TCPA: The Muddled Madness Continues!

This post was written by Judith L. Harris.

Tuesday evening, the Federal Communications Bar Association held a seminar in Washington designed to help practitioners make some sense of the ever-expanding number of class actions that have been brought under the Telephone Consumer Protection Act (“TCPA”) by often over-zealous plaintiffs’ attorneys; the inconsistent decisions that have been rendered by the courts; and the scores of requests for declaratory rulings that are currently pending before the Federal Communications Commission (“FCC,” “Agency,” or “Commission”). While the participants on the seminar’s two panels (the first designed as a litigation update and the second intended to provide a look down the road) quibbled over substance throughout the evening, they did seem to share one common perspective: the TCPA is a mess!

Not surprisingly, the panelists – especially the FCC’s representative – were much more adept at identifying open issues than at providing answers. Nonetheless, we were able to gain some insight into what are generally considered to be the most difficult TCPA-related issues and how some of the current confusion might eventually sort itself out.

  • There seems to be universal agreement that the FCC will issue an order “any day now” dealing with opt-out requirements in situations involving solicited faxes. We got the sense that an order is already signed by at least the necessary three Commissioners, and that the Agency will cut a little bit of slack, in limited circumstances, to telemarketers responding to consumer requests or sending faxes to existing customers who have consented to receiving them. We’ll see.
  • It also seems that Commission staff is currently grappling with the definition of “called party” in the case of reassigned mobile phone numbers. The courts have recently reached differing conclusions regarding that definition for purposes of ascertaining consent, some holding that the called party is the intended recipient of the call and others concluding that it’s the current subscriber. We’re guessing that this will be the subject of the next important TCPA order issued by the FCC.
  • The good money is betting that the other big questions (in particular, the many pending requests for declaratory rulings relating to the definition of an ATDS, the capacity debate, etc.) will be wrapped into the omnibus rulemaking currently pending before the Agency. It appears that the Commission would be very interested in arriving at a compromise position that could be embraced by both businesses and consumers. Panelist Jason Goldman, Counsel at the U.S. Chamber of Commerce, offered that the Chamber is very focused on trying to proactively develop solutions to some of these issues as, not surprisingly, this whole area of the law is of grave concern to the Chamber’s members.
  • Interestingly, in the first panel, two different answers were given by private practitioners to the question of how many petitions for declaratory rulings are currently pending before the FCC (41 and 52). During the second panel, which included Kristi Lemoine – an attorney with the FCC’s Office of Consumer and Governmental Affairs who described herself as spending more than 90 percent of her time on TCPA issues – Kristi confessed that she herself doesn’t know which of those two numbers was accurate, as petitions keep coming on a regular basis, and even she is having a hard time keeping track of them. As expected, Kristi gave the usual caveats before she spoke: (1) that she was only speaking for herself and not on behalf of the Commission; and (2) that she wasn’t going to have a lot to say because virtually all the issues that the audience might be interested in were currently the subject of pending petitions for declaratory rulings, which she was not at liberty to discuss. Then she proceeded to say almost nothing and made no predictions. She did advise that the FCC was attempting to group the petitions by issue, but even just doing that was tough because of the frequency with which petitions were being filed, and the fact that many posed more than a single issue.
  • There seemed to be some consensus that, currently, one of the most interesting open questions relates to the scope of third-party liability for mobile marketing TCPA violations. Several panelists referred to the recent decision of the Ninth Circuit holding that companies that hire third parties to send unsolicited text messages on behalf of yet another entity can be held liable for TCPA violations. See Gomez v. Campbell-Ewald Co., __ F.3d ___, 2014 WL 4654479. The Gomez case reversed and remanded an order granting summary judgment in favor of defendants, holding that a marketing company, hired by the U.S. Navy to run a recruitment campaign, could be held liable for violations by a third party with which the marketing company had subcontracted to send text messages in furtherance of the Navy’s recruitment campaign. The FCC has previously opined that third-party liability should be based on common law principles of agency (actual authority, apparent authority, or ratification). Everyone agreed that this Ninth Circuit decision, which holds that a middleman hired by an entity to have calls made or messages sent can be held liable for the acts of the vendor with which the middleman in turn contracted, is really pushing the envelope, and may or may not end up accurately reflecting the law.
  • Finally, there were several references during the seminar to the Federal Trade Commission’s (“FTC”) announcement in August of the winners of its “Zapping Rachel” robocall contest as evidence that the relevant federal enforcement agencies remain laser-focused. According to the description on the FTC’s website: “Zapping Rachel marks the latest step in the FTC’s ongoing campaign to combat illegal, pre-recorded telemarketing calls known as robocalls. The contest challenged participants to design a robocall honeypot which is an information system designed to attract robocallers and help law enforcement authorities, researchers, and others gain enhanced insights into robocallers’ tactics.” Beware! The award winners came up with some pretty innovative ideas!

