22 October 2013

Recent Changes For Digital Marketers & Companies That Use Text Message Marketing

Many marketing consultants advise companies to employ text messaging and telemarketing as a component of their marketing and advertising strategies. 
Companies that do so, however, need to be mindful of complying with the 1991 Telephone Consumer Protection Act (the “TCPA”), which prohibits companies from sending auto-dialed text messages, voice calls, and faxes without specific consents and authorizations. 
Recent Changes
On October 16, 2013, two major changes to the TCPA went into effect:
  • Prior Express Written Consent Required For Telemarketing: Companies must obtain and hold unambiguous written consent from customers before initiating any telemarketing call/text message; and
  • “Established Business Relationship” Not Sufficient For Telemarketing: An established business relationship does not relieve companies of the obligation to obtain prior express written consent before making a telemarketing call/text message.
These changes follow a January 14, 2013 TCPA change that requires companies to ensure that artificial or prerecorded voice telemarketing or advertising calls have opt-out mechanisms.
What Should Companies Do Now?
The TCPA can affect any organization that sends text messages, voice calls, or faxes as part of its advertising / marketing campaign or outreach, whether such messages are sent through the company or a through a contracted third party marketing vendor.
Violations of the TCPA can be expensive. The TCPA permits a private right of action and statutory damages in the amount of $500 for each violation and up to $1,500 for each willful violation. The risk for companies is significant because the numbers of TCPA class actions are on the rise and the potential damages / settlement costs in these cases can run into the millions of dollars.
Given the changes that went into effect in October, businesses should review their TCPA / advertising policies to ensure that they are in compliance, so that they can avoid the possibility of paying onerous penalties or being involved in expensive class action litigation.
Further, even if companies that hire third party vendors to conduct telemarketing call / text message campaigns on their behalf, they should exercise care to minimize potential claims, including by requiring, for example, representations and warranties and risk shifting provisions in contracts.

24 May 2013

Data Breach And Governance Issues Find Investment Advisors

Two items of interest this week for investment advisors and their clients in how they deal with internal controls relating to confidential data and email:

On May 23, 2013, the Securities and Exchange Commission ("SEC") charged charged proxy adviser Institutional Shareholder Services ("ISS") for failing to safeguard the confidential proxy voting information of clients participating in a number of significant proxy contests. According to the SEC press release:
An SEC investigation found that an employee at ISS provided a proxy solicitor with material, nonpublic information revealing how more than 100 ISS institutional shareholder advisory clients were voting their proxy ballots. In exchange for voting information, the proxy solicitor provided the ISS employee with meals, expensive tickets to concerts and sporting events, and an airline ticket. The breach was made possible in part because ISS lacked sufficient controls over employee access to confidential client vote information, as this employee gathered the data by logging into the ISS voting website from home or work and using his personal e-mail account to communicate details to the proxy solicitor. 
The SEC's order finds that ISS willfully violated Section 204A of the Investment Advisers Act of 1940. The order censures the firm and requires ISS to pay a $300,000 penalty and engage an independent compliance consultant to review its supervisory and compliance policies and procedures. The consultant will evaluate whether ISS's procedures are reasonably designed to ensure that its proxy voting services business complies with the Advisers Act in its treatment of confidential information, communications with proxy solicitors, and gifts and entertainment. 
Section 204A of the Investment Advisors Act of 1940 requires every investment advisor to establish and enforce policies and procedures to prevent the misuse of of material, nonpublic information. 

The SEC Order is available here.

Also, on May 21, 2013, the Financial Industry Regulatory Authority ("FINRA") fined broker LPL Financial LLC ("LPL") $7.5 million for 35 separate, significant email system failures, which prevented LPL from accessing hundreds of millions of emails and reviewing tens of millions of other emails. Additionally, LPL made material misstatements to FINRA during its investigation of the firm's email failures. LPL was also ordered to establish a $1.5 million fund to compensate brokerage customer claimants potentially affected by its failure to produce email.

FINRA's website was down this morning, but the Securities Law Prof Blog has a nice entry here.

