CLOSE X
RSS Feed LinkedIn Twitter Facebook
Search:
FMG Law Blog Line

Archive for August, 2015

Third Circuit Affirms FTC’s Authority Over Data Security: Decision Underscores Need for Cyber Policies and Procedures

Posted on: August 27th, 2015

option 1By: David Cole

This week, the U.S. Court of Appeals for the Third Circuit released its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corporation, unanimously upholding the FTC’s authority to regulate businesses’ data security practices under Section 5 of the Federal Trade Commission Act (FTC Act).  As a result, businesses can expect increased enforcement by the FTC and greater scrutiny of their data security practices.

Section 5 of the FTC Act declares it unlawful for a business to engage in any “unfair or deceptive acts or practices in or affecting commerce,” and it empowers the FTC to enforce this provision through administrative actions and civil actions in federal court.  In recent years, the FTC has taken the position that businesses with inadequate data security practices, and businesses that do not adhere to their published data security and privacy policies, engage  in unfair and deceptive practices.  This has caught by surprise many who have not thought of inadequate data security as a potential unfair or deceptive practice.

The Third Circuit’s decision originated from a lawsuit that the FTC filed in federal court alleging that Wyndham engaged in unfair and deceptive practices surrounding three data breaches that occurred in 2008 and 2009.  It alleged that Wyndham’s data security was insufficient in a number of ways, including that:

  • payment card information was stored in clear readable text (instead of encrypted);
  • simple, easily guessed passwords were used (instead of complex passwords and multi-factor authentication);
  • readily available security measures were not used to limit access between systems (like firewalls);
  • adequate information policies and procedures were not implemented;
  • measures to detect and prevent unauthorized access were not used (like intrusion detection systems); and
  • proper incident response procedures were not followed.

Wyndham moved to dismiss the lawsuit, arguing that the FTC is not empowered to regulate businesses’ data security practices under section 5 of the FTC Act.  Alternatively, it argued that the FTC had not given “fair notice” of the data security standards it would enforce, and which businesses needed to satisfy in order to comply with the FTC Act.  The district court denied Wyndham’s motion to dismiss, but allowed it to appeal to the Third Circuit.  Many had hoped that the Third Circuit would reign in the FTC’s efforts to extend itself into the field of data security, but instead got the opposite result.

The Third Circuit unanimously agreed with the FTC and rejected Wyndham’s arguments, holding that the FTC does have authority under the FTC Act’s “unfairness” prong to bring enforcement actions against businesses for having inadequate data security.  The court cited language in the FTC Act, which authorizes the FTC to declare an act or practice unfair, in violation of section 5, if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”  In Wyndham’s case, the court decided that consumers could not have reasonably avoided their injury because Wyndham’s published privacy policy misled them by suggesting that it took steps to safeguard confidential information, when, in fact, it actually did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

The Third Circuit also rejected Wyndham’s fair notice argument, stating that it was not entitled to know with “ascertainable certainty” what cybersecurity standards the FTC would require.  Instead, it held that the requirement of fair notice is met so long as a business can “reasonably foresee that a court could construe [its] conduct as falling within the meaning of the statute.”  Since Wyndham allegedly lacked “any” firewalls, encryption for certain customer files, and password requirements, among other things, the court held that Wyndham should have been on notice of the possibility that a court could find that its data security practices were unreasonable.

It is not yet known whether Wyndham will seek further review of the decision.  In the meantime, the Third Circuit’s decision establishes precedent that may be followed by other courts and, unless and until there is further appellate review or a challenge in another circuit that is decided against the FTC, it seems that the question of the FTC’s authority to regulate the data security field is now established.  As a result, businesses can expect more enforcement by the FTC and greater scrutiny of their data security practice.

This underscores the importance that businesses must place on their data security practices.  As we have written before, it is critical that businesses implement policies regarding their data security practices and their procedures for responding to a data breach if one occurs.  To help our clients accomplish this, FMG has developed a Data Breach Toolkit, which consists of policy and form documents intended to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and respond effectively if one happens.  To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy and Cyber Liability Practice Team  attorneys.