In other news, the FCC also released an Enforcement Alert. The Alert contains a warning (in this election season) that the TCPA’s prohibitions about auto-dialed calls and pre-recorded messages also apply to political calls, and that the Commission intends to enforce the law and its regulations in this regard. For you beleaguered defendants out there: turnaround is fair play!

From Epidemic to Bioterrorism: Mitigating Contractor Risks in a Worst-Case Scenario

This post was written by Lorraine M. Campos and Leslie A. Monahan.

While the current Ebola outbreak is a natural epidemic, the idea that the virus could be used as a bioterrorist threat has been considered. Accordingly, the potential for obtaining Department of Homeland Security (DHS) Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) protection for products or services related to fighting the Ebola virus is not completely far-fetched.

As background, the SAFETY Act was established to facilitate the development and use of effective anti-terrorism products and services. The SAFETY Act creates systems of risk and litigation management by providing liability protections for manufacturers and sellers of qualified anti-terrorism technologies (QATT) that could save lives. Specifically, sellers of QATT are granted limited liability for third-party claims arising out of the deployment of the QATT with respect to acts of terrorism. The maximum liability is determined by DHS on an applicant-by-applicant basis based on information contained in the application, and the seller is required to maintain liability insurance at that level.

Although the SAFETY Act may seem limited in scope, it applies to comprehensive terrorism prevention, response, and mitigation, and has covered vaccines and screening technology in the past. For example, in 2006, SAFETY Act designation and certification was given to the developer of a vaccine to prevent the symptoms associated with anthrax infection. That same year, the manufacturer of a sterile antibody product that can be used for the treatment of adverse reactions to the smallpox vaccine, or for other uses relating to exposure to the smallpox virus, received SAFETY Act protection. Additionally, biological screening kits for multiple bioterrorism agents have been covered by the SAFETY Act.

Even if DHS were to offer SAFETY Act protection to businesses developing new medical treatments and interventions to treat and contain the Ebola virus, this protection would not eliminate all risks and uncertainties for developers. SAFETY Act coverage only applies to claims stemming from designated acts of terrorism, and does not protect against non-terrorism related risks. Since there is also a risk of contracting Ebola outside of terrorist events, claims stemming from these incidents would be outside the scope of SAFETY Act protection.

Opportunity for Government Contractors to Develop Ebola Countermeasures

This post was written by Lorraine M. Campos and Nkechi Kanu.

The Ebola epidemic in West Africa is the worst medical outbreak of the disease in recorded history. Currently, there are no treatments or vaccines proven to be safe or effective for the Ebola virus, and investigational vaccines and treatments are only in the early stages of development. As such, the primary approach to containing the virus includes identifying and isolating infected people, and ensuring that health care workers have access to protective equipment.

In response to the Ebola outbreak, the U.S. government has been actively working with private and public entities and international organizations to facilitate the development of treatments and vaccines with the potential to help mitigate the Ebola epidemic. Additionally, the U.S. Food and Drug Administration (“FDA”) has utilized a mechanism under its regulatory framework to enable access to an investigational medical product that can detect the Ebola virus.

Under section 564 of the Federal Food, Drug, and Cosmetic Act (FD&C), the FDA can issue an Emergency Use Authorization (EUA), which allows for the use of unapproved medical products or unapproved uses of approved medical products in an emergency to diagnose, treat, or prevent serious or life-threatening diseases when there are no adequate, approved, and available alternatives. The FDA recently utilized an EUA to authorize the use of an Ebola diagnostic test developed by the Department of Defense (DOD). The FDA declared that the DOD’s diagnostic test could help facilitate an effective response to the ongoing epidemic in West Africa by rapidly detecting patients infected with the Ebola virus, and facilitating appropriate containment measures and clinical care. After the issuance of the EUA, the FDA encouraged other diagnostic product developers to pursue an EUA, or other appropriate mechanisms, for their investigational products that can be used to test for or treat Ebola. Although the EUA issued on October 10, 2014, waived certain labeling, storage, and distribution requirements, developers should be mindful that section 564 of the FD&C Act does not establish a liability protection scheme or tort immunity for manufacturers or others who carry out any activity for which an EUA is issued.

