
Archive for the ‘Cyber, Privacy, & Security’ Category

Largest Jury Verdict in TCPA History: Defendant Faces $925 Million in Damages

Posted on: April 18th, 2019

By: Jennifer Lee

On Friday, April 12, 2019, a federal jury in Oregon rendered a verdict in a certified class action that could leave ViSalus, Inc. on the hook for $925 million for making more than 1.85 million unsolicited robocalls in violation of the Telephone Consumer Protection Act (“TCPA”). The case is Wakefield v. ViSalus Inc., Case No. 3:15-cv-01857, in the U.S. District Court for the District of Oregon.

The TCPA prohibits prerecorded calls to cell phones and home phones without prior written consent from the recipient. The TCPA also prohibits the use of an automated dialing system (“ATDS”) to place calls to cell phones without prior written consent. This was a non-issue as ViSalus had already conceded that it used an ATDS for the calls at issue.

During the three-day trial, the named plaintiff and class representative Lori Wakefield testified that she had received four prerecorded calls from ViSalus on her home phone even though she did not consent to such calls. The jury believed her and concluded that the four calls received by Wakefield and the 1.85 million calls received by members of the certified class violated the TCPA.

Statutory damages for TCPA violations are $500 per call, and with more than 1.85 million calls at issue, this verdict could translate into approximately $925 million in damages for ViSalus. But there is more. Since the TCPA allows for treble damages for deliberate violations, if U.S. District Judge Michael Simon finds that ViSalus “willfully or knowingly” violated the statute, ViSalus may be subject to $2.775 billion in damages.

This verdict has wide-reaching implications for companies. It shows that jurors are receptive to TCPA class actions and do not view them as nuisance cases. This is in part because consumers are being bombarded by unwanted telemarketing calls, which are at historical highs and increasing every year. It also means that companies will have a harder time settling these cases, and that settlement amounts will rise as the plaintiffs’ bar becomes more willing to take TCPA class actions all the way to trial.

If you have any questions regarding the TCPA, including compliance and defending against a TCPA class action, please contact Jennifer Lee at [email protected].

SEC Holds Public Forum as Part of Increasing Efforts to Regulate Digital Assets, Cryptocurrency Exchanges, and ICOs

Posted on: March 28th, 2019

By: Jennifer Lee

The Securities and Exchange Commission will be hosting a public forum on distributed ledger technology and digital assets in Washington DC on May 31, 2019. This is a part of the SEC’s increasing efforts to regulate cryptocurrency exchanges and initial coin offerings (ICOs) that have been proliferating unchecked until very recently.

Since digital assets are still an emerging concept, regulators, such as the SEC and the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of Treasury, have been struggling to figure out how the existing regulatory framework applies to cryptocurrencies, exchanges, and ICOs. However, as established financial institutions, such as Fidelity, begin to enter the digital asset space, the SEC has ramped up its efforts to ensure that companies are aware of and are in compliance with all applicable laws and regulations. Depending on the nature of the services provided, companies may be subject to the Securities Exchange Act of 1934, Bank Secrecy Act, and states’ money transmitter licensing statutes.

The push for more oversight over cryptocurrencies comes on the heels of high-profile scandals involving cryptocurrency exchanges and ICOs that left consumers and investors alike with nothing but questions after losing their fiat and digital currencies.

The very first incident involved Mt. Gox, a bitcoin exchange based in Tokyo, Japan that operated between 2010 and 2014. Cryptocurrency exchanges allow their users to exchange fiat currency (e.g., U.S. Dollars) into cryptocurrency and provide digital wallets for users to store their cryptocurrency. At its heyday, Mt. Gox was handling over 70% of all bitcoin transactions worldwide. However, it ran into a host of problems in 2013 continuing on to 2014 until it stopped operations and filed for bankruptcy. During the litigation that ensued, it was revealed that Mt. Gox somehow lost approximately 750,000 of its customers’ bitcoins, valued at around $473 million at that time.

