Friday, May 11, 2018

California May Be Poised To Dramatically Alter Consumer Privacy (Again)

I have previously written (for example, here, here, here, and here) that California law usually dictates U.S. privacy practices because it tends to be the most protective of consumer privacy (or aggressive, depending upon your perspective). California may once again be poised to dramatically re-shape consumer privacy in the United States.
 
An aggressive consumer privacy proposal has gained enough signatures to be placed on the California ballot for a referendum in November. If enacted, it would effectively create a new set of standards for consumer privacy throughout the U.S., because most companies would likely adopt the California standards nationwide rather than treating California residents differently from other Americans.  
 
Background
 

The Consumer Right to Privacy Act of 2018 (specifically v.2, No. 17-0039, which I'll call the "Proposal") was filed October 12, 2017, and has gained almost twice the number of signatures necessary to be included in the November ballot (which is usually an indication that professional petition firms have been engaged). The qualification deadline is June 28, and it appears that nothing stands in the way of this Proposal making its way onto the ballot. The named sponsor of the Proposal is the lobbying/law firm of Remcho, Johansen & Purcell, LLP of Oakland, California. However, it is said that Alastair A. Mactaggart, a wealthy San Francisco-based real estate investor and executive, is funding this project. He seems to be a first-time political activist who has not been heavily involved in ballot initiatives in the past.
 
In a Nutshell
 

The over-simplified-but-concise explanation is that the Proposal:

  • Would give a consumer the right to demand an accounting of all disclosures made by a business of information about the consumer.
  • Would make it illegal to “sell” or "disclose" for a business purpose information about a consumer once a consumer opts out.
  • Would prohibit a business from conditioning any offering or service on a consumer's opt-out decision.
  • Would require very specific disclosures on all business websites.
  • Would be enforced primarily by class action litigation rather than a state entity.  
  • Would not require that any consumer actually suffer any harm (strict liability). 
  • Would result in penalties of $1,000 per person per occurrence, and up to $3,000 if the government concludes the violation was knowing.
  • Would deem a data security breach to be a violation of law by the breached company if the company's security procedures were not reasonable (judged, of course, with the benefit of hindsight).


In More Detail


The Proposal confers on a consumer the right to know what categories of personal information are being collected by a business. 
 
The Proposal gives a consumer the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer's personal information (the so-called "Opt-Out"). A business must give consumers notice of this Opt-Out right and must honor Opt-Outs after receiving them (presumably immediately). A consumer can authorize another person to Opt Out on his or her behalf, but the Proposal does not specify what form that authorization should take (e.g., a power of attorney).
 
A business cannot "discriminate against" a consumer because the consumer requested information or opted out, including by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (c) providing a different level or quality of goods or services to the consumer; or (d) suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises the consumer's rights. (It is worth noting that this provision goes further than even the GDPR.)
 
A business must designate at least two methods for consumers to submit requests for information, including a toll-free telephone number, and if the business maintains a website, a website address.
 
Requests for information must be honored within 45 days, with no delay allowed for verifying the request. The look-back period is 12 months, and the consumer controls how the report is delivered. Only one demand may be made every 12 months.
 
Opt-out requests must be honored for at least 12 months, and then it appears that the Proposal would require an affirmative consent from the consumer in order for a business to begin sharing information again. [This provision is somewhat unclear.]
 
Website (and probably application) privacy policy statements must be revised to include a statement of the rights that Californians have under the Proposal and a link to the opt-out mechanism. The link must be "clear and conspicuous" and titled "Do Not Sell My Personal Information."
 
There is a training provision in the Proposal that requires “all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with [the Proposal]” to be aware of how to handle those inquiries.
 
A business that suffers a security breach involving consumers' personal information may be held liable if the business has failed to implement and maintain "reasonable security procedures and practices."


