Consumer Protection Connection

What’s Happening at the CPSC

Posted in Product Safety

Acting Consumer Product Safety Commission (CPSC) Chair Ann-Marie Buerkle recently released an update regarding CPSC’s current projects, some of which involve stakeholder participation.

Mid-Year Adjustments

The Commission has approved its FY 2017 Mid-Year Review and Proposed Operations Plan Adjustments. Top priority has been given to a project aimed at improving the safety of lithium-ion batteries. In addition, the Regulatory Robot project, which provides information to the regulated community about CPSC regulations, will be updated and improved. The CPSC’s e-filing study – which aims to discover the value of different types of information for assisting the Office of Import Surveillance in targeting products and shipments at import – is also moving forward.

CPSC will also be holding a public hearing on its priorities for Fiscal Year 2018 and Fiscal Year 2019. The hearing will begin at 10 a.m. on Wednesday, July 26, 2017.

Help for CPSC on Reducing Regulatory Burdens

The CPSC put out a request for information on ways to reduce burdens and costs of existing rules, regulations, or practices. CPSC is interested in hearing any and all ideas, big or small, that might help ease regulatory burdens, including comments on third party testing, eliminating or updating a rule, changing a practice, and providing guidance.

Comments on how to reduce regulatory burdens may be submitted electronically here. The deadline is September 30, 2017.

Recall Effectiveness Workshop

On Tuesday, July 25, CPSC will hold a workshop to explore and develop proactive measures that CPSC and stakeholders can take to improve recall effectiveness. The workshop will be held in the Hearing Room at CPSC’s headquarters in Bethesda, MD from 9 a.m. to 3 p.m.

Register to attend here.

11 States Sue Department of Energy over Inaction on Efficiency Standards

Posted in Uncategorized

Eleven states, led by New York Attorney General Eric Schneiderman and California Attorney General Xavier Becerra, together with the city of New York, a Pennsylvania regulator, and three nonprofit groups, have jointly filed suit in federal court against the Department of Energy (DOE). The lawsuit seeks to compel implementation of new and updated energy efficiency standards for air compressors, commercial boilers, portable air conditioners, power supplies, and walk-in coolers and freezers.

The rules subject to the lawsuit were finalized in 2016. The coalition argues that federal law required the rules to go into effect in March 2017, after the mandatory 45-day error correction review had passed. But in late January, the White House directed agency heads to impose a freeze on new regulations until they had an opportunity to review them, and newly appointed DOE Secretary Rick Perry left the status of the rules in limbo.

According to estimates, the new energy efficiency standards would collectively save U.S. consumers between $11 billion and $12 billion on electricity bills annually, and would reduce greenhouse gas emissions by more than 159 million tons over 30 years.

In the new environment where the federal government is taking an increasingly deregulatory stance, states, municipalities, and NGOs may become increasingly willing to take legal action to compel rulemaking. In April, the same coalition (less Maryland) brought suit in New York circuit court to compel the DOE to implement ceiling fan efficiency standards, but the DOE relented before the case was heard. DOE confirmed the ceiling fan regulations will go into effect in September 2017.

CPSC Issues Safety Warning for LayZBoard Hoverboards

Posted in Product Safety

It is no secret that hoverboards – two-wheeled, battery-powered, self-balancing scooters – have proved enormously popular with kids and teenagers. But allegations regarding defective battery packs have triggered recalls. The latest hoverboard incident was associated with a fatal fire in Harrisburg, Pennsylvania last March.

The U.S. Consumer Product Safety Commission (CPSC) started an investigation into the Harrisburg incident after fire officials blamed the accident on a charging hoverboard. Now, the CPSC has asked consumers to immediately stop using the brand of hoverboard used, LayZ Board. The CPSC made clear that the warning does not apply to Lazyboard scooters, which are a separate brand made by a different manufacturer.