FMG Data Breach Response Team

To best service our clients, you have 24/7 around-the-clock access to our Data Breach Response Team. Our attorneys provide you with a single point of contact for an immediate determination of the appropriate response to the breach and, where warranted, they will dispatch appropriate support service providers to your location to begin any investigation or resolution work that is needed. The lead members of our Data Breach Response Team are:

David Cole – Cyber Team Chair
(770) 818-1287 (o)
(404) 805-6558 (c)
[email protected]John Goselin (Atlanta office)
(770) 818-1423 (o)
(678) 478-3570 (c)
[email protected]

Jonathan Romvary (Philadelphia office)
(267) 758-6009 (o)
(609) 304-2883 (c)
[email protected]

Behnam Salehi (Philadelphia office)
(267) 758-6013 (o)
(949) 294-9230 (c)
[email protected]

Kacie Manisco (San Francisco office)
(415) 689-1215 (o)
(909) 969-3757 (c)
[email protected]

Mission: Impossible – Rogue Onions

Posted on: August 20th, 2015

run-explosion-2By: Seth Kirby

After trailing the tractor-trailer from the shipyard to the warehouse facility, the surveillance team scrambled to obtain a view of the unloading process. Using their sophisticated camera equipment they hoped to be able to record evidence that the billionaire and his henchmen had been adulterating this precious commodity. Peering through the darkness, the lens captured what they had all feared. The horror…

No, this is not the opening scene of the next installment of the Mission Impossible move franchise, but rather my overly dramatic summary of a recent agricultural enforcement action here in Georgia concerning of the State’s most revered commodities, the Vidalia onion. While I have taken some dramatic license in retelling the story, the essential facts are entirely accurate.

“The Vidalia onion is a sweet onion that, by federal law, can be grown and packaged in only one region in Georgia.  Celebrity chef Bobby Flay wrote that Vidalia’s are not just the most famous onions in the world: I think they may be the only famous onions in the world.”  It is estimated that the annual market for Vidalia onions exceed $150 million.  Vidalia’s are the champagne of the onion world, and their growers have every reason to protect their exclusive brand.  The action movie script set forth above is based on the actual efforts of Vidalia farmers to prove that a Georgia farm owned by non-other than Bill Gates was attempting to pass off Florida grown yellow onions as prized Vidalia’s.  Indeed, competing farmers began tracking shipments of onions from Florida to Gates’ Georgia farm and tipped off state authorities with videos and photographs of the shipments.  This prompted an investigation by the state which uncovered irregularities in how the farm was storing the different varieties of onions and resulted in an order placing the farm under probation.  While no evidence was uncovered that the yellow onions had been improperly shipped as Vidalia’s, the improper comingling of the produce in the same facility seemed suspicious.  In the delay caused by the investigation, over $100,000 worth of onions spoiled.  The agricultural authorities felt that the spoilage “was discipline enough” for the violations, but future violations could cause the farm to lose its license.

This cloak and dagger story is a sharp reminder of how sophisticated and complex our modern economy has become, and the resulting challenges that are created for businesses and their insurers.  In this example, Onion farmers were compelled to take steps preserve the integrity of their brand and did so through corporate espionage.  While their conduct seems to be have been warranted under these circumstances, consider the risks that the farmers encountered as a result of their efforts.  Their surveillance attempts could have resulted in a lawsuit alleging invasion of privacy or trespass.  People could have been injured and property could have been damaged during the effort.  Their reporting to the authorities could have resulted in a claim for liable, slander or malicious prosecution.  Taking such risks may have been worth it to stop the violations, but I must question whether the farmers actually considered these risks before engaging in the mission.  Moreover, I doubt that their insurance underwriters considered these risks in pricing their insurance.  Fortunately for the farmers, these hypothetical claims might be entitled to coverage under common general liability policy terms.

Most recent discussions over emerging risks faced by businesses and insurers focus on cyber risk and new technology.  Such discussions are warranted as emerging technologies will undoubtedly change the way certain industries conduct business and expand their risk profiles.  But in focusing on the new, we should not forget that unanticipated risk can be generated any time a business strays from its typical activities.  When considering side projects, prudence dictates that businesses should evaluate whether the new venture exposes the business to risks that fall outside the scope of their insurance coverage.  By the same token, insurers would be wise to inquire about whether new ventures are planned by their insureds and price their products accordingly.

 

 

 

Petitioners Submit Statements of Issues in Appeal of FCC’s TCPA Ruling

Posted on: August 20th, 2015

phoneBy: Matt Foree

As reported previously, the Federal Communications Commission (FCC) issued its Declaratory Ruling and Order (Order) regarding the Telephone Consumer Protection Act (TCPA) on July 10, 2015.  That ruling was immediately appealed by several business organizations including ACA International and Sirius XM Radio, Inc. (XM Radio), which filed appeals in the U.S. Court of Appeals for the District of Columbia Circuit. The Professional Association for Customer Engagement, Inc. (PACE) filed a similar petition in the 7th Circuit Court of Appeals.  On July 24, 2015, the three petitions for review were consolidated into the Court of Appeals for the District of Columbia Circuit.