The Proposal includes a private right of action, and the consumer need not show that he or she suffered a loss of money or property as a result of the violation in order to bring an action. Statutory damages are set at one thousand dollars ($1,000) or actual damages, whichever is greater, for each violation, but a knowing and willful violation can result in damages of three thousand dollars ($3,000), or actual damages, whichever is greater, for each violation. An intentional violation can also result in a civil penalty of up to $7,500 for each violation. A civil enforcement action can be brought by the California Attorney General, by any district attorney, any city attorney of a city having a population in excess of 750,000, by any city attorney, or any full-time city prosecutor, in any court of competent jurisdiction.
 
Definitions


The devil is in the details, and at least some of the Proposal's terms are defined in ways that could be easily misunderstood:


The categories of personal information covered by the Proposal are:
 
(1) Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
 
(2) All categories of personal information enumerated in Civil Code 1798.80 et seq., with specific reference to the category of information that has been collected (any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.)
 
(3) All categories of personal information relating to characteristics of protected classifications under California or federal law, with specific reference to the category of information that has been collected, such as race, ethnicity, or gender;
 
(4) Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
 
(5) Biometric data;
 
(6) Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
 
(7) Geolocation data;
 
(8) Audio, electronic, visual, thermal, olfactory, or similar information;
 
(9) Psychometric information;
 
(10) Professional or employment-related information;
 
(11) Inferences drawn from any of the information identified above; and
 
(12) Any information pertaining to minor children of a consumer.
 
"Personal information" does not include information that is publicly available or that is de-identified.
 
The terms "sell," "selling," "sale," and "sold" include sharing orally, in writing, or by electronic or other means, a consumer's personal information with a third party, whether for valuable consideration or for no consideration, for the third party's commercial purposes.
 
"Third party" means any person who is not (i) the “business” that collects personal information from consumers or (ii) to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract tightly restricts further resale, use or retention beyond the scope of the business purpose and includes a “certification” that the recipient understands the restrictions. 
 
The term "business" means any for-profit organization that has annual revenue of at least $50MM, has 100,000 or more consumers annually, or derives at least half of its revenue from selling consumer information. A business includes entities controlled by another (including by 50% or more voting equity), or businesses that share a common brand or trademark.

Opposition


Opponents are already pointing out some downsides to the Proposal. For example, there's no safety exception. Some businesses might not be able to send recall notices to consumers who have opted out. A car dealer might not be able to share consumer information with a car manufacturer for purposes of compiling recall notice lists.
 
There is also a fear that without a requirement to demonstrate any actual harm, frivolous litigation will run amok and drive up insurance costs and other costs of doing business.
 
There is also the argument that California should not be attempting to regulate the "world wide web." Some fear that businesses will begin to exclude California customers or will cease services in order to avoid the burdens of the Proposal.
 
More Information


You can read the proposal in its entirety here and judge for yourself.


I intend to follow this Proposal closely, and will likely post more about developments here and on LinkedIn and Twitter.



Sunday, April 1, 2018

South Dakota and Alabama Become the Last States to Enact Data Security Breach Notification Statutes



South Dakota and Alabama have just become the 49th and 50th states to enact data security breach notification statutes, joining the other 48 U.S. states and four U.S. districts/territories that already have similar laws in effect. Here is what you need to know:



South Dakota's Statute (SB 62) At A Glance


  • Signed on March 21, 2018 by Governor Dennis Daugaard (before Alabama's statute) and will take effect July 1, 2018 (after Alabama's statute).

  • The statute applies to “information holders” which is a term that seems to cover the concepts of data controller and data processor in other regulatory regimes. (This is just one more reason why data controllers and data custodians will want to carefully allocate responsibility for compliance in their contracts.)

  • Notice is required to South Dakota residents within 60 days after “personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.”

  • There are two categories of protected data (unlike most state statutes): “Personal Information" and "Protected Information,” and they include biometric data, in addition to other elements that are common among such state laws.

  • Personal and protected information includes health information (which is a recent trend in state laws that many think is unnecessarily duplicative of HIPAA's breach notice provisions).

  • Access credentials (e.g., a username and password) for an online account are covered, reflecting a recent trend in state laws.

  • Notice to the Attorney General of South Dakota is required if more than 250 residents are affected. 