In addition to the FDA’s authority to issue EUAs, the Public Readiness and Preparedness Act (PREP) authorizes the Secretary of the U.S. Department of Health and Human Services (HHS) to issue a PREP Act declaration in response to a public health emergency. Unlike an authorization under an EUA, a PREP Act declaration provides immunity from tort liability claims to individuals or organizations involved in manufacturing, distributing, or dispensing medical countermeasures. Covered countermeasures include vaccines, antidotes, medications, medical devices or other FDA-regulated products used to respond to pandemics, epidemics, or any biological, chemical, radiological, or nuclear threat. If HHS chooses to issue a PREP Act declaration for the Ebola virus, manufacturers who decide to distribute or dispense medical countermeasures under a declaration should be advised of the liability protections they can receive.

New VETS Rule Changes Reporting Requirements for Government Contractors - Veterans in the Aggregate

This post was written by Lorraine M. Campos and Nkechi A. Kanu.

The U.S. Department of Labor’s Veterans’ Employment and Training Service (“VETS”) recently issued a final rule altering the reporting requirements on veteran employment and hiring for federal contractors. The new rule revises the regulations implementing the reporting requirements under the Vietnam Era Veterans’ Readjustment Assistance Act of 1974 (“VEVRAA”). Although the rule becomes effective October 27, 2014, federal contractors and subcontractors will not be required to comply with the reporting requirements until the reporting cycle in August 2015.

The new rule rescinded obsolete regulations and changes the manner in which federal contractors and subcontractors report on their employment of veterans. Significant changes made in the final rule include:

  • Rescinding 41 C.F.R. Part 61-250: VETS rescinded the regulations in part 61-250, which generally apply to contracts entered into before December 1, 2003. VETS found that the rules were obsolete because the Federal Acquisition Regulation (FAR) generally limits the length of government contracts to a maximum period of five years. As such, any contracts entered into prior to December 1, 2003, have likely terminated.
  • Changing Reporting Requirements: The final rule renames the VETS-100A Report to the VETS-4214 Report. The new rule provides that under VETS-4214, contractors can now report the total number of “protected veterans” in their workforce in the aggregate, rather than by each category of veterans protected by the statute. Previous reporting requirements under VETS-100A called for contractors to provide the total number of veterans protected under each of the four categories of “covered veterans”: (i) disabled veterans; (ii) other protected veterans; (iii) Armed Forces service medal veterans; and (iv) recently separated veterans.
  • Change in the Definition of Protected Veteran: The new regulation eliminates the definitions for “covered veteran” and “other protected veteran,” and provides a new definition of “protected veteran” to mean a veteran who may be classified as a disabled veteran, recently separated veteran, active duty wartime or campaign badge veteran, or an Armed Forces service medal veteran.

VETS believed that reporting aggregate data, rather than the data for each category of veterans protected, will provide more meaningful data to Congress. Specifically, the aggregate information will allow for cross-year comparisons of federal contractors’ employment and hiring of protected veterans, as well as the proportion of contractors’ workforce and new hires made up by protected veterans.

Additionally, VETS indicated that comprehensive data recording under the new rule will assist contractors in effectively monitoring the success of their recruitment and outreach efforts to attract protected veterans. Under the final rule, contractors and subcontractors may have to adjust their recordkeeping systems in order to comply with the revised data collection.

Court Finds, Again, That Device ID Is Not Personally Identifiable Information (PII) Under The Video Privacy Protection Act (VPPA)

This post was written by Lisa B. Kim.

On October 8, 2014, a district court judge in Georgia dismissed with prejudice a Video Privacy Protection Act (VPPA) action against The Cartoon Network (CN), holding that the disclosure of the plaintiff’s Android ID was not actionable because the Android ID did not qualify as “personally identifiable information” (PII). The full order is attached.

