on Google this Monday. As anyone who has used Google Maps at the street view level knows, Google Street View is a valuable service that captures roads, landscapes, landmarks, buildings—and other activity that happens to be taking place when the Google vehicle collecting the data takes its pictures. But privacy regulators were not happy with the fact that, from 2008 to 2010, the street view vehicles also picked up personal data, such as email addresses and passwords, sent over unsecured Wi-Fi networks as they traversed the globe. 

In Germany, after state prosecutors in Hamburg decided not to press charges against Google in November 2012 on this issue, the Hamburg Commissioner for Data Protection and Freedom of Information picked up the case and on Monday handed down a fine of $189,000 (€ 145,000).  Google maintains that it did not look at or intend to collect the data, and that the company has taken steps against the occurrence of this kind of collection in the future. Accepting Google’s assertion that any violation was unintentional, the fine imposed was less than the maximum amount permitted for negligence-based violations, which is $195,000 (€ 150,000).  However, it is notable that a proposal in the draft EU data protection regulation would give regulators the power to impose higher fines for violations of data protection law —up to 2 percent of a company’s annual sales—if enacted. 

The Hamburg authorities were the first to raise the issue of the payload data collected by Google’s vehicles, an issue that was then picked up in other jurisdictions.  Last month, Google entered into an agreement with attorneys general from 38 U.S. states and the District of Columbia, agreeing to pay $7 million and launch a data-security education program both internally within the company and externally to the public in resolution of the joint investigation.  As announced by the Connecticut Attorney General in connection with that agreement, Google stated that the collection was limited to fragmented data, that it has since removed the software from its Street View vehicles, and agreed not to collect any additional data by means of those vehicles without notice and consent.

Google’s proactive approach in working with regulators to resolve their concerns has created an outcome that preserves its Street View service, with minimum negative impact on the company, and a positive working relationship with regulators going forward.  But the potential availability of enhanced fines for negligent data protection law violations means that in the future companies may pay a higher price for unintended data protection law violations.

All companies should take the following lessons from the Street View experience – know what data you are collecting and don’t collect more than you need, or you may be creating unnecessary exposure under data collection laws.

SEC Greenlights Use of Social Media for Publicly Disclosing Company Information

Co-authored by: Jonathan Nowakowski

Recognizing the reality that many investors likely get more information from Facebook and Twitter than a corporate 10-K and that most public companies have a robust social media presence, the U.S. Securities and Exchange Commission (“SEC”) recently weighed in on the use of social media by public companies to disclose material nonpublic information to the general public. The SEC’s guidance was prompted by its investigation of Netflix and its CEO Reed Hastings, specifically Hastings’ post of material nonpublic information on his personal Facebook page in July 2012 concerning Netflix monthly viewing numbers. In its April 2, 2013, report of its investigation into whether the post violated the SEC’s corporate disclosure rules and regulations (“April Netflix Report”), the SEC decided not to pursue an enforcement action against Netflix or Hastings and used the incident as an important teaching moment for public companies that may want to use social media to communicate material nonpublic information.

On July 3, 2012, Hastings posted the following message to his personal Facebook page with over 200,000 followers:

“Congrats to Ted Sarandos, and his amazing content licensing team. Netflix monthly viewing exceeded 1 billion hours for the first time ever in June. When House of Cards and Arrested Development debut, we’ll blow those records away. Keep going, Ted, we need even more!”

While the congratulatory post may have seemed harmless at the time, Netflix did not file a Form 8-K with the SEC, issue a formal press release, or post the information on Netflix’s webpage – the typical avenues for announcing material nonpublic information. Neither had Netflix previously alerted investors that Hastings’ Facebook page would be used to disclose material information about the company. Hastings’ Facebook post caught the SEC’s eye and in December 2012, the SEC notified Netflix and Hastings that it was considering an enforcement action against them for possibly violating Regulation Fair Disclosure (“Reg FD”).

A quick overview of Reg FD and the SEC’s Reg FD company website guidance: Reg FD requires that the disclosure of material nonpublic corporate information should be distributed in a broad and non-exclusionary manner to the public. Information is considered nonpublic if it has not been disseminated in a manner available to the public generally. Information is considered material if it is reasonably foreseeable that an investor would trade on the basis of that information. Reg FD was adopted to address the concern that issuers were selectively “disclosing important nonpublic information, such as advance warning of earnings results, to securities analysts or selected institutional investors before making full disclosure of the same information to the general public.” Public companies typically comply with Reg FD by disclosing material nonpublic information in SEC filings, through press releases, on the company website, or some combination of all three.

In August 2008, the SEC provided guidance on the disclosure of material nonpublic information via company websites, blogs, and other “push” technologies. 2008 Commission Guidance on the Use of Company Websites, Rel. No. 34-58288 (Aug. 7, 2008), (“2008 Guidance”). The 2008 Guidance explained that whether a company’s website or blog is a “recognized channel of distribution” passing muster under Reg FD depends on the “steps that the company has taken to alert the market to its website and its disclosure practices, as well as the use by investors and the market of the company’s website.” The 2008 Guidance’s non-exhaustive list of factors for companies to consider includes:

  • whether and how the company lets investors and the market know that the company has a website and that they should look at the company’s website for information;
  • whether the company has made investors and markets aware that it will post important information on its website and whether it has a pattern of doing so;
  • whether the company’s website is designed to lead investors and the market efficiently to information about the company;
  • the extent to which information posted on the website is regularly picked up by the market and media, and is reported;
  • the steps taken by the company to make its website accessible; and
  • the nature of the information being disclosed.

With respect to Hastings’ Facebook post, the SEC ultimately decided not to pursue enforcement proceedings against Netflix or Hastings, namely because the agency concluded that there was a great deal of uncertainty concerning how Reg FD applied to public disclosures via social media. In the April Netflix Report, the SEC made clear that the 2008 Guidance “provide[s] a relevant framework for applying Regulation FD to evolving social media channels of distribution” and applies with “equal force” to the use of social media to disclose material information. Accordingly, moving forward the SEC “expects issuers to examine rigorously the factors indicating whether a particular [social media] channel is a ‘recognized channel of distribution’ for communicating with their investors.” The SEC also emphasized that the “steps taken to alert the market about which forms of communication a company intends to use for the dissemination of material, nonpublic information, including social media channels … are critical to the fair and efficient disclosure of information.”

The April Netflix Report encourages companies to consider using periodic reports, press releases, and corporate websites to identify specific social media platforms that the company intends to use as well as the types of information it plans to disclose through social media. Further, while the SEC did not go so far as to endorse Facebook and Twitter as recognized channels of distribution in the April Netflix Report, by referencing them as general examples of social media platforms, coupled with each having one billion and 200 million users respectively, it is likely that the SEC would view both social media platforms as recognized channels of distribution so long as the public was adequately alerted of that intended use. Notably, the April Netflix Report found that personal social media sites of company employees – regardless of the number of followers – would not ordinarily be assumed to be a proper channel for distribution without adequate notice that they will be used for that purpose.

Regulators are increasingly turning a critical eye toward companies' use of social media, on everything from advertising to financial disclosures. The April Netflix Report is the latest example of regulators wrestling with the new reality of social media as an information source for the general public and companies increasingly relying on this medium to communicate to investors and consumers. Public companies looking to social media as a possible means to disclose nonpublic material information should take heed of the SEC's April Netflix Report and carefully consider the following steps:

  • revisit and review the company’s existing Reg. FD policy;
  • evaluate the selected social media platform(s) applying the 2008 Guidance factors summarized above;
  • formulate a plan to alert the public of the social media platforms it intends to use and for what purpose through, among other things, its corporate website, periodic reports filed with the SEC and through formal press releases, and do so over an extended period of time with a specific date given for when the company will begin posting material information via the social media platform(s) that the company ultimately chooses;
  • develop a coordinated plan to use designated social media platforms as part of the company’s investor communications along with more traditional venues such as SEC filings, press releases and the company’s website;
  • review and revise electronic communications policies and train employees on the potential consequences of disclosing material nonpublic information on social media;
  • coordinate legal, compliance, and investor relations departments to work together to implement and enforce electronic communications policies as well as review all social media content before it is posted; and
  • ensure compliance with the laundry list of potentially applicable securities laws, which are beyond the scope of this blog, e.g., compliance with antifraud and proxy solicitation regulations, among others.

The April Netflix Report and 2008 Guidance are available here and here, respectively.

New gTLDs Raise Data Security Concerns

Authored by: David A. Einhorn and Alan Pate

ICANN is well on its way to the launch of new generic top-level domains (gTLDs) with the first ones being approved as early as April 23rd.  The handful of TLDs currently in use, such as “.com”, “.org”, and “.edu”, may soon be joined by over 1000 gTLDs ranging from “.book” to “.football”.   While we have previously focused on intellectual property concerns and objections to these new gTLDs, the launch perhaps raises another important consideration:  What implications might the new gTLDs have on the security of the Internet itself?

At the end of last month, VeriSign, longstanding operator of the “.com” top-level domain, issued a highly critical assessment of the new gTLD program.  In its March 29 report, VeriSign described a range of potential issues, all suggesting that the launch on ICANN’s current timetable could undermine the stability and security of the Internet.  For VeriSign, the problem seems to be the rapid speed at which the launch is progressing combined with ICANN’s unrealistic expectations that the existing Internet infrastructure will adapt.  Certificate authorities, root server operators, and VeriSign itself, are described as not being prepared for the technical implications the influx of new gTLDs will bring. According to VeriSign, this ultimately puts the “safety and security of Internet users, and the infrastructure itself” at risk. 

Due to the seriousness of these allegations, the Intellectual Property Owners Association has taken the position that the launch of the new gTLDs should be delayed until these concerns have been properly evaluated and addressed.

Further, in a recent letter to the CEO of ICANN, PayPal expressed similar security concerns.  Specifically, PayPal raises the possibility that the new gTLD program might dangerously interfere with the security of private domains.  Private domains, as their name implies, exist outside the public Internet and for that reason are most often employed for security reasons. One of the most common examples of a private domain is a corporate intranet.  Corporate intranets are typically used to host services such as internal document management, email, or other web-based business applications.  Being private, they do not have to “resolve” or go to public top-level domains such as .com or .org, and can by and large choose their own top-level domains.  One of the most common domains for a business intranet, and the example PayPal uses in its letter, is the “.corp” domain.

The crux of PayPal’s concern is what happens when “.corp” becomes a generic TLD.  In some circumstances, they argue, it is possible a computer, smartphone, or other device could actually be deceived into connecting to the public .corp as if it were connected to the private .corp. Once connected, the possibility of confidential data being compromised could be serious. 

How serious a problem could this be?  Statistics PayPal cites show that nearly 10% of the total query load on public root servers represents just the ten most frequently used private domains.  In other words, a large portion of internet traffic consists of devices trying to connect to a private address on the public internet.  This suggests that there is ample possibility for foul play should those traditionally private domain names be delegated to the public. 

PayPal’s recommendation is relatively straightforward: ICANN should take the most popular private domain names off the market. These include strings such as .corp, .local, .home, .internal, and .private.  Not doing so, PayPal claims, would put “millions of users and high-value systems at considerable risk.”  To date, there are outstanding gTLD applications for the .corp and .home domains.
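One way for a defender to measure the exposure PayPal describes, as an added example that is not code from the post or from PayPal's letter: scan a resolver query log for names under the listed private-use suffixes that were sent to a public resolver, separating queries that already receive an answer (a collision) from those that merely leak today. The log format, the internal resolver address and the sample lines are constructed assumptions.

```python
"""Flag internal-use DNS names that reach public resolvers (name-collision exposure).

Added example, not part of the original post or of PayPal's letter. It reads a
constructed, simplified resolver log with one query per line:

    <timestamp> <client_ip> <resolver_ip> <qname> <qtype> <rcode>

and reports queries for private-use suffixes that an internal resolver should
have answered (or refused) but that were sent to a public resolver instead.
"""
import ipaddress
from collections import Counter

# Private-use suffixes named in PayPal's letter, as quoted in the post.
PRIVATE_TLDS = {"corp", "local", "home", "internal", "private"}


def private_tld(qname):
    """Return the private-use top-level label of qname (case-insensitive), else None."""
    tld = qname.rstrip(".").lower().rsplit(".", 1)[-1]
    return tld if tld in PRIVATE_TLDS else None


def is_public_resolver(ip):
    """A resolver outside RFC 1918 / loopback / link-local space is treated as public."""
    return not ipaddress.ip_address(ip).is_private


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, resolver, qname, qtype, rcode = parts
    try:
        ipaddress.ip_address(client)
        ipaddress.ip_address(resolver)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "resolver": resolver,
            "qname": qname, "qtype": qtype, "rcode": rcode.upper()}


def classify(rec):
    """LEAK: a private name was sent to a public resolver and got no answer
    (NXDOMAIN today, but answerable once the string is delegated).
    COLLISION: a public resolver returned an answer for a private name, so the
    client may now connect to a host outside the organisation.
    None: a public name, or a private name handled by an internal resolver."""
    if private_tld(rec["qname"]) is None or not is_public_resolver(rec["resolver"]):
        return None
    return "COLLISION" if rec["rcode"] == "NOERROR" else "LEAK"


def scan(lines):
    """Return (verdict, client, qname, resolver) for every flagged query, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append((verdict, rec["client"], rec["qname"], rec["resolver"]))
    return findings


def summarize(findings):
    """Count findings per (verdict, private TLD) to show which suffixes are exposed."""
    return Counter((verdict, private_tld(qname)) for verdict, _, qname, _ in findings)


# Constructed sample log. 10.0.0.53 plays the internal resolver; 8.8.8.8 and
# 1.1.1.1 are well-known public resolvers used here only as sample values.
SAMPLE_LOG = [
    "2013-04-15T10:01:02Z 10.1.2.3 10.0.0.53 mail.corp A NOERROR",        # internal: fine
    "2013-04-15T10:01:05Z 10.1.2.4 8.8.8.8 intranet.corp A NXDOMAIN",     # LEAK
    "2013-04-15T10:01:09Z 10.1.2.5 8.8.8.8 fileserver.corp A NOERROR",    # COLLISION
    "2013-04-15T10:02:11Z 10.1.2.6 8.8.8.8 www.example.com A NOERROR",    # public name: fine
    "2013-04-15T10:02:30Z 192.168.5.7 1.1.1.1 printer.local A NXDOMAIN",  # LEAK
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for verdict, client, qname, resolver in results:
        print(f"{verdict:9} client={client} qname={qname} resolver={resolver}")
    print(dict(summarize(results)))
```

A LEAK finding points at a client or stub resolver configured to bypass the internal DNS; a COLLISION finding means the public namespace already answers for that suffix and the client should be fixed first.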

For VeriSign, nothing short of a temporary halt to the process would be satisfactory.  In a recent interview, however, ICANN CEO Fadi Chehade indicated that ICANN had no intention of delaying the issuance of the new gTLDs.  Nevertheless, this past week, perhaps in response to VeriSign’s report, ICANN did announce some additional protections it would be employing—“Emergency Back-End Registry Operators” or EBEROs. These EBEROs will work to guarantee that websites hosted on new gTLDs will resolve in the event any gTLD fails. The EBEROs will be scattered across different regions of the globe to eliminate the possibility that any one natural disaster could affect all EBEROs at once. This is a measure VeriSign had suggested.

Ultimately, it remains to be seen what data security, privacy, or other concerns may be implicated by the influx of new gTLDs.  For the many businesses and entities that could be affected by the program, it is important to remain vigilant of the new top-level domains on the horizon and how they may impact existing systems.

Guest Blog: Vermont Privacy Breach Regulations

Editor's Notes:
Guest blog Interview by Mark Greisiger, President NetDiligence®
This blog post has been republished with permission from Junto – NetDiligence Blog

A Q&A with Ryan Kriger
Among state Attorneys General, Vermont has gained a reputation for being particularly aggressive about data breach and privacy regulation. To better understand the state’s Consumer Protection Act requirements and processes for data breach investigation, I talked to Ryan Kriger, Assistant Attorney General.

What should a small business know about complying with the Vermont law?
We have guidance available on our website, which should be helpful. In the case of a breach, they should first contact law enforcement, their insurer, their lawyer, any IT people involved and, if there’s credit card information at stake, their processor. Their primary duty is to figure out what happened and get the situation under control. They have to notify us within 14 days of finding out about the breach. That preliminary notice is kept confidential. We want businesses to give notice to consumers relatively quickly, and the 14-day notice to us allows us to stay on top of things and make sure they are doing that. We did create a waiver last year—if your company has policies in place and you’re confident that you will comply with the law, you can be certified ahead of time as long as you sign the document and get it on file with us before a breach incident. If you have a certification on file, you don’t need to notify us within 14 days. Another subsection says that if the data collector is sure that the data never got into the wrong hands—say, a password protected laptop was lost for five hours, then returned—they can call and ask us if they still need to give notice, and we probably won’t require it.

If it’s a really big breach and we think it could be problematic, we may follow up with questions. If we perceive the company’s actions to be unreasonable, unfair or deceptive, such as in the case with TJX, then we will begin an inquiry. Often, this wouldn’t just be Vermont, but multiple states getting together and asking questions.

How might you approach a data breach incident?
The first step is that we want to make sure the business has covered all of the necessary notification. Notice to consumers should go out “in the most expedient time possible and without unreasonable delay.” Vermont has a 45-day deadline, but we think in many cases notice should go out sooner. We encourage companies to send us their notification letter before it goes out to consumers, and we can help them make sure it’s in line with the statute. Also, the sample letter to consumers gets posted to our website, so consumers can confirm that the letter itself is legitimate. The second thing is to make sure the company fixes the problems that led to the breach. Sometimes smaller businesses think it’s a one-shot deal and don’t want to change their business practices, but we remind them that they are on notice, and that the fine outlined in the Consumer Protection Act is $10,000 per violation. Now, we’ve never had to levy that fine as most people seem to want to resolve the issues, but we want businesses to know that we are here to protect consumers and they need to take that seriously. In the TJX case, it appears that the company may have been collecting credit card information at point of sale and transmitting it, unencrypted, over unprotected wi-fi networks. This sort of blatant violation of standard security practices, and the length of time that it was allowed to continue, clearly justified bringing an enforcement action. We’re not trying to trick people, and in most cases we can resolve things in a cooperative fashion, but when a company drags their feet, we will go after them.

What are some of the key weak spots that lead to a privacy/data breach incident?
It can be all over the map—certainly, not encrypting data where encryption is appropriate is one issue. Over-collecting data you don’t need, such as using SSNs as an identifier, could be another. Other problems we see: collecting credit card data through a homemade system that’s not PCI-compliant when you could be using a secure third-party system. Not changing passwords or updating software. In smaller businesses, it might be negligence about employees who could be stealing credit card information. In general, it’s a good practice to have the occasional forensic analysis or stress test. We have partnered with Norwich University to offer penetration testing to any small business in Vermont that wants it. The Verizon Report has shown us that small businesses are the prime focus of security breaches, so we are particularly sensitive to the needs of small businesses in Vermont.

What type of fines and penalties can a company face for noncompliance? Can the lack of certain actions or controls increase their culpability in your view?
I mentioned the $10,000 per violation fine, and we consider each day you go beyond the deadline a separate penalty. Our Consumer Protection Act doesn’t have an intent requirement, but we obviously take intent, negligence and lack of controls into account when we think about enforcement and penalties. A business suffering a breach calling us to ask what they can do, making it clear they want to do the right thing, is very different from a business that denies anything went wrong, after we’ve found out about the breach three months later. We are very cautious with our use of power and we’re not trying to bully anyone, but if we need to use a large fine to get a business into compliance, we will do so. If an enforcement action reaches a settlement agreement, called an assurance of discontinuance or consent judgment, we may seek penalties, but we will also seek injunctive relief, which is asking the business to change its behavior. For example, we may want the business to put security or compliance systems into place, offer restitution for consumers, or take other steps to make sure it doesn’t happen again. In general, we are eager to proactively work with businesses to protect consumers and create a productive, cooperative relationship in order to prevent breaches.

In summary…
I first met AAG Ryan Kriger at our NetDiligence® Cyber Risk & Privacy Liability Forum last year in Marina del Rey. I thought he might be guarded about the state’s approach to enforcement, but boy, was I wrong. He was actually very forthright in talking about how seriously Vermont takes the issue of consumer privacy, including violators of state regulation. He makes the point that his department is willing to work with organizations that suffer a data breach incident and will give them a roadmap to do the right thing by the victims (whose personal information is now in wrongful hands). What is clear is that organizations that demonstrate a lack of care (or even willful nondisclosure) will be penalized.

Ryan is also speaking at the upcoming NetDiligence® Cyber Risk & Privacy Liability Forum in Philadelphia this June 6-7.


Hannaford vs. comScore - Up and Down Results for Privacy Class Action Defendants

Editor's note: This is a cross-blog post with BakerHostetler’s Class Action Lawsuit Defense blog.  For the latest class action defense updates, visit www.ClassActionLawsuitDefense.com.

Sighs of relief by class actions defendants following the denial of class certification in Hannaford may give way to renewed uncertainty now that a massive class, estimated by the plaintiffs’ lawyer to be more than a million people, was certified by an Illinois federal district court last week in the case of Harris v. comScore.

According to its website, “comScore measures what people do as they navigate the digital world – and turns that information into insights and actions for our clients to maximize the value of their digital investments.”   comScore has more than 2,100 clients worldwide, ranging from private corporations and major media outlets to governments.  comScore gathers data through a software program called OSSProxy, which, when installed on a computer, constantly collects data about activities on the computer. comScore works with so-called “bundlers,” who provide free digital products to internet users.  While downloading the bundlers’ free software, consumers are given the opportunity to download OSSProxy.  The named plaintiffs in Harris v. comScore both downloaded and installed OSSProxy after downloading a free digital program from one of comScore’s bundlers.

In their Complaint, the plaintiffs alleged that “comScore has developed highly intrusive and robust data collection software ... to surreptitiously siphon exorbitant amounts of sensitive and personal data from consumers’ computers [and] uses deceitful tactics to disseminate its software and thereby gain constant monitoring access to millions of hapless consumers’ computers and networks.”  They further alleged that “comScore’s sophisticated computer applications monitor every action conducted by users [and that the collected] data is sent to comScore’s servers, and then organized and sold to  [comScore’s] clients.”  comScore allegedly collects a “terrifying” amount of data from “unsuspecting customers,” including usernames and passwords, search engine queries, and credit card numbers.

The plaintiffs asserted claims for (1) violation of the federal Stored Communications Act (SCA), which, among other things, makes it unlawful to obtain access to stored communications on another person’s computer system without authorization; (2) violation of the federal Electronic Communications Privacy Act (ECPA), which prohibits unauthorized wiretapping and electronic eavesdropping; (3) violation of the federal Computer Fraud and Abuse Act (CFAA), which prohibits accessing computers in excess of authorization; and (4) common law unjust enrichment.

Two certifications were sought: Class certification of “All individuals who have had, at any time since 2005, downloaded and installed comScore’s tracking and software onto their computers via one of comScore’s third party bundling partners,” and Subclass certification of “All Class members not presented with a functional hyperlink to an end user license agreement before installing comScore’s software onto their computers.”

Unjust Enrichment Claim

The court first addressed the unjust enrichment claim, ruling that it could not be resolved on a class basis because of “insurmountable choice-of-law problems.”  The court noted that the proposed Class and Subclass likely would include plaintiffs from all 50 states as well as some foreign countries, and that the plaintiffs “propose no solution to allow the court to manage the variety of laws that may be applicable to the Class, other than to suggest that the court certify two subclasses under California and Illinois law.” That proposal was rejected as being “plainly inadequate in light of the geographical diversity of the plaintiffs and the variations in applicable law.”

Statutory Claims

comScore did not fare as well with regard to class certification of the plaintiffs’ remaining claims.  After confirming that each of the federal statutes at issue provides a private right of action, the court ruled that the plaintiffs satisfied the requirements for class certification under FRCP 23 for each statute. 

Numerosity

comScore did not dispute that the numerosity requirement was met; the court noted that comScore’s program was installed on millions of computers between 2008 and 2011. 

Commonality

The court found that the plaintiffs raised a variety of common questions that could be resolved on a classwide basis.  Most significant was the fact that each Class and Subclass member agreed to a form contract, and that “claims arising from interpretations of a form contract appear to present the classic case for treatment as a class action.”  The court rejected comScore’s argument that each plaintiff’s subjective understanding of the agreement and his or her scope of consent rendered class treatment inappropriate, finding that “[t]hat rule has no place where a party manifested consent through the adoption of a form contract.” 

Typicality

The court held that this requirement was satisfied because both the Class and the Subclass representative plaintiffs “used a substantively identical process to download OSSProxy,” following which the Subclass representative was not presented with a functioning hyperlink to the end user agreement.  The court dismissed what it called comScore’s “speculative” arguments that the named plaintiffs were atypical because of issues concerning whether they actually downloaded OSSProxy.  comScore had presented no “actual evidence” that the named plaintiffs did not download the software, and therefore, the plaintiffs’ “unrefuted” testimony that they downloaded the software provided “ample evidence that their claims are typical.” 

Adequacy

comScore did not dispute that the adequacy requirement was met.  Further, there was no evidence of conflicting interests on the part of the named plaintiffs.  They had participated vigorously in the case thus far, and plaintiffs’ counsel were deemed qualified to represent the class. 

Ascertainability

Because comScore possesses contact information for some of the proposed Class and Subclass members, the court ruled that those portions of the proposed classes were identifiable in satisfaction of the ascertainability requirement.  The court ruled that any remaining class members could claim membership by affidavit.  Although it rejected comScore’s argument that the affidavit process would be unwieldy, the court acknowledged that the issue could be reconsidered if the portion of the class asserting membership by affidavit proved to be excessively large, in which case the class could be limited to members who downloaded OSSProxy as reflected in comScore’s records. 

Predominance and Superiority

comScore argued that statutes of limitations raised individual issues that are not suited to class treatment.  Because the two-year limitation periods for the SCA, ECPA and CFAA begin to run when a plaintiff discovers a potential violation, comScore asserted that a case-by-case determination would be required to establish when each plaintiff discovered the alleged violation.  The court disagreed on the grounds that the issue arises only for class members who downloaded OSSProxy more than two years before the lawsuit was filed, that some of those class members still have OSSProxy installed on their computers, and that it is unlikely that any remaining class members had the requisite knowledge of OSSProxy’s operations to trigger the statute of limitations.

In addition, since SCA and ECPA provide for statutory damages, the court rejected comScore’s contention that there were issues concerning whether each individual plaintiff suffered damage or loss. And even though CFAA grants a civil action only to persons “who suffer damage or loss,” and further requires that each offense lead to a “loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value,” the court held that it would be more efficient to resolve all of the common issues in a single proceeding than to hold individual damages hearings.

If the estimate of the plaintiffs’ lawyer concerning class membership proves to be correct, Harris v. comScore is likely to be the largest privacy case ever certified on an adversarial basis.

Ted Kobus To Present Cyber Global Threats at Advisen Singapore Cyber Liability Conference

For those deciding to buy, sell, or develop and offer cyber liability coverage, the Singapore Cyber Liability Insights Conference, a full-day event, will be a valuable learning and networking experience. New York Partner Ted Kobus, Co-Leader of BakerHostetler’s Privacy and Data Protection Team, is on the Advisory Committee and will be presenting on best practices in cyber risk management and global cybersecurity threats. BakerHostetler is also a conference sponsor.

Date and Venue

Tuesday, 9 April 2013 from 9am to 5pm SGT

Marina Bay Sands

10 Bayfront Avenue

Singapore

The conference will bring together more than 200 attendees from across the globe to discuss cybersecurity threats and how companies can prepare for, and respond to, these events.

Poland Adopts Heavy Penalties for Telcos Using Cookies without Obtaining "Opt-In" Consent

Poland’s Act amending its Telecommunications Law and Certain Other Laws of November 16, 2012, came into effect on March 22, 2013.  The law relates specifically to telecommunications companies, and therefore other sectors such as service providers and third-party advertisers are not affected by the amendment.  With respect to cookies, it implements the EU Cookie Directive and switches the requirement from “opt-out” to “opt-in.”  In other words, consent of the user must be obtained before cookies are stored and accessed.  The penalties for non-compliance can be up to 3% of a company’s annual profits. Informed consent requires disclosure of the purpose of storing and gaining access to cookies and the option of using browser settings to control the access and storing of cookies.  However, the expression of consent may be manifested by leaving the default browser setting as-is. 

The amendment also imposes a breach notification requirement wherein public telecommunications providers must report to the Polish Inspector General for the Protection of Personal Data (in Poland, this is abbreviated as “GIODO”) within three days if the breach is considered to be accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.  If the breach has a negative impact on users’ service, those users must be notified as well—also within three days. The Polish Data Inspector General spoke with DataGuidance and indicated that administrative decisions, as well as sanctions against companies not in compliance with those administrative decisions, will be issued.  

Court Denies Motion for Class Certification in Hannaford

Editor's note: This is a cross-blog post with BakerHostetler’s Class Action Lawsuit Defense blog.  For the latest class action defense updates, visit www.ClassActionLawsuitDefense.com.

In an order sure to reverberate with both the plaintiffs’ and defense bar, on March 20, 2013, Judge D. Brock Hornby of the United States District Court for the District of Maine denied the plaintiffs’ motion to certify a class in In re Hannaford Brothers Company Data Security Breach Litigation.

Hannaford was filed as a putative class action in 2008 and arises out of a cybersecurity incident wherein criminals infiltrated Hannaford’s network and stole customer debit and credit card information.  The District Court, after certifying questions to the Supreme Court of Maine, dismissed all seven claims alleged in the consolidated class action complaint either for failure to state a claim or for failure to allege injury sufficient to confer Article III standing.  The First Circuit reversed on two claims, however, finding that the plaintiffs had alleged sufficient injury to support their state law negligence and implied breach of contract claims because they had alleged damages in the form of foreseeable costs to mitigate any harm arising from the data breach, specifically fees for replacing cards and the cost of data theft protection products.

On remand, the plaintiffs filed their motion for class certification and tailored their putative class to fall within the scope of the First Circuit decision by limiting the proposed class to “Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.” 

The Court acknowledged the force in Hannaford’s argument that individual questions surrounding reliance and causation prevented a typicality finding under Rule 23(a) and further noted that the differing economic impact of the intrusion on various class members could create typicality issues.  However, extensively quoting the opinion, the Court stated that it would be “unfaithful to the First Circuit’s decision” to accept Hannaford’s arguments on a typicality analysis.  Ultimately, the Court found that each requirement of Rules 23(a) and (b) of the Federal Rules of Civil Procedure was satisfied except for Rule 23(b)’s predominance requirement. 

The Court focused its predominance analysis on damages.  The plaintiffs argued that individual issues as to damages did not create a predominance issue because they would be able to present statistical proof of the total damages to the class based on records that show cards replaced, fees charged, and the instances of purchase of insurance or credit monitoring services by class members.  Then, according to the plaintiffs, because of the nature of the records and the data, they would be able to show by statistical probability what portions of those alleged damages were attributable to the Hannaford intrusion.  With this evidence, the plaintiffs intended to ask the jury for a lump sum damage award that would be distributed in the class administration process.

The Court rejected the plaintiffs’ arguments that they could prove damages on a class-wide basis and distinguished the cases that support such a procedure by noting that generally in those cases actual expert testimony was presented at the certification stage that supported the expert’s ability to testify as to total damages.  The Court found that without an expert, the plaintiffs cannot prove total damages and declined “to take judicial notice that there will be such an expert.”

From the defense perspective, the order clearly supports the arguments that individual issues of reliance and damages present a barrier to class certification in data breach cases, while the plaintiffs’ bar may read Hannaford as providing a roadmap for overcoming at least the issue of individualized damages.  What is clear, however, is that courts are starting to require plaintiffs to nail down proof that their claims can be manageably tried on a class basis, particularly as it relates to damages issues, a conclusion supported by the U.S. Supreme Court’s recent decision in Comcast Corp. v. Behrend.  But it would not be wise to read Hannaford as providing a simple way to provide that proof.  As discussed here, Comcast left unanswered whether the Daubert standard for expert witnesses applies to expert testimony at the class certification stage, leaving significant room for doubt about the appropriate standards. 

The New FTC Dot Com Disclosures - the FTC Updates its Digital Advertising Guidelines for the Twitter and Facebook Age

In what seems like a lifetime ago (and in the fast-moving world of the Internet maybe it is), in May 2000 the Federal Trade Commission issued “Dot Com Disclosures: Information about Online Advertising" to provide guidelines on the applicability of the FTC’s rules to online activities. Back then, the top-of-mind issues for companies selling and promoting products online were email solicitations and online sales and advertisements.  That was before social media juggernauts Twitter and Facebook changed the way companies communicate with their consumers and before smartphones and tablets emerged as ubiquitous advertising platforms.  It’s been nine years since Facebook opened its doors to the general public and ushered in the age of social media, and since then 82% of the Fortune Global 100 have Twitter accounts, 74% have Facebook pages, 79% have branded YouTube channels, and over a quarter use all of the above.

On March 12, 2013, the FTC updated its online advertising guidelines to reflect this new environment, releasing “.com Disclosures: How to Make Effective Disclosures in Digital Advertising” (“Guidelines”). The Guidelines reinforce that online ads must carry any required disclosures and that those disclosures must be clear and conspicuous, highlighting the information businesses should consider as they develop ads for online media to ensure compliance with the FTC’s rules on space-constrained screens and in social media. The Guidelines are important because, although they may not carry the force and effect of law, they are the FTC staff’s interpretations of the laws administered by the FTC, and a person or entity that fails to comply with the Guidelines runs the risk of an FTC investigation or enforcement action. If there is one clear message for companies to glean from the Guidelines, it is that as much as things have changed in the digital marketplace, they remain the same for online advertising: Tell the truth, don’t mislead, and if you need to qualify your claims make sure that the disclosure is clear and conspicuous.

To that end, the Guidelines focus on the “clear and conspicuous” disclosures requirement in the online world, providing 26 pages of graphic screen shot examples of do’s and don’ts.  Clear and conspicuous disclosures are required to prevent an ad from being unfair or deceptive. And the FTC is taking a hard line: “If a disclosure is necessary to prevent an advertisement from being deceptive [or] unfair … and if it is not possible to make the disclosure clear and conspicuous, then either the claim should be modified or the ad should not be disseminated. Moreover, if a particular platform does not provide an opportunity to make clear and conspicuous disclosure, it should not be used to disseminate advertisements that require such disclosures.” In other words, the FTC is not sympathetic to the creative challenge of getting across a company’s message in 140 characters or less.

The good news is that the Guidelines provide a common sense approach to developing a clear and conspicuous disclosure and are generally consistent with how companies tend to provide other important information to their consumers. Here is an overview of five practical, high level takeaways from the Guidelines that companies should keep in mind when assessing their online ad campaigns:

1. Same screen, adjacent disclosures are the best practice.

Proximity and placement of the disclosure is critical.  Across any platform, a disclosure is most effective and consumers are most likely to notice it when placed on the same screen and as close as possible to the information it relates to. Here is an example from the Guidelines of a properly placed “imitation” disclosure in an online jewelry ad:

2. Consumers should not have to scroll to view disclosures, but where scrolling is necessary, steps should be taken to encourage consumers to scroll to the disclosure.

Generally speaking, wherever possible, avoid placing disclosures where consumers might have to scroll in order to view them. However, if scrolling is necessary because the disclosures are lengthy or difficult to place next to the claim they qualify, use text or visual cues to encourage consumers to scroll to the disclosure. For instance, an explicit instruction to “see below for information on restocking fees” would likely pass muster under the Guidelines as opposed to a vague “see details below.” Moreover, if scrolling is necessary, then the disclosure should be unavoidable, i.e., consumers should not be able to proceed with the transaction without scrolling to and then clicking through the disclosure.

3. Disclosures in space-constrained ads, i.e., Twitter ads, should simply say they are an ad.

For space-constrained ads such as those on Twitter or in mobile applications, the disclosure should be incorporated into the ad whenever possible, and in certain circumstances short-form disclosures may be sufficient under the Guidelines. For instance, in a Twitter advertisement, including the term “Ad:” or “Sponsored:” in front of the tweet should sufficiently disclose to the consumer the promotional nature of the tweet (and it is only three or ten characters, respectively). Notably, the Guidelines explain that a disclosure in a tweet should be repeated in each and every subsequent tweet that requires a disclosure. Here is a hypothetical Twitter ad from the Guidelines that adequately discloses that the speaker is a paid spokesperson and qualifies the nature of the product:

4. Hyperlinking to a disclosure is discouraged and, if necessary, should be carefully scrutinized to ensure compliance with FTC rules.

Hyperlinks should not be used to communicate disclosures that are an integral part of a claim or inseparable from it, such as health/safety information or cost information. Do not simply hyperlink a single word or phrase in the text, add only the words “disclaimer” or “more information,” or use a subtle symbol or icon that a reasonable consumer would view as nothing more than another graphic. At the end of the day, the consumer should be given a reason to click on the disclosure, not ignore it. Here is an example from the Guidelines of what not to do by simply adding a hyperlink labeled “Important Health Information”:

That said, if the details of the disclosure are too difficult to place on the same screen as the claim, and a hyperlink is necessary, then the hyperlink should (a) be obvious and labeled to ensure that the consumer understands its relevance and importance; (b) be used consistently with how consumers use hyperlinks; (c) be placed as close as possible to the relevant information so consumers will notice it; and (d) take consumers from the hyperlink directly to the disclosure. Here is a screen shot of an FTC-approved hyperlink to a return fee disclosure:

5. Advertisers should account for viewing of disclosures across all platforms and avoid technology that hinders viewing disclosures.

Websites should be designed so that disclosures are clear and conspicuous regardless of the device on which they are displayed, whether on a desktop browser or a smartphone. Advertisers should consider, for instance, whether a disclosure may be too small to read on a mobile device. Disclosures are more likely to be clear and conspicuous on websites that are optimized for mobile devices or created using responsive design, which automatically detects the kind of device the consumer is using to access the site and arranges the content on the site so it makes sense for that device.

In the above example from the Guidelines, the website is optimized for mobile devices, and both the information about the service plan and the hyperlink to the plan’s prices are immediately adjacent to the camera price they qualify.

Similarly, advertisers should not use pop-ups or other technology that could block the disclosure or otherwise make it difficult to view. For instance, companies should not disclose necessary information through pop-ups that could be prevented from appearing by pop-up blocking software. Likewise, a disclosure that requires Adobe Flash Player should be avoided, as it will not be displayed on many mobile devices because many smartphones do not support that technology.

Companies advertising online and the marketers that promote their products and services should familiarize themselves with the Guidelines. Although the Guidelines are similar to the FTC’s May 2000 Dot Com Disclosures and confirm the application of general advertising rules to the online world, the Guidelines provide a pragmatic, informative update of these basic principles for the constantly shifting social media and mobile ad tech spaces. The foregoing provides a good starting point to assess online advertising practices in light of the Guidelines, but a deeper dive is recommended, as the Guidelines are rich in practical content and provide illustrative examples of compliant ads. The Guidelines are available here.