  • Notification to consumers is not necessary if the breached organization conducts an investigation and determines that consumers are not likely to be harmed (but notice to the AG is still required). That determination should be supported by a written analysis, which is to be retained. The AG may disagree with the conclusion and require notice to consumers. (This consultation approach is a relatively recent trend in state data breach statutes.)

  • The AG can impose fines of up to $10,000 per day per violation.

  • Violations of the breach notice requirement may also be criminal deceptive acts or practices under South Dakota’s Deceptive Trade Practices Act (37-24-6). (Note: I am not aware of any other state data security breach notification law that criminalizes a failure to comply.  If you are, please tell me.)

  • There is no express right of civil action in the new statute, but because violations are also deemed violations of the Deceptive Trade Practices Act, civil suits seem foreseeable. 



Alabama’s Statute (S.B. 318) At A Glance


  • Signed on March 28, 2018 by Governor Kay Ivey (after South Dakota's) and will take effect June 1, 2018 (before South Dakota's).

  • Notice is required to Alabama residents within 45 days after discovery.

  • “Sensitive personally identifying information” includes elements that are common among other state breach notification laws.

  • Access credentials (e.g., a username and password) for an online account are also covered, reflecting a recent trend in state laws.

  • Notice to the Attorney General of Alabama is required if more than 1,000 residents are affected. 

  • Those who knowingly violate the notification law are subject to penalties of up to $500,000 under the Alabama Deceptive Trade Practices Act, plus additional amounts up to $5,000 per day for continuing failure to comply.

  • There is no express right of civil action in the new statute, but the Alabama Attorney General may bring a “representative action” for named individual victims to recover actual damages plus attorney’s fees and costs.

At long last, every state has some sort of data breach notification law. They vary, of course, in the details. [Georgia's statute, for example, applies only to governmental "information collectors" and "data brokers" that collect and share data for compensation, severely limiting the reach of the statute.] Some of them have idiosyncrasies that preclude a one-size-fits-all breach notice. [Compare California's statute with Massachusetts' statute, for example.] For a handy reference of all states' and territories' data security breach laws, see the website of the National Conference of State Legislatures, here.

It should also be noted that the U.S. Congress seems to consider a federal breach notification statute in almost every session, and almost every proposal would preempt all state breach notification statutes. None, however, has yet been enacted (for reasons you may have heard me describe on social media or in presentations).

As a result of these two new statutes, organizations may want to update cyber incident response plans to reflect the new notice requirements and categories of data covered.

Friday, March 16, 2018

Finally, Clarity on Telemarketing and Text Messaging to Reassigned Mobile Numbers

Today, the U.S. Court of Appeals for the District of Columbia Circuit gave some clarity to companies that send marketing messages to consumers. The ruling addresses four issues, but this post will focus on one: text (SMS or MMS) messages to reassigned numbers.
For the past couple of years, companies have been fretting over how to deal with mobile phone numbers that have been reassigned from consumers who have agreed to receive robocalls or text messages to new consumers who have not agreed to receive them. The FCC said in 2015 that companies that inadvertently send these messages to reassigned numbers get one free pass, but after that, whether or not the company knows or should know that the number has been reassigned, all other messages will result in liability.
The case is ACA Int'l v. FCC (2018 WL 1352922, No. 15-1211), and it was brought by several organizations and trade groups who sued the FCC soon after the 2015 declaratory ruling, arguing that the FCC's position on this issue was unfair and so removed from reality as to be "arbitrary and capricious." The suit focused on four issues covered by the FCC's order:
  1. Which types of automated dialing equipment are subject to the Telephone Consumer Protection Act’s restrictions;
  2. Does a call violate the TCPA if, unbeknownst to the caller, the intended recipient's mobile phone number has been reassigned to a different person who has not consented;
  3. What methods can a consumer use to revoke a prior consent to receive text messages; and
  4. Is the FCC's exception for healthcare-related calls too narrow?
For this post, I am focusing only on the issue of text messages to reassigned numbers. [Note that the FCC's ruling focused on robocalls (autodialed or pre-recorded voice messages), but the rules applicable to robocalls apply equally to text messages.]