More recently, in February 2019, the cryptocurrency exchange QuadrigaCX announced that it was missing approximately $145 million in digital assets. Its executives, consumers, and law enforcement are in a frenzy to determine what happened to the missing digital assets as the only person who had access was QuadrigaCX’s founder Gerry Cotten, who had passed away the month prior.

These incidents are not limited to cryptocurrency exchanges, especially as ICOs have become more popular in recent years. ICOs are similar to IPOs in the sense that investors can buy a stake in a particular cryptocurrency (referred to as a token), but unlike IPOs, a token’s value is not tied to the value or performance of an underlying company. In November 2018, the SEC settled charges against professional boxer Floyd Mayweather Jr. and singer/producer DJ Khaled for failing to disclose payments they received for promoting investments in ICOs. This suggests that despite the decentralized nature of cryptocurrencies and ICOs, the SEC has assumed jurisdiction over the space and its players.

Accordingly, broker-dealers and investment advisory firms looking to get involved in the digital asset space, including operating cryptocurrency exchanges, providing trading platforms for cryptocurrencies, or facilitating ICOs, must ensure that they are in compliance with all existing laws and regulations that govern traditional financial transactions and investments.

For more information or to inquire about the firm’s services related to digital currencies, please contact Jennifer Lee at [email protected].

Bold New Changes to Massachusetts’ Data Breach Notification Law

Posted on: March 15th, 2019

By: Michael Kouskoutis

Effective April 11, 2019, Massachusetts’ data breach notification law will compel notifying entities to follow several additional and unprecedented requirements when responding to a data breach.

First, the notifying entity must report to the state’s Attorney General whether it has implemented a written information security program (WISP). In the event the entity has no WISP in place, follow-up inquiries and perhaps even penalties may result.

If applicable, notifying entities will also have to inform affected individuals of the name of their parent corporation or affiliated companies, which could generate negative publicity for companies whose subsidiaries suffer a data breach. Notably, the statute provides no threshold level of ownership before triggering this provision.

Further, the entity will not be permitted to delay notifications on the ground that the total number of residents has not yet been determined. In effect, the entity may have to issue breach notifications on a rolling basis instead of waiting for the investigation to conclude.

Lastly, Massachusetts’ Office of Consumer Affairs and Business Regulation will publish on its website the entity’s individual notification letter in addition to other details about the breach. It will also assist Massachusetts residents in filing public records requests to the Attorney General to obtain state agency notification letters.

These changes are not the type we have seen other states make in recent years; Massachusetts is taking a very bold step towards a more involved notification procedure. We will be monitoring changes to other data breach notification laws to see whether other states follow Massachusetts’ lead. If you have any questions or would like more information, please contact Michael Kouskoutis at [email protected].

What Constitutes a Reasonable and Defensible Process?

Posted on: February 27th, 2019

By: John Goselin

Society has coalesced around the general principle that businesses, governments or individuals in possession of personal confidential information (whether medical or financial) or personal identifiable information have a duty to protect that information from cyber bad guys stealing it. The reputational damage and financial costs associated with a cyber incident cannot be ignored.

But how much protection is enough? How many safeguards is it realistic to expect those in possession of information to put in place to protect that information? In other words, is there a recognized standard of care where the possessor of confidential information can feel comfortable that the protections/safeguards they have put in place are consistent with what the rest of the world is doing? Can you feel comfortable as a business owner, officer, director or IT specialist that what you are doing is reasonable and defensible in front of regulators, judges and potentially a jury?

