Header graphic for print

Password Protected

Data Privacy & Security News and Trends

SEC Issues Guidance in Wake of WannaCry Ransomware Attack

Posted in Cybersecurity, Regulation

On Friday, May 12, the WannaCry ransomware attack struck hundreds of thousands of users across the globe, causing major disruptions in private and public networks. The attack, which encrypts a user’s files and holds them for ransom, may infect a computer without any action taken by the user.  With similar attacks expected, and as we have previously discussed, businesses would be well served to proactively take steps to protect themselves from WannaCry and other malicious cyberattacks.

On the heels of yet another high profile cyberattack, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an alert to broker-dealers, investment advisers, and investment companies warning them of WannaCry and reminding them of the importance of addressing cybersecurity issues to protect investors and clients.  Regulated entities are required by Regulation S-P, 17 C.F.R. § 248.30(a), to adopt written policies and procedures (administrative as well as technical) to safeguard the personally identifiable information of their investors, clients, and customers.  The regulation requires that these procedures be reasonably designed to protect against anticipated cyber threats and unauthorized access to or use of customer records or information.

In 2015, OCIE launched its cybersecurity examination initiative, and the SEC’s Division of Investment Management and FINRA simultaneously offered guidance to regulated entities on cybersecurity.  The OCIE alert serves as a reminder to regulated entities of their obligation to safeguard client data.  In conducting a recent examination of 75 SEC registered broker-dealers, investment advisers, and investment companies, OCIE found that 26% of investment advisers and investment companies surveyed did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, and 57% of investment advisers and investment companies did not conduct penetration tests and vulnerability scans on critical systems.  Broker-dealers fared better, with only a 5% deficiency rate in both categories.

Both the SEC and FINRA have made enforcement of cybersecurity issues a focus, and recent SEC enforcement actions demonstrate its willingness to pursue firms that have suffered from cyberattacks and that lacked policies and procedures that the SEC deemed to be “reasonably designed” to safeguard customer information.  For example, R.T. Jones Capital Equities Management recently settled a cease-and-desist proceeding after an unauthorized, unknown intruder gained access to the personally identifiable information of over 100,000 individuals.  This breach cost R.T. Jones a $75,000 civil monetary penalty.

The WannaCry attacks and OCIE’s alert should serve as a reminder that regulators are watching how broker-dealers and other regulated entities safeguard customer data.  For a regulated entity, crafting effective cybersecurity policies and procedures is essential not only to preventing harmful and embarrassing attacks, but also to prevent a potentially costly regulatory action.  As a regulatory compliance matter, these policies and procedures are more than an IT policy and require scrutiny from well-advised in-house counsel.

UK Cyber- Security Breaches Survey

Posted in Cybersecurity, EU Data Protection

The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.

More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1500 UK businesses. According  to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate and for many larger companies the cost is much more, not least in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or they are put off by scaremongering tactics by InfoSec consultants or cyber insurance brokers.

Cybersecurity should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation, under data protection legislation and potential action from regulators, such as the ICO or FCA, for businesses in the financial sector. Continue Reading

Facebook Fined €110 Million For Inaccurately Describing How it Can Use Data

Posted in EU Data Protection, Information Management, Social Media

On May 18, 2017, the European Commission imposed a “proportionate and deterrent” fine of €110 million on Facebook for providing misleading information during the Commission’s investigation under the EU merger control rules of Facebook’s acquisition of WhatsApp. This decision – which it is understood Facebook will not appeal – is an example of the importance that the Commission puts on complying with all aspects of the EU merger rules.  The information at issue concerned how Facebook would be able to use its and WhatsApp’s data.  Although the case did not directly concern the processing or use of data as such, its factual background raises data protection issues and it is notable that similarly high fines will soon be possible under the EU’s General Data Protection Regulation (GDPR) for data protection infringements.