Background 

In 2015, the FCC issued a declaratory ruling which indicated that if a mobile telephone number is reassigned from one consumer to a new consumer, an organization that previously was allowed to solicit that number gets only one "free" solicitation to that number (in the hands of the new consumer). After that, the calling organization risks strict liability for further solicitations. The calling organization is required to verify that the number has not been reassigned during that one "free" call. The problem is that there may be no way for the calling organization to know that the number has been reassigned, for example, if the consumer doesn't respond at all to the message. If the new owner of the number does not object (following the first message), the calling organization will naturally continue to send messages, and the FCC took the position that the organization would be liable if the new owner of the number had not consented to receive messages, whether or not the calling organization knew or could have known.

Millions of mobile phone numbers are reassigned every year in the US, and while some mobile phone carriers have begun sharing lists of reassigned numbers with certain telemarketing firms, not all have agreed to do so.  The FCC's ruling had effectively created a legal risk that was impossible to avoid entirely.  

The Risks

The stakes here are high. The TCPA contains a private right of action, which means consumers can sue for at least $500 for each call made (or text message sent) in violation of the statute, and up to three times that amount for each “willful or knowing” violation. (47 U.S.C. § 227(b)(3))  

The Case 

Organizations and trade groups objected to the FCC's position and quickly filed a lawsuit arguing that the FCC's decision was arbitrary and capricious and fundamentally unfair. That case had been pending before the D.C. Circuit for quite some time (oral arguments were held more than a year ago), and as we learned today, the Court rejected the FCC's "one call" standard; rather than modifying the FCC's ruling, the Court invalidated the FCC's entire approach to reassigned numbers. The FCC will have to start over to create new rules for dealing with reassigned numbers.

What Is Next?

If the FCC's position seemed unfair to you, you are not alone. When the 2015 declaratory ruling was issued, Commissioner Pai, among others, strongly dissented, saying that organizations should have the right to continue to assume, until actually notified to the contrary, that a number has not been reassigned. As you may know, Pai has very recently become the Chair of the FCC. Accordingly, the FCC was already working to design rules that would avoid the problems of the 2015 ruling's one-call safe harbor. The Commission recently solicited input on potential methods for requiring mobile phone carriers to report reassignments. [32 FCC Rcd. 6007 (2017)]. The FCC was also considering a "safe harbor" for calling organizations that inadvertently message reassigned numbers after consulting the most recently updated information.

This decision, and the FCC's recent attempts under Chairman Pai, should give organizations comfort that their telemarketing and text messaging compliance efforts will be viewed more fairly by the FCC in the future.  



Friday, February 9, 2018

The American Bar Association Has Authorized a New Specialization in Privacy Law

At the American Bar Association's mid-year meeting in Vancouver, B.C. earlier this week, the Standing Committee on Specialization did something that I frankly did not expect: it approved the International Association of Privacy Professionals' certifications for purposes of ABA designation as a legal "specialist."


IN A NUTSHELL: For those who already hold the IAPP CIPP/US and either the CIPM or the CIPT certifications, this means that they may soon be permitted to begin referring to themselves as "specialists" in privacy law.



The development came as a surprise to me because the Standing Committee on Specialization had previously considered the proposal at the 2017 Midyear Meeting and again at the 2017 Annual Meeting and declined to move forward, after significant debate; however, the proposal, known as Resolution 103A, was brought for a vote once again at the Committee on Specialization's meeting this week. According to the ABA, there was "a spirited debate" with "several people" expressing concerns about the scope of the subject matter (i.e., the way IAPP defined the field of privacy law) and the potential for confusion about what a privacy law specialization entails. The Committee's role, however, was to determine whether the IAPP's certification process had met the requirements set out in the ABA's Standards for Accreditation of Specialty Certification Programs For Lawyers. The "ayes" and "nays" were so close, according to the ABA, that the chair of the House of Delegates had to call for a second voice vote to determine the outcome. The approval is valid for five years, after which the Committee will re-evaluate the IAPP for continued approval.

