The Federal Communications Commission (FCC) is continuing its efforts to clarify the Telephone Consumer Protection Act (TCPA) and its requirements.

To this end, the FCC is seeking comments by tomorrow, January 13, 2015, on eleven petitions seeking waiver of the FCC’s rule on opt-out notices on fax advertisements to recipients who have provided prior express invitation or permission. Specifically, the petitioners seek retroactive waiver of the opt-out notice requirement for fax ads which the petitioners assert were sent where prior express invitation or permission had been obtained from the recipient. The petitioners argue that good cause exists because they are similarly situated to parties who were previously granted retroactive waivers from this requirement by the FCC because of uncertainty about whether the opt-out notice applied to “solicited” faxes.

Under the TCPA, unsolicited faxed advertisements are prohibited unless the sender has an established business relationship with the recipient; the recipient voluntarily communicated his or her fax number directly to the sender or a directory; and the faxed ad also contains an opt-out notice.

While comments are due tomorrow, reply comments are due January 20, 2015.

About two years ago, President Obama signed an executive order on the date that he delivered his State of the Union address which directed certain federal agencies to develop voluntary standards for achieving cybersecurity. As he prepares for his 2015 State of the Union address, Bloomberg and other news outlets are reporting this morning that President Obama will be proposing legislation, including the Personal Data Notification & Protection Act, designed to increase protections for personal data. This announcement comes in advance of the President’s visit to the Federal Trade Commission today, and apparently will be a topic during the coming State of the Union address later this month.

According to the reports, the President wants a national standard for data breach notification, one that requires notice to customers within 30 days of discovering the breach. Criminal sanctions also would be enacted for persons engaged in illegal trading of identities, the economic engine behind massive payment card breaches. The President’s proposal also would tighten protections for student data and consumer data pertaining to energy use. The President also will seek to enact into law provisions of the Consumer Privacy Bill of Rights that the White House issued in February 2012.

White House Press Release

Over the past 10 or so years, there have been many calls for broad-based data security measures at the federal level, including a national data breach notification standard. Many members of the House and Senate proposed a number of laws in this area. Those efforts have largely failed. Whether the President’s call for action following a year of massive data breaches will yield a different result remains to be seen, particularly as the Republican Party has a stronger grip on the legislative branch.

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Clinical and Economic Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be both daunting and expensive if there is a breach. Like many businesses, small businesses rely on third party vendors to perform certain activities. When those activities involve personal information of the business’ customers, the business owner should be paying more attention. Ask the vendor what steps it has in place to protect information: does it have a written information security plan, is it licensed, does it have insurance in the event of a breach, does it train employees about data security, and, yes, how does it dispose of the records and data it is being asked to handle. In many states, businesses are required to have language in the service agreements with vendors about data security when the vendors are going to handle personal information. There is a similar provision under HIPAA for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.

Complying with the Telephone Consumer Protection Act (TCPA) is a growing concern for employers and others. This is especially true given that suits under the TCPA have regularly resulted in damage awards of hundreds of thousands, if not millions, of dollars.

We have developed a comprehensive set of frequently asked questions concerning TCPA. If you are interested in learning more about the TCPA, and its impact on your business:

On December 19, 2014, the FCC published Chairman Thomas Wheeler’s response to Senator Bill Nelson’s (D-FL) letter regarding the FCC’s recent proposed $10 million fine against two telecom companies.

In the response, Chairman Wheeler reiterated the need for FCC action in this area and explained that consumers regularly entrust their most personal, confidential, and sensitive information to communication networks and service providers. The Chairman went on to state that the FCC has a responsibility to ensure that service providers and network operators are taking reasonable steps to “honor the public trust, and to protect consumers from harm caused by violations of the Communications Act.”

With some of the strongest language to date concerning the FCC’s role in this area, the Chairman said:

As the nation’s expert agency on communications networks, the Commission cannot – and will not – stand idly by when a service provider’s lax security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.  I assure you that the Commission will exercise its full authority against companies that fail to meet their statutory requirements of safeguarding the personal information of consumers.

In light of the prior FCC action and the Chairman’s most recent statements, service providers and network operators must ensure their data security practices are up to date and they are appropriately safeguarding the personal information of consumers with which they are entrusted.

As we reported, there are a number of signs pointing to a significant tightening of regulation and increased enforcement of data security mandates. Following efforts in New Jersey, New York and Oregon, Indiana Attorney General Greg Zoeller announced his office is seeking legislation that would better protect the online personal and financial information of Indiana residents. Indiana State Sen. Jim Merritt plans to sponsor the legislation during the 2015 session of the Indiana General Assembly.

The Attorney General proposes a three-pronged approach to increasing security – (i) stricter requirements for the safe storage of sensitive data, (ii) reducing harm to consumers following a data breach, and (iii) increasing transparency of online privacy policies. In proposing stricter requirements for storing sensitive data, Attorney General Zoeller’s approach would include a requirement to delete and not retain the data beyond what is necessary for business purposes. Effective and efficient record retention and destruction policies and procedures present significant challenges for businesses, but as new laws like this emerge, companies will need to get better about keeping only what they need, and making sure what is deleted is really deleted.  The proposal also includes requirements for businesses to share or sell information only when authorized by law or when consumers are informed in advance, and to inform consumers by conspicuous notice when data must be collected and how long it will be stored.