During the acquisition notification procedure in 2014, the Commission had some concerns about Facebook’s ability to establish automated matching between users’ accounts in the two services. Such matching could be a way for Facebook to introduce advertising on WhatsApp and/or to use personal data sourced from WhatsApp to improve its targeting of advertisements. From a competition perspective, this could strengthen Facebook’s position in the online advertising market and hamper competition in such market. From the data protection side, data subjects and data protection authorities should be informed of any such data sharing between Facebook and WhatsApp, as well as possible new processing resulting from that matching.

Facebook informed the Commission that it would be technically impossible to achieve reliable automated matching between Facebook users’ accounts and WhatsApp users’ account.  However, WhatsApp updated its Terms of Service and Privacy Policy in August 2016, which update included the possibility of linking WhatsApp user’ phone numbers with Facebook users’ identities.  The Commission investigated and found that the technical possibility of this automatic matching of identities existed in 2014, that Facebook staff were aware of this and that Facebook was aware of the relevance of the issue for the Commission’s investigation. Facebook’s answers in 2014 had been incorrect or misleading and a fine was justified.

Separately, in a letter of October 2016, the Article 29 Working Party (WP29, gathering all EU data protection authorities) called into question the validity of the existing WhatsApp users’ consent to this change under data protection rules.  This is because, at the time they signed up, users were not informed that their data was to be shared among the “Facebook family of companies” for marketing and advertising purposes.  The WP29 announced an investigation, urged WhatsApp to communicate all available information on this new data processing and required the company not to proceed with the sharing of users’ data until appropriate legal protections could be assured.

This investigation by the Article 29 Working Party demonstrates once again, against the background of the increased sanctions soon to be introduced under the GDPR, the importance of compliance with data protection law in the EU.  For example, companies engaged in a merger or acquisition should integrate data protection compliance programs (in addition to those covering, at least, general corporate, competition and bribery/corruption matters). Such programs should include at least the following measures:

  • Map and assess the privacy risk involved in the new processing to be carried out in the context of the corporate operation (due diligence audits, international transfers, etc.), as well as the privacy risk involved in the new processing that will be carried after the operation.
  • To the extent required by law, inform the data subjects (employees, clients, stakeholders, etc.) about those new processing and purposes, taking into account confidentiality issues.
  • Take all steps necessary to make the new data processing, data transfers and processing purposes compliant with the various applicable data protection rules.

Trump’s Cybersecurity Executive Order: Has Anything Really Changed?

Posted in Cybersecurity, Data Security

Last week, President Trump signed an executive order (EO) designed to strengthen national cybersecurity and critical infrastructure. The EO focuses on the modernization of the federal information technology (IT) network and national cybersecurity risk management. While the order does not specifically address private-sector business procedures, companies will likely be forced to adjust operations in response to cybersecurity risks.

Modernization of Federal IT

To promote IT modernization, the EO specifically directs agencies to “show preference” for shared IT services including email and cloud services, requests strategies to reduce threats from botnets, and seeks a plan to help secure critical infrastructure. As a part of the modernization process, the order states that agency heads will be held accountable for promulgating cybersecurity initiatives and adequately protecting and managing cybersecurity risks. The tone of accountability woven throughout the order is particularly noteworthy, as the order suggests that President Trump may be much more interested in holding senior officials personally accountable for cybersecurity failings than were past presidents.

Although most of these modernization efforts will take time, one immediate effect from the order is that each agency is now explicitly required to follow the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST). Notably, the EO does not include the language, “at a minimum” preceding that requirement.  By excluding that language the order potentially disincentives, or at least fails to incentivize, agencies from exploring security policies and procedures beyond what NIST requires.

In order to implement such an extensive modernization effort, there are legitimate budgetary concerns. To help address this issue, the Secretary of Commerce, among others, are charged with reporting on the budgetary considerations involved with the federal transition to a secure and shared IT service. However, it is unclear how the new budgetary requests will be managed by Congress and whether budget cycles and associated processes will impede the expedited reforms that the President is seeking.