The specialization credential requires each of the following:
  1. Be an attorney admitted in good standing in at least one U.S. state. 
  2. Hold a current IAPP CIPP/US certification. 
  3. Hold one of the following IAPP certifications: CIPM or CIPT.
  4. Pass a new IAPP examination on professional responsibility in the practice of Privacy Law.
  5. Demonstrate current and ongoing "substantial involvement" in the practice of Privacy Law (meaning that the applicant has devoted at least 25% of his or her time to the practice of privacy law in the prior three years).
  6. Submit evidence of at least 36 hours of participation in qualified continuing legal education in the field of privacy law for the prior 3-year period. 
  7. Provide five to eight peer references attesting to applicant’s qualifications and "substantial involvement" in the practice of Privacy Law.
Roughly one-half of U.S. state bars recognize the ABA’s specialty certification programs. Some states require attorneys to be acknowledged as specialists by their own state-level programs, while others do not require certification by an accredited program before a lawyer can call himself or herself a "specialist," and a few do not allow advertising of specialty regardless. 


North Carolina's Rule of Professional Conduct 7.4 allows lawyers who are certified under the ABA's specialty certification programs to use the term "specialist" to describe themselves. 


The Privacy and Information Security Law Specialization Committee of the NC State Bar, which I chair, continues its work on a North Carolina State Bar certification, notwithstanding the ABA's decision.  North Carolina State Bar certification will be materially different from ABA certification in ways that I think are meaningful, and I look forward to describing how and why North Carolina State Bar certification will be attractive for attorneys and useful for clients in an upcoming post. 

Friday, September 8, 2017

A Note About TrustedID Premier (Equifax ID Monitoring Service) Terms of Use

Some people are concerned that by enrolling in the TrustedID Premier credit monitoring service offered by Equifax following the Big Breach, they will be waiving their right to recover from Equifax in the event of a class action.  I thought I'd share my thoughts on that issue.

(By way of background, as described in my earlier post, when Equifax announced yesterday that the personal information of 143 million Americans was potentially exposed in a massive data security breach, it began offering individuals the option to enroll, free of charge, in TrustedID Premier, a credit monitoring and ID theft response service.)

The TrustedID Premier terms do include an arbitration provision that purports to (and likely does) waive a consumer's right to sue or participate in a class action.

The terms relate to "TrustedID, Inc." and its "Products," however, and not to Equifax and the Big Breach. Furthermore, the waiver is not prominently disclosed to consumers when they enroll through the Equifax breach response website (www.equifaxsecurity2017.com).

In sum, I just don't think that consumers should be concerned about being unable to participate in a class action lawsuit against Equifax if they enroll in the TrustedID Premier service. 

On the other hand, if TrustedID Premier is breached or otherwise botches the remediation services, consumers will be precluded from bringing a class action against TrustedID, Inc.

[Update: Equifax has revised its FAQ to specifically address this issue.  The explanation is consistent with my early analysis.]

The Morning After: What You Can Do To Protect Yourself After The Equifax Breach

You've probably heard that Equifax revealed yesterday that it was the subject of a data security breach that resulted in the exposure of the personal information of 143 million Americans, almost half the population. It is likely the largest data security breach in U.S. history. The information exposed included names, social security numbers, addresses, credit card numbers, driver's license numbers, and sensitive documents. In other words, this is very, very bad news.

If you're an American (or live in the U.S.), this is a step-by-step guide for protecting your own identity:

1.  First, take advantage of the opportunity to ask Equifax whether your information was exposed. 

Equifax has set up a website for consumers to inquire whether their personal information was among the exposed data.  Go to www.equifaxsecurity2017.com and enter your last name and the final six digits of your social security number. 

Next, click on "Potential Impact" at the bottom left side of the screen.  A new page will open. 
Click on "Check Potential Impact" at the bottom left side of this page as well.

Enter the information where prompted.

If you're lucky (like me), you'll see the following screen:

If your information was potentially exposed, you'll be notified of that instead.  (Please accept my condolences!)

