By Sheila Millar and Tracy Marshall

This week, the U.S. House of Representatives passed two cybersecurity information sharing bills that gained qualified support from the Obama Administration. Together, the bills (the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA)) would authorize companies to share cyber threat indicators and defensive measures with each other and with the government, and would limit their liability in connection with such sharing if certain privacy protections are implemented. The Senate is already considering a similar bill, the Cybersecurity Information Sharing Act (CISA), and the President's support for cyber threat information sharing measures may be key to passage there. To read a more detailed summary, click here.

By Sheila Millar

The Paris-based International Chamber of Commerce (ICC) today released a new guide to help companies manage their cybersecurity, including how to address cyberthreats and how to prevent cybercrime. The ICC Cyber security guide for business, prepared by the ICC’s Commission on the Digital Economy, was written to help companies address the new types of risks that have to be managed in an environment where new technologies and communications methods are rolled out constantly. The guide acknowledges the strong benefits that accrue to businesses through new technologies, including increased reach to new customers and newly available efficiencies, and aims to help businesses of all sizes – small, mid-sized, and large – grasp and handle the challenges. Connecting more people and more devices creates risks by opening a variety of vulnerabilities that must be addressed to secure individuals’ and organizations’ systems and communications.

There's no turning back on cyber-connectedness; there are too many benefits for businesses, their employees, and their customers. There's also no doubting the attendant risks and dangers, and legal and business authorities (including insurers) are increasingly pushing businesses to take an active, rigorous, and thorough approach to managing those risks. The benefits of such an approach include not only security but potentially increased profits. The costs of failing to do so, on the other hand, are hard to overstate.

By Sheila Millar and Tracy Marshall

The Federal Communications Commission (FCC) announced today that AT&T Services, Inc., will pay $25 million to resolve an investigation into whether the company violated Sections 201(b) and 222 of the Communications Act relating to consumer privacy at AT&T call centers in Mexico, Colombia, and the Philippines. According to the FCC’s order and consent decree, call center employees gained unauthorized access to customer names, full or partial Social Security numbers, and account-related information (known as “customer proprietary network information” or “CPNI”), and shared it with third parties who trafficked in stolen mobile phones or secondary market phones so that they could unlock the phones.

FCC Chairman Tom Wheeler said that the FCC, “[a]s the nation’s expert agency on communications networks, … cannot – and will not – stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands” of Americans. Nearly 280,000 customer accounts were reportedly affected.

This is the FCC’s second (and largest) enforcement action relating to data security, and the agency’s fifth major enforcement action in the last year relating to privacy and data security. As part of the settlement, in addition to paying a $25 million civil penalty, AT&T agreed to enhance its privacy and security practices, by (among other things) performing a risk assessment, adopting a written information security program, developing a compliance manual for employees and vendors, implementing a training program, and filing periodic compliance reports with the FCC.

This settlement is a reminder of the broad set of actors who are using their authority to police data breaches. Although the most prominent enforcers are the Federal Trade Commission (FTC) and a few select state attorneys general (Kamala Harris in California and Eric Schneiderman in New York, for example), others are getting in the game. In fact, the Chief of the FCC's Enforcement Bureau was previously Special Assistant Attorney General of California and a senior advisor to California A.G. Harris, suggesting that the FCC will continue to aggressively enforce privacy and data security violations. This settlement is also a reminder that U.S. data security obligations can extend outside U.S. borders to wherever a company handles information. Robust written procedures, including good hiring practices and training, together with a sound data security program and breach response plan, are necessary to ensure that your customer and employee data is appropriately protected, wherever you process and store it.

By Sheila Millar and Evangelia C. Pelonis

Selling to consumers is generally a beneficial enterprise for all involved, but occasionally businesses will need to recall products, for myriad reasons. When that happens, different sets of rules apply depending on the type of product involved. If your product falls under the U.S. Consumer Product Safety Commission's (CPSC) jurisdiction, one set of rules applies. A different set of rules applies to recalls involving Food and Drug Administration (FDA) regulated food products. Below is a simple guide to the key elements and differences of the recall process in each of these regimes.

Recall process compared: CPSC (consumer products) vs. FDA (food products)

Trigger

CPSC: When a product fails to comply with the law, including a specific consumer product safety rule; when you learn that a product has a defect that creates a substantial risk of injury to the public; or when you obtain information that your product creates an unreasonable risk of serious injury or death.
FDA: When the food product or its label/labeling violates FDA law, for example because the product is adulterated (e.g., it contains a foodborne pathogen such as Salmonella) or misbranded (e.g., it contains an undeclared allergen).

Investigation period

CPSC: You are permitted to investigate for up to 10 working days if you think you may have one of the triggers above, but if you know you have a reportable event, you have to report at that point.
FDA: FDA does not establish a finite period of time in which one must conduct an investigation and reach a determination. That said, if the public health is at risk it is the manufacturer's/distributor's responsibility to act as quickly as possible.

When you have to contact the agency

CPSC: When you "obtain information" of a potential substantial product hazard (one of the triggers above), you must report "immediately," although the investigation period may apply.
FDA: Reporting to FDA is only required when you have reached a determination that you have a "Class I" recall: a reasonable probability that the article of food is adulterated or misbranded and that use of or exposure to such article will cause serious adverse health consequences or death to humans or animals.