Some 3,000 LayZ Board hoverboards have been imported into the U.S. Among the incidents the CPSC investigated were reports of burns and property damage across 20 states, allegedly causing in excess of $2 million in property damage. In September 2016, the CPSC recalled 501,000 hoverboards from eight manufacturers after documenting 99 incidents stemming from the scooters’ lithium-ion battery packs overheating and, in some instances, catching fire or exploding. Since then, the CPSC added another 500 scooters from a ninth manufacturer to the recall.

Lithium-ion batteries offer manufacturers the ability to design and produce devices that can run for long periods of time without recharging. But, after a series of high-profile accidents, the dangers posed by cheaper makes of the batteries have been widely publicized. In June 2016, CPSC’s then-Chair Elliot Kaye stated: “Unless the manufacturer can show that the device has been certified as safe by Underwriters Laboratories (UL), it should be considered ‘a fire hazard waiting to happen.’” He urged consumers to return any non-certified hoverboard to the manufacturer for a refund.

The first hoverboard certification was granted by UL in May 2016, meaning that earlier models would have been manufactured before the UL hoverboard standards were in place. That does not automatically mean that earlier models are unsafe if the manufacturer used a high degree of due diligence when choosing batteries for use in its products, but it is likely that manufacturers will have to demonstrate that level of diligence if investigated. It is unlikely that retailers will now accept new models of hoverboards that are not certified.

It is worth noting that while the CPSC has issued a warning notice about LayZ Board rather than a recall, the Commission can still initiate a recall down the road.

Kawasaki Settles with CPSC for $5.2 Million for Alleged Failure to Report Defects

Posted in Product Safety

Kawasaki Heavy Industries, Ltd., of Japan; Kawasaki Motors Corp., U.S.A., of Foothill Ranch, California; and Kawasaki Motors Manufacturing Corp., U.S.A., of Lincoln, Nebraska, agreed to pay a $5.2 million civil penalty over allegations that Kawasaki failed to report floorboards cracking during normal operation of various Teryx4 recreational off-highway vehicles (ROVs) during two separate periods, which the CPSC alleged amounted to defects that could create substantial product hazards.

  • April 2012–July 2014: Kawasaki allegedly received over 400 reports of certain models’ floorboards cracking or breaking during normal operation due to debris impacts/penetration. Three incidents resulted in injuries to consumers, including one serious injury.
  • July 2013–August 2015: Kawasaki allegedly received over 150 reports of certain models’ floorboards cracking or breaking during normal operation, with three of these incidents resulting in consumer injuries, including two serious injuries.

Federal law requires that manufacturers, distributors, and retailers report potential product safety hazards to the CPSC within 24 hours of discovering evidence of a problem. Despite having received numerous reports of incidents caused by problems with the floorboards of thousands of recreational off-highway vehicles (ROVs), Kawasaki allegedly detailed only one incident and an unspecified number of injuries, which the Commission believed amounted to a material misrepresentation of the extent of the problem. The CPSC asserted that the company impeded the CPSC’s investigation and hampered the agency’s ability to accurately communicate the prevalence of the hazard to the public, creating an unreasonable safety risk.

The civil penalty relates to a recall initially announced in 2014 and subsequently expanded in 2015.

In addition to paying a civil penalty, the company also agreed to maintain a program to ensure compliance with CPSC-administered laws, and also to maintain a related system of internal controls and procedures to assure that it adheres to reporting obligations.

Making determinations about substantial product hazards for purposes of reporting to CPSC necessarily involves subjective judgments. It can be difficult to sort through complex facts and information. The CPSC, however, continues to urge companies to report promptly and fully, and this civil penalty settlement follows several multimillion dollar agreements in recent years.

The settlement was provisionally approved by the CPSC by a 4-to-1 vote, with the three Democrats and one Republican voting to approve the settlement, and Acting Chairman Ann Marie Buerkle voting to reject the provisional settlement. While it is possible that ultimately a change in the makeup of the Commission will result in the agency taking a new look at its approach to civil penalties, it remains essential for manufacturers to maintain accurate records of product defects, analyze them carefully, and to do their best to assure that agency communications are accurate.