2.  Enroll in free credit monitoring.

When you complete the step described above, Equifax offers to enroll you in a credit monitoring and identity theft protection program called TrustedID Premier.  You can enroll with a single click.
Equifax says that TrustedID Premier includes credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; a type of identity theft insurance; and Internet scanning for Social Security numbers – free for one year.
If you have additional questions, you can call Equifax at 866-447-7559 between 7:00 a.m. and 1:00 a.m. Eastern time.



(Note that if you sign up for the TrustedID Premier service, you will be bound by a mandatory arbitration provision and will be unable to join any class action lawsuit against TrustedID, Inc., but you will not be excluded if there is a class action lawsuit against Equifax. If you are concerned about the ability to join a class action against Equifax, you can send an opt-out notice to Equifax within 30 days.)

3. Check for ID Theft.

Because the Equifax breach occurred beginning in May, your identity may already have been assumed by a nefarious character. You should check your credit report immediately for unfamiliar credit accounts. Although Equifax will give you a free Equifax credit report, I suggest you obtain your report from Experian and TransUnion (the other two major credit reporting bureaus) as well. You can do that by phone or online:
You could also use this form if you prefer pen-and-ink.




4.  If you find evidence of fraud, put a fraud alert on your credit report.  

If you see any fraudulent credit accounts on your report, you can call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report. (Tell the agency you contact to tell the other two to do the same, although there's no harm in calling all three yourself.) You'll be required to prove your identity when placing a fraud alert. There will be no cost. The purpose of a fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed. You can contact the credit reporting agencies at the following:


5.  If you are the victim of identity theft, submit an affidavit to the Federal Trade Commission.
 
Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can.  Next, you need to put this information into the form of an affidavit (a sworn written statement).  The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at https://www.ftccomplaintassistant.gov/.  When finished, submit the affidavit to the FTC through the website.  Print or save a copy for your records. (Alternatively, you can use this form.)


6.  File a Police Report

If you are a victim of ID theft, after you complete the FTC affidavit, you should call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both.  In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule).  File a police report.  (Either they will send an officer to you, or will ask you to come to the station.)  Give the officer a copy of your FTC Identity Theft Affidavit.  Ask to be given a copy of the police report once it's ready.

Sadly, some local law enforcement agencies are reluctant to take reports on ID theft. You can give the agency a copy of the FTC's official memo for local law enforcement agencies, a copy of which is available here.

7.   File an FTC ID Theft Report.

Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from attempting to collect debts from you that result from identity theft, or from selling the debt to another company for collection; (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).


Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see below). In either case, you should notify all three of the credit reporting agencies.


8.  Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze.  


Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze.
 

Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years.  When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.


North Carolina residents (and residents of certain other states) are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently.  (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.)  If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes.  Putting a credit freeze on your credit file does not affect your credit score.

The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law.  Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above). 
  
So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity. My general preference is the freeze, because it gives you the most control.

9.  Review Your Credit Reports and Dispute Errors. 


You will have already reviewed your credit reports for unauthorized accounts.  Review them on an ongoing basis.  If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report.  Here is a sample letter that may be helpful.

The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’ investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.
10.  Contact Any Businesses Involved.


If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed. Also ask them to stop reporting information relating to the fraud to credit reporting agencies. As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization. Here is a sample.

11.  Stop Debt Collectors from Contacting You about Fraudulent Debts


If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.


12. Additional Tips: 
  • Remember to record the dates you made calls or sent letters.
  • Keep copies of all correspondence in your files.
  • A number of sample letters are available here.



I hope you find this helpful. 


Please feel free to share it with your family, friends, and colleagues.  


I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website.  This post is for general information only, and is not legal advice.  No attorney-client relationship is created by this blog post.

Tuesday, July 25, 2017

Why A Recent Federal Decision Involving A Grocery Store Matters to Most Organizations with Websites and Apps




A recent case has organizations all over the U.S. concerned about litigation over website accessibility.

In the first federal decision of its kind, a federal judge in Florida concluded that Winn-Dixie, a regional grocery store chain, was obligated to make its website accessible to a blind man, and that it failed to do so.

