Craig Hoffman regularly counsels clients on notice obligations, remediation strategies, and risk avoidance in connection with data breach incidents involving personally identifiable information and cardholder data. He is experienced in managing all aspects of incident response—from working with internal resources and external forensic experts to contain and remediate the intrusion, to minimizing reputational harm, to mitigating potential liability. Craig has represented companies in class action litigation arising from data breaches and alleged violations of federal privacy laws and regulations. He also helps companies identify, evaluate, and manage risks associated with privacy and information security practices. Craig regularly conducts legal privacy assessments to determine the scope of a company's legal obligations regarding personally identifiable information under its control and the company's compliance with those obligations. He also helps companies develop appropriate written information security programs.

Mr. Hoffman is a member of the Ohio State, Cincinnati and Kentucky Bar Associations, and was a member of Class XIV (2010) of the Cincinnati Academy of Leadership for Lawyers. Prior to joining Baker Hostetler, Mr. Hoffman clerked for U.S. Department of Labor Administrative Law Judge Thomas F. Phalen from 2002 to 2004.

Practice Strengths:

  • Privacy and Information Security
  • Commercial Litigation

Education:

  • J.D., University of Cincinnati College of Law
  • B.A., University of Cincinnati

Bar/Court Admissions:

  • U.S. Court of Appeals, Sixth Circuit
  • U.S. District Court, Southern District of Ohio
  • Kentucky, 2008
  • Ohio, 2002

Entries authored by Craig Hoffman

New gTLDs Raise Data Security Concerns

Authored by: David A. Einhorn and Alan Pate

ICANN is well on its way to the launch of new generic top-level domains (gTLDs) with the first ones being approved as early as April 23rd.  The handful of TLDs currently in use, such as “.com”, “.org”, and “.edu”, may soon be joined by over 1000 gTLDs ranging from “.book” to “.football”.   While we have previously focused on intellectual property concerns and objections to these new gTLDs, the launch perhaps raises another important consideration:  What implications might the new gTLDs have on the security of the Internet itself?

At the end of last month, VeriSign, longstanding operator of the “.com” top-level domain, issued a highly critical assessment of the new gTLD program.  In its March 29 report, VeriSign described a range of potential issues, all suggesting that the launch on ICANN’s current timetable could undermine the stability and security of the Internet.  For VeriSign, the problem seems to be the rapid speed at which the launch is progressing combined with ICANN’s unrealistic expectations that the existing Internet infrastructure will adapt.  Certificate authorities, root server operators, and VeriSign itself, are described as not being prepared for the technical implications the influx of new gTLDs will bring. According to VeriSign, this ultimately puts the “safety and security of Internet users, and the infrastructure itself” at risk. 

Due to the seriousness of these allegations, the Intellectual Property Owner’s Association has taken the position that the launch of the new gTLDs be delayed until these concerns have been properly evaluated and addressed.

Further, in a recent letter to the CEO of ICANN, PayPal expressed similar security concerns.  Specifically, PayPal raises the possibility that the new gTLD program might dangerously interfere with the security of private domains.  Private domains, as their name implies, exist outside the public Internet and for that reason are most often employed for security reasons. One of the most common examples of a private domain is a corporate intranet.  Corporate intranets are typically used to host services such as internal document management, email, or other web-based business applications.  Being private, they do not have to “resolve” to, or go through, public top-level domains such as .com or .org, and can by and large choose their own top-level domains.  One of the most common domains for a business intranet, and the example PayPal uses in its letter, is the “.corp” domain.

The crux of PayPal’s concern is what will happen when “.corp” becomes a generic TLD.   In some circumstances, PayPal argues, a computer, smartphone, or other device could actually be deceived into connecting to the public .corp as if it were connected to the private .corp. Once connected, the possibility of confidential data being compromised could be serious. 

How serious a problem could this be?  Statistics PayPal cites show that just the top ten most frequently used private domains account for nearly 10% of the total query load on the public root servers.  In other words, a large portion of Internet traffic consists of devices trying to connect to a private address on the public Internet.  This suggests that there is ample possibility for foul play should those traditionally private domain names be delegated to the public. 

PayPal’s recommendation is relatively straightforward: ICANN should take the most popular private domain names off the market. These include strings such as .corp, .local, .home, .internal, and .private.  Not doing so, PayPal claims, would put “millions of users and high-value systems at considerable risk.”  To date, there are outstanding gTLD applications for the .corp and .home domains.
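One way a network defender can measure the exposure PayPal describes, as an added example that is not from the post or from PayPal's letter: a small Python audit over resolver query logs that separates queries for the private-use strings named above that are merely leaking (NXDOMAIN today) from the dangerous case, a private-use name that resolved to a non-internal address. The log format and all sample lines are constructed for this example; only the TLD list comes from the text.

```python
import ipaddress
import re
from collections import Counter

# Private-use strings PayPal asked ICANN to withhold (taken from the letter
# as summarised above).
PRIVATE_USE_TLDS = {"corp", "local", "home", "internal", "private"}

# Address ranges an intranet answer is expected to fall in (RFC 1918 plus
# loopback and link-local). Anything else is treated as a public host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample resolver log in an invented "client qname qtype answer"
# format. Adapt LINE_RE to your real resolver's query/reply log format.
SAMPLE_LOG = """\
10.1.4.22 mail.example.corp A 10.1.0.5
10.1.4.23 docs.example.corp A NXDOMAIN
10.1.7.9 fileserver.home A 203.0.113.45
10.1.4.22 www.example.com A 203.0.113.80
10.1.9.3 printer.local A NXDOMAIN
10.1.4.22 intranet.private A 198.51.100.7
10.1.2.8 api.example.org A 203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<answer>\S+)$"
)


def tld_of(qname):
    """Rightmost label of a name, lower-cased, ignoring a trailing dot."""
    return qname.rstrip(".").lower().split(".")[-1]


def is_internal_address(answer):
    """True if the answer is an IPv4 address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False  # NXDOMAIN, a CNAME target, or anything non-address
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the constructed log format into a list of dicts, skipping junk."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def analyze(records):
    """Count query classes and return the collision cases.

    leaked_nxdomain: a private-use name that escaped to the public
    namespace and got no answer (the load PayPal measured; noisy, not yet
    harmful). collision_global_answer: a private-use name that resolved to
    an address outside the internal ranges, i.e. the client would connect
    to a public host as if it were the intranet one.
    """
    summary = Counter()
    collisions = []
    for rec in records:
        if tld_of(rec["qname"]) not in PRIVATE_USE_TLDS:
            summary["public_tld"] += 1
            continue
        summary["private_use_tld"] += 1
        if rec["answer"].upper() == "NXDOMAIN":
            summary["leaked_nxdomain"] += 1
        elif is_internal_address(rec["answer"]):
            summary["internal_answer"] += 1
        else:
            summary["collision_global_answer"] += 1
            collisions.append((rec["client"], rec["qname"], rec["answer"]))
    return summary, collisions


def private_use_share(summary):
    """Fraction of all queries that were for a private-use TLD."""
    total = summary["public_tld"] + summary["private_use_tld"]
    return summary["private_use_tld"] / total if total else 0.0


if __name__ == "__main__":
    counts, hits = analyze(parse_log(SAMPLE_LOG))
    print(dict(counts))
    print("share of queries for private-use TLDs: %.0f%%" % (100 * private_use_share(counts)))
    for client, qname, answer in hits:
        print("COLLISION: %s resolved %s to non-internal address %s" % (client, qname, answer))
```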

For VeriSign, nothing short of a temporary halt to the process would be satisfactory.  In a recent interview, however, ICANN CEO Fadi Chehade indicated that ICANN had no intention of delaying the issuance of the new gTLDs.  Nevertheless, this past week, perhaps in response to VeriSign’s report, ICANN did announce some additional protections it would be employing—“Emergency Back-End Registry Operators” or EBEROs. These EBEROs will work to guarantee that websites hosted on new gTLDs will resolve in the event any gTLD fails. The EBEROs will be scattered across different regions of the globe to eliminate the possibility that any one natural disaster could affect all EBEROs at once. This is a measure VeriSign had suggested.

Ultimately, it remains to be seen what data security, privacy, or other concerns may be implicated by the influx of new gTLDs.  For the many businesses and entities that could be affected by the program, it is important to remain vigilant of the new top-level domains on the horizon and how they may impact existing systems.

International Compendium of Data Privacy Laws

Privacy and data protection issues confront all organizations—whether you handle employee information, credit card data, sensitive financial information or trade secrets. Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting obligations to a multinational enterprise. BakerHostetler's Privacy and Data Protection Team is experienced at guiding our clients through this maze of global privacy norms.

The BakerHostetler Privacy and Data Protection Team has developed a prompt and practical approach. We have a comprehensive international network of experienced service providers who are responsive when clients require support and guidance through a data security event. This compendium represents our global experience in this field. While it is not a substitute for legal advice, it is a reference guide that outlines the basic requirements in place when dealing with an international data breach so that you can know what immediate steps to take and what questions you need to ask to minimize your company's exposure.

BakerHostetler's International Compendium of Data Privacy Laws is now accessible.

We hope you find the information practical and welcome your comments and suggestions. We encourage you to contact the authors of the compendium, Gerald J. Ferguson at gferguson@bakerlaw.com, Theodore J. Kobus III at tkobus@bakerlaw.com, or Gonzalo S. Zeballos at gzeballos@bakerlaw.com for further information.

APT Threat Report Shows Cybersecurity Risks Not Limited to Identity Theft

We often talk to companies who believe they are an unlikely target for hackers because they do not have financial account information, Social Security numbers, or medical information.  However, personal information is not the only item hackers are after.  Indeed, the chief of the United States Cyber Command and director of the National Security Agency said last year that the loss of industrial information and intellectual property through cyberespionage is “the greatest transfer of wealth in history.”

Cyberespionage has often only been publicly attributed to the APT (Advanced Persistent Threat), a generic naming convention for sophisticated attacks that are believed to be sponsored by foreign governments.  This week computer security firm Mandiant released a threat intelligence report that detailed the cyberespionage attributed to one specific APT group (APT1—reportedly a division of China’s People’s Liberation Army) over the past seven years.  The report was based on the investigation of compromises at 141 companies across 20 industries that included the theft of hundreds of terabytes of data containing blueprints, manufacturing processes, product development test results, business plans, and pricing documents, as well as the e-mails of company executives.  The industries that were targeted most often include information technology, aerospace, telecommunications, energy, transportation, manufacturing, engineering services, and high-tech electronics.  Notably, APT1’s attack methodology usually begins with aggressive spear phishing to gain entry to a company’s network before deploying its sophisticated “digital weapons” (Figure 15 of the report contains a spear-phishing e-mail APT1 sent to Mandiant employees that contained a malicious executable that would install a custom backdoor).

The release of Mandiant’s report follows recent disclosures by news organizations that they had been compromised by attackers from China.  Among the targets were “journalists who had written about Chinese leaders, political and legal issues in China and the telecom giants Huawei and ZTE.”   President Obama, who has declared that the "cyber threat is one of the most serious economic and national security challenges we face as a nation," issued a cybersecurity executive order shortly before his February 12, 2013 State of the Union address, which was designed as a start towards protecting the country’s critical infrastructure from these threats.  The executive order was followed by a February 20, 2013 release of the Administration Strategy on Mitigating the Theft of U.S. Trade Secrets, which was designed as a means for improved government coordination to protect against trade secret theft by foreign competitors of U.S. companies.

Because the attack methodology and motives behind cyberespionage are different than attacks designed to steal credit card data, companies need to spend time learning about the threat before designing their defenses.  The appendix to Mandiant’s report lists more than 3,000 indicators of APT1's arsenal of digital weapons, including domain names, IP addresses, encryption certificates and MD5 hashes of malware.   

Magistrate Recommends Dismissal with Prejudice of Claims Against Global Payments

Global Payments, which processes credit card transactions, announced on March 30, 2012 that an unauthorized person gained access to a portion of its processing system.  Global Payments later disclosed that Track 2 data (card number, expiration date, verification code but not cardholder name or address) of 1.5 million cardholders were taken.  Three individuals brought a putative class action alleging that fraudulent charges were made to the credit card they used at merchants who used Global Payments to process their transactions.  The plaintiffs asserted claims of: (1) negligence; (2) violations of the Stored Communications Act (SCA); (3) violations of the Fair Credit Reporting Act (FCRA); (4) violations of the Georgia Uniform Deceptive Trade Practices Act; and (5) implied contract and third party beneficiary breach of contract claims.  Global Payments moved to dismiss all claims on the grounds that the plaintiffs failed to allege sufficient facts to establish Article III standing or all of the necessary elements of their seven claims.  United States Magistrate Judge Janet King issued a recommended decision on February 5, 2013.   

The magistrate addressed the Article III argument first.  The plaintiffs only alleged that they discovered fraudulent charges on their account -- they did not allege that they actually paid for the fraudulent charges.  They also did not allege that their information was used to commit identity theft, which the magistrate used to distinguish the Eleventh Circuit’s decision in AvMed.  Accordingly, the magistrate found that the plaintiffs failed to adequately plead an injury in fact.  In so doing, the magistrate stated that the plaintiffs’ personal information does not have an inherent monetary value.  The magistrate also found that allegations of increased risk of future identity theft were insufficient because they were entirely speculative.  However, the magistrate recommended that the Rule 12(b)(1) motion be denied as moot based on her recommendation that all claims in the plaintiffs’ first amended complaint be dismissed with prejudice for failing to state a claim under Rule 12(b)(6).

In addressing the Rule 12(b)(6) motion, the magistrate easily identified why the SCA and FCRA claims were fatally defective—Global Payments does not provide electronic or remote computing services to the public, it did not knowingly divulge plaintiffs’ information, and it does not provide consumer reports or act as a consumer reporting agency.  The Georgia Unfair and Deceptive Trade Practices Act claims were dismissed because plaintiffs did not allege any facts showing that they would be harmed without injunctive relief (injunctive relief is the exclusive remedy of this claim), in part because they could not identify any representations from Global Payments that they relied on and because their allegations of increased risk of future harm were speculative.  The negligence claim, which was premised on allegations that Global Payments was not PCI DSS compliant at the time it was compromised, was dismissed based on the economic loss doctrine and because plaintiffs could not identify any duty owed by Global Payments because the parties had no direct relationship.  The contract claims were dismissed: (1) based on precedent from prior breach cases that consumers are not intended beneficiaries of contracts between merchants and the entities that facilitate their card processing; and (2) because plaintiffs did not allege that they were aware of or relied on any representations from Global Payments before providing their credit card to a merchant that used Global Payments.

If the district court judge adopts the magistrate’s recommended decision, this will serve as yet another example of why putative class actions arising out of payment card industry breaches are an uphill climb for plaintiffs.  For example, similar claims were brought against another payment processor (Heartland) after it disclosed a compromise that affected over 100 million cardholders.  Although Heartland settled the consumer claims by establishing a fund of $1 million, only eleven cardholders submitted valid claims.  Indeed, the primary sources of liability and expense to breached entities come from notification costs, attorney and forensic investigation fees, network security remediation costs, and the fines and assessments from the credit card networks.  Of the $93.9 million in expenses related to the compromise recorded by Global Payments through November 30, 2012 (as disclosed in its January 8, 2013 10-Q), $35.9 million was their estimate of total fraud losses, fines and other charges that will be imposed by the card networks.

Recorded Webinar: New Cybersecurity Executive Order

President Obama has declared that the "cyber threat is one of the most serious economic and national security challenges we face as a nation" and that "America's economic prosperity in the 21st century will depend on cybersecurity." In an increasingly interconnected and interdependent world, the threats posed by cyberterrorism, state sponsored industrial espionage or hacktivists such as Anonymous, are real and growing. President Obama's long-awaited cybersecurity executive order issued shortly before his State of the Union address on February 12, 2013, aims to confront these threats and challenges.


BakerHostetler and Kroll Advisory Solutions presented a webinar discussing the President's cyber-security executive order and its anticipated impact on US businesses. Topics covered include:

  • Threats analysis – cyberterrorism, industrial espionage, hacktivists
  • Key features of the cybersecurity executive order
  • Potential impact on industry security standards
  • Dealing with regulatory aspects of the cybersecurity executive order


PANELISTS

Michael DuBose, Senior Managing Director, Kroll Advisory

Gerald J. Ferguson, Partner, BakerHostetler

Theodore J. Kobus III, Partner, BakerHostetler

Jason Straight, Managing Director, Kroll Advisory


Do Merchants That Outsource Payment Processing Still Have Risk From a Breach?

Last week a small New England bakery announced that its point-of-sale (POS) devices were infected with malware that may have put card data at risk.  The bakery’s letter to its customers stressed that it did not store card data on its computer systems, but the malware allowed an unauthorized person to gather card data as the cards were swiped.  Merchants similar to the bakery often ask us the following question: "We use a third party vendor for processing transactions and have no card data in our computer system, do we have any risk from a data breach?"  The simple answer is "YES!"  Indeed, although there are advantages to outsourcing payment processing, doing so does not immunize the business from all risk.  If a merchant suffers a breach that allows an unauthorized person to gain access to card data, there are two primary areas of compliance obligations and liability.

(1) State Notification Law Obligations 

First, almost every state has a notification law that requires the owner of data to notify individuals whose personal information was compromised.  Depending on the type of compromise and the nature of the data collected by the merchant, a merchant may have an obligation to notify the affected individuals.  Just the cost of printing and mailing notification letters can reach $2-3 per person notified.  The merchant also faces the decision of offering credit monitoring, which ranges in cost from $10-25 per person.  Some merchants, who may not have address information, elect to put notices of the compromise on their website.  And some state attorneys general post notification letters on their website.  A public disclosure of a breach, especially if a significant number of individuals are involved, can result in affected individuals filing putative class action lawsuits.  The merchant can also face an investigation by a state attorney general as well as an investigation by the Federal Trade Commission.   

(2) Credit Card Association Regulations

Second, the merchant has to report card data compromise events to its merchant bank, who in turn will notify the credit card associations.  Doing so triggers a process set forth in the credit card association regulations that can end in the merchant paying millions of dollars in fines and assessments. 

The contract a merchant signs with its bank to be able to accept credit cards, in general, requires a merchant to: (1) comply with credit card association regulations, including the Payment Card Industry Data Security Standards (PCI DSS); and (2) pay for any fines and assessments issued by the card associations following a card data compromise event.

If a merchant reports an account data compromise event, the merchant is often required to retain a Payment Card Industry Forensic Investigator (PFI) to conduct a forensic examination of the merchant’s processing environment.  The current version of the Visa International Operating Regulations (the process imposed by the MasterCard Security Rules and Procedures is similar), which was released on April 15, 2012, sets the rules for what happens next. 

If the PFI finds evidence of a breach, the PFI’s report to the card associations will detail the period of time when card data was at risk and whether the merchant was in compliance with PCI DSS at the time of the breach.  The merchant will then have to provide the numbers of all cards that were processed during the at risk period to the card associations, who will then notify the banks that issued the cards.  If the merchant was not PCI DSS compliant at the time of the breach, Visa can fine the merchant bank up to $50,000 for the first incident.  It may also fine the merchant bank up to $100,000 if the incident is not reported immediately.  If the merchant was not PCI DSS compliant, the breach put the magnetic stripe data of 15,000 or more Visa cards at risk, and there is $150,000 in fraud and operating expenses associated with the at risk cards, Visa will determine the amount it will require the merchant bank to pay under Visa’s Global Compromised Account Recovery (GCAR) program (generally, breaches involving card not present transactions, such as an online transaction, do not qualify for this recovery program).

If a breach qualifies for the GCAR program, several months after the PFI report is submitted, Visa will send the merchant bank a preliminary determination of the fines that will be assessed and the estimate of counterfeit fraud and operating expenses liability amounts.  This assessment can often amount to $2-3 per compromised card.  The merchant bank has 30 days to submit an appeal letter if it disagrees with the preliminary assessment.  If the merchant bank appeals, Visa will then notify the merchant bank of the final disposition of the appeal—the “decision on appeal [by Visa] is final and not subject to any challenge or other appeal rights.” 

When the process is complete, by virtue of the indemnity provisions in the merchant services agreement, the merchant bank will require the merchant to pay the amount assessed by the card associations.  This process and the amount of fines and assessments that can result often come as a surprise to merchants.  One restaurant in Utah that went through this process refused to reimburse its merchant bank for $82,000 in assessments, and when the bank filed suit to require the restaurant to pay, the restaurant brought a counterclaim against the bank alleging that the indemnification provision in the contract was unenforceable.  On a larger scale, a shoe retailer recently disclosed that it is considering filing suit against the card associations to recover over $15 million in assessments following a potential POS breach. 

Heightened Risk for Small Merchants

There have been surveys reporting that 85% of breaches occur at merchants who have less than one million annual transactions.  Security companies continue to write about the lack of awareness by small merchants when it comes to cardholder data security in the face of an increasing threat landscape.  Yet merchants often continue to simply rely on their vendor without doing any auditing and without negotiating for appropriate contractual protections.  If the vendor improperly installs the payment application with a weak default password or does not adequately secure remote access and cardholder data is compromised, it is the merchant—not the vendor—who will be required to reimburse the merchant bank.  Merchants in this scenario may then look to the vendor for indemnity, only to find that the contract with the vendor limits the vendor’s liability to a small amount (e.g. the amount of three months of fees paid by the merchant to the vendor). 

Proposed FFIEC Guidance on Financial Institution Social Media Use

The Federal Financial Institutions Examination Council (FFIEC) released for comment on January 17 its proposed Social Media: Consumer Compliance Risk Management Guidance.  There is a 60-day comment period.  The purpose of the guidance is to help banks, savings associations, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau (CFPB) understand and address the risks created by the applicability of federal consumer protection and compliance laws to activities conducted through social media. 

The guidance begins with the premise that a financial institution’s use of social media to interact with customers can impact the institution’s risk profile, not only through legal and compliance risks, but also related risks of harm to operations and reputation. To address these risks, the FFIEC recommends that financial institutions adopt a risk management program to identify, monitor, and control the risks associated with its use of social media.  The complexity of the program should be commensurate with the risks created by the nature and scope of the institution’s use of social media.  The guidance identified seven components that the social media risk management program should contain: (1) a governance structure; (2) policies and procedures; (3) a vetting and management process for vendors; (4) employee training; (5) monitoring of posts to proprietary social media sites; (6) audit/compliance functions to ensure ongoing compliance; and (7) parameters for reporting on the effectiveness of the program to management. 

The guidance then discusses in greater detail the risks created by social media use.  Under the compliance and legal risk section, there is a summary of laws and regulations that may apply when a financial institution uses social media.  The laws discussed include Truth in Savings, Fair Lending, Fair Housing, Truth in Lending, RESPA, FDCPA, UDAAP, EFTA, BSA/AML, and  privacy (GLBA, COPPA, TCPA, CAN-SPAM).  Under the discussion of reputational risk, there is a recommendation that financial institutions adopt policies to address employee participation in social media, which has employment law implications based on recent NLRB decisions.  The operational risk discussion is brief and essentially says that institutions should safeguard customer data, especially because social media is vulnerable to account takeover and the distribution of malware.  Accordingly, the guidance recommends that an institution’s incident response policy address social media as appropriate.

The FFIEC is specifically seeking comments by March 18 on the following questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?

2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?

3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

2012 Payments Systems Year-in-Review

The interchange fee and the potential of mobile payments were the dominant payment system issues in 2012.  From a landmark antitrust settlement to seemingly daily announcements of a new prepaid or mobile payment product, there was plenty of activity in 2012.  However, following opt-outs and objections to the settlement, the rise-and-fall of new products, and the looming prospect of regulatory enforcement and intervention, there is little certainty at year’s end as to how these issues will be resolved.     

  • Emerging Payment Products.

Gartner, Inc. released an often-cited report that projected worldwide mobile payment transaction values to surpass $171.5 billion in 2012 (a 61.9 percent increase from 2011) and the number of mobile payment users to reach 212.2 million in 2012 (a 50 million user increase over 2011). 

A number of different industry stakeholders made significant moves (as well as retreats) in this space in 2012.  Some of the more prominent announcements, if you are looking to update your scorecard, include:

  • The different offerings from Square were some of the most talked about.  In August, Square and Starbucks announced a partnership that involved Square providing traditional merchant processing services to Starbucks, Starbucks investing in Square, and Starbucks accepting payments using the Square Wallet.  Square also announced a pricing change in August that would allow small merchants to elect to pay a fixed monthly processing fee of $275 instead of a per swipe fee.  Finally, Square announced in December that users of the Square Wallet could send e-gift cards for use at participating merchants. 
  • VeriFone launched Sail in May to compete with Square for small merchants, but by December VeriFone determined that the venture was unprofitable and it moved to selling Sail through banks and merchant acquirers. 
  • Isis, a joint venture of wireless communication companies, launched trials of its mobile wallet (an app that stores virtual credit cards and uses NFC at the POS) in two cities in October.  
  • PayPal announced a deal with Discover that would allow individuals to pay with their PayPal account at the POS at 16 national merchants.
  • The Google Wallet underwent several changes during the year.  First, it expanded to work with all four major credit card associations instead of just MasterCard.  There are also reports that it will issue a plastic credit card companion to the digital wallet, similar to the PayPal-Discover product.  
  • Merchant Customer Exchange, a joint venture of several large national merchants, announced that it was developing its own mobile payments platform.  Although it has not yet released details regarding the platform, it is anticipated that it will operate outside of the credit card associations (allowing merchants to avoid paying the interchange fee).  It will also allow the participating merchants to control the in-product advertising to customers.  

Although competition has intensified, no product has developed a simple-enough message to appeal to a wide-enough audience and the right incentives to motivate adoption by enough of the payments ecosystem to emerge as a market leader. 

  • Interchange Fee.

The interchange fee—a fee set by the card associations that is charged by the bank that issued a credit or debit card to the acquiring bank of the merchant who accepted the card—is the largest expense merchants incur in connection with accepting credit or debit cards.  The impact and unintended consequences of the Durbin Amendment, which imposed a cap on the interchange fee for debit transactions, began to emerge, including prepaid card growth (prepaid cards are not covered by the Durbin Amendment), savings to some merchants, increased processing costs to others (e.g. fast food restaurants), and little evidence of individual consumer benefit.  Preliminary approval of a $6 billion settlement was granted in the antitrust action related to interchange fee setting practices brought by retailers against Visa, MasterCard, and card-issuing banks.  Some merchants and retail trade associations have opposed the settlement, in part because they do not believe the settlement protects them from future interchange fee increases.  The Second Circuit Court of Appeals denied the request of the objecting merchants to expedite the appellate process following the preliminary approval and has deferred briefing on the appeal until the trial court issues a final order regarding the proposed settlement.   

  • EMV Shift.

EMV is a specification for interoperability of POS devices and payment cards with embedded chips that are designed to enhance the security of card transactions compared to cards with a magnetic stripe.  EMV cards have been used in Europe and other countries for over a decade.  In countries where EMV has been implemented, liability for fraudulent transactions shifts from the bank that issued the credit card to the merchant if the merchant does not accept EMV cards.       

By the summer of 2012, Visa, MasterCard, Discover, and American Express had all announced an EMV liability shift roadmap for the United States.  Using Visa’s implementation roadmap as an example, as of October 1, 2012, Visa’s TIP program eliminates the requirement for eligible merchants to annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from chip-enabled terminals (although those merchants must still comply with PCI DSS).  Payment processors must support merchant acceptance of chip transactions by April 1, 2013.  As of October 1, 2015, liability for fraud on contact chip card-present transactions will shift to the merchant acquirer (whom the merchant will likely have to indemnify) from the issuing bank if the merchant has not adopted chip-enabled terminals (fuel-selling merchants have an extra two years).

Some industry experts expect to see the card associations push the April 1, 2013 deadline for processors to adopt EMV chip card technology back by one year.  With issuing banks losing revenue as a result of the Durbin Amendment, issuing cards with smart chips might become more attractive as a way to reduce fraud losses.  Adoption by merchants is more complicated, because they have to purchase new POS devices.  The uncertainty over what mobile payment technology will emerge further complicates this analysis because merchants will not want to incur the expense to upgrade their POS devices for EMV if they will have to change them again to accept mobile payments.  The card associations’ plans for card-not-present transactions using cards with chips are less clear.  And if the EMV implementation experience in the US is similar to Europe’s, the level of card-present transaction fraud will drop but the level of card-not-present transaction fraud will increase (card-not-present fraud is now 30-40% higher in Europe than in the US).

  • The Regulators are Watching.

A veritable alphabet soup of governing bodies has the ability to enforce existing regulations that impact mobile payments, including the FTC, CFPB, FCC, FDIC, OCC, FFIEC, Federal Reserve, DOJ, Treasury, and state regulators.  These regulators can enforce “old laws” like the Bank Secrecy Act, Anti-Money Laundering Compliance obligations, OFAC, the Fair Credit Reporting Act, unfair, deceptive, or abusive acts and practices laws, and Regs. B, D, E, CC, DD, and Z.  Even service providers to banks are subject to direct CFPB enforcement under the Dodd-Frank Act.  The Federal Reserve Bank of Boston issued a paper in November discussing the security features of different mobile payment options as well as consumer risks and mitigation options.  The winter 2012 issue of the FDIC’s Supervisory Insights featured a discussion that “describes the mobile payments marketplace and examines critical issues, including the adequacy of legal protections and disclosures received by consumers.”  If you attend a mobile payments or prepaid card industry event, you are likely to encounter regulators seeking to learn more about these new products as they form their enforcement priorities and evaluate the use of their rule-making authority.

The mobile payments industry is not sitting idly by.  The Electronic Transactions Association announced in August that it had formed a Mobile Payments Committee, and one of its agenda items was to educate legislators and regulators.  Committee members include the four largest wireless carriers, credit card associations, a payment processor, and other mobile payment industry stakeholders (Google, Isis, PayPal, and VeriFone).  

  • International Mobile Payments.

In January 2012, the European Commission issued a Green Paper “Towards an integrated European market for card, internet, and mobile payments” for the purpose of assessing the “current landscape of card, internet and mobile payments in Europe, identifies the gaps between the current situation and the vision of a fully integrated payments market and the barriers which have created these gaps.”  The sentiment behind the analysis was that the lack of a standard payments framework was a barrier to e-commerce growth and that self-regulation was not sufficient.  When the Commission releases its report based on the stakeholder contributions it received, it will be interesting to see what influence, if any, it will have on the US market.

Recent Trends in Class Actions for Telephone and Fax Solicitation and Advertising

Authorship Credit: Justin T. Winquist

Editor’s Note: This post is a joint submission to BakerHostetler’s Class Action Lawsuit Defense blog.

Class actions under the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, continue to be an active trend in consumer and privacy class action litigation. The TCPA, which was historically called the "fax blast" statute, prohibits unsolicited faxes and automated calls for the purpose of commercial solicitation. The TCPA has a statutory penalty provision that allows consumers to recover $500 for each violation and up to $1,500 for violations found to be willful and knowing. The ability to collect far more in statutory penalties than the actual damages caused by a given violation (often pennies for ink and paper) makes TCPA violations an appealing target for enterprising plaintiffs' class action lawyers. The aggregation of thousands of claims together can create huge monetary exposure for defendants and the potential for easy settlements and the large contingent fees that come with them.

FEDERAL JURISDICTION OVER TCPA CLAIMS

Arguably the most significant development in TCPA litigation this year was the United States Supreme Court's decision in Mims v. Arrow Financial Services, LLC, which held that TCPA claims arise under federal law and may be asserted in federal court even absent diversity of citizenship jurisdiction. Prior to Mims, the federal circuits disagreed over whether the TCPA provided for federal question jurisdiction or whether jurisdiction was limited to state courts and federal suits brought or removed on diversity jurisdiction. The Court resolved the issue in favor of federal jurisdiction, finding that "federal and state courts have concurrent jurisdiction over private suits arising under the TCPA." Because of Mims, plaintiffs now have the option of bringing TCPA suits in state court or federal court, even in the absence of diversity jurisdiction.

Mims also has important implications for companies defending TCPA claims. Prior to Mims, defendants had some success arguing that state laws limiting class actions -- such as § 901(b) of New York's Civil Practice Law and Rules, which prohibits class actions for claims seeking statutory penalties -- were applicable in federal TCPA actions. Where successful, those arguments meant that federal diversity jurisdiction over the class action was trumped by state laws prohibiting certain types of class actions. In the wake of Mims, however, some federal courts have rejected these arguments, finding that federal substantive and procedural law apply to TCPA claims in federal court. In one recent opinion with extensive analysis on the issue, the United States District Court for the District of New Jersey concluded in Bais Yaakov of Spring Valley v. Peterson's Nelnet, LLC that federal courts are not required to follow state laws in adjudicating TCPA claims.

The Mims decision is also impacting the statute of limitations defense to TCPA claims. Because of the peculiar nature of the TCPA, courts have historically split over whether a state or federal statute of limitations applies. In Giovanniello v. ALM Media LLC, the Second Circuit answered this question and held that a shorter state-law limitations period applied rather than the four-year federal catchall provision. However, the Supreme Court granted certiorari, and recently vacated that decision and remanded for further consideration in light of Mims. In one decision following Mims, the United States District Court for the Eastern District of Pennsylvania, in Hawk Valley, Inc. v. Taylor, reached the conclusion that the federal limitations period applies.

CLASS ACTIONS UNDER THE TCPA

Another major issue being litigated is whether TCPA claims are suitable for class action treatment at all. Several decisions have highlighted a split among both the state and federal courts on class action suitability. Of particular note is the decision of the New Jersey Superior Court, Appellate Division in Local Baking Products, Inc. v. Kosher Bagel Munch, Inc., which provides an excellent survey of the various state and federal court decisions on both sides of the issue. The court in Local Baking Products ultimately decided that class certification of TCPA claims was not appropriate. It reasoned that class actions are not a superior procedure for enforcing the TCPA because Congress had made statutory penalties available so that individuals would be incentivized to pursue vindication of their rights in individual actions in small claims or other state courts. In addition to lack of superiority, a common reason offered by other courts for rejecting TCPA class certification is that the question of whether faxes or calls were authorized is too individualized for common questions to predominate.

A Supreme Court of Kansas decision upholding a lower court's decision granting class certification in a TCPA case illustrates the other side of the split on certification issues. In Critchfield Physical Therapy v. The Taranto Group, Inc., the court rejected both the argument that individual actions in small claims court would be superior to a class action and the argument that the question of consent was too individualized. In addition, the court rejected the argument that class actions would not be superior in light of the threat that aggregating thousands of individual statutory penalties together could create an "annihilating" judgment against the defendant that would be disproportionate to any harm to the class.

The increase in automated dialing technology and cellular telephone prevalence is also giving rise to new substantive and class certification issues in TCPA cases. With respect to cell phones, one new issue is whether consent to receive calls on a particular cell phone number applies to subsequent holders of that cell phone number. For example, if person A consents to receive calls from company X on a certain cell number, can company X continue to call that number with TCPA impunity even though the number is later assigned to different people? In May, the Seventh Circuit answered no, holding that simply providing a company with a cell number does not authorize perpetual calls to that number after it has been reassigned to someone else. Soppet v. Enhanced Recovery Co., LLC. Consent to receive calls on a cell phone has also been an issue in the class certification context. For example, the Ninth Circuit recently found that individualized issues of consent to receive calls did not preclude a finding of typicality and commonality for purposes of certifying a class. Meyer v. Portfolio Recovery Associates, LLC.

TCPA CLAIMS BASED ON TEXT MESSAGING

TCPA claims based on text messages sent to cell phones are also a major trend today. Although the TCPA does not expressly reference text messages, the Federal Communications Commission and courts have consistently interpreted the term "call" in the TCPA to include SMS and MMS text messages. E.g., Satterfield v. Simon & Schuster, Inc. Defendants have argued that claims based on text messages are not suitable for class action treatment because each plaintiff would have to show individually that she was charged for the text sent to her cell phone. Some courts have rejected this argument, finding that the TCPA does not require plaintiffs to show that they incurred charges for text messages sent to their phones. E.g., Agne v. Papa John's Intern., Inc.

THIRD PARTY LIABILITY AND PENDING FCC INTERPRETATION

Finally, a major issue applicable to virtually any company that uses telephone, text or fax marketing is whether and to what extent a company can be liable under the TCPA for calls made (or faxes or texts sent) by third parties. This issue typically arises where a company is sued for TCPA violations but the actual caller or faxer was a marketing company, franchisee or independent agent. In some cases, the relationship can be even more removed, for example, where a company's independent contractors hire marketing firms that then hire separate telemarketing firms, which actually make the calls.

In most decisions to date, courts have held that vicarious liability of this sort is possible under the TCPA, and that there is no bright-line limit on how far is too far removed to impose liability. Most courts have tackled the issue under a traditional agency analysis. A recent decision from the United States District Court for the Northern District of West Virginia, Mey v. Pinnacle Sec., LLC, is a good example of the prevailing analysis. The Mey court stated that the defendant could be liable for calls made by its lead-generating company if the lead company "acted as an agent" and the defendant "controlled or had the right to control them and, more specifically, the manner and means of the [solicitation] campaign they conducted."

Significantly, however, the Mey court also recognized that a more strict form of liability might be possible under the TCPA. Certain sections of the TCPA allow consumers to sue for calls made by or "on behalf of" an entity. The meaning of this "on behalf of" language is currently the subject of a Joint Petition for Declaratory Ruling before the Federal Communications Commission, on which the FCC has solicited public comments. One interpretation advocated in the public comments is an agency analysis similar to what the courts have done to date. Another, however, is a strict liability approach that would impose liability on any party that "benefits from" the offending communication, even absent knowledge or direction. If adopted, this strict liability approach could significantly increase exposure for companies because liability could be imposed even without the companies' knowledge that calls were made, or faxes or texts were sent, in the company's name. The FCC has not yet issued a ruling on the issue.

WHAT YOU CAN DO

The BakerHostetler Privacy and Data Protection and Class Action Defense Teams have extensive experience defending claims under the TCPA and other statutory damage statutes, as well as advising clients of their obligations under the TCPA and similar statutes. If you have questions, please contact Gerald J. Ferguson (gferguson@bakerlaw.com or 212.589.4238); Paul G. Karlsgodt (pkarlsgodt@bakerlaw.com or 303.764.4013); Justin T. Winquist (jwinquist@bakerlaw.com or 303.764.4059); or any member of our Privacy and Data Protection or Class Action Defense Teams, or your regular BakerHostetler contact.

Bank Agrees to Reimburse Company for Funds Taken Through Online Bank Account Theft

We reported in July on a First Circuit Court of Appeals decision finding that a bank failed to implement commercially reasonable security methods to prevent unauthorized transfers by a criminal that gained the online banking credentials of a construction company.  The criminal was able to steal $345,000 from the construction company’s account.  It was then reported on November 30 that the bank agreed to resolve the lawsuit by reimbursing the construction company for all of the money that was taken plus $45,000 interest.  

The First Circuit decision and resulting settlement highlight the risk to banks if they do not implement and maintain adequate security solutions, especially as the attack vectors used by criminals continue to evolve.  This summer, a crime ring operating what became known as the Eurograbber campaign—a sophisticated operation that used customized versions of the Zeus and Zeus-in-the-Mobile (ZITMO) Trojans to bypass two-factor authentication measures to gain access to customer bank accounts—stole $47 million from over 30,000 customers across more than 30 banks in Europe.

The lessons learned and issues to consider that we included in our July post on the First Circuit’s decision were:

(1) Implementing a one-size-fits-all security solution, or failing to implement the solution as designed, will leave a bank vulnerable to a finding of commercial unreasonableness, especially if the tools give the bank sufficient information to detect and prevent the fraud (e.g. by reviewing high-risk transactions before processing) but the bank does not act on it.

(2) When bank employees are contacted by customers who report suspected fraud, what instructions are being given to customers?

• Are customers instructed to engage a qualified computer forensic expert to examine their computer network and appropriately preserve relevant data?

• It may be beneficial to develop a standard set of recommendations that can be sent to customers in this scenario, and documentation of sending that communication should be preserved.

• Are there protocols that result in at least temporarily blocking, or adding heightened monitoring to, all orders on accounts where the customer reports suspicious activity, so that fraudulent orders are not processed after the bank receives the first report of suspicious activity?

(3) If banks are communicating with customers regarding available features and options to enhance the security of Internet banking, are those communications being preserved and documented appropriately so that they may be properly introduced as evidence to show security options made available but not implemented by the customer?

(4) In addition to other security features and best practices, are banks advising customers to use a dedicated computer that is used only for accessing their Internet banking account (e.g. the computer is not used to browse any other sites on the Internet or to check e-mail)?

(5) In deciding how to address the dispute with customers, one factor to consider is that the commercial reasonableness of the security will be judged by courts and juries several years after the incident occurred. And even though the security should be judged based on what was appropriate at the time of the incident, given the speed at which technology and attack vectors change, the passage of time will likely negatively impact the perception of whether the security was commercially reasonable.
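The controls described in items (1) and (2) above, shown as an added illustration rather than anything from the bank, the court record, or the original post: a transfer-approval gate that routes high-risk orders (a new payee, or an amount over a per-account threshold) to manual review instead of auto-processing, blocks every order on an account once the customer has reported suspicious activity, and writes each decision and the standard guidance sent to the customer to an audit record that can be preserved. The account data, thresholds and payee list are constructed for the example; the hypothetical `Gate` class is not a real product's API.

```python
"""Added example of a transfer-approval gate for online banking.

Constructed sample data; the Gate class, the daily_limit threshold and the
known-payee list are assumptions for illustration, not a real bank's system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Literal, Optional, Set

Decision = Literal["process", "hold_for_review", "block"]

# Standard guidance sent to a customer who reports suspected fraud (item (2)).
STANDARD_GUIDANCE = [
    "engage a qualified computer forensic expert",
    "preserve the affected systems and their logs unchanged",
]


@dataclass
class Account:
    account_id: str
    daily_limit: float                      # assumed per-account auto-processing threshold
    known_payees: Set[str] = field(default_factory=set)
    fraud_reported_at: Optional[datetime] = None   # set on the first customer report


@dataclass
class Transfer:
    account_id: str
    payee: str
    amount: float
    submitted_at: datetime


@dataclass
class Gate:
    accounts: Dict[str, Account]
    audit_log: List[dict] = field(default_factory=list)

    def _record(self, event: str, **details) -> dict:
        """Append an immutable-style audit entry; the log is the evidence trail."""
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event, **details}
        self.audit_log.append(entry)
        return entry

    def report_suspicious_activity(self, account_id: str, when: datetime) -> dict:
        """Customer reports suspected fraud: flag the account and document the
        guidance that was sent, so the communication itself is preserved."""
        acct = self.accounts[account_id]
        if acct.fraud_reported_at is None:      # keep the time of the *first* report
            acct.fraud_reported_at = when
        return self._record("fraud_reported", account_id=account_id,
                            reported_at=when.isoformat(), guidance_sent=list(STANDARD_GUIDANCE))

    def decide(self, t: Transfer) -> Decision:
        """Classify an order. Anything reaching the gate after a fraud report is
        blocked outright; otherwise out-of-profile orders are held for review."""
        acct = self.accounts[t.account_id]
        if acct.fraud_reported_at is not None:
            decision: Decision = "block"
            reason = "account flagged by customer fraud report"
        elif t.payee not in acct.known_payees:
            decision, reason = "hold_for_review", "payee not previously used on this account"
        elif t.amount > acct.daily_limit:
            decision, reason = "hold_for_review", "amount exceeds account threshold"
        else:
            decision, reason = "process", "within account profile"
        self._record("transfer_decision", account_id=t.account_id, payee=t.payee,
                     amount=t.amount, submitted_at=t.submitted_at.isoformat(),
                     decision=decision, reason=reason)
        return decision


def demo() -> List[Decision]:
    """Constructed scenario: routine order, new payee, oversized order, then a
    fraud report followed by an otherwise-routine order."""
    gate = Gate({"ACME-01": Account("ACME-01", daily_limit=10_000.0, known_payees={"vendor-a"})})
    t0 = datetime(2012, 5, 1, 9, 0, tzinfo=timezone.utc)
    results = [
        gate.decide(Transfer("ACME-01", "vendor-a", 2_500.0, t0)),
        gate.decide(Transfer("ACME-01", "unknown-llc", 2_500.0, t0)),
        gate.decide(Transfer("ACME-01", "vendor-a", 25_000.0, t0)),
    ]
    gate.report_suspicious_activity("ACME-01", t0)
    results.append(gate.decide(Transfer("ACME-01", "vendor-a", 100.0, t0)))
    return results


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The point of the audit log is item (2)'s second bullet and item (3): the decision taken on each order and the guidance actually sent to the customer are written down at the time, rather than reconstructed years later when commercial reasonableness is being argued.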