In Ellis v. The Cartoon Network, Inc., the plaintiff alleged that he downloaded the Cartoon Network App (“CN App”) and began using it to watch video clips on his Android device. Plaintiff alleged that each time he used the CN App, a complete record of his video history, along with his Android ID number, was transmitted to Bango. Bango, as a third-party analytics company that collects a wide variety of information about consumers from other sources, would then allegedly reverse-engineer the consumers’ identities by using the Android ID.

Plaintiff claimed that CN’s practice of sharing his Android ID and viewing history with Bango without his consent was a violation of the VPPA.

The court dismissed the case with prejudice, finding that the Android ID did not qualify as PII, and thus that CN’s practice of sharing device IDs with Bango did not fall within the purview of the VPPA. Citing the In re Hulu and In re Nickelodeon cases, the court explained that in order to be considered PII, the information had to link an actual person to actual video materials. Where an anonymous ID was disclosed to a third party but that third party had to take further steps to match that ID to a specific person, no VPPA violation occurred. The court likened this case to the disclosure of cable box codes, which could not identify consumers without corresponding billing records. Here, too, Bango needed to go through an additional step of matching PII gathered from other sources to identify the user. This was not a situation where video viewing habits were linked to a Facebook account, where the specific person could be identified without any additional steps. Accordingly, the court found that the disclosure of an Android ID alone, as happened here, does not qualify as PII under the VPPA, and dismissed the case with prejudice.

The court also considered and rejected arguments by CN that plaintiff had no standing to bring the case because he did not suffer an injury in fact, and that plaintiff was not a “subscriber” to any of CN’s services, and thus, not a “consumer” under the VPPA. The court found that an invasion of a statutorily created right established standing even if no injury would have existed without the statute. Since plaintiff alleged a violation of the VPPA, the court found that plaintiff alleged an injury. The court also found that plaintiff was arguably a subscriber because he downloaded the CN App and used it to watch video clips. However, given that the court ultimately dismissed the case, these rulings would be considered dicta.

With this ruling, courts appear to be drawing a line with regard to applying the VPPA to sharing information with analytics companies. Plaintiffs have certainly been testing the waters with VPPA cases against various news and entertainment organizations (see May 5, 2014 blog post). This ruling demonstrates that the courts are hesitant to push the bounds of the VPPA to include the simple sharing of device IDs without more. Time will tell if the other courts follow suit.

U.S. Supreme Court Upholds Fourth Circuit Victory for Omnicare, Inc. in High-Profile, Precedent-Setting False Claims Act Case

This post was written by Eric A. Dubelier, Lawrence S. Sher, Katherine J. Seikaly, Mel Beras, James C. Martin, and Colin E. Wrabley.

In a decision that has significant repercussions both for the pharmaceutical and health care industries and False Claims Act jurisprudence more broadly, the U.S. Supreme Court denied review of a groundbreaking Fourth Circuit decision affirming the dismissal of a novel False Claims Act suit against Reed Smith client Omnicare, Inc. In its February 2014 decision, the Fourth Circuit rejected the qui tam relator’s claim that Omnicare violated the FCA when it sought reimbursement for drugs that it allegedly packaged in violation of certain federal packaging regulations. The significance of these rulings is especially great as FCA suits proliferate, and settlements and judgments explode. In fiscal year 2012 alone, nearly 800 FCA lawsuits were filed, more than half of which involved the health care industry. And in that same year, according to the U.S. Department of Justice, there were settlements and judgments in FCA cases of nearly $5 billion, more than $3 billion of which involved the health care industry.

Click here to view the full issued Client Alert.

ICO Publishes its Report on Big Data and Data Protection

This post was written by Cynthia O’Donoghue.

On 28 July, the ICO released its report ‘Big data and data protection’ (the ‘Report’).

The Report defines ‘Big Data’ and sets out the data protection and privacy issues raised by Big Data, as well as compliance with the UK Data Protection Act 1998 (‘DPA’) in the context of Big Data.

The ICO defines Big Data by reference to the Gartner IT glossary definition, and further explains that the processing of personal data must be of a significant volume, variety or velocity.

When announcing publication of the Report, Steve Wood, the ICO’s Head of Policy Delivery, stated that “Big Data can work within the established data protection principles…. The principles are still fit for purpose but organisations need to innovate when applying them”.