23 May 2013

Idaho State University Settles HIPAA Security Case for $400,000

Idaho State University ("ISU") has agreed to pay $400,000 to the U.S. Department of Health Human Services ("HHS") for violations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Security Rule. The settlement involves the breach of unsecured electronic protected health information ("ePHI") of 17,500 individuals who were patients at an ISU clinic. HHS found that ISU did not:
  • conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process; 
  • adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level; and
  • adequately implement procedures to review regularly records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.
Read the HHS press release here.

24 April 2013

Baseball Stats and Law Firm Performance

I am a huge baseball fan. I have been so since the 80s when the greatness of Don Mattingly tormented me on an annual basis because of his not-so-great Yankees' supporting cast (especially oh those pitchers!). A pennant never materialized for me back then, but through it all, every stat, pitching AND hitting, was etched in my brain. I thought that if I only studied the stats enough, I could show everyone -- even those Mets fans -- that the Yankees (and every player on the team, even third baseman Mike Pagliarulo) was the absolute best at his position in the major leagues. Of course, the stats to which I had access were only those in the newspaper and the backs of trading cards, namely the big ones: ERA, batting average, RBIs. My ground-shaking epiphany on how it all fit together never came. 

Then came Billy Beane. Beane is a former professional baseball player and current front office executive for the Oakland Athletics. Beginning in the mid-90s, Beane began to apply statistical analysis to player evaluations. Beane was the subject of Michael Lewis' 2003 book on baseball economics, Moneyball, which was made into a 2011 film starring Brad Pitt as Beane. Not too shabby.

The essence of Moneyball was an emphasis on the numbers:

01 April 2013

Judges & Social Media

On February 21, 2013, the American Bar Association released Formal Opinion 462, "Judge's Use of Electronic Social Networking Media," which finds that a "judge may participate in electronic social networking, but as with all social relationships and contacts, a judge must comply with relevant provisions of the Code of Judicial Conduct and avoid any conduct that would undermine the judge’s independence, integrity, or impartiality, or create an appearance of impropriety." The Opinion includes guidance on when a judge would have an affirmative duty to disclose a social media connection to parties that appear before that judge (conclusion: not most of the time).

11 March 2013

Can A Company Maintain Attorney Client Privilege After Its Executives and Attorneys Communicate With A Consultant Through Another Company's Email System?

Magistrate Judge Paul S. Grewal of the Northern District of California says yes. Here is what Judge Grewal writes:

Bill Campbell . . . works for [] Google[], but he is no mere employee, and perhaps not even that. He earns at best a nominal salary, often without any formal agreement or even understanding. And yet Campbell occupies an elite niche in the technology industry that, with apologies to Robert Redford, is best described as an "executive whisperer." Either as consultant or part-time employee, Cambell has advised Google's senior-most management even as he did the same for [Apple] and others, all while serving as Chairman of the Board of [Intuit]. Campbell's unique status lies at the heart of the motion to compel now before the court. Citing their disclosure to Campbell [through Intuit's corporate email network], Plaintiffs [] seek production of emails that Google either redacted or failed to produce on the grounds that the documents were privileged. Having considered the parties' papers, supplemental documents, and oral arguments, the court DENIES Plaintiffs' motion to compel but without prejudice to in camera review of certain documents as discussed below. 
. . .  
Although the court finds that the Asia Global [In re Asia Global Crossing, Ltd., 322 B.R. 247 (S.D.N.Y. 2005) (propounding four factors that it found most relevant to the question of confidentiality of emails sent over an employer's email system in the attorney-client privilege context)] factors are evenly split, the court finds that the importance of the attorney-client privilege as well as the lack of evidence that Intuit in fact monitored Campbell's emails supports the preservation of the privilege in this case. The fact that Campbell sent and received messages from his Intuit email address does not destroy the confidentiality necessary to maintain the privilege.

Read all of Judge Grewal's opinion in In re High-Tech Employee Antitrust Litigation, No. 11-CV-2509-LHK-PSG (N.D. Cal. Feb. 28, 2013), by clicking here.