Risk Management

The order seeks to determine to what extent the country is prepared for and could respond to a prolonged cyber incident. As a part of the information gathering process, the EO requires several difference agencies to prepare reports which are due within 45 to 240 days; most of the reports are due within the next 90 days. These reports include:

  • addressing the country’s strategic options for deterring adversaries and protecting against cyber threats;
  • the assessment of cybersecurity-related education, training, and apprenticeship programs;
  • the sufficiency of existing policies to promote market transparency of cybersecurity risk management practices by critical infrastructure entities;
  • the potential scope and duration of a prolonged power outage associated with a significant cyber incident; and
  • the cybersecurity risks facing the defense industrial base and recommendations for mitigating those risks.

While the relatively short 90-day reporting deadline illustrates a sense of urgency on this matter, it does raise the concern that agencies may be forced to rely on existing perspectives and information or to generate relatively cursory analysis rather than engage in comprehensive studies of the matters outlined in the order.

The EO does not fundamentally change U.S cybersecurity policy but it does lay the groundwork for changes to future policy initiatives. The seriousness of implementing new cybersecurity policy, especially the EO’s request for deterring advisories, was unfortunately reinforced by the unprecedented global ransomware attack as well as the Federal Communications Commission falling victim to a distributed denial-of-service attack. Given the increasing regularity of cyber disruptions, the administration is likely to continue focusing on this issue throughout the year.

The WannaCry Cyberattack: Steps Businesses Must Take Now

Posted in Cybersecurity, Data breach, Data Security, Privacy

With the commencement of the workweek, experts predict the WannaCry cyberattack will spread further through systems that rely on older or unpatched versions of Microsoft Windows. The following alert explains the WannaCry ransomware and its impact on businesses and organizations as well as the preventative measures they need to take immediately.

What: Like other forms of ransomware, WannaCry — aka WanaCrypt0r and WCry — locks users off their computers and gives malicious actors control of operating systems. This can result in the loss of system functionality (as long as the computer remains infected) and often involves the destruction of data.

Those in control of WannaCry seek ransom payments in the form of bitcoin. Ransom demands started at $300 and escalated to $600 before system files were being deleted. WannaCry is indiscriminate in its effects (i.e., it is not focused on a discrete target set or industry and it has the potential to continue to propagate through systems that have not taken appropriate defensive measures). Notably, it can spread among network users without users taking any action.

The WannaCry messages that users encounter are presented in the following safe images.

Cyberattack-WannaCry1 (002) Cyberattack-WannaCry2 (003)

Who: While the originators of WannaCry are unknown, as of May 14, it had victimized at least 200,000 users in more than 100,000 organizations. Victims include the UK’s National Health Service (multiple hospitals and facilities); Federal Express in the United States; Chinese universities; Russia’s Interior Ministry; Telefonica, Gas Natural and Iberdrola (electrical) in Spain; and Renault in France.

Where: As of May 14, WannaCry had infected computers in over 150 countries (noting that the ransomware’s ability to operate in at least 27 languages has increased its transnational potency).

When: The new variant of WannaCry began creating significant effects on May 12, with infections and ransom demands expected to continue. Another strain of WannaCry began infecting computers over the weekend.

Why: WannaCry takes advantage of a known vulnerability (MS17-010 or ETERNALBLUE) in Microsoft Windows computers, and some experts believe it may have the ability to exploit other vulnerabilities. Because this vulnerability had been identified some time ago, Microsoft released a patch approximately two months earlier. However, many Microsoft users did not upload the patch.

The Way Ahead: It is possible that the variant of WannaCry discussed above (and its successors) will continue to wreak havoc on computer systems for the near future. Effects would be felt across industries globally.

Organizations should take preventative measures immediately:

  • Ensure that all systems and software are protected against WannaCry. Windows users should confirm they have the latest Windows security updates installed (e.g., MS17-010) and organizations should only use supported versions of software. As always, organizations should systematically monitor patch availability and promptly download and implement available patches.
  • Organizations that rely on internal cybersecurity defensive tools, software or services, or that use outside vendors or other external defensive options, should confirm they have layered defenses that account for, and are capable of addressing, the latest variant of WannaCry and its successors.
  • Back up data, make certain that backup files are as current as possible, and implement measures to ensure resilience and business continuity in the event of infection by WannaCry. Backups should be isolated and segmented and interconnectivity should be avoided whenever it is not essential. Limit internal (workstation-to-workstation, server-to-server) communication and user permissions to help prevent the spread of WannaCry.
  • Review incident response plans and update them as necessary to address distributed ransomware attacks. Conduct training exercises tailored to distributed ransomware scenarios.
  • Deliberate now as to whether or under what circumstances the organization would pay the ransom — decisions driven by considerations specific to particular businesses. Considerations may include, but are not limited, to:
    • harm to the business or those it serves if the system remains inoperable and/or files are destroyed;
    • the cost of payment and whether that cost is incurred for a single computer or for multiple computers;
    • whether there is a sufficient basis to believe that payment will result in the system and/or files being released to the user (noting that some of the recent ransomware attacks resulted in computers being left inoperable even after meeting ransomware demands); and
    • the potential that payment in this instance will perpetuate ransomware attacks against the business and others in the future.
  • Review insurance policies and consider whether they cover a WannaCry infection; whether additional coverage is needed; and whether they permit the use of outside cybersecurity vendors and qualified legal counsel, under what circumstances and when in the process (e.g., not until after notification to the insurer if the insurer will be responsible for paying for cybersecurity and legal services).
  • Train and test — on a continuing basis — employees and other persons with access to company computer systems on identifying and avoiding phishing and spear phishing.
  • Ensure comprehensive, functional and effective cybersecurity strategies and/or written information security programs are in place. These strategies and programs should address vulnerabilities created by the existence of disparate systems, networks and cybersecurity responsibilities that may exist across lines of businesses or business infrastructure and involve regular testing for vulnerabilities and strategy/program compliance.
  • Review second-tier plans, policies, procedures and cyber hygiene practices to ensure they address vulnerabilities in other devices (e.g., tablets, mobile phones, personal laptops) that may connect to business systems and networks.
  • Ensure that crisis response team members have been identified. Consider who, specifically, they will call for assistance (e.g., cybersecurity firm, outside counsel, public relations, government agency) in the event of an infection.
  • Understand legal obligations with respect to a ransomware incident (e.g., must the organization report the incident to customers, employees, regulators, attorneys general, etc.?).
  • Consider whether to join an Information Sharing and Analysis Center, if one exists for the specific industry, to share threat information and learn best practices for combatting cyber incidents.



Second Circuit Holds Data Breach Class Action Plaintiff Lacks Sufficient Injury to Support Standing

Posted in Data breach, Litigation

Those who tuned in to McGuireWoods’ data breach class action webinar last month know that attacking the plaintiff’s standing can be an effective defense strategy in these cases.  Here’s our analysis of the most recent appellate decision on that issue.

Last Tuesday, the Second Circuit Court of Appeals affirmed the district court’s dismissal of a putative class action filed against a merchant in connection with a data breach of customer information, holding that the cardholder failed to allege sufficient injury to establish standing.

The decision adds yet another data point for practitioners feeling out the boundaries for when the exposure of personal information creates a legal right to sue.

In Whalen v. Michaels Stores, Inc., the plaintiff alleged that shortly after she made in-store purchases with her credit card, her card information was used in Ecuador in attempted purchases of a gym membership and concert tickets.  She cancelled her card upon learning of those attempts, and did not allege those charges were ever approved.

In rejecting the plaintiff’s arguments in favor of standing, the Second Circuit emphasized that she failed to allege that she actually incurred or paid those charges, and also discounted her assertion that she faced risk of future identity fraud—noting that she had already cancelled her card, and failed to allege that her name, birth date, or social security number were among the information stolen.

Notably, the court considered her allegation that she suffered damages “based on the opportunity cost and value of time” that she spent monitoring her account also insufficient to establish injury.  In so holding, the court interpreted the “particularized” component of Article III’s “concrete and particularized injury” requirement to require the plaintiff to plead specifics about the time and effort expended.

The Second Circuit expressly distinguished prior decisions from the Seventh Circuit holding the victims of a data breach alleged sufficient injury to invoke Article III standing.  On a closer review, however, it is not always easy to draw a clean line between the injuries alleged in Whalen and some of those deemed sufficient by the Seventh Circuit.