Under the DPA 1st Principle (fair and lawful processing), the Report emphasises that the complexity of Big Data analytics should not become an excuse for failing to seek consent where required, and that organisations must process data fairly, particularly where Big Data is used to make decisions affecting individuals. A study by Barocas and Selbst entitled ‘Big Data’s Disparate Impact’ found that Big Data has the “potential to exacerbate inequality”, and use of Big Data that resulted in discrimination would violate the fairness principle.

The Report addresses the significant issue of data collection when using Big Data analytics, and stresses that an organisation must have a clear understanding from the outset of what it intends to do with, or learn from, the data to ensure that the data is relevant and not excessive for the purpose. The Report seeks to address the growing concern that Big Data analytics tends to involve collecting as much data as possible, but that under the DPA, data minimisation remains an essential element of Big Data.

The Report also cautions that organisations seeking to use analytics must ensure against purpose-creep by following the purpose limitation principle to ensure that data collected for one purpose is then not used for another purpose incompatible with the original purpose. With this in mind, the ICO suggests that organisations employ a risk-based approach to identify and mitigate the risks presented by Big Data.

The Report also addresses whether the growth of Big Data leads to an increased data security threat, and highlights how the European Union Agency for Network and Information Security (‘ENISA’) has identified a number of emerging threats arising from the potential misuse of Big Data by so-called ‘adversaries’. In contrast, the Report also illustrates that there is evidence of how Big Data can be used to improve information security.

To address these concerns, the ICO recommends several ‘tools for compliance’, including:

  • Privacy Impact Assessments (PIAs)
  • Privacy by Design
  • Promoting transparency through Privacy Notices

Big Data is a fast-growing area that offers many opportunities and commercial advantages. It also presents many challenges. As the Report argues, the benefits of Big Data can only be realised by adhering to current DPA Principles and safeguards. Only through compliance will individuals trust organisations and become more open to the use of their data for Big Data analytics.

Did California Just Impose a First-in-the-Nation Requirement for Breaching Companies To Offer Identity Theft Prevention and Mitigation Services?

This post was written by Paul Bond, Lisa B. Kim, and Leslie Chen.

Spurred by the security breaches at Target, Neiman Marcus, and The Home Depot, California Gov. Jerry Brown signed Assembly Bill No. 1710 into law on September 30, 2014. The bill expands requirements on persons or businesses that own, license, and maintain personal information about a California resident. Specifically, the new law amends sections 1798.81.5, 1798.82, and 1798.85 of the California Civil Code to reflect the following changes:

  • Expands the provisions that require businesses to provide security measures involving personal information to include businesses that “maintain” information about a California resident, not just those who “own” or “license” that information.
  • Requires that if the person or business providing a security breach notification was the source of a breach that involved the exposure or possible exposure of social security numbers (SSNs) or driver’s license numbers, then “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”
  • Prohibits the sale, advertisement for sale, or offer to sell of an individual’s social security number, except in specific circumstances.

Previously, only businesses that owned or licensed personal information about a California resident were required to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Owned and licensed personal information includes “information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.” For example, financial institutions have long been deemed “owners” of personal information under the existing law, and frequently have to issue notices of breach in situations where the actual incident did not even occur at a bank or credit union. However, under the new bill, as long as a business maintains personal information, it will be responsible for disclosing that a breach occurred. This expands the data breach laws to include retailers that have personal information about their customers but do not use it in the manner defined above.

In addition, AB 1710 requires businesses that are the source of a security breach involving SSNs or driver’s license numbers to provide identity theft prevention and mitigation services, if any are offered, at no cost to the affected person for a minimum period of 12 months. The plain text of the statute makes the requirements regarding cost and length of services conditional on the company offering services at all. By saying that “an offer…if any” must meet certain requirements, the statute precludes very short-term “offers” that really function as teasers to get people to subscribe for services at their own expense. However, many commenting on the bill before and after passage have essentially read the “if any” language out of the text by construing the provision to make credit monitoring or a like service mandatory. Regardless of the interpretation, the new provision reflects the legislature’s interest in offering security breach victims a means to ameliorate the situation.

Finally, the new bill also provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN except in specific circumstances allowed by the law. For example, businesses are not prohibited from incidentally releasing social security numbers when it is necessary to do so to accomplish a legitimate business purpose. Note, however, that it is not permissible to release an individual’s social security number for marketing purposes.