When you can recall products

CPSC: Technically, you can recall products at any time, but silent recalls (recalls without publicizing them) are discouraged, and the reporting obligation always applies. Responsible businesses typically work with the CPSC. Often, a report will be filed first, then the CPSC will determine whether an issue violates the law, creates an unreasonable risk of injury or death, or constitutes a substantial product hazard. If the issue warrants a recall, you will be asked to submit a corrective action plan, which would include items such as a draft joint press release and a recall-and-repair, recall-and-replace, or recall-and-refund plan.
FDA: Manufacturers and/or distributors may voluntarily initiate a recall at any time to fulfill their responsibility to protect the public health. Recalls may also be initiated after notification of a problem from FDA or a state agency, in response to a formal request by FDA, or as ordered by FDA (only in Class I recall situations).

Potential penalties

CPSC: Civil penalties for violation of the CPSC's laws and regulations can be assessed at up to $100,000 for each violation, and up to $15,150,000 for a related series of violations.
FDA: Failure to comply with a mandatory FDA recall order, which FDA can only issue in Class I recall situations, can result in civil penalties of up to $50,000 for an individual and $250,000 for any other entity, capped at $500,000 for all violations adjudicated in a single proceeding, plus all costs associated with the recall. There are no statutory violations or penalties per se for not conducting a "voluntary" recall (whether Class I, II, or III). FDA has also been known to issue press releases if a company fails to recall product the Agency otherwise believes should be recalled.

Companies that are more familiar with the FDA’s sphere or the CPSC’s sphere may think that the processes translate easily, but that is not always the case, as shown by the chart above. Indeed, the chart is a primer on the key differences: more complicated product issues (whether food or consumer) will often trigger more complicated processes.

By Sheila Millar

For everyone concerned about the expanding burden of green chemistry reporting, here's something that will really make your hair (and your bankbook) stand on end: Vermont is proposing to implement the green chemistry law adopted last year by mandating SKU-level reporting. Yes, you read that correctly. (Read the proposed rule here.) The impact is potentially enormous. While Vermont's green chemistry law (Act 188) was adopted with a promise to "harmonize" with other state laws, Vermont's Department of Health is proposing to go beyond Washington State's requirements, and those of every other jurisdiction. Without clearly identifying thresholds for reporting or allowing an exemption where a manufacturing control program is in place. Without the phase-in approach to reporting adopted in Washington. Without accommodating trade secrets. At $200 per report.

Businesses, large and small, making children’s products that are affected by this proposal should make their views known to the state.  Comments are due this Friday, and can be sent via e-mail to AHS.VDHRules@state.vt.us (more details here).

By Sheila Millar

A California appeals court has affirmed a trial court ruling that averaging exposure to reproductive toxicants over a relevant “window of susceptibility” time period specific to the chemical, and across product lots, was appropriate in a Proposition 65 case involving lead in baby and toddler foods.  Environmental Law Foundation v. Beech-Nut Corp., (A129831, Alameda County Super. Ct. No. RG11597384, March 17, 2015).  The plaintiffs have long contended that exceeding the maximum allowable dose level (MADL) on any day would trigger Proposition 65’s warning requirements.  The ruling is a clear victory not only for food manufacturers and retailers, but for all industry members facing similar Proposition 65 challenges based on a single exposure theory.  That theory, of course, is affecting current debates about food safety, consumer product safety, chemical regulation, and green chemistry.  This decision reflects a principle that we have long advocated: regulatory decisions must be grounded on sound scientific principles.

By Sheila Millar

The flow of data over the Internet creates privacy concerns in strange situations. For instance, when Pandora, the music streaming service, integrated its subscribers’ profile pages with their Facebook accounts, Pandora apparently made music preferences and listening choices available to the subscribers’ friends. The result was a suit alleging a violation of a Michigan statute that forbids the disclosure of personal information related to the renting or borrowing of movies and sound recordings.[1] Ultimately, the lawsuit was thrown out because the judge found that the technology employed by Pandora did not put its business within the scope of the Michigan law. Similar suits have been brought against other purveyors of streamed content.

One case that resulted in a financial settlement in favor of plaintiffs was against Netflix.[2] In the Netflix litigation, plaintiffs alleged, among other claims, violations of the federal Video Privacy Protection Act (VPPA). The VPPA was passed after a newspaper published the video rental records of Supreme Court nominee Robert Bork during his confirmation hearings. The complaint charged that Netflix unlawfully retained and disclosed personally identifiable information and rental history of former members. Netflix's practice allegedly violated the VPPA because Netflix failed to destroy personally identifiable information as soon as practicable and disclosed the information for marketing and advertising purposes without members' informed, written consent or an opportunity to prohibit such disclosures. Netflix settled the claims by agreeing to decouple identification data from the rental histories of former members and to pay $9 million into a common settlement fund.

A second case, against Hulu, has been before the court for 3½ years over the issue of whether disclosure to Facebook violated the VPPA. Other cases brought under the VPPA related to disclosure to metrics companies have been dismissed.

