If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.
Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here.
Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.” The purpose of Store Sales Management is to allow for the matching of goods purchased in physical brick-and-mortar stores to the clicking of online ads, or, as we refer to the practice, “Bricks to Clicks.”
The significance of this is immense. No longer will advertisers have to wonder how much revenue can be tied to a specific campaign; instead, Store Sales Management will give them insight into how actual consumers who viewed advertisements purchased certain products.
Wells Fargo’s inadvertent production of personal identifying information (“PII”) in a case involving a former employee became national news when the New York Times broke the story late last week. Discovery practices are hardly the stuff of salacious tweets and White House leaks, so when routine document production lands on the pages of the Times, you know something must be remiss.
By way of background, the Times reported that an attorney for Wells Fargo inadvertently produced confidential PII from approximately 50,000 customers to a former employee in response to a third party subpoena received in association with the former employee’s defamation case against his brother (also a Wells Fargo employee). The 1.4 gigabytes of materials produced reportedly contained voluminous spreadsheets detailing customer identities, social security numbers, Taxpayer Identification Numbers, and information relating to specific accounts and investment portfolios. The document production came to light only after the former employee’s attorney in a different action centering on a contract dispute (also involving the former employee’s brother) informed Wells Fargo’s attorney that the documents had been produced in the defamation action.
The makings of a soap opera?
Here’s the full story: Former Wells Fargo employee Gary Sinderbrand sued his brother, and former business partner, Steven Sinderbrand, who remains a Wells Fargo employee, for defamation in New Jersey state court in 2016. Wells Fargo was not a party to that case. Brother Gary also sued brother Steven and Wells Fargo in April 2017 alleging breach of both a consulting and a separation agreement. On February 13, 2017, Gary’s attorney in the New Jersey action served Wells Fargo with a third-party subpoena seeking electronic communications between Gary and other Wells Fargo employees. Wells Fargo agreed to conduct a search of four custodians’ e-mailboxes using various search terms. An e-discovery vendor conducted the searches and, upon completion, Wells Fargo’s attorney reviewed the search results, consisting of around 2,500 emails, marking them confidential or privileged.
Simple enough, right?
Unfortunately, an apparent combination of user error and production miscommunications led to the production of unreviewed confidential and privileged documents to which the PII was attached. Those documents were produced by Wells Fargo’s attorney to Gary’s attorney in the New Jersey action on July 6, 2017. Surprisingly, it was not until July 20, 2017 that Gary’s attorney in the New York action notified Wells Fargo’s attorney that emails containing privileged communications and PII had been produced. Subsequently, the production of these emails was made known to the Times, which broke the story on July 21, 2017.
Most problematically, the documents were produced by Wells Fargo’s attorney without reference to any governing protective order or confidentiality agreement detailing steps to be taken by the parties to protect and minimize disclosure of PII. Moreover, without the benefit of such agreements, and the often attendant inadvertent disclosure clawback provisions, Wells Fargo and its attorney had no ability to seek the immediate return of the inadvertently produced PII without court intervention.
Wells Fargo’s attorney has since moved for an emergency restraining order barring Gary or his attorney from retaining the documents in the New York action and the court in the New Jersey action has ordered Gary and his attorney to turn the CD containing the documents over to the Court pending a hearing. However, the cat, as they say, is out of the bag. And, while two judges will decide the fate of the documents for use in these respective cases, the reputational damage has already been done to Wells Fargo.
Avoid this fate!
While accidents happen in even the most carefully coordinated document production, keep these questions and suggestions in mind whenever your organization’s data is going to be shared for purposes of litigation, whether with an outside attorney, a vendor, or, most certainly, an adversary.
- Know your data
Where does PII manifest itself in your organization’s records? PII is not just a concern for financial institutions and is more than social security numbers and account numbers in the traditional sense. Does your organization keep records that contain customer names with internal account identifiers, phone numbers, addresses (even zip codes), or other unique identifiers? What about HR files with employee contact information, information related to an employee’s benefits, or direct deposit information? How about a customer service/contact logging database or application?
Know your files and engage actively with your attorney when discussing what documents may need to be collected, reviewed, or produced in association with the litigation. If there is a chance they contain employee or customer PII, make sure these documents are closely examined as they are collected.
- Narrow what is shared
Specificity is key. What are the documents being sought in the litigation and what sources need to be considered? Can non-responsive documents or sources that contain PII be easily segregated from the collection of otherwise responsive documents? If documents containing PII or attaching it come into play, how can PII be redacted or anonymized to the extent it is not relevant to the claims at issue before any documents are queued for review?
- Follow a strict collection and review protocol
How will documents be shared with your outside attorney or vendor? What safeguards will be put into place to guarantee that any documents containing PII will be redacted to the extent not relevant? What do the relevant state privacy statutes dictate with respect to the disclosure of PII?
- Check, check, and re-check
Machines and technology are only as good as their operators. Even if you or your attorney have reviewed for PII and redacted or removed whatever PII can be omitted, make sure you have a sufficient quality control process in place to confirm that all instructions are followed and only documents that have been clearly reviewed and determined to be appropriately coded are batched for production.