The new amendments go into effect January 1, 2015. Beginning then, businesses that violate the law may be subject to civil actions by customers seeking to recover damages or injunctive relief. Cal. Civ. Code § 1798.84(b) and (e).

It's a Bird...it's a Plane...it's a Drone; FAA Approves Limited Use of Drones as Camera Platforms for Film and TV Production

This post was written by Hilary St. Jean.

Unmanned aerial cameras have been legal in other parts of the world but were prohibited for commercial use in the United States until last week, with the limited exception of two commercial-drone operations, which the FAA had previously approved for Alaskan oil operations. On September 25, 2014, the FAA announced that it approved certain uses of drones or unmanned aircraft systems (“UAS”) in the National Airspace System for film and TV productions. This is a breakthrough for the entertainment industry because drones give filmmakers Superman-like abilities to take images at angles never before captured. Drones are able to cover altitudes lower than helicopters but higher than cranes, and can navigate indoor areas that are otherwise difficult or impossible to get to. However, the FAA’s approval is not without restriction.

The FAA must grant permission for all non-recreational (commercial) drone flights. Thus far, FAA permission has been granted to only six aerial photo companies for film and TV production. Additionally, various safety requirements are associated with the approval process. The FAA stated that these six applicants submitted UAS flight manuals with detailed safety procedures that were a key factor in their approval. Nevertheless, the requirements leave open the opportunity for operating requests from companies in other fields. In fact, the FAA stated it is currently evaluating requests from 40 companies (allegedly including Amazon.com Inc., which desires to test prototype delivery drones at its Seattle headquarters). Meanwhile, abroad – at DHL headquarters in Germany – drones are beginning deliveries of medications and other urgent goods to the island of Juist, after securing approval from state and federal transport ministries and air traffic control authorities to operate in restricted flight areas. These are referred to as “parcelcopters,” and illustrate the widespread potential future use and capability of UAS both domestically and abroad.

Click here to read the full issued Client Alert.

UK Competition Authority acted irrationally in hotel room on-line pricing case

This post was written by Edward S. Miller and Marjorie C. Holmes.

A decision by the UK’s former competition authority, the Office of Fair Trading (OFT – now replaced by the Competition and Markets Authority (CMA)) to accept commitments to settle its investigation into on-line prices for hotel rooms has been quashed by the UK Competition Appeal Tribunal and sent back to the CMA to decide again.

As noted in a previous alert on the case, a striking feature of the commitments given to resolve the original investigation was the absence of a clear commitment regarding MFN or price parity clauses which oblige hotels to guarantee that a website is being offered the best price by the hotel. Indeed, a feature of the commitments was that, although websites would henceforward be allowed to discount room prices by sacrificing a part of their commission, the websites could be obliged to keep these deals secret by limiting them to certain classes or “clubs” of customers. Price comparison sites, such as the appellants, Skyscanner and Skoosh (also the original complainant) had made the point to the OFT that the effect of hiding these discounts was that the discounted prices would not be picked up by the search tools used by price comparison sites, thus restricting transparency and competition.

Click here to read the full issued Client Alert.

PCI Addresses Payment Security Risks with New Guidance

This post was written by Cynthia O’Donoghue and Kate Brimsted.

In August, the Payment Card Industry (“PCI”) Security Standards Council published the Third Party Security Assurance Information Supplement (“Supplement”) to help organisations reduce their risk by better understanding their respective roles in securing card data.

The Supplement was developed by the PCI Special Interest Group (“PCI SIG”) consisting of merchants, banks and third-party service providers, to help meet PCI Data Security Standard (“PCI DSS”) Requirement 12.8.

Under PCI DSS Requirement 12.8, an entity must maintain policies and procedures to ensure that service providers are securing cardholder data. In addition, under PCI DSS 3.0, effective from 1 January 2015, entities will be required to obtain a written acknowledgement of responsibility for the security of cardholder data from their service providers.

The Supplement focuses on practical recommendations to help meet the Requirements. Examples include:

  • Conducting due diligence of Third-Party Service Providers (“TPSP”)
  • Implementing a process to help organisations understand how services provided by TPSP meet the PCI DSS Requirements
  • Developing written agreements and policies and procedures
  • Monitoring TPSP compliance status

The Supplement could not come at a better time. Worldpay, a payment processor, reported in August that at least 6.57 million cards in the UK have been put at risk over the past three years as a result of security breaches. UK consumers are now becoming increasingly wary, and a survey commissioned by payments-provider PayPoint in May found that 55 percent of UK consumers view payment security as the most important factor in deciding how to pay.