CPSC Staff Recommends Rejecting Organohalogen Petition

Posted in Product Safety, Regulations

In 2015, a group of non-government organizations (NGOs) filed a petition with the U.S. Consumer Product Safety Commission (CPSC), asking CPSC to categorically ban additive organohalogen flame retardants (OFRs) from the market in the U.S. in many significant consumer product categories. OFRs include a very broad set of diverse chemical compounds added to consumer products to retard the spread of flames, often to comply with regulatory requirements or voluntary safety standards. OFRs have been used in a large variety of consumer and household products available in the U.S. and other countries over the years.

The petitioners sought to prohibit the use of OFRs in children’s products, furniture, mattresses, and electronics casings. They claim that OFRs as a class are toxic, lead to widespread human exposure, and present a serious public health concern. Their claims were challenged by a number of groups, some of whom argued that the individual chemicals within the broad class of “organohalogens” described by petitioners were too distinct to treat as a class. Additionally, opponents asserted that the petition failed to establish that OFRs as a class pose a hazard based on the criteria the Commission must consider under the Federal Hazardous Substances Act (FHSA).

After nearly two years, CPSC staff submitted a 537-page briefing package to the Commission describing staff’s conclusion that insufficient evidence supported the petitioners’ claims. Accordingly, CPSC staff recommended that the Commission reject the petition for lack of evidence, as required under the Federal Hazardous Substances Act (FHSA). Chief among the reasons staff cited were:

  • The data on the hazards of OFR toxicity is insufficient “to conclude that all products defined by the petitioners with OFRs are hazardous substances under the FHSA.” Further, data indicates “that not all chemicals in this class have the same toxicity under the FHSA or the same exposure potential.”
  • The mere presence of OFRs in household dust does not establish a link to the four product categories in the petition.
  • The FHSA requires consideration of the connection between the toxicity of a substance, exposure to that substance through customary and reasonably foreseeable use of a product, and resulting substantial personal injury or substantial illness associated with the exposure. Given the varying properties of OFRs and lack of a connection between OFR measurements in environmental media and use in products in the petition, the petition does not support a conclusion that products containing any OFR are all hazardous substances under the FHSA.

The recommendations conclude with a statement that staff will continue to monitor flame retardants in children’s products and mattresses, and will work closely with voluntary standard setting organizations as well as with EPA “to coordinate activities on FR chemicals, including OFRs.”

A briefing package of this magnitude not only requires time for Commissioners and their personal staffs to review, but is often decided in an open hearing. Given the summer holidays, it will likely take several months before a decisional meeting is scheduled.

FTC Announces Date for PrivacyCon 2018 and Call for Presentations

Posted in Privacy

The Federal Trade Commission (FTC) has announced that its third annual PrivacyCon will take place in Washington, D.C., on February 28, 2018. The conference will bring together researchers, academics, industry representatives, consumer advocates, and government representatives to explore an array of consumer privacy and data security issues, with a particular focus on emerging technologies, such as the Internet of Things and artificial intelligence.

Acting FTC Chairman Maureen Ohlhausen, in line with other recent public statements, said she wants the conference to draw attention to research on how the economics of privacy are implicated in the larger discussion about privacy:

“Deepening the FTC’s understanding of the economics of privacy and consumer harm in the context of information exposure is integral to the FTC’s enforcement and educational efforts. I have made studying the economics of privacy a centerpiece of my consumer protection agenda, and I hope that PrivacyCon 2018 will highlight important research in this area.”