ACA International, XM Radio and PACE (Petitioners) have each filed their Statement of Issues per the court’s rules. In their Statements of Issues, the Petitioners set forth the issues that form the basis of their appeals. For example, the Petitioners criticize the FCC’s definition of “automatic telephone dialing system” (ATDS) in the Order. ACA International asserts that Congress enacted a precise definition of ATDS that excludes telephones that do not fall within the definition of ATDS, but the FCC disregards the definition to expand the type of equipment that the TCPA covers. Therefore, it argues, the Order extends the FCC’s jurisdiction to regulate telephones that are not within the definition of ATDS. Furthermore, ACA International criticizes the Order’s treatment of “capacity” in determining whether a device is an ATDS such that it does not comport with a caller’s constitutional right of due process.

The Petitioners also criticize the Order’s definition of “called party” in the context of the “prior express consent” defense. As noted by XM Radio and PACE, the FCC concluded that the term “called party” means “‘the subscriber or customary user’ of the number in question, not the intended recipient of the call, even though callers often have no way of knowing that a number has been reassigned from one person to another.” As ACA International asserts, this definition “misinterprets the statutory text and will result in liability for innocent and unknowing conduct.” XM Radio and PACE then note that the FCC, “[r]ecognizing the unfairness of that outcome,” interpreted the TCPA’s prior express consent provision to give callers “one liability-free call to a number that has been reassigned.” They also note that, even if the one call does not provide the caller with information about the status of the number, “callers remain liable for any subsequent call made without the prior consent of the subscriber or customary user.” ACA International asserts that the FCC’s conclusion that “we deem the caller to have constructive knowledge” of a reassigned number after one call is arbitrary, capricious, and an abuse of discretion.

Significantly, ACA International notes that the Order disregards Congress’s findings in the TCPA. It states that, when Congress enacted the statute, “it found that ‘[i]ndividuals’ privacy rights, public safety interests, and commercial freedoms of speech and trade must be balanced in a way that protects the privacy of individuals and permits legitimate telemarketing practices.” ACA International contends that the Order rejects that balance and disregards “commercial freedoms of speech and trade” to create a “regulatory web so tangled that it snares legitimate, compliant, law-abiding actors along with the abusive and intrusive callers at whose conduct the law is aimed.”

The Petitioners’ Statements of the Issues underscore the problems that were compounded by the Order, the lack of common sense that remains in interpreting the TCPA, and the potential for increased litigation unless the Order is modified.

 

 

Practice Pointer for Local Government Lawyers: In zoning Enforcements Matters, Try to Get Injunction Language in the Final Order

Posted on: August 10th, 2015

option 2By: Coleen Hosack

Glynn County residents had to sit by and watch property owners use their ocean front beach house as a commercial event venue in violation of the Glynn County Zoning Ordinance during the pendency of an appeal because the County did not have an injunction order prohibiting the property owners from doing so.  While the County was successful in convincing the trial court that the property owners were using their property in a manner that was inconsistent with the zoning district and obtained an order saying as much, the trial court did not also enjoin them from using their property as a commercial event venue.  This case illustrates there is a fine line between declaring the rights of parties on a question of law and ordering a party to perform or refrain from performing a specified act. Burton v. Glynn County, S15A0082, Georgia Supreme Court (July 13, 2015). The automatic stay in the Georgia Appellate Practice Act applies to a declaratory judgment order; but the trial court has discretion to enforce an injunction during an appeal.

The Burtons built a lavish ocean-side home in 2008 on property zoned R-6 in Glynn County. The zoning restricted the use of the property to primarily residential use by a single family and other uses that are customarily incidental. In 2010, the Burtons began to regularly allow special events at the house, marketing and promoting the house as “Villas de Suenos” or “House of Dreams” allowing up to 100 or more guests. Following complaints by residents regarding noise, traffic, and parking issues arising from the large scale gatherings, Glynn County issued a cease and desist letter requesting the Burtons immediately discontinue the use because it violated the zoning ordinance.

The Burtons thereafter sued the County seeking declaratory and injunctive relief to stop the County’s efforts to enforce the zoning ordinance so as to prohibit the use of the property as an event venue. The County brought a counter claim requesting the opposite relief. Following an evidentiary hearing, the trial court agreed with the County and issued an order on December 20, 2013 adopting the County’s interpretation of the zoning ordinance and directing the Burtons to comply with the ordinance, so interpreted, in their future use of the property. The Burtons appealed challenging the trial court’s interpretation of the zoning ordinance.

