FMG Law Blog Line

Archive for April, 2018

Yahoo Fined $35M for Delay in Disclosing 2014 Cyberattack

Posted on: April 30th, 2018

By: Theodore C. Peters

On April 24, 2018, the U.S. Securities and Exchange Commission hit Altaba, Inc. (formerly known as Yahoo) with a $35 million fine.  The penalty stems from Yahoo’s failure to disclose a 2014 cyberattack until 2016, even though it knew of the breach within days after it occurred.

In its order, the SEC said that Yahoo’s information security team was promptly advised that Russian hackers had acquired highly sensitive information that Yahoo itself referred to as its “crown jewels,” namely Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers for hundreds of millions of accounts.  Despite such knowledge, however, Yahoo waited until September 2016, on the eve of a pending sale to Verizon Communications, Inc., before it officially disclosed the breach.

Yahoo’s disclosure of the breach resulted in an immediate 3 percent decline (estimated at $1.3B) of Yahoo’s share price, and caused Verizon to renegotiate the purchase price, lowering it by $350M (representing a 7.5% discount).  Before publicly acknowledging the breach, Yahoo released annual and quarterly reports that the SEC concluded were “materially misleading” insofar as “they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information…” (emphasis added).

Yahoo later amended its risk factor disclosures and MD&A (Yahoo management’s discussion of financial condition and results of operations) to reflect the 2014 breach in its subsequent public filings.  On October 9, 2016, Yahoo acknowledged that the breach occurred in 2014.  Yahoo also corrected prior public disclosures for 2014 and 2015, which indicated that Yahoo’s disclosure controls and procedures were effective.  The amended filings stated that such controls and procedures were not effective.

As part of its agreement with the SEC, Altaba neither confirmed nor denied the statements in the order.  Whether further action will be taken against any of the Yahoo executives who were employed at the time of the 2014 cyberattack remains to be seen.  Altaba must pay the $35M penalty.

Separately, a U.S. District Court Judge for the Northern District of California held off on sentencing a 23-year-old Canadian “international hacker-for-hire,” Karim Baratov. At an April 24, 2018 sentencing hearing, Judge Vince Chhabria told federal prosecutors that he was concerned that Baratov could potentially face a tougher sentence solely based upon the fact that among Baratov’s clients were certain Russian nationals who committed the 2014 Yahoo cyberattack, even though there was no evidence that Baratov himself was involved in the Yahoo breach.  Prosecutors sought a nearly eight-year term of imprisonment.  During the sentencing hearing, Judge Chhabria stated that he had “multiple concerns” about the sentence and noted that other hackers engaged in similar conduct had received lesser sentences.  Further briefing was ordered on the issue of what national sentencing ranges are for hackers convicted in federal court.

If you have questions or would like more information, please contact Ted Peters at [email protected].

PA Fed. Ct. Finds UberBLACK Limousine Drivers Maintain Independent Contractor Status

Posted on: April 30th, 2018

By: John P. McAvoy

On April 12, 2018, Uber Technologies, Inc. won its legal battle on the recurring issue of independent contractor misclassification when the Eastern District of Pennsylvania granted the company’s motion for summary judgment in Razak v. Uber Technologies, Inc., No. 16-cv-573 (E.D. Pa. Apr. 11, 2018) (Baylson, J.). In so holding, the court concluded that UberBLACK limousine drivers are not employees of Uber covered by state and federal wage laws.

Uber has been defending independent contractor misclassification cases in state and federal courts throughout the country since the company first opened its doors in 2009. Like several other ride-sharing companies, Uber has persistently maintained that its drivers are independent contractors and that, as such, the company is exempt from the state and federal wage laws of all jurisdictions in which it conducts business. Despite these salient arguments, the vast majority of courts have concluded that the workers were Uber employees subject to wage laws, indicating that a slightly different set of facts may have swayed the decision in the other direction. However, based on the Honorable Michael M. Baylson’s opinion in the Razak case, it appears this pattern has reached its natural end.

Unlike other federal and state courts that have addressed this issue, the Eastern District concluded that almost all of the factors the court considered weighed heavily in favor of classifying UberBLACK limousine drivers as independent contractors that do not enjoy the rights, benefits and securities provided by state and federal wage laws.

The Eastern District reached its decision by applying the six factor test set forth in Donovan v. Dialamerica Marketing, Inc., 757 F.2d 1376 (3d Cir. 1985); namely, (1) the degree of Uber’s right to control the manner in which the work is performed (“Right to Control”); (2) the UberBLACK limousine drivers’ opportunity for profit or loss depending on their managerial skill (“Opportunity for Profit or Loss”); (3) the UberBLACK limousine drivers’ investment in equipment or materials required for their task, or their employment of helpers (“Employee Investment”); (4) whether the service rendered requires a special skill (“Special Skills”); (5) the degree of permanence of the working relationship (“Relationship Permanence”); and (6) whether the service rendered is an integral part of Uber’s business (“Integration”). The court found that all but two of the factors (i.e., Special Skills and Integration) strongly favored independent contractor status. Accordingly, the court concluded that the UberBLACK limousine drivers had not met their burden of showing that they are employees and that Uber is their employer.