The Hoosier state already has a data breach notification law; however, the Attorney General wants to make notice under the law more timely and informative. Additionally, his proposal would extend the notification mandate to breaches of paper and handwritten records. Like the breach notification laws in many other states, the Indiana law currently applies only to electronically generated or computerized records.

If the third item in the proposal becomes law, Indiana would join California in requiring website operators and online entities that collect personal or financial information from state residents to conspicuously post their privacy policies online. The policies would need to identify what personal information the site collects from site visitors and whether the operator of the site shares or sells any of that information, and with whom.

We will be following this and other developments of this kind in the year ahead. However, we recommend businesses be more proactive in taking steps to safeguard and manage personal information. These steps should go beyond the IT department and include administrative and physical safeguards to protect data in all forms, including paper documents. Additionally, data security is only one of a number of important reasons for a rigorous record retention and destruction policy. These include the development of more efficient data management practices, keeping data storage costs down, and controlling e-discovery costs.

The New Jersey Assembly on December 15 unanimously approved, by a vote of 75-0, a bill designed to better protect consumers from identity theft. Bill A3146, if approved by the Senate, would expand the state’s law to include disclosure of a breach of security of online accounts.

Per the Identity Theft Resource Center, between 2005 and 2014, there have been 4,695 breaches exposing 633 million records, with the cost of a breach to an organization averaging an estimated $3.5 million.

Under the NJ bill, the definition of “personal information” set forth in Section 10 of P.L.2005, c.226 (C.56:8-161) would be amended and expanded to include a combination of user name or email address with any password or security question and answer that would permit access to an online account. Currently, the law covers breaches involving a combination of a Social Security number, driver’s license number or State identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The expansion would allow consumers, upon notice of a breach, “to change their online account information quickly following a breach and put consumers on notice to monitor for potential identity theft,” said one of the bill’s sponsors.

Notably, the New York Assembly earlier introduced Bill A10190, which would amend New York’s data breach notification law (NY Gen. Bus. Law 899-aa). The proposed amendment would require entities which conduct business in New York State, and which own or license computerized data which includes private information, to develop, implement, and maintain a comprehensive information security program which must be consistent with the safeguards for protection of personal information. The New York amendment would impose requirements nearly identical to those required under Massachusetts law.

Each of these developments should be closely monitored so that companies can ensure compliance.

On December 9, Oregon’s Attorney General, Ellen Rosenblum, announced to the Oregon House and Senate Judiciary Committee that she would be introducing legislation to expand existing personal data protections for Oregon consumers while implementing additional enforcement measures to combat non-compliance.

According to Ms. Rosenblum, Oregon’s laws have not kept up with the rapid increase in the use and maintenance of consumer data.  As stated to reporters:  “We essentially need a consumer bill of rights so that people know what their rights are online . . . There’s great things about technology, but we have to inform the people, we have to inform parents and the kids so we can be protected better online as well as offline.”

Ms. Rosenblum’s proposal would allow the state Department of Justice to more broadly enforce civil penalties against non-compliance with enhanced data privacy standards. Oregon’s present identity theft statutes, ORS 646A.600‐628, vest the Director of the Department of Consumer and Business Services with enforcement authority.

Oregon’s push towards additional privacy protections follows a large data breach at the Oregon Employment Department and Secretary of State’s Office, which compromised the personal information of more than a million people.

According to the Oregon AG, retail data breaches have also compromised the personal information of 70 million customers worldwide, including 800,000 in Oregon.


Some have called 2014 the “Year of the Data Breach.” That may be true given the steady stream of large-scale data breaches affecting tens of millions of individuals. We do not know if this time next year commentators will be saying the same thing about 2015, but there are signs pointing to a significant tightening of regulation and increased enforcement of data security mandates – some are discussed below. No matter a company’s size or industry, maintaining personal data can be a risky business, more so for companies that are not prepared and that have not taken reasonable steps to safeguard personal data.

New York regulators announce new cyber security preparedness assessments for banks. Following an announcement in October concerning third-party vendors, Benjamin M. Lawsky, Superintendent of Financial Services, issued an industry guidance letter on December 10 to all New York State Department of Financial Services (DFS)-regulated banks outlining enhanced examinations as part of “new targeted, DFS cyber security preparedness assessments.” According to the announcement, and in the letter to banks, DFS examinations will be looking at safeguards such as protocols for detection of cyber breaches and penetration testing; corporate governance related to cyber security; defenses against breaches, including multi-factor authentication; and security of their third-party vendors. This is not just an issue for the banks because as part of their efforts to be ready for these increased examinations and assessments, they will need to be looking at the practices of their third-party vendors.