As a result, the court awarded the plaintiff his attorneys' fees and ordered the parties to agree on a compliance deadline by the end of this month.

I've written previously about the trend in demand letters and the uncertainty in the law regarding the applicability of the Americans With Disabilities Act to websites, applications and other online interfaces. 

Background

By way of background, when the Americans with Disabilities Act was first drafted in 1988 (and adopted in 1990), it is unlikely that even a single member of Congress contemplated that it could be applied to the Internet. The ADA (and specifically Title III) was applied to brick-and-mortar facilities and intended to ensure that people with disabilities could access and enjoy them. Common examples are wheelchair ramps and braille menus. In the quarter-century since, almost everything that was once only brick-and-mortar now has a presence on the Internet.

One of the greatest ADA questions of our day is whether the ADA applies to websites, apps, and other online interfaces. Only a few courts have addressed this issue, and the results have been mixed, and sometimes very fact-specific. Courts must decide whether a given website is a "public accommodation" and, if so, whether the website operator has made "reasonable modifications" to make the website available to people with disabilities. 

The ADA is enforced by the U.S. Department of Justice (DOJ) and through private litigation. The DOJ is reviewing organizations' websites to determine whether they comply with the law’s access requirements. In addition, a number of plaintiffs' law firms across the country are filing lawsuits alleging that organizations' websites are in violation of the ADA. Internet companies, including Netflix, have settled cases that alleged their websites were inaccessible to people with disabilities.

There are currently no specific federal standards for websites under the ADA. Since 2010, the DOJ has been telling us that it is in the process of developing regulations for website accessibility, but those standards are not expected until 2018 or later. In the meantime, the DOJ says it expects organizations to make their websites accessible to the disabled. The DOJ has indicated that it considers the Web Content Accessibility Guidelines (WCAG) [2.0 Level AA] to be satisfactory for the time being (and perhaps these standards go further than legally necessary), and many organizations have been working towards compliance with those standards on the assumption that any future DOJ standards will be consistent with them (although there are no promises).

Why the Winn-Dixie Case Matters

The decision in Gil v. Winn Dixie is the first federal court opinion addressing the applicability of the ADA to the website of a brick-and-mortar retailer. While it is not binding throughout the U.S., it sets an important precedent. 

The court concluded that the ADA applied because Winn Dixie's website is “heavily integrated” with and serves as a “gateway” to its physical stores. That's an important consideration for brick-and-mortar retailers, who may want to re-evaluate accessibility in light of this recent development.





Monday, May 8, 2017

Can Young Lawyers Learn Something From Older Lawyers About Managing Their Professional Reputations Online (and Vice Versa)?

Here's an article that was published this week in the North Carolina Lawyer magazine that might be of interest to some of you.


Can Young Lawyers Learn Something From Older Lawyers About Managing Their Professional Reputations Online (and Vice Versa)?


by Matt Cordell, NCBA YLD Chair


When I have the opportunity to give advice to law students and young lawyers, one of the things I try to impress upon them is the importance of their reputations, including their “online reputations.” Usually the comment is quickly met with a knowing nod. Everyone seems to know that their reputation is important. However, having witnessed many lawyers of all ages impair their professional reputations online, I have begun to realize that many of us fail to recognize some aspects of maintaining our online reputations, and I have begun to be much more specific in my advice to younger lawyers.

...Read the rest here.

Sunday, March 5, 2017

A New Chapter


(Photo caption: This photo was taken for the firm's website when I joined in 2007.)
In 2005, I met two exceptional people, Don Eglinton and Leigh Wilkinson, during on-campus interviews at my law school. I could immediately tell from the way they talked about Ward and Smith and its people that there was something special about the firm. In the years since, I've experienced firsthand the remarkable culture of this firm and the people who make it so special. I have also had the opportunity to work with some incredibly smart, innovative clients in a number of fields, and I've learned a great deal from many of them.

My practice has evolved over the past decade, and I have found that I very much enjoy practicing in the areas of privacy law, information security law, and technology law, in particular.  A very attractive opportunity has arisen which will enable me to work on these issues on a global scale.