- Safeguard the production
When producing documents containing PII, make sure there is a mechanism in place to address inadvertently produced documents, inadvertently non-redacted documents, or documents lacking appropriate confidentiality coding. If you are a third party responding to a subpoena, ask the subpoenaing party if a protective order is in place that will apply to the document production. If not, discuss execution of a confidentiality agreement as a precursor to the production of documents. And always remember to consider restraints on the disclosure of produced documents beyond the immediate parties and case at hand, especially if you are a non-party responding to a subpoena.
If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017.
New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the use of any PII collected for the purposes identified in the Act.
In recent years, retailers have commonly adopted the practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, to verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).
Under PIPPA, retailers will only be permitted to scan ID cards to:
- Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
- Verify the customer’s age when providing age-restricted goods or services to the customer.
- Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
- Establish or maintain a contractual relationship.
- Record, retain, or transmit information as required by state or federal law.
- Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
- Record, retain, or transmit information by a covered entity under HIPAA and related regulations.
PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers. It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA. In-store notice of any such practices will likely be required.
The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes. Under PIPPA, businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages. Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number. Any of this information collected from scanned ID cards is required to be “securely stored,” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.
And there are penalties. PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offense. Further, the law allows “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.
The “business compromise email” is what the FBI calls the “$5 billion scam,” but apparently an insurance company did not agree with an insured company that they had been the victim of a crime.
A federal court recently found that a crime policy afforded coverage for a $4.8 million wire transfer that an insured company was duped into making. See Medidata Solutions, Inc. v. Federal Ins. Co., 15-CV-907 (SDNY July 21, 2017). In this case, the thief took advantage of “real” facts, posing as the insured’s attorney for a corporate transaction. More specifically, the insured was contemplating an acquisition and, as part of that process, the president instructed the finance department to be prepared, on an urgent basis, to assist with the transaction.
The Internet of Things (“IoT”) can be thought of as a group of different devices that can communicate with each other, perhaps over a network such as the internet. We have written extensively about many of the privacy challenges that IoT devices can create. Recently, the Federal Trade Commission (“FTC”) made clear that its Children’s Online Privacy Protection Rule (the “COPPA Rule”) would continue to be applicable to new business models, including “the growing list of connected devices that make up the Internet of Things. That includes connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.”
To assist companies in complying with their COPPA obligations, the FTC has released an updated Six Step Compliance Plan. These steps are:
Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement
Notably, per Step 1, the FTC has made it clear that COPPA defines “Website or Online Service” broadly, to include “mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, connected toys or other Internet of Things devices.” A key takeaway for companies everywhere is that, if your service collects personal information from kids under 13, it is unlikely that the FTC will be swayed by an argument that your service is not subject to the COPPA Rule. Instead, entities would be wise either to limit their data collection activities such that personal information is not collected, or to take the time to understand and comply with their COPPA obligations from the outset.
If your IoT device or app does collect personal information from kids under 13, “verifiable parental consent” is the most important compliance concept, and also tricky to implement. There are exceptions to this “verifiable parental consent” requirement in the COPPA Rule, but those exceptions are limited and reliance on any exception should only be done with careful consideration of your collection practices and the COPPA Rule.
Similarly, the FBI has warned consumers that Internet-connected toys present privacy concerns for children. Companies may wish to pay particular attention to the recommendations that the FBI has for consumers, as many of them involve the consumer researching whether the company has used basic measures to protect the privacy of children who use these toys, including using authentication and encryption as well as providing security patches at the device level. Companies may wish to consider whether these suggestions could form part of the basis for a reasonable standard of care, and whether, given their IoT devices’ “use case,” a failure to support one or more of these measures could subject them to additional liability.
If you have any questions regarding COPPA compliance, please do not hesitate to contact the team at Mintz Levin.
Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.
Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3):
In a decision sure to have wide-ranging implications for cross-border discovery and governing privacy regimes, the Supreme Court recently held in Water Splash, Inc. v. Menon, that the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil and Commercial Matters (the “Hague Service Convention” or the “Convention”) does not prohibit service by mail. While the Court stated explicitly that its holding does not affirmatively authorize service by mail, the Court concluded that the Convention does not prevent service by mail if: (1) the receiving country has not objected to service by mail; and (2) service by mail is authorized under otherwise-applicable law.
For any corporate entity with global operations or employees and consumers abroad, take a close look at the terms of the Convention and the applicable service laws of the countries in which you maintain operations, and, as always, be mindful of where you might need to look for documents or other things that might be implicated in relation to a complaint served or received abroad. At the very least, pop Bob Dylan into Pandora and enjoy this warm summer day.
Oregon’s legislature recently expanded the scope of statutory consumer protections by passing a bill to amend the state’s Unlawful Trade Practices Act (the “Act”). Recently, Oregon’s Governor Kate Brown signed H.B. 2090 into law after near unanimous passage by state lawmakers. The bill is particularly notable because it squarely targets online commerce and imposes liability on businesses for publishing false or misleading online privacy policies.