Another HIPAA settlement and Phase 2 audits expected to commence soon. Earlier this month, the Office for Civil Rights announced it reached a resolution agreement with Anchorage Community Mental Health Services (ACMHS) to settle potential HIPAA violations. Under the agreement, ACMHS will pay $150,000 and adopt a corrective action plan with regard to its HIPAA compliance program. Like a number of prior OCR investigations, this one was opened when ACMHS, a nonprofit organization providing behavioral health care services, informed OCR of a breach of unsecured electronic protected health information affecting 2,743 individuals. The breach resulted from malware compromising the security of its information technology resources. According to OCR, ACMHS had adopted sample policies and procedures, but was not following them. In addition, OCR alleged that ACMHS failed to identify and address basic risks, such as not regularly installing updates and security patches for its software. Again, as with financial institutions, healthcare providers and health plans are not the only entities under OCR’s scrutiny. Under HIPAA, and as clarified by HITECH, the privacy and security obligations extend downstream to business associates and subcontractors, and possibly others. If your business is in the healthcare industry, there is a likelihood you will be affected by these requirements.

In addition to continued enforcement, OCR also is preparing to commence Phase 2 of its audit program. OCR representatives have been reported as stating unofficially that OCR hopes to start Phase 2 by the end of 2014, or the beginning of 2015. Those audits are expected to focus on (i) risk analysis and risk management, a fundamental requirement under the HIPAA Security Rule, (ii) breach notification compliance, and (iii) compliance with notice of privacy practices requirements. The audits are expected to reach both covered entities and business associates.

States enhancing breach notification laws and enforcement. During 2014, a number of states enhanced their existing breach notification laws (e.g., CA and FL) and Kentucky became the 47th state to enact such a law. Other states, such as Oregon, have announced a desire to enhance their own laws. Additionally, states like Massachusetts continue to announce fines for companies violating that state’s data security mandates.

Cyber insurance offerings to small business grow. In July 2014, CNBC explained “Why cyber-insurance will be the next big thing.” But it also is worth noting that during 2014 a number of carriers and syndicates announced cyber products with a focus on small and mid-sized businesses. One example is an announcement that former Pennsylvania Governor and the first U.S. Secretary of Homeland Security, Tom Ridge, formed Ridge Insurance Solutions Company, which seeks to close “a dangerous cyber insurance gap… particularly [for] small- and mid-cap firms”. Also, in November, Nationwide announced that it will be joining with Hartford Steam Boiler “to offer cyber insurance coverage for small business owners.” The insurance market’s movement in this direction is one indicator of higher data risks for businesses beyond large organizations in the financial services industry and retail.


These are just a few of the signs in 2014 that point to more regulatory and enforcement activity ahead in 2015. Businesses large and small need to focus on their data privacy and security practices, which starts with assessing their risks across their organizations.

We reported earlier that the National Labor Relations Board had been considering changing its previous position that  “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.”  The NLRB’s position in this regard was established in 2007, under the NLRB’s ruling in Register Guard.  Today, in Purple Communications Inc. and Communications Workers of America, AFL-CIO, the NLRB overruled the Register Guard decision as “clearly incorrect” and held that employees have a right to use their employers’ email systems for nonbusiness purposes, including communicating about union organizing.  Specifically, the NLRB held “employee use of email for statutorily protected communications on nonworking time must presumptively be permitted by employers who have chosen to give employees access to their email systems.  [The NLRB] therefore overrule[s] the Board’s divided 2007 decision in Register Guard to the extent it holds that employees can have no statutory right to use their employer’s email systems for Section 7 purposes.” It is important to remember that this ruling applies to employers whether or not they have union employees.

At issue in Purple Communications and Communications Workers of America, AFL-CIO, was the right of employees under Section 7 of the National Labor Relations Act to effectively communicate with one another at work regarding self-organization and other terms and conditions of employment.  In deciding the case, the NLRB said the workplace is “uniquely appropriate” and “the natural gathering place” for such communications, and the use of email as a common form of workplace communication has expanded dramatically in recent years.

The NLRB was careful to limit its holding as follows:

  • Only applies to employees who have already been granted access to the employer’s email system in the course of their work and does not require an employer to provide such access;
  • An employer may justify a total ban on nonwork use of email by demonstrating that special circumstances make the ban necessary to maintain production or discipline;
  • Absent justification for a total ban, the employer may apply uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline;
  • The ruling does not address email access by nonemployees;
  • The ruling does not address any other type of electronic communications systems.

Our Labor Group plans a more thorough analysis of the NLRA issues, as employers must now take certain steps or risk potential Board action.

In light of this decision, employers must reexamine their existing electronic communication, bring your own device (BYOD), and social media policies which may have been adopted post 2007.  This is especially true if any of those policies do not permit, or prohibit, an employee’s use of company-provided communication systems for nonwork-related purposes, such as to fulfill certain union-related purposes or other “protected concerted activities” under Section 7 of the National Labor Relations Act.  Similarly, employers will now need to exercise caution in monitoring company email and what actions are taken in connection with employee use of the company’s email systems.