During the pendency of the appeal, the Burtons continued to use the house for special events. The County filed a motion for contempt arguing that their use of the property in this manner was in violation of the trial court’s order; but the trial court denied the motion on the grounds that it lacked jurisdiction because the filing of the notice of appeal acted as an automatic supersedeas pursuant to O.C.G.A. § 5-6-46.  While the County argued this provision did not apply because the order was not just a declaratory judgment order; it was also an injunction order under O.C.G.A. § 9-11-62; the Georgia Supreme Court disagreed. While the order did require the Burtons to use their property consistently with the zoning ordinance, an order is not converted to an injunction merely because it directs a party to comply with the law.

The opinion affirming the trial court’s December 20, 2013 order was not decided until July 13, 2015. This means the Burtons were able to use their beach front property as a commercial venue in violation of the zoning ordinance for an additional eighteen months. Had the trial court included additional language enjoining the Burtons from doing so, the trial court would have had the authority to hold the Burtons in contempt of its injunction order during the pendency of the appeal. The result of this case is a good reminder to make sure you ask the trial court for language in the final order that not only declares the rights of the parties; but affirmatively enjoins the property owner from using the property in a manner that is in violation of the zoning ordinance. Had the trial court’s order enjoined the Burtons from using the property as a commercial event venue, they would have been prohibited from doing so during the pendency of the appeal or at the very least; the trial court would have had the discretion and the teeth to hold them in contempt if they did not comply.

“My Boss is Making Me Sick!” California Appellate Court Denies Anxious and Stress-Ridden Employee Relief Under The FEHA

Posted on: August 6th, 2015

option 2By: Allison Shrallow

If you have not muttered “my boss is making me sick” at some point in your life, consider yourself lucky.  As for the millions of California employees who have suffered at the hands of a tyrant, while such a situation is indisputably stressful, a California court has recently confirmed stress or anxiety that renders an employee unable to work for a particular supervisor does not constitute a mental disability under Fair Employment and Housing Act (“FEHA”).  This is a small victory for employers in an area of law where they are few and far between.

Stress and anxiety may amount to mental disabilities under the FEHA if they make the achievement of a major life activity—including working—difficult.   With the exceedingly large amount of employees who claim to be “stressed” or “anxious,” employers are typically left questioning whether employees are experiencing everyday work-related stress or anxiety, or whether their mental state has reached the level of a disability. Employers generally provide accommodations to employees when they provide medical notes certifying they are disabled, regardless of whether the employee has truly been diagnosed with a stress or anxiety disorder. A California court has now stepped in and declared one instance in which stress and anxiety do not amount to a mental disability, regardless of what the doctor says.

In Higgins-Williams v. Sutter Medical Foundation, Sutter Medical Foundation hired Plaintiff as a clinical assistant in its Shared Services Department.  Three years later, Plaintiff reported to her physician she was stressed because of interactions with her direct supervisor.  Plaintiff’s doctor diagnosed her with anxiety, and Sutter granted her a leave of absence.  Upon Plaintiff’s return, she received a negative performance evaluation, was subjected to negative treatment by her supervisors and her regional manager allegedly grabbed her arm and yelled at her, which caused her to suffer a panic attack and leave work.  Thereafter, Plaintiff requested a leave of absence and transfer to a different department upon her return.  Sutter granted Plaintiff another leave of absence.  While Plaintiff was out, her doctor provided a medical note stating she needed to be transferred out of the Shared Services Department under a different regional manager.  Sutter terminated Plaintiff on the grounds her doctor failed to provide any information regarding if, and when, she could return to her old position.

California and federal courts have long held employers need not accommodate employees by transferring them to a different supervisor because the current supervisor causes the employee stress-related disorders.  In Higgins-Williams, the Court extended these holdings by stating that, to qualify as a disability, an impairment must limit employment generally.  That is, if the employee could do the same job for another supervisor, she is not disabled.  Traditionally, courts have granted a great amount of deference to medical notes certifying an employee is disabled.  The Higgins-Williams case refreshingly calls the bluff.  The transitory nature of the plaintiff’s condition—her ability to turn it on or off depending on which supervisor she was assigned—cuts against a court finding she was truly disabled.

Note, the court’s holding in Higgins-Williams is extremely narrow and applies only to situations where an employee allegedly suffers from a mental disability as a result of working under a particular supervisor.  Employers should be careful not to mistake this holding as an entitlement to forego engagement in the interactive process, refuse to accommodate or terminate an employee who otherwise suffers from stress or anxiety.