In the news, yet more breaches of data security and the potential disclosure of personally identifiable, non-public information about you. From Wells Fargo to the Veterans Administration, breaches are becoming almost daily news. In response, more and more states are enacting breach disclosure laws requiring companies to notify consumers if there is an actual or potential breach of security compromising (or potentially compromising) your information. Even Congress is getting into the act of considering legislation at the national level. Although not all the definitions are uniform, nor are the requirements identical, most have common themes—but to understand what they are, how they affect you and what obligations you may have, you have to contact me, or you can simply wait for the next issue of Legal Bytes—stay tuned.
Although many people think the Trojan Horse story comes from Homer, the Iliad ends before Odysseus comes up with the famous deception and the Odyssey occurs after Troy has fallen. It is Virgil, the most famous poet of Ancient Rome, who wrote the Aeneid that actually fills the gap. In Book II, the priest Laocoon warns the Trojans not to accept a giant wooden horse placed outside the walls and gates of Troy: “Quidquid id est, timeo Danaos et dona ferentes”—which translates into “Whatever it is, I fear Dardanians [Greeks] even when they bring gifts.” While we have come to think of a “Trojan” Horse as a form of malicious code—a computer virus wrapped in a friendly cocoon—the “Trojan” Horse wasn’t really Trojan at all: it was a Greek horse figure filled with Greek fighters who deceived and overpowered the drunken Trojans who thought it was a gift. The English expression “beware of Greeks bearing gifts” is derived from Virgil’s Aeneid.
Deception is also at the heart of legislation regulating gift cards, gift certificates, e-cards, gift codes and similar instruments—we’ll call them all gift cards in this article. Essentially plastic or electronic prepaid or stored value cards, they can be purchased or obtained by one person, freely transferred or gifted to another, used in promotions, or used by the original purchaser. Years ago, prepaid phone cards adorned the walls of gas stations and retail outlets. Today, newsstands, retail stores and the Internet are filled with them—adorning walls, displays, check-out counters, e-greeting card websites and online digital music services.
Gift cards owe their origins to pieces of paper issued by merchants allowing one person to pre-purchase value that can be given to someone else as a gift and which they can then use at an establishment to purchase goods or services available from that merchant. When you engage in a transaction with a merchant at the point of sale, you are presumed to know (or you should be able to know) the terms and conditions that apply. While there are legal exceptions, a posted sign that says “no refunds, no exchanges—store credit only” is part of the bargain you make when buying from that retailer. But what about a gift? If I hand you a gift card, how will you know what restrictions or limitations apply…the Trojan Horse!
Not limited by geography, gift cards can be used virtually (pardon the pun) anywhere. Chain store near you? Buy a gift card for your nephew across the street or across the country. Know a teenager who loves rock and roll, but prefer not to send a check for $100 and hope they head for the CD rack? Send a gift card that enables downloads, CD or subscription purchases online.
For failing to preserve records, Morgan Stanley is paying $15 million to the SEC and a number of other regulators under an agreement reached with the SEC’s Division of Enforcement. Any such settlement requires approval of the Commission, however, and Morgan Stanley is still in settlement discussions with the NASD. If you recall, last year Morgan Stanley ended up paying $1.57 billion resulting from a lawsuit in which much of the attention was devoted not merely to its inability to produce documents, but also to the judge’s conclusion that Morgan Stanley’s conduct was knowing, in bad faith and deliberate.
The current $15 million fine, the highest ever imposed for a firm’s inability to retain and produce records, may have been the result of the SEC’s belief that a previously reached agreement relating to document retention was not being complied with.
Pennsylvania is among the most recent to enact an “information security breach notification” statute bringing the total to well over 30 in one form or another in just the past few years. In case you are keeping score, Pennsylvania’s law goes into effect in June of this year, while Montana and Rhode Island have breach notification statutes which become effective March 1. And you thought legislatures move at a snail’s pace!
Most state statutes relating to breach notifications apply to entities that conduct business in the state, have databases or information in the state, and/or have customers who reside in the state, but the Pennsylvania law also covers anyone that “destroys” records. As a general rule, “breach of security” is defined to mean any unauthorized access to personal information, and some state laws only cover “unencrypted” personal information—but not all state laws are consistent in their definitions and what constitutes covered information is defined in each statute. If you want to generalize, name, address, email and other similar non-public personally identifiable information, driver’s license, credit or financial account information, date of birth, and the like are almost always included within the definition.
When it comes to notification, in addition to the protected consumers involved, some states require notification to law enforcement, others require notification to the consumer reporting agencies, and some require all of these. Although states may differ slightly, one can learn some general themes from the common denominators that we see in most of them. First, on or about the time that notice is given, the integrity and confidentiality of the network, database or system whose security has been compromised, should be restored. As a general rule, the notice should be able to identify (or you should know) the cause and extent of the breach that has occurred and should include an indication of the steps that have been taken to prevent a repetition and the continuation of the breach that has been identified. In virtually all states, government officials (e.g., the Attorney General, federal and state law enforcement agencies) can defer or suspend the notification obligation if an investigation would be impaired by disclosing the information normally required in a notice.
