Back in February, the California Court of Appeal in Hataishi v. First American Home Buyers Protection Corp., 223 Cal. App. 4th 1454 (Feb. 21, 2014), dealt a significant blow to call recording class actions across California. The Court held that plaintiffs asserting claims under California Penal Code section 632 (“Section 632”) had to establish that the telephone calls that were monitored or recorded were “confidential” – meaning that the plaintiffs had an objectively reasonable expectation that their calls were not being overheard or recorded. Applying this standard classwide was impossible. Each individual’s objectively reasonable expectations would turn on individualized inquiries, including the length of the class member’s experience with the defendant, whether the class member had ever been notified that her calls with the defendant may be monitored or recorded, and each class member’s experience with other businesses that record or monitor calls. We asked then whether call recording class actions were doomed.
Most companies are worried about external threats – things that are coming at their people, their group, their company, their government, all from an outside actor. Like governments with an eye on counter-intelligence, however, savvy businesses also realize that their employees can also pose a very real, internal threat. While an insider breach is not necessarily a common event, when it does happen, it tends to happen on a large scale. Last year, the FBI reported that when a malicious insider breach surfaced, it cost industry $412,000 per incident, on average. Over ten years, the average loss per industry is $15 million. And, unless you’ve been hiding under a rock, you know that the Government is not immune to insider breaches and the reputational impact to federal contractors resulting therefrom. Exacerbating, or perhaps facilitating, this threat is the manner in which companies (and governments) store, transfer, and maintain vital company records and data. With the right password and a $16 thumb drive, an intern can steal the corporate keys to the kingdom, and still be home in time for lunch. Simply put, all employers face the risk of insider threats, which are more perilous than ever in the computer age. Recognizing that internal threats are real, the issue, then, is how to stop these threats from manifesting. Learning from recent high-profile mistakes, the Government is trying to make sure its contractors stay ahead of the risk of an internal breach.
In July 2014, the Russian President signed data protection and information legislation that requires all “data operators” who are processing personal data of Russian citizens, including over the Internet, to do so from servers/databases within Russia. While the original law provided for a September 1, 2016 commencement date, new legislation is moving through the Russian Parliament that would advance the commencement date to January 1, 2015. This law should significantly impact the collection, processing and storage of personal data of Russian citizens.
This issue was recently reported on by our friends at Bird & Bird. Click this link to read the Bird & Bird alert.
California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information. AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach, then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer. The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.” It is also unclear what exactly is intended by or who qualifies as “the source of the breach.”
Consumers frequently reveal personal information about themselves through a variety of daily online and offline activities. For fashion designers and retailers, this consumer information represents a valuable tool to identify, target, and expand customer advertising and messaging. This information can be utilized by employing a data broker, or a company that aggregates consumer information and provides information about the relevant consumer marketplace. Data brokers collect, maintain, manipulate, and share a significant amount of data about consumers without ever directly interacting with them. While data brokers afford a major advantage for retailers, including fashion companies, they also raise privacy concerns for the consumers that data brokers profile. The Federal Trade Commission (“FTC”) recently issued a report summarizing the results of its study on the activities of nine data brokers, and recommended that Congress consider enacting legislation to make data broker practices more transparent or to give consumers greater control over the personal information that is collected about them and shared by data brokers. This post summarizes the portions of the FTC’s report that are most relevant for fashion retailers and designers.
Since early 2014, the Federal Trade Commission has charged at least fourteen U.S. businesses in varying industries, from fashion to telecommunications, for falsely claiming to participate in the US – EU Safe Harbor privacy. Three of the companies were also charged with similar violations of the US – Swiss Safe Harbor. The Safe Harbor provisions were designed to provide U.S. and European organizations a legal, cost-effective means for transmitting consumer data outside of European countries, which maintain strict data privacy laws. On June 25, 2014, the FTC reported approval of final orders settling charges of US – EU Safe Harbor violations against the fourteen entities.
As federal courts continue to grapple with the explosion of litigation brought by plaintiffs under the Telephone Consumer Protection Act (“TCPA”), the Federal Communications Commission (“FCC”) is increasingly being called upon to address complex questions arising from the application of this analog statute to the digital world. The latest example is a brief amicus curiae filed by the FCC in Nigro v. Mercantile Adjustment Bureau, LLC. In that case, Albert Nigro contacted a power company in New York to discontinue the service of his recently deceased mother-in-law and provided the company with his cell phone number in doing so. Thereafter, a debt collector (acting on behalf of the power company) called Nigro 72 times over a nine-month period to collect on a $67 delinquency that remained on his mother-in-law’s account.
In Osorio v. State Farm Bank, F.S.B., No. 13-10951, 2014 U.S. App. LEXIS 5709 (11th Cir. Mar. 28, 2014), the U.S. Court of Appeals for the Eleventh Circuit has provided some guidance on the parameters of “prior express consent” under the Telephone Consumer Protection Act (“TCPA”). In particular, the court held: (1) consent can be given on behalf of another person if an agency relationship exists and (2) a party may orally revoke consent.
In Americana Art China Company, Inc. v. Foxfire Printing & Packaging, Inc., 743 F.3d 243 (7th Cir. Feb. 18, 2014), the U.S. Court of Appeals for the Seventh Circuit affirmed the district court’s attorneys’ fees award in a class action settlement arising from the defendant’s faxing of thousands of unsolicited advertisements in violation of the federal Telephone Consumer Protection Act. In doing so, the Seventh Circuit reaffirmed the district court’s discretionary power to use the lodestar method, rather than the percentage method, to determine an appropriate fee award for class counsel. The Seventh Circuit held that the lodestar methodology was properly applied and permissible under the circumstances.
The Telephone Consumer Protection Act, 47 U.S.C. § 227, et seq. (“TCPA”), prohibits “robo-calls” to cell phones, text messages and “junk” faxes without prior consent. It imposes statutory penalties from $500 to $1,500 per violation, regardless of any actual damage, and is thus increasingly popular with the plaintiffs’ class action bar. Though passed in 1991, there are relatively few Circuit Court of Appeals decisions regarding the TCPA. In August of 2013, however, both the Third and Seventh Circuits issued TCPA decisions—one involving the revocation of prior express consent and the other involving cy pres awards in TCPA class actions.