07 March 2013

Mastering Data Breach, ID Theft & Privacy Laws

My handout materials for this morning's New Jersey Institute for Continuing Legal Education's Mastering Data Breach, ID Theft & Privacy Laws seminar can be found here. It was an enjoyable panel of which to be part. Thanks to Robert Chesler for organizing and moderating, and to Cynthia Borrelli, Joshua Gold, Andrew Obuchowski, and Paul Paray for co-presenting. 

25 February 2013

MLATs and Government Seizure Of Financial Records

Interesting case of out of the Southern District of Florida that deals with the issue of whether the Justice Department can turn over a company's financial records to a foreign government under a Mutual Legal Assistance in Criminal Matters Treaty ("MLAT").

In Palmat Int'l, Inc. v. Holder, No. 12-20229 (S.D. Fla. Feb. 14, 2013), the Court held that the Fifth Amendment of the Constitution does not provide a cognizable right to privacy for bank records when those records are held by a third party bank. The Palmat court held that even if the Constitution did provide such a right, the United States' interests in fulfilling its obligations under a MLAT "far outweighed" any interests in keeping the records private.
Interestingly, the Palmat court acknowledged that it had federal question jurisdiction over the constitutional claim (that is, whether a treaty obligation comported with the Constitution), and also acknowledged that there exists a constitutional interest "in avoiding disclosure of personal matters." It stated, however: 
Neither the Parties nor the Court has found a case addressing the issue of whether the "right of confidentiality" strand applies to financial records held by a third party. However, in U.S. v. Miller, 425 U.S. 435 (1976), the Supreme Court held, in the context of the Fourth Amendment, that a bank customer has no protected interest in the copies of checks and other records retained by his bank, and therefore could not assert a challenge to a grand jury subpoena to the bank for those records. The Court determined that bank records are not the account holder's private papers but rather "the business records of the banks," in which a customer "can assert neither ownership nor possession." Based on the foregoing authority, no constitutionally protected privacy interest exists for Petitioners' bank account records held by [the] Bank. Moreover, even assuming that such an interest exists, it is outweighed by the United States' compelling interests in fulfilling its treaty obligations. (internal citations omitted).
As the Court stated, since Miller, it has become a given that there is no constitutional expectation of privacy over bank records held by a third party bank.
But what about other records that are now increasingly held by third parties such as Google or Apple, for example, e-mails? 
The Sixth Circuit, in United States v. Warshak, 631 F.3d 266 (6th Cir. 2010), was the first court that held that there is a reasonable expectation of privacy under the Fourth Amendment in the content of e-mails even if they are stored on third party servers of an internet service provider ("ISP"). The Warshak court specifically distinguished Miller by ruling that Miller involved simple business records, while the emails at issue in Warshak were confidential and concerned a wide variety of topics. And unlike the third party bank in Miller (which used the records in the ordinary course of business), the third party ISP was an intermediary, not the intended recipient of the records. 
Some interesting questions: Would the United States' interests in fulfilling its obligations under a MLAT "far outweigh" any interests in keeping private e-mails or other electronic records that are stored on a third party ISP's server? Would a subpoena be sufficient to obtain these records from the third party, or would the Government require a search warrant (or show probable cause)? What if the United States' obligations under the Constitution differed from the MLAT agreements?
The issue of MLATs and privacy is an interesting one. I hope to revisit the topic in more depth in the coming months.

12 February 2013

President Obama's Focus on Cybersecurity

President Obama addressed cybersecurity during his State of the Union address tonight:
America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.  
That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.
That full text of the executive order is expected to be released on Wednesday, February 13. The White House did, however, release a statement that listed the executive order key components [here]:

11 February 2013

I Always Feel Like Somebody's Watching Me - Warrantless Searches of Computer Hard Drives by the Government

This article [pdf] focuses on some ‘big data’ issues as they relate to white-collar criminal practice, which typically involves the analysis of electronic communications; cellphone, blackberry, and computer hard drive data; information from third parties in the cloud; etc. Specifically, this article broadly reviews recent case law regarding the government’s power to review, with and without a warrant, electronic data from computer hard drives and cellphones. The focus of the article is on federal power, which, of course, may or may not be the same on the state and local law enforcement level. This article was originally published in the February 2013 issue of New Jersey Lawyer Magazine, a publication of the New Jersey State Bar Association, and is reprinted here with permission.