I will be joining the legal department of VF Corp in Greensboro, N.C. If you are unfamiliar with VF, you are likely familiar with its brands, which include The North Face, Lee, Wrangler, Vans, Timberland, Nautica, Smartwool, Reef, Eagle Creek, Eastpak, JanSport, Kipling, and others.  VF has more than 50,000 employees globally and about $12 billion in annual revenue.  The legal department, like the rest of the company, spans the globe.  I will be managing a small group within the legal department handling privacy, information security, and information technology contracting.

(Photo caption: Volunteering at a workday at Camp Challenge, a financial literacy camp for underprivileged kids, with my Ward and Smith colleagues just a few months after joining the firm in 2007.)

Even though I will miss my law partners and clients, I am looking forward to this new challenge and to starting a new phase of my career. I am also looking forward to spending a little more time with my family. We will be moving to the Triad area very soon.

I am confident that all of the clients with whom I have worked over the years are in good hands with the other (nearly 100) lawyers at Ward and Smith.

I intend to continue to write about interesting legal developments on my personal blogs: www.BizLawNC.com and www.LawOfPrivacy.com / www.PrivacyLawNC.com.  I hope you'll continue to check back in from time to time. 



Saturday, December 17, 2016

The FCC Creates Privacy, Data Protection, and Data Breach Rules for Internet Service Providers



Image of Federal Communications Commission Seal


The Federal Communications Commission is venturing into new areas of privacy regulation.  By a narrow vote, the FCC has approved new rules that govern how internet service providers ("ISPs") use consumers' information.

 

ISPs long ago realized that customer data is valuable, and are continuing to develop ways to monetize that information.  For example, last month, AT&T explained that a major factor in its decision to bid on Time Warner was the lure of new possibilities in targeted advertising.  Last year, Comcast bought targeted advertising firm Visible World for similar reasons.

 

Efforts by ISPs to monetize user data have triggered concerns among privacy watchdogs and the FCC. On October 27, 2016, the FCC adopted new rules to control when and how this information can be used and shared. "It's the consumers' information. How it is used should be the consumers' choice," said FCC Chairman Tom Wheeler.

 

According to the FCC, the rules "do not prohibit ISPs from using or sharing their customers' information – they simply require ISPs to put their customers into the driver's seat when it comes to those decisions." The new rules require specific notices to consumers about:


  • The types of information the ISP collects from them

  • How the ISP uses and shares the information

  • The types of entities with whom the ISP shares the information

The rules also require ISPs to give a degree of control to the consumer.  ISPs will be required to obtain consumer consent (an "opt-in") before sharing certain categories of "sensitive" information, including:


  • Health information

  • Financial information

  • Geo-location

  • Children’s information

  • Social Security numbers

  • Web browsing history

  • App usage history

  • Content of communications

For other categories of information (those not deemed "sensitive," such as an email address or service level), ISPs must still offer users the opportunity to "opt-out" of the use and sharing of their information, with some exceptions. Customer consent can be inferred for certain uses, such as providing services and for billing and collection activities.

 

ISPs are prohibited from rejecting a customer for refusing to provide a requested consent.  Because it is more profitable for the ISP if the customers permit data use and sharing, the rules permit an ISP to give customers a discount or other financial incentive to provide a requested consent.

 

The FCC has made it clear that its rules “do not regulate the privacy practices of websites or apps, like Twitter or Facebook, over which the FTC has authority.”  Websites and apps currently collect much more data than ISPs, so the practical impact of the rules on consumer privacy is likely to be limited.

 

The new rules impose a requirement that ISPs implement reasonable data security practices, including robust customer authentication and data disposal practices.  The rules also include a data breach notification requirement, which preempts those in existence in 47 states, but only to the extent that the FCC rules are inconsistent with a state's requirements.   

 

The rules become effective with respect to different sections at different times, with all of the rules likely becoming enforceable within one year. 

 

This action by the FCC creates just one more piece in the mosaic of statutes, regulations, and treaties that together comprise privacy and data security law.