The call for presentations asks for research into a wide array of issues, including:

  • Privacy and security risks associated with emerging technologies and threats to consumer privacy, such as phishing, business email account takeovers, unpatched software, Internet of Things vulnerabilities, ransomware, distributed denial of service attacks, and identity theft.
  • Quantifying the costs and benefits of privacy from consumer and business perspectives.
  • Incentives for manufacturers and software developers to implement privacy and security by design.
  • Market failures in the area of privacy and data security, and available tools for overcoming or mitigating such failures.
  • What interventions would most appropriately address any consumer injury resulting from market failures (e.g., ex ante regulation vs. ex post enforcement).

Despite the fast pace of technological change, the FTC has announced the upcoming workshop well in advance; the deadline for submissions for PrivacyCon is November 17, 2017.

White House Issues New Cybersecurity Executive Order

Posted in Cybersecurity

On May 11, President Trump issued an Executive Order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which centers on federal networks, critical infrastructure, and the nation’s overall cybersecurity. The order largely expands on cybersecurity recommendations developed during the Obama administration. The order calls for a review of vulnerabilities and preparedness by the Secretary of Homeland Security and the Director of the White House Office of Management and Budget (OMB), who are directed to “jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch.” Key provisions include:

  • Federal agency heads will now be held accountable for cybersecurity in their agencies. They are required to review their computer security measures and submit a risk management report to the Secretary of Homeland Security and the Director of OMB within 90 days.
  • The head of the Department of Homeland Security is responsible for oversight of the cybersecurity measures of companies that DHS has determined are “at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” and must report on the adequacy of the security protocols of such businesses to the President within 6 months.
  • Federal agencies are instructed to implement the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The NIST Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia, and government agencies.

Many analysts are calling the executive order a good first step but note there is considerable work still to be done, including details of how expanded cybersecurity infrastructure will be funded and how the new regime will be implemented.

The recent, destabilizing “Wanna Cry” ransomware attacks made all too apparent how important it is to have a strong cybersecurity regime in place. As predicted, the government is looking to the NIST Cybersecurity Framework as a guide for managing cybersecurity risks for government agencies and critical infrastructure businesses. Whether or not your business is part of a critical infrastructure industry, the Framework can be a useful tool in understanding and managing security risks.

Are Your Security Tools Up to Date?

Posted in Cybersecurity, Data Security, Privacy

The effects of the massive cyberattack using ransomware known as “Wanna Cry” are still being felt all over the world. Tens of thousands of organizations have been infected, including the UK’s National Health Service, which ran some services on an emergency-only basis the day the attack began in earnest. Some security experts surmise that the malware is spread by a worm component that, once activated, travels automatically between computers. Businesses with numerous partners and suppliers that connect to their networks were especially at risk. If and when Wanna Cry is contained, the attack will fade from the public’s view, but legal repercussions may follow for affected users.

Wanna Cry, also known as “Wanna Decryptor,” is a hacking tool thought to have been developed by the U.S. National Security Agency (NSA). Wanna Cry exploits a vulnerability in Windows operating systems that allows the ransomware to spread automatically across multiple networks. The attack is the first instance of self-spreading ransomware that cannot be stopped once it infects a network.

Microsoft issued a patch on March 14, 2017, to fix the hole in Windows. However, many organizations failed to apply the patch and found themselves susceptible to Wanna Cry over the last couple of weeks. Indeed, in some regions, a large proportion of affected users were running pirated copies of Windows. Unusually, Microsoft has even released patches for such systems.

The damage caused by the Wanna Cry attack was both predictable and possibly preventable. In April 2017, a group calling themselves the Shadow Brokers released onto the web what they claimed were NSA-developed hacking tools (report here). Many security experts predicted it was only a matter of time before the Shadow Brokers’ tools were exploited on a large scale.