For example, in Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit held the plaintiffs had sufficiently alleged injury based on an increased risk of future fraudulent charges and identity theft, notwithstanding that the data breach in that case also only involved the theft of card information and not personal information such as social security numbers or birth dates.

Similarly the court in Remijas deemed sufficient allegations that the plaintiffs lost time and money protecting themselves against future identify theft—allegations not dissimilar from those rejected in Whalen.

Although we are yet to arrive at a unified theory of standing in data breach cases, Whalen does provide a helpful piece of line-drawing, illustrating that a plaintiff who does not incur fraudulent charges—and cancels her card before any fraudulent charges are incurred—may have trouble convincing a court that she has suffered sufficient injury from a data breach to confer standing.

AT&T Privacy Rule Goes Too Far Says NLRB

Posted in Litigation, Privacy

Last week a National Labor Relations Board (NLRB) administrative judge ruled that AT&T Mobility interfered with employees’ labor rights with an overly broad privacy rule. The rule prohibited employees from recording any conversation without approval from the company’s legal department.

The judge found that the rule was in violation of Section 8(a)(1) of the National Labor Relations Act (Act) which prohibits employers from interfering with Section 7 rights. Section 7 gives employees the right to organize and engage in other concerted activity for the purpose of collective bargaining.

The rule was questioned by sales associate, Marcus Davis after he attended a termination notice meeting for another employee and recorded audio of the meeting without management’s prior knowledge.

After the meeting, local area sales manager, Andrew Collings, contacted the human resources department for guidance. Collings then instructed the local store manager to retrieve the company owned phone, delete the 20 minute recording and coach Davis on the company policy. Davis challenged the rule and filed an unfair labor practice charge at the NLRB.

In defense of the rule, AT&T argued that the policy was in place to protect the privacy of customer information. The judge found that although AT&T has a pervasive and compelling interest in protecting customer information, when balanced against employees’ Section 7 rights, the rule is overbroad and in violation Section 8(a)(1) of the Act. Specifically, the judge noted that recent NLRB decisions had suggested that “protected conduct may include a number of things including recording evidence to preserve it for later use in administrative or judicial forums in employment-related actions,” and there were narrower ways for the employer to protect its legitimate interests without interfering with these employee rights. The judge also found that the employee was illegally threatened with disciplinary action, possibly termination, if he violated the privacy rule.

Accordingly, AT&T was ordered to rescind the rule and refrain from any action that would limit the exercise of employees’ Section 7 rights. It remains to be seen whether the company will comply now, or contest the decision before the NLRB itself. The order fits into the trend of NLRB decisions the last few years finding against work rules prohibiting photography and other forms of recording in the workplace. It does not entirely prohibit all rules limiting workplace recordings, but does reject broad rules containing a blanket ban on all workplace recordings.

New Mexico Enacts Data Breach Notification Law

Posted in Data breach, Legislation

On April 6, 2017, New Mexico enacted a data breach notification law. The “Data Breach Notification Act” (H.B. 15) will take effect on June 16, 2017. The recent passage of this statute leaves Alabama and South Dakota as the only two remaining states with no law requiring companies to notify individuals of data breaches involving their personally identifiable information. Earlier drafts of the bill had failed to get past the New Mexico Senate Judiciary Committee because of concerns about the $150,000 damages cap and thirty (30) day notification requirement. The bill’s sponsor, Rep. Bill Rehm, stated that he worked closely with the New Mexico business community to make compromises on the bill so that it would pass this time around. The bill that passed this year still contains the damages cap but the previously proposed thirty (30) day notification requirement was replaced with a forty-five (45) day notification requirement.

For the most part, the New Mexico law requires companies to comply with data breach obligations required by a majority of other states. Like a handful of other states, including Illinois and Texas, the law’s definition of Personal Identifying Information (PII) explicitly includes biometric data along with other more commonly included categories of information like social security number, driver’s license number and financial account numbers.