If upheld on appeal to the Third Circuit, the Razak decision could finally put to rest the issue of whether Uber drivers and workers at companies that employ similar business models are being misclassified as independent contractors under the Fair Labor Standards Act and any state wage laws that test for independent contractor status in the same or similar fashion.

If you have any questions or would like more information about this case, please contact John P. McAvoy at [email protected].

Banks Attempt to Expand the Scope of Liability for Escrow Companies

Posted on: April 27th, 2018

By: Bryce M. Van De Moere

The collapse of the subprime mortgage market in 2008 created shock waves still felt today.  Over-extended lenders such as Washington Mutual and Countrywide failed; larger financial institutions absorbed their loans and were tasked with trying to administer, process and enforce hastily executed, poorly documented loans.

As the surviving financial institutions finish clearing out the remaining bundled loans, a trend has emerged where large institutions attempt to shift responsibility for collection of outstanding loans to other professionals in the real estate sales market.  The title insurer and the escrow holder have become a target of big banks seeking to protect themselves from bad debt, uncollectible loans or defective security instruments.  Historically, escrow has held the position of the third party in a real estate sales transaction that holds money while ownership, money and title transfer. The escrow holder is the fiduciary to the buyer and seller, tasked with following the buyer’s and seller’s instructions in the sale of real property, which ordinarily includes extinguishing existing loans in favor of the buyer’s new mortgage.  The title insurer protects the buyer and buyer’s lender to ensure the new mortgage is in priority to protect the lender’s security interest.

Where this issue has arisen is in the repayment of the mortgage after the sale of property, usually a home equity line of credit (HELOC) that was offered by the now-defunct lender.  Much of this commercial paper was acquired in pools as opposed to individual transactions with a matching promissory note and deed of trust.  New lenders change loan numbers from the old defunct lender’s account number to account numbers matching the system used by the new owner of the paper.  In other instances, the loan is marked as secured but the original deed of trust is missing or no assignment of the security interest is recorded.  A third situation occurs where there is an accounting issue when a seller claims to have made payments that are not credited on the account.  Finally, in the waning days of Countrywide and Washington Mutual, people refinanced their loans but the paid deed of trust was not re-conveyed and was included in the pool of notes and trust deeds transferred.  Buyers and their lenders want free and clear title.  Escrow can only rely on what the principal tells them the loan number on any HELOC is, or on the old loan number if it is printed on the deed of trust pulled from the assessor’s office.  If the loan number is the old number, a payoff demand may or may not pick up the correct loan account.  Big lenders use clearing houses to issue reconveyances that may or may not record within the statutory 75 days required under California Civil Code 2941.  A new buyer may receive a notice from its lender that has picked up an re-conveyed lien on the property that was to be free and clear.  A title insurer wants to protect its insured so it will issue a release to clear title.

All the while, the big bank is putting the pieces of the puzzle together on the old account and realizes it has been underpaid.  Civil Code 2943(d) offers a remedy, but it is often an empty remedy since the loan obligation is still enforceable, but only as an unsecured contract debt, and the former borrower is long gone.  What to do?  Big Bank sues the escrow for preparing a faulty payoff statement and the title company for statutory violation of Civil Code 2941(b)(6), wrongful recording of the release.

Although existing case law holds the escrow holder’s duty is only to the depositors and not a third party outside of the escrow (Summit Financial v. Continental Lawyers Title, 27 Cal. 4th 705 (2007)), more and more trial courts are allowing banks’ claims against escrow companies to survive summary judgment, forcing escrow companies to the exposure and risks of trial.  Second, on statutory violations against title insurers, banks are using the remedy of subsection (b)(6) as a statutory indemnity, threatening title insurers with exposure to the remaining balance plus all accrued interest, costs, penalties and attorney fees.

Big institutional lenders are well positioned to force changes, legislatively and judicially in what was once thought of as solid law limiting insurers and professional clients’ liability.  The next new horizon looks to be an assault on those limits of liability.

If you have any questions or would like more information, please contact Bryce Van De Moere at [email protected].