Federal Appeals Court Holds Employee Directly Liable for Penalties and Duties Related to Negligently Declared Goods - What are the Implications?

This post was written by John P. Donohue, Leigh T. Hansson, and Michael J. Lowell.

On September 16, 2014, the Court of Appeals for the Federal Circuit published its long-awaited decision in United States v. Trek Leather Inc., and its opinion may have created an unintended level of concern among compliance professionals and import departments.

Trek Leather is an importer of men’s suits. Its business plan called for the importer to supply at no cost to the foreign producer, the raw materials used in the production of the finished goods. The delivery of input raw material at no cost to the producer is not unlawful, but the law requires that – at the time of entry – the cost or value of the input material must be added to the international transfer price to arrive at a correct dutiable value. The delivery of merchandise at no cost or at a reduced cost is known in this area of law as an “assist.”

In 2002, the president/shareholder (the “Corporate Officer”) of the importer failed to advise his import broker of the assists used in the production of the imported wearing apparel. This error was identified by U.S. Customs, but resolved with the payment of additional duties and without ancillary enforcement proceedings. In 2004, however, the same importer, through the same Corporate Officer, again failed to declare the assists, and this time – in addition to the collection of duties – Customs instituted enforcement proceedings against both the importer and the Corporate Officer, alleging grossly negligent conduct.

Customs proceeded against the importer and Corporate Officer under 19 U.S.C. § 1592, which provides that no “person” may “enter or introduce or attempt to enter or introduce” merchandise into the United States negligently, grossly negligently or fraudulently, and enumerates the penalties available for each level of misconduct. The position of U.S. Customs was that the Corporate Officer and importer were both liable for introducing or entering the merchandise into the United States with an incorrect declaration of dutiable value. The critical question raised in the enforcement proceedings was whether the United States could seek the imposition of penalties against the Corporate Officer personally, since he was not the importer of the goods; did not make the false “declaration” supporting entry; and had no personal obligation to pay the duties allegedly due.

In the Court of International Trade (“CIT”) proceedings, the corporate defendant (Trek Leather) conceded liability for grossly negligent conduct, but the Corporate Officer argued that the statute did not extend to him personally because he was neither the importer of the goods nor the party legally obligated to pay the duties. The CIT nonetheless sustained the position of the United States and held that both the importer and the Corporate Officer could be held jointly and severally liable, not simply for the penalties relating to the grossly negligent conduct, but also for the duties themselves. The Court of Appeals for the Federal Circuit initially reversed the CIT as to the personal defendant, and the United States sought an en banc review. The en banc panel vacated the Federal Circuit’s holding and held that the United States could properly pursue the officer because the officer qualified as a “person” under the statute. In addition, the en banc panel conceded that the Corporate Officer did not make entry, but also noted that the statute extended not only to those who “entered” merchandise (which might be read to apply only to the importer of record), but also to those who “introduce” such merchandise, which could extend to a broader class. Finally, in dictum that will be sure to cause concern in all importing companies, the en banc panel specifically declined to affix liability to the Corporate Officer because of his legal status as an officer, but rather held the Corporate Officer liable because the evidence demonstrated that he committed the acts complained of. In short, the Federal Circuit had the opportunity to limit the breadth of its decision by pointing to officer, director or fiduciary status, but declined to do so.

The Federal Circuit’s opinion will likely cause concern among the compliance and supply chain professionals and other mid-level employees in Customs and International Trade departments of importing companies. Under the rationale of this decision, these employees may be subject to higher individual risks than they would have previously anticipated, including fines and penalties, in addition to duties due on the imported merchandise. To ensure that company employees who now operate in a higher-risk environment are given the support of their management, companies may have to review policies on assumption of liability, indemnification, and even absorption of attorneys’ fees and court costs. Similarly, while this decision may have resulted in Customs having a new vehicle for enforcing compliance against individual company employees, Customs will have to adopt its own policies to ensure that these individual employees – though technically now at risk – will not be indiscriminately pursued.