The trend of increasing privacy lawsuits (see our December post on the subject here) indicates that plaintiffs' lawyers are scrutinizing company practices regarding consumer information and the disclosure of that information in all its forms, using whatever legislative avenues are arguably available. Companies should pay close attention to the ways in which they collect and disseminate personal information and ensure that their data retention policies meet the requirements imposed by federal and state law.

[1] Deacon v. Pandora Media, Inc., 901 F. Supp. 2d 1166 (N.D. Cal. 2012).

[2] In re Netflix Privacy Litig., No. 5:11-cv-00379, (N.D. Cal. filed Sept. 12, 2011).

By Sheila Millar

Technology is advancing fast, but would you use an app to figure out if you had cancer? According to the Federal Trade Commission (FTC), that's just what two app developers were recommending, but the FTC said they lacked the evidence to back up their claims. The FTC entered into consent agreements with two companies, the developers of MelApp and Mole Detective, over claims that their apps could detect melanoma (press release here, blog post here). The settlements are a reminder not only of the FTC's interest in health claims, app advertising, and privacy, but also of the FTC's view on when the likely perception of a claim is so clear that extrinsic evidence isn't necessary.

Among the developers' claims were that the apps used "patent protected state-of-the-art mathematical algorithms and image-based pattern recognition technology to analyze the uploaded image [of a skin lesion]" to "provide a risk analysis of the uploaded picture being a melanoma" and "assist[] in the early detection of melanoma." The settlements prohibit the developers from making any false melanoma detection claims, including representations without scientific substantiation that the apps detect or diagnose melanoma or risk factors of melanoma, or increase users' chances of detecting melanoma in its early stages. Under the orders, competent and reliable scientific evidence must consist of blinded human clinical testing of the device that includes a range of lesions and is conducted by researchers qualified by training and experience to conduct such testing.

Republican Commissioner Maureen Ohlhausen dissented, suggesting that while she agrees with the basic principles requiring substantiation, the Commission was imposing an unduly stringent substantiation burden on a relatively safe product. She opined that the Commission should have obtained extrinsic evidence on the question of whether consumers thought the apps would match a dermatologist's accuracy. In her view, so long as app developers convey the limitations of their products, there is no need to unduly restrict their ability to make claims.

The majority, on the other hand, felt that the app claims clearly conveyed to users that the app was just as good as going to the doctor.

As we have said previously in this blog, when it comes to evaluating advertising claims, it’s all about consumer perception. At least in this case, four out of five Commissioners agreed that they were capable of determining what consumers would take away from the ads without the need for extrinsic evidence.

By Sheila Millar

For the consumer products industry, there is little question that state green chemistry laws are becoming increasingly complex and challenging. Laws are in place from California to Maine, and proposals are bubbling up around the country. States as diverse as Connecticut, New York, Florida, Oregon, and even Mississippi are considering their own green chemistry laws. Although it's doubtful that all of these laws will pass, some will, and with them the landscape of chemical compliance will become more complicated and costly. Barring TSCA reform (never a sure thing, though this year it seems more possible than ever) or other federal action, companies need to carefully thread their way through the various requirements. To get an overview of the state of the states when it comes to green chemistry laws and chemical limits, see this Keller and Heckman LLP client alert here.

By Sheila Millar and Jean-Cyril Walker

The Federal Trade Commission (FTC) is proposing updates to its labeling and packaging requirements under the Fair Packaging and Labeling Act (FPLA), including deleting specific requirements for commodities advertised using terms such as "introductory offer," "cents off," and "economy size." The proposed changes would also modernize the place-of-business requirements, allowing businesses to omit street addresses from labels if the address is available online or in any other "readily accessible, widely published, and publicly available resource." The new rule would also incorporate a comprehensive metric chart from the National Institute of Standards and Technology's (NIST) Handbook 130. The interplay of FPLA requirements with state laws, however, should not be ignored.

The FPLA was enacted in 1967 to help consumers evaluate and compare the value of competing products, and to prevent certain unfair and deceptive packaging and advertising practices. To achieve this goal, the Act requires that certain household goods, or "consumer commodities," be labeled with the common name or identity of the product, the net quantity of contents, and the name and address of the product's manufacturer, packer, or distributor. In March 2014, the FTC sought public input on the Act to ensure that it maintains its relevance, which led to this proposal. Importantly, not all products are "consumer commodities" under the FPLA. The Act covers expendable products that are consumed by individuals, used for personal care, or used for household services, such as adhesives or light bulbs, but does not cover non-expendable products such as appliances or toys.

Note that even if a product does not qualify as a consumer commodity under the FPLA, its package labeling may be subject to similar labeling requirements under state weights and measures statutes. Most states have enacted some version of the Uniform Weights and Measures Law and the Uniform Packaging and Labeling Regulation set out in NIST Handbook 130 (Uniform Laws and Regulations in the Areas of Legal Metrology and Engine Fuel Quality) and Handbook 133 (Checking the Net Contents of Packaged Goods). The FTC's FPLA modernization effort is welcome, but these other requirements must also be kept in mind when developing product labels.