Some important provisions from the New Mexico security breach notification statute:

  • Like the majority of states, New Mexico’s statute applies only to “computerized data” and not data in paper or other forms.
  • Notifications to New Mexico residents (and to the Attorney General and Consumer Reporting Agencies if over 1,000 residents are affected by a single incident) must be made within forty-five (45) calendar days of discovery of the security breach.
  • Entities subject to GLBA or HIPAA are entirely exempted from the provisions of this statute.
  • Third-party service providers are also required to notify the data owner or licensor and must comply with the same forty-five (45) calendar day notice requirement.
  • However, notification obligations are only triggered if a security breach meets the harm threshold of posing a “significant risk of identity theft or fraud”.
  • Civil penalties for knowing or reckless violations of the statute are the greater of $25,000 or in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.
  • Also, unlike Massachusetts’ and California’s data breach notification laws that outline prescriptive security processes that companies must follow, New Mexico’s new law generally gives businesses a lot of discretion in determining how to best protect PII. However, one area in which the New Mexico law is very specific is the requirement that businesses disclosing PII to third-party vendors contractually require such vendors to implement and maintain reasonable security procedures and practices.

The fragmented landscape of state data breach notification laws will only get more complex as states continue to amend current legislation, making compliance with state data breach notification laws increasingly difficult for businesses. Companies wanting to remain compliant with such laws across multiple jurisdictions will now have to contend with the laws of 48 states and 3 territories. Calls for a federal data breach notification requirement that would allow companies to follow one set of rules have received pushback from consumer advocates who fear a superseding federal law might weaken the data breach notification laws of states with heightened requirements.

Trump Privacy Rollback Continues, States Step Up

Posted in Consumer Privacy/FTC, FCC, Legislation, Privacy, Surveillance

On April 3, 2017, President Trump signed a repeal of new Federal Communications Commission (FCC) rules that would have subjected broadband internet service providers (ISPs) to more stringent consumer privacy regulations. Specifically, the FCC’s rule would have required ISPs to obtain opt-in consent from consumers before using and sharing sensitive information such as geo-location, web browsing history and app usage history.  This repeal allows Internet providers to compete with “edge providers” (which were not covered by the new FCC rules) in mining consumer browsing history and contributing to targeted online advertising.

This repeal, in and of itself, does not create any landmark changes in the legal landscape–the new FCC rules were only passed late last year, and had not yet taken effect. However, it is symptomatic of the Trump administration’s antipathy towards government regulation of consumer privacy.  More importantly, President Trump’s retreat has already begun to spur state legislatures and Attorneys General to strengthen their stance on privacy, concentrating scrutiny at the state level.

For example, in Massachusetts, Republican state senators introduced legislation on April 7 that would bar ISPs from selling browsing histories without customers’ explicit permission. That bill would also prohibit ISPs from charging increased rates to consumers who refuse to share their personal information.

Similarly, last week in Illinois, lawmakers introduced multiple measures that would impose new restrictions on companies that collect or use geo-location information, enable or turn on device microphones, and transfer Illinois consumers’ data to third parties. Illinois legislators are also scheduled to hear two more bills, introduced in March, that specifically target commercial website operators.  Other state legislatures that have introduced or otherwise begun to consider Internet privacy bills in the last three weeks include Connecticut, Kansas, Maryland, Montana, New York, Washington, and Wisconsin.

This shift is also becoming evident via increased executive enforcement at the state level. Advertisements and applications that use and share consumers’ location appear to be an area of particular concern.  For example, in March, the Massachusetts AG’s office obtained a settlement with an advertising company that used geofencing to send targeted anti-abortion ads to consumers in certain cities who entered reproductive health clinics.  In New York, the Office of the Attorney General (OAG) recently entered settlements with three health and fitness mobile application operators, which demand, among other things, that the app providers limit or obtain affirmative consent prior to collection of certain sensitive information.

Though the Trump administration’s laissez-faire approach toward privacy might, at first glance, appear to signal a shift towards lightening the burden of privacy regulations, it may well have the opposite effect, by creating backlash at the state level.  Accordingly, businesses, particularly those who operate online, will need to be more cognizant than ever of differing state policies moving forward.