07 February 2013

Commissioner Issues First Anti-Bullying Decisions

The education commissioner issued its first two decisions under New Jersey's Anti-Bullying Bill of Rights Act, which was signed into law in 2011. One case dealt with a Tenafly boy who publicly identified another student with head lice, and the other case involved an East Brunswick sixth grader who called a classmate "gay" and said he "danced like a girl." In both cases, the school district’s response was found to have been appropriate. Of special note is the head lice decision, which indicates that perhaps invasion of a student's privacy may satisfy the statutory definition of "HIB", or "harassment, intimidation, or bullying."
To read more, and to access the text of the decisions, click here.

22 January 2013

Financial Regulators Propose Guidance on Social Media

The Federal Financial Institutions Examination Council ("FFIEC") today released proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as non-bank entities supervised by the Consumer Financial Protection Bureau and state regulators.

From the FFIEC press release:
The FFIEC is responding to requests for guidance in this area from various industry and consumer interests. The guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. Although the guidance does not impose additional obligations on financial institutions, the FFIEC expects financial institutions to take steps to manage potential risks associated with social media, as they would with any new process or product channel. 
The FFIEC invites comments on any aspect of the proposed guidance. It is specifically seeking comments on the following questions:
  • Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  • Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  • Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?
The proposed guidance can be accessed here. Comments must be received 60 days from publication in the Federal Register.

21 January 2013

The Importance of Leadership and Differentiation in Attorney Marketing

Let’s not beat around the bush. The end business goal of any attorney in private practice is to make a living by gaining knowledge and then distributing it. Attorneys are the original ‘knowledge workers’ -- people who add value to clients by processing existing information to create new information that can be used to define and solve problems. To read more, click here.

10 January 2013

Medical Professional Liability When Told To Draw Blood By Law Enforcement

Yesterday, the United States Supreme Court heard arguments in Missouri v. McNeely, No. 11-1425. The issue in the case is whether police need a warrant to get a blood sample from an individual suspected of drunk driving. The case 
began in the early morning of October 3, 2010, when a state highway patrolman, Corporal Mark Winder, pulled over a truck that he had clocked speeding eleven miles over the limit. The truck was driven by Tyler G. McNeely of Cape Girardeau. As he got out of the truck, he was unstable. The officer put McNeely through several field sobriety tests, which he failed. McNeely was put into the officer’s patrol car, and the officer asked him if he would take a breath test; McNeely refused. The officer then drove to a hospital, where McNeely refused to consent to a blood test. Corporal Winder told a hospital lab technician to take a blood sample anyway. 
An analysis of the sample showed that McNeely’s blood alcohol level was 0.154 percent, almost double the legal limit of 0.08 percent. Before he went on trial, McNeely and his lawyer sought to block the use as evidence of the test result, contending that the involuntary taking of the sample was a warrantless search that violated his Fourth Amendment rights. The patrolman testified that, at the time of the incident, he did not believe that he needed a warrant, although he said he had obtained a warrant in similar situations in the past.  
He testified that he had since read a magazine article which said that, under Missouri state law, drunk driving meant that a driver had given implied consent to be tested.  
The trial judge ordered the blood evidence barred from the case . . . . The trial judge found no “exigency” that justified the blood search. While that result was overturned by a middle-level state appeals court, the Missouri Supreme Court ruled for McNeely, and barred the test result.
[(emphasis added.)]

The above facts were posted on SCOTUSBlog, which has an excellent preview and recap of the argument here and here. According to Lyle Denniston, the Court did not appear too pleased with the notion that police anywhere in the country could force a lab technician to stick a needle in your arm without a neutral judicial officer granting permission to do so. Makes sense.

The case is interesting, but I am intrigued also that McNeely refused a blood test and the officer told a hospital lab technician to take a blood sample anyway. 

What kind of liability could a health care provider face in such a situation?