Five years ago, the U.S. Department of Commerce’s National Institute of Standards and Technology rolled out the “Framework for Improving Critical Infrastructure Cybersecurity.” The NIST’s Cyber Security Framework was last updated on April 18, 2018, and is a 48-page process outline that businesses should consider adopting as they assess the appropriate cyber security safeguards for their specific circumstance. According to the NIST, the Framework has been downloaded more than 500,000 times. The NIST Framework is not a definitive list of precisely what steps you should undertake, but it outlines a process for addressing this extremely complex issue. With a vetted, federally-endorsed process, you and your business can credibly state that you took reasonable steps to address a known problem and that the security measures you implemented were the result of a reasonable and defensible process. You will have something to say in your defense! That is a lot better than simply having your head in the sand.

In November 2018, the state of Ohio passed legislation that included a “safe harbor” against cyber liability for covered businesses that have adopted one of fourteen (14) recognized cyber-security process frameworks. In layman’s terms, if a business can show that they followed one of the approved “frameworks,” the business can avoid liability after the bad guys steal the data. The NIST Cyber Security Framework is one of the recognized industry frameworks. More states are likely to follow Ohio’s lead.

There is plenty of information available to help businesses develop a legally defensible process for handling cyber threats. Buckle down, adopt a process, get some help and put your business in a more defensible position vis-à-vis an unfortunate cyber incident.

If you have any questions or would like more information, please contact John Goselin at [email protected].

Ninth Circuit Tightens FCRA Disclosure Requirements

Posted on: February 12th, 2019

By: Matthew Foree

Ninth Circuit Holds Combining State and Federal Disclosures Violates FCRA’s Standalone and Clarity Requirements

The Court of Appeals for the Ninth Circuit recently issued a decision regarding the disclosure requirements under the Fair Credit Reporting Act (“FCRA”).  The FCRA includes certain requirements for employers prior to obtaining a consumer report on a job applicant. For example, employers must provide the applicant a “clear and conspicuous disclosure” that they may obtain such a report “in a document that consists solely of the disclosure.”

The Ninth Circuit took the FCRA’s language literally, prohibiting the employer from including any superfluous information in the disclosure document. The case at issue, Gilberg v. California Check Cashing Stores, LLC, involved a class action filed by Desiree Gilberg, a former employee of CheckSmart Financial, LLC (“CheckSmart”). Before she began working with CheckSmart, Gilberg signed a disclosure regarding background information, which provided that CheckSmart could obtain her background report and that she had the right to request a copy of the report. The form also included information regarding her right to obtain a copy of the report under various state laws. Gilberg alleged that the disclosure violated the FCRA and California’s state law disclosure statute. The Ninth Circuit agreed and reversed the District Court’s grant of summary judgment to CheckSmart.

The Ninth Circuit interpreted the statute literally by holding that providing other state disclosure information in the disclosure form violated the FCRA’s stand-alone document requirement. The Court held that such “extraneous information is as likely to confuse as it is to inform” and, therefore, does not further the FCRA’s purpose.

The court also held that the disclosure, although conspicuous, was not clear. The court focused on the following language of the disclosure at issue:

The scope of this notice and authorization is all-encompassing; however, allowing CheckSmart financial, LLC to obtain from any outside organization all manner of consumer reports and investigative consumer reports now and, if you are hired, throughout the course of your employment to the extent permitted by law.

Among other things, the court recognized the lack of clarity in the first part of the sentence and the typographical error in the second part of the sentence, which lacked a subject and was incomplete. Therefore, it determined that this provision contained “language that a reasonable person would not understand.” The court also held that the disclosure would confuse a reasonable reader because it combined federal and state disclosures.

According to the Gilberg decision, employers in the Ninth Circuit cannot include disclosures required by other state laws in the same document that contains the FCRA disclosure. The obvious result of the decision will be the increase in documentation driven by separate disclosure statements. Although it is unclear whether other courts will adopt the Ninth Circuit’s holdings, employers would do well to revisit their forms to ensure compliance. Given the court’s position that language that would confuse a “reasonable person” would violate the clear and conspicuous requirement, employers should also ensure that their disclosures are clear.

If you have any questions or would like more information, please contact Matthew Foree at (770) 818-4245 or [email protected].