Circuits Now Split Three Ways Over False Claims Act Limitations Period

Posted on: April 26th, 2018

By: Robyn Flegal

The Eleventh Circuit Court of Appeals (governing Georgia, Alabama, and Florida) recently held that the three-year statute of limitations for the False Claims Act (FCA) begins when the government learns of alleged violations of the FCA, rather than when a whistleblower/relator learns of alleged violations.  As we previously explained in the FMGBlogLine, the FCA allows whistleblowers to bring claims for violations on behalf of the government in return for a share of any recovery.  In United States of America ex rel. Billy Joe Hunt v. Cochise Consultancy, Inc. d/b/a The Parsons Corporation, a former employee alleged that certain contractors defrauded the Department of Defense out of millions of dollars for work performed pursuant to a wartime contract in Iraq.  According to the Complaint, an Army Corps of Engineers officer forged contract documents after accepting bribes and gifts.  The United States declined to intervene in the lawsuit.

The United States District Court for the Northern District of Alabama dismissed the suit on the basis that Billy Joe Hunt (the employee) was outside of the three-year limitations period for FCA claims.  FCA claims must be filed (1) within six years after the violation occurred, or (2) within three years of the time the appropriate government body is made aware of the violation and within ten years of when the fraud occurred.  The Eleventh Circuit determined that this second, three-year limitations period applies even where the United States declines to intervene in a qui tam action.  Indeed, although the employee knew of the fraud more than three years before he filed suit, his claim was timely because he filed the suit within three years of disclosing the underlying facts to United States officials.  Simply put, in the Eleventh Circuit, the limitations period begins to run when the relevant federal government official learns of the facts; when the whistleblower learns of the fraud is simply immaterial to the statute of limitations.

There is now a three-way circuit split in the Federal Courts of Appeals regarding the tolling deadlines for FCA claims.  In contrast to the Eleventh Circuit’s holding above, the Fourth, Fifth, and Tenth Circuits have ruled that the three-year limitations period does not apply to whistleblowers at all.  The Third and Ninth Circuits have held that the three-year period begins when the whistleblower learns of the fraud.  As there is a split in the circuits, this particular action could be ripe for a decision by the Supreme Court if the defendants petition for a writ of certiorari.

As such, we will continue to monitor developments in this area.  For questions, please contact Michael Bruyere at [email protected], Robyn Flegal at [email protected], or Ali Sabzevari at [email protected].

Countries Around the World Are Investigating Facebook’s Cambridge Analytica Event

Posted on: April 26th, 2018

By: Allen E. Sattler

On March 18, 2018, news broke of the Cambridge Analytica event where the data of an estimated 87 million Facebook users was disclosed to the UK-based political consulting firm.  The breach of user data resulted in several U.S. investigations, including by Congress and by the Federal Trade Commission (“FTC”).  Facebook entered into a consent decree with the FTC in 2011, where Facebook agreed to never make deceptive claims concerning users’ privacy and to obtain users’ informed consent before changing the way in which it shares their data.  The FTC is investigating whether Facebook violated the terms of this agreement which carries a possible $40,000 per-violation fine.

On April 10 and 11, Mark Zuckerberg appeared before Congress where he testified that Facebook failed to protect its users’ data and that Facebook “didn’t take a broad enough view” of its responsibility in ensuring the privacy of its users following its initial discovery of the Cambridge Analytica event.  He also accepted personal responsibility for the matter as the company’s founder and CEO.

What might have been lost in the flurry of domestic activity is the amount of scrutiny Facebook is receiving by nations around the globe.  This breach involved users from many countries, with over 1 million affected users in each of four different countries.

The European Union launched an investigation into Facebook on March 19, and the United Kingdom and Australia quickly followed.  Under Australian privacy laws, the government has the authority to issue fines against Facebook of up to $1.6 million if it determines that Facebook violated those laws.

Countries of southeast Asia soon followed with investigations of their own.  Indonesia, which is home to over 115 million Facebook users, 1 million of whom were affected by this breach, launched an investigation on April 6.  Under Indonesian law, the government can assess fines against Facebook representatives personally of up to $870,000.  Singapore has opened an investigation as well, where it has already questioned Facebook executives located in their country.

The Philippines announced its investigation into Facebook on April 13.  The country was rated as the biggest user of social media several years running.  Research indicates that Filipinos spend almost four hours per day on various social media platforms.  This breach affected nearly 1.2 million Filipinos, and news reports indicate that Cambridge Analytica might have helped President Rodrigo Duterte in his successful 2016 campaign.  The event therefore has enormous significance to Filipinos.

On Friday, April 20th, Germany became the latest country to open an official investigation into Facebook.  Germany’s data privacy regulator said fines could be levied against Facebook in the amount of 300,000 euros ($366,000).

Facebook had revenues of more than $40 billion last year, so the fines that each country might assess against the company seem relatively insignificant.  The investigations launched against Facebook can nevertheless have a big impact on the company and on the entire industry.  This event has garnered the attention of countries around the world, and it has already led to a greater awareness of privacy concerns that exist on social media platforms.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].