Even the form of notice is specifically spelled out in most statutes. All of them provide for notice in writing, but also permit electronic communications if the consumer has elected to receive messages electronically, and some allow notice by phone. In addition, many states have enacted substitute notification rules that are triggered when the number of affected consumers or the cost of sending notifications exceeds a certain threshold, or when there is not enough information to send mail or an electronic message. That said, the substitute notification rules are often significantly more public and generally require email notification, posting on your website and notice to all major media (news, television, radio). In fact, at least one state requires that the cumulative total readership, viewing or listening audience be equal to or greater than a specified percentage of the total population of the state.
While we hope it never happens to you, simply reading the newspaper after ChoicePoint’s announcement on February 15, 2005, and a chronology of only those incidents that have been publicly reported, is frightening indeed. An ounce of prevention…well, you know the rest.
In November 2005, Legal Bytes told you how branded entertainment and product placement were among the forces shaking up the world of advertising and marketing. We add to these forces even more creative innovations that are challenging the advertising and marketing world, as well as the legal and regulatory experts. “Buzz” or “viral” marketing is word-of-mouth advertising that promotes a product without disclosing any direct connection between the advertiser and the message. If you are a marketing professional, of course you want to identify people who will be interested in a particular message, and deliver the message in a way that makes it enjoyable and encourages them to share it with more people—you remember the hair color commercial on TV that ends with something like “she tells two friends and they tell two more friends and so on and so on….”
Now clearly, if an individual makes deceptive or misleading statements that weren’t induced, authorized or controlled by the advertiser, it’s hard to hold that advertiser responsible. But now advertisers are paying buzz “agents” to relay messages and encourage further word-of-mouth advertising. Thus, if the advertiser pays, it is hard to argue the advertiser is not liable for the truthfulness of authorized statements. But what happens if the buzzer’s unscripted message (i.e., their own message in their own words) is deceptive? Are their words similar to testimonials, regulated by the Federal Trade Commission, or a form of social spam, requiring disclosure like that mandated in the CAN-SPAM Act? False testimonials have been the subject of state and federal actions for years. In some cases, actors in commercials looked so real that some Attorneys General required them to superimpose the word “dramatization” as a disclaimer on the TV screen. Years ago, a motion picture studio had billboards and commercials praising its movies. Unfortunately, the quotes and the purported journalist were invented by marketing staff at the studio.
These cases clearly establish that an advertiser is responsible for deceptive or misleading net impressions created by its advertising. Similarly, the FTC’s Guides Concerning Use of Endorsements and Testimonials in Advertising provides that, “When there exists a connection between the endorser and the seller of the advertised product which might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience) such connection must be fully disclosed.” There is no reason to believe these same standards do not apply to buzz marketing.
If an otherwise ordinary consumer becomes a buzz agent and is paid or given free products or other consideration in exchange for creating “buzz,” appropriate disclosure is likely to be required. Keep in mind that to prevail in an action alleging a violation, the FTC must still show the activity was deceptive or misleading under Section 5 of the FTC Act—recall from November’s issue that whether advertising is actionable under Section 5 of the FTC Act depends on whether there is a representation or omission likely to mislead the consumer, viewed from the perspective of a reasonable consumer in the situation involved, and the representation or omission must be “material.” As noted in that issue, “if the consumer knew or was told the truth, is it likely to affect a consumer’s behavior in connection with the product.”
The FTC has proposed rules under the CAN-SPAM Act, in which an advertiser is not subject to the Act’s technical requirements if the “send this to a friend” forwarding or sending feature on the website or in the e-mail is not “procured” by the advertiser. In other words, the advertiser hasn’t paid or provided other consideration or induced anyone to initiate the message on behalf of the advertiser—otherwise, the advertiser must comply with all of the CAN-SPAM Act requirements, including disclosing that the message is an advertisement.
While traditional advertising law principles apply, in fact there has been very little actual regulation of viral or buzz marketing. Don’t feel complacent. We should expect the lack of enforcement activity to change reasonably quickly as more advertisers turn to non-traditional avenues to get their message across. New approaches to buzz or viral marketing and, as mentioned in prior issues, product placement, serve only to increase legislative concerns and pressure from consumer advocacy, protection and other groups. As these marketing techniques become more sophisticated and advertisers become more involved in the creative surrounding the medium and the message, the risks increase. Are consumers deceived by information that appears to reflect independent views, when the relayers are actually being compensated for delivering an advertiser’s message? The law appears quite clear that lack of disclosure could violate state and federal law, depending upon the materiality of the statement to a reasonable consumer and corresponding consumer harm.
Psssssst—pass it on.
This past November, the New York Giants and the NFL filed suit against Clear Channel Communications alleging breach of contract, trademark infringement, unfair competition and fraud. Apparently, a number of Clear Channel websites advertised a promotion that would enable listeners to win tickets to Giants’ football games. Both the Giants and the NFL allege that the stations were not authorized to use tickets as prizes in connection with any such promotion, and since the printed text on the back of the tickets specifically indicates tickets may not be used for advertising, promotion or other commercial purposes without the written consent of the NFL and the Giants, they sued. The complaint alleges that these promotions were unauthorized and (because apparently this was not the first time promotions like this were attempted) were a “willful and bad-faith” attempt to trade on the Giants’ and NFL’s famous trademarks and their goodwill. That, the complaint says, is likely to confuse consumers into believing that these promotions were sponsored or endorsed—authorized. The NFL and the Giants are seeking to enjoin the websites (and presumably any other medium) from using these tickets for promotional purposes or using their trademarks at all.