UK High Court considers implications of the Google Spain case for the first time

This post was written by Cynthia O’Donoghue and Kate Brimsted.

In July 2014, the High Court (the ‘Court’) considered for the first time the implications of the landmark decision in Google Spain, when delivering an interim judgment in the case of Hegglin v Persons Unknown [2014] EWHC 2808 (the ‘Judgment’).

Mr Hegglin (the ‘Claimant’), a businessman who lived in London but now resides in Hong Kong, sought to have removed a number of abusive and defamatory allegations about him that had been posted on various websites by unknown persons. Google was a defendant in the case as portions of the offensive material appeared in search results, and because Mr Hegglin requested the court to order that the identities of the anonymous posters be disclosed to him.

While the substantive claims remain to be decided, the Court considered certain interim matters, including an interim injunction and permission to serve the claim on Google, Inc., incorporated and located in the United States.

The Claimant sought an interim injunction against Google based on sections 10 and/or 14 of the Data Protection Act 1998 (‘DPA’), which give individuals the right to prevent the processing of their personal data where it is likely to cause damage or distress, or where the data is otherwise inaccurate. The Court rejected Mr Hegglin’s application for an injunction on the grounds that there was insufficient notice (less than two clear working days) and that it was too extensive, as it would have required Google to take “all reasonable and proportionate technical steps as might be necessary in order to ensure that [the] material does not appear as snippets in Google search results.” However, the Court did issue an order requiring Google to disclose information in its possession which could assist the Claimant in identifying the individuals who are responsible for the posts.

When considering whether the Claimant should be granted permission to serve the proceedings out of the jurisdiction, the Court considered the Google Spain case and noted that the Court of Justice of the European Union (‘CJEU’) had concluded that Google was a data controller for the purposes of Data Protection Directive 95/46/EC. As a result, there was “at least a good arguable case” that Google was required to comply with the DPA when processing the Claimant’s personal data. On this basis, permission was granted.

While this case is not concerned with the “right to be forgotten”, which has been subject to extensive press and political attention, it highlights the fact that the CJEU’s decision is in fact much broader. The full consequences remain to be seen, and the case is set to come to full trial in November 2014.

Direct Marketing Association releases New Privacy Code of Practice

This post was written by Cynthia O’Donoghue and Kate Brimsted.

On 18 August, the Direct Marketing Association (‘DMA’) issued its new Privacy Code of Practice (‘Code’) to address customer concerns about data privacy. The Code is a result of an 18-month consultation with the Information Commissioner’s Office, the Department for Culture, Media & Sport and Ofcom.

The Code focuses on five key principles:

  • Put your customer first
  • Respect privacy
  • Be honest and fair
  • Be diligent with data
  • Take responsibility

The Code contains desirable outcomes for each principle. For example, a customer receiving a ‘positive and transparent experience throughout their association with the company’ is a specified outcome against the ‘put your customer first’ principle.

The principles form a useful tool that encourages self-regulation and seeks to cultivate a relationship of trust with customers. Rather than issue a rule-based system, the DMA’s new Code provides flexibility to members to determine the way they will comply with both the principles and the law.

The Code will be enforced by the DM Commission, the industry’s independent watchdog. Breaking the Code will result in DMA members being expelled from the association, a move which is likely to cause reputational damage.

President of the EC calls for a finalisation of Europe's data protection rules and review of safe harbor

This post was written by Cynthia O'Donoghue and Kate Brimsted.

Incoming president of the European Commission, Jean-Claude Juncker, has radically transformed the EU executive to help him pursue his vision for the next five years.

Juncker seeks to make the EU “an area of justice and fundamental rights based on mutual trust,” which has led him to call for the “conclusion of negotiations on the reform of Europe’s data protection rules,” and for the review of the Safe Harbor agreement to be completed within six months’ time, particularly in light of recent mass surveillance revelations.

In Juncker’s mission letter, he requests Vice President Andrus Ansip, former Prime Minister of Estonia, to be Vice President of the ‘Digital Single Market’ team, with the aim of bringing to an end the Safe Harbor saga and the reform of Europe’s data protection rules.

What conclusions will be reached, if any, remain to be seen. Moreover, it will be interesting to see how Ansip’s attitude will differ toward data protection regulation from that of Vice President Viviane Reding, who threatened to suspend the EU/U.S. Safe Harbor Agreement in January 2014.