D.C. Circuit Strikes FCC’s Rule Requiring Opt-Out Notice on Solicited Faxes

Posted in Privacy

On March 31, the U.S. Court of Appeals for the D.C. Circuit struck down a Federal Communications Commission (FCC) rule requiring that solicited fax advertisements contain a notice on how to opt out of future faxes. Following the ruling, such opt-out notices will be required only in unsolicited fax advertisements. The decision in Bais Yaakov of Spring Valley, et al. v. Federal Communications Commission, et al. will significantly impact litigation — particularly class action litigation — involving the failure to include an opt-out notice on fax advertisements.

Under the Junk Fax Prevention Act of 2005, an amendment to the Telephone Consumer Protection Act applicable to fax communications, businesses are prohibited from faxing unsolicited advertisements. “Unsolicited advertisements” are defined as advertising material “transmitted to any person without that person’s prior express invitation or permission.” The law contains an exception when three requirements are met: (1) the sender and recipient have an established business relationship; (2) the sender obtained the fax number from the recipient, through their communications or by virtue of the recipient publishing it to a directory or website; and (3) as relevant here, the advertisement contains an opt-out notice. The law goes on to require the opt-out notice to be “clear and conspicuous” and provide a free mechanism to opt out from future faxes.

In 2006, the FCC, purporting to exercise its authority to issue regulations and implement the law, issued a rule requiring that solicited fax advertisements contain opt-out notices. The law already required unsolicited fax advertisements to include an opt-out notice. Accordingly, under the FCC’s revised rules, businesses had to include opt-out notices on all fax advertisements — even if the recipient expressly consented to receive them.

This rule was challenged by a petitioner facing a $150 million class action lawsuit for failing to include opt-out notices on fax advertisements, many of which it had permission to send. The FCC argued that because the law required businesses to include opt-out notices on unsolicited fax advertisements, the FCC also had the authority to require businesses to include opt-out notices on solicited faxes.

The majority of the D.C. Circuit panel disagreed, finding nothing in the text of the law to convey such authority. Instead, the court noted that Congress had drawn a line between unsolicited and solicited fax advertisements, but the law did not require (or give the FCC authority to require) opt-out notices on solicited faxes. That was all the court needed to know to resolve the case.

The D.C. Circuit also rejected the FCC’s argument that it could require opt-out notices on solicited faxes because Congress did not define the phrase “prior express invitation or permission” in the law. The court found the argument “difficult to follow,” noting that the phrase “prior express invitation or permission” went to whether a fax was solicited or unsolicited (and requiring an opt-out notice) — not the other way around. The court also found the FCC’s argument that its rule was good policy to be irrelevant because a “good policy does not change the statute’s text.”

Notably, Judge Pillard, who also serves on the panel deciding ACA International’s appeal of the FCC’s 2015 TCPA Omnibus Order, dissented. Judge Pillard determined that the FCC had the implicit authority to require opt-out notices for solicited fax advertisements stemming from Congress’ direction to the FCC to prescribe regulations to implement the law. In addition, Judge Pillard adopted the FCC’s difficult-to-follow argument that “the inclusion of an opt-out notice is part of what makes subsequent faxes ‘solicited’ at all.”

Judge Pillard’s opinion appears to be motivated by a desire to provide a uniform mechanism for opting out. She reasoned that if a fax contains an opt-out mechanism and a recipient does not opt out, then the recipient has agreed to receive future advertisements (i.e., solicited advertisements). As the panel recognized, such reasoning removes any distinction Congress drew between solicited and unsolicited advertisements in the law. Judge Pillard’s ruling in this case may suggest that she will also rule in favor of the FCC in the much-anticipated decision in the ACA International appeal.

The D.C. Circuit’s decision will impact litigation relating to the absence of an opt-out notice on fax advertisements. First, there is no longer any liability for the failure to include an opt-out notice where the recipient consented to receive the fax. Second, the decision will undoubtedly impact class certification in actions arising from the failure to include an opt-out notice because the question of whether the opt-out notice is required is now an individualized question that turns on whether the recipient consented to receive the fax.