There are several lessons apparent at the outset:

First, organizations and individuals should update their systems frequently. Organizations both large and small sometimes wait before applying security patches issued by major software providers. Reasons may include other priority IT initiatives, concerns about the compatibility of specialized or legacy software, a lack of understanding of the seriousness of the vulnerability that the patch is intended to address, or simply staffing limits. The Wanna Cry attack, however, illustrates the importance of implementing patches and updates promptly to avoid falling prey to an attack that takes advantage of the unpatched vulnerability. Businesses should also bear in mind that failure to keep systems updated can result not only in disruption of business, but also in the potential theft of confidential company, client, and employee information, and could lead to lawsuits or regulatory enforcement actions alleging a lack of due diligence. While no protection or patch can be foolproof, systematic application of updates is a key security imperative in an increasingly integrated world.

Backing up crucial files on a separate server is also helpful in case the main network becomes compromised.

All businesses should have a breach response plan in place before an attack occurs, especially in the event of a ransomware attack that paralyzes internal systems and blocks access to data until a ransom is paid. Assessing an organization’s data collection and security practices, assembling a breach response team, and identifying legal obligations, law enforcement contacts, and forensics experts before an event occurs can help ensure an effective and timely response if, despite precautions, a company becomes the target of a data breach or ransomware demand. Regular training for directors, employees, and contractors is also important to raise awareness throughout the organization and mitigate risks. Automating updates and patching through your system can also help.

You don’t want to wait for the next wave of attacks to plan to protect your business, your employees, and your customers.

New Mexico Enacts Data Breach Notification Law; Tennessee Reinstates Encryption Safe Harbor

Posted in Privacy

New Mexico is the 48th state to enact a data breach law. That law, the Data Breach Notification Act (HB15), is scheduled to take effect on June 16, 2017. Alabama and South Dakota are now the only states without a data breach notification law.

The New Mexico law is like other state breach notification laws in that the notification requirement is tied to the unauthorized acquisition of unencrypted computerized data that compromises the security or confidentiality of “personally identifiable information” (PII). As is also customary, PII is defined as an individual’s first name or initial plus last name combined with a social security number, driver’s license number, government-issued identification number, or account number or credit/debit card number plus the security code or password. Unlike many states, however, the law also includes biometric data in the definition of PII. The law also requires that owners and licensees of PII properly dispose of it and implement reasonable security procedures to protect it, and companies must require their service providers to likewise implement and maintain reasonable security procedures appropriate to the nature of the PII.

Companies that experience a reportable breach must notify all affected New Mexico residents within 45 days of discovery of the breach, unless a company determines that the breach does not give rise to a significant risk of identity theft or fraud. If more than 1,000 New Mexico residents are affected, then a company must also notify the Attorney General and the three major consumer reporting agencies within 45 days.

Tennessee recently amended its data breach notification law by reinstating an encryption safe harbor. Tennessee was the first and only state to extend data breach notification obligations to encrypted data as well as unencrypted data, so the recent amendment realigns the Tennessee law with those of other states in that regard.

To view Keller and Heckman LLP’s latest summary of all U.S. state data breach notification laws, available on our website, click here.

FTC Seeks Comments on Proposed Changes to TRUSTe’s COPPA Safe Harbor Program

Posted in Privacy

In a Federal Register notice, the FTC has asked for comments on intended changes to TRUSTe’s existing safe harbor program under the Children’s Online Privacy Protection Act (COPPA). TRUSTe proposed the changes following its settlement earlier this month with the New York Attorney General over allegations that the compliance and security company did not adequately assess whether companies certified under its safe harbor program allowed third party sites to track children.

In its submission of the proposed changes to the FTC, TRUSTe stated its changes would “address regulatory expectations related to: (1) third party tracking technologies and (2) the timing for seal removal for participants who have not completed annual review and remediation by the anniversary of the prior year certification date.” TRUSTe also said that it “is making structural changes to its Children’s Privacy Certification Standards to align them with the TRUSTe Enterprise Privacy Certification Standards since many participants in our COPPA Safe Harbor program also participate in the TRUSTe Enterprise Privacy Program.” In particular, the FTC is seeking input on whether the compliance mechanisms and the incentives for operators’ compliance with the updated safe harbor program are effective.

The comment period ends May 24, 2017.