We will let you know as the two-minute warning approaches.
Product placement is an advertising activity which has grown for decades in the motion picture industry, going virtually unnoticed by legislators. When television began aggressively using product placement for advertising, concerns (and regulation) began increasing. Unlike motion pictures, television is legally required to distinguish between advertising and programming.
First, “infomercials” that looked and felt like programming were targeted by regulators, because they believed the infomercials were deceptive. After a number of cases, the industry developed and implemented disclosures to allay fears of regulators at the FCC and the FTC. Enter reality TV. Suddenly programs were using affiliations with sponsors as part of the content or story line, prompting fresh concerns. As cable television, pay-per-view and video-on-demand services, time-shifting and digital recording devices, and fast-forward buttons have become commonplace, advertisers have struggled to capture viewers’ attention with product placement. In 2004, product placement advertising rose to about $4.25 billion.
Why the fuss? Because product placement is advertising, subject to the same laws and regulations that govern commercials. On television, both the FTC and the FCC can regulate advertising, mandate disclosures and determine if something is deceptive or misleading. Where the line between harmless product placement and deceptive practices is drawn is increasingly blurred.
Whether a product placement is deceptive or misleading—sufficient to make it actionable under Section 5 of the FTC Act—depends on whether there is some representation or omission likely to mislead the consumer. The depiction of the product must be viewed from the perspective of a reasonable consumer in the situation and the representation or omission must be “material.” In other words, if the consumer knew or was told the truth, the consumer’s behavior would likely be affected in connection with the product.
The FCC also regulates deceptive product placements: viewers may not realize they are advertisements, hence the FCC requires disclosure. Failure to properly disclose the commercial nature of a product placement could amount to “payola” and would be illegal. Again, where the line is drawn between harmless inclusion of products in programming versus commercialization which misleads consumers is hardly clear.
The FTC and FCC regulations put advertisers between a rock and a hard place. The FCC requires disclosure for a paid placement—which makes the product placement commercial speech. If it is commercial speech, is the placement then also subject to FTC disclosure rules? What if the advertiser has no control over the creative content and no approval over scripts or editing or even the extent of the product placement itself? Under those circumstances, how could the advertiser be responsible for the depiction of its product? The director, producer, actors, even the editorial staff, have ultimate creative control of what shows up on the screen. The advertiser could pay a substantial sum of money to watch its product wind up on the cutting room floor in post-production. Ouch.
In New York’s Westchester County, legislators are proposing a new law to compel commercial businesses (including home offices) that have an open wireless access point to have the “network gateway server” fitted with a firewall to block intrusions. Under the proposed legislation, not only may “public Internet access” not be provided without a gateway server equipped with a firewall, but any business or home office that stores personal information must also install a server with a firewall—even if the wireless connection is encrypted and not open to the public. Publicly available Internet access sites would have to post a sign: “You are accessing a network which has been secured with firewall protection. Since such protection does not guarantee the security of your personal information, use discretion.” Come on.
On January 25 and 26, 2006, the Association of National Advertisers hosts its second annual Advertising Law and Business Affairs Conference in New York City. For information contact Doug Wood. On January 31, Joe Rosenbaum will be speaking about “The New World of Branded Entertainment Transactions” at the New Technologies and New Media in Advertising Law Conference hosted by Law Seminars International. Information can be obtained from Joe.
Want some scary statistics for Halloween? In the first six months of 2005, the average number of “phishing” e-mails went from about 3 million to more than 5½ million, according to Symantec, a distributor and licensor of, among other things, firewall and virus protection software. Phishing, in case you’ve missed the news, is a scam which uses e-mail to spoof legitimate businesses such as banks and airlines, and attempts to entice you to enter personal data which can then be used by criminals. “Update your account” or “Your Security May Have Been Compromised and We Need You to Verify Your Password” are typical messages, often accompanied by logos and names that appear to be all too real.
Symantec also discovered 1,862 new software vulnerabilities over the six-month period—almost all were moderate to high security threats, and 60 percent were in Web-based applications. Symantec also found that the average number of denial-of-service attacks jumped from 119 to 927 a day during the first half of 2005. Why the increase? Personal computers are being overwhelmed with “bots”—programs that penetrate vulnerabilities in personal computer software and allow hackers—online criminals—to remotely control home computers. Not convinced? Monitoring of customers and their networks showed that the number of active bots more than doubled from 4,348 to 10,352 bot computers. The SANS Internet Storm Center, a not-for-profit organization that tracks hacking trends, detects an average of 260,000 bots each day that are out there looking for computers that are vulnerable to attack. No longer limited to “denial of service” attacks, in which junk data is triggered to attack—and ultimately overwhelm—a legitimate website, these bots are now beginning to be used to generate spam and malicious code.