Michelle Cohen, Member

P (202) 524-4144

Twitter: @MichelleWCohen

  • Michelle Cohen: Internet Privacy Lawyer on Internet Marketing

    Video 1 of 3

  • Attorney Michelle Cohen: Increased Federal Enforcement of Mobile Commerce in 2013

    Video 2 of 3

  • What to do if you think your company has had a data breach

    Video 3 of 3

Michelle’s unfailing dedication to her clients is evidenced by the fact that her first client, whom she worked with as a first-year associate over 20 years ago, remains an active client. She establishes strong and lasting relationships by committing herself to client service. Michelle understands her clients’ business goals, guides them in their use of new technologies, and communicates with them as their business activities unfold.

Michelle’s practice is focused on helping her clients establish powerful and lasting relationships with their customers and prospects. Whether engaging audiences through sweepstakes/contests, social networks, telemarketing, text, or email marketing, Michelle ensures that her clients’ communications comply with current marketing and privacy laws and regulations. For clients who have embraced the popularity of online promotions and gamification, Michelle keeps programs running smoothly by providing guidance on the necessary rules, thresholds and disclosures in the midst of a constantly changing legal landscape. As clients rely more on social media to publicize promotions, Michelle provides up-to-the-minute legal counsel related to the rules on Twitter, Facebook and other social sites.

As Ifrah Law increasingly leads the way in iGaming, Michelle advises daily fantasy sports and e-Sports companies on privacy matters, including drafting online terms and conditions, and preparing legal opinions and analysis to support iGaming companies’ launching of their services, including working with payment processors.

When clients find themselves involved in an enforcement matter with the Federal Trade Commission, Federal Communications Commission or state agencies, Michelle’s deep knowledge in these areas and her strong footing in the privacy community help her to resolve issues in the most expedient manner possible. Michelle has extensive experience defending individual and class actions in the consumer protection context, including dozens of Telephone Consumer Protection Act cases. She obtained a rare rescission of an FCC citation in a TCPA enforcement matter.

Michelle also advises clients as to what policies and procedures can be put in place to show a company’s good faith efforts, should the government come knocking. When companies are involved in potential data or security breaches, Michelle knows which questions to ask to ensure they have a sound legal strategy. She works with the company step by step to resolve the situation from the points of view of the government, her clients, and their customers.

Previously, Michelle was a partner at Thompson Hine where she was a member of their telecommunications, corporate transactions & securities and emerging technologies groups. She began her legal career in the litigation department at Paul Hastings, where she spent seven years honing her litigation skills, prior to moving into their corporate practice. Her litigation experience gives her a solid foundation for helping clients avoid litigation as well as in advising them when they are faced with litigation. This litigation experience, coupled with her regulatory and corporate experience, allows Michelle to offer her clients a full complement of services.

Awards + Recognition

  • National Law Journal, 2016 Top Rated Litigator
  • Certified Information Privacy Professional (CIPP) certification, International Association of Privacy Professionals
  • ALM 2013 Washington DC's Women Leaders in the Law
  • ALM 2012 Top Rated Lawyer - Technology Law
  • Martindale-Hubbell AV Preeminent Peer Review Rating
  • Editorial Board Member, Digital Business Lawyer (formerly E-Commerce Law & Policy)
  • Editorial Board Member, Payments & FinTech Lawyer (formerly E-finance & Payments Law & Policy)

Professional + Community

  • Member, IAPP Publications Advisory Board
  • Board Member, National Woman’s Party at the Belmont-Paul Women’s Equality National Monument; Executive Committee - Vice President, Legal
  • Past Board Member, Women in Cable and Telecommunications, Washington, D.C. - Baltimore Chapter
  • Federal Communications Bar Association
  • District of Columbia Bar
  • New York State Bar Association
  • Women's Bar Association of DC
  • Volunteer, Special Olympics
  • Brandeis University Alumni Admissions Council
  • Pro Bono Volunteer through the District of Columbia Bar
  • Former Board member for the Law Firms Division of the United Way, National Capital Area

"US Banking Regulators Consider Enhanced Cyber Risk Standards," Cyber Security Practitioner, December 2016
Michelle Cohen, Speaker, "Committee on Lotteries: Seeking Growth Opportunities, Converging with Casinos" National Council of Legislators from Gaming States, 2016 Summer Conference, Boston, MA, July 29-31, 2016
"Amazon Case Shows Value of In-App Purchase Disclosures," E-Commerce Law and Policy, June 2016
Michelle Cohen, Speaker, "The FCC’s New Broadband Consumer Privacy NPRM: What It Means For Your Client Program," American Bar Association, May 2, 2016
Michelle Cohen, Speaker, "The Telephone Consumer Protection Act: Avoiding Multi-Million Dollar Litigation," Clear Law Institute, April 27, 2016 (updated repeat in September)
"Scoring Cash With Angry Birds?," iGaming Business North America, April/May 2016
Michelle Cohen, Speaker, "The Golan v. Veritas Entertainment, LLC Ruling: Ensuring Your Firm’s Telemarketing Strategies Compliant," The Knowledge Group, March 31, 2016
Michelle Cohen, Speaker, "Update on State and Federal Legislative and Regulatory Developments in Cybersecurity and Breach Law," Annual Conference on Data Breaches and Cybersecurity, Law Seminars International, Seattle, WA, January 11, 2016
Michelle Cohen, Speaker, "Skill-Based Games: What Is the Best Model?" National Council of Legislators from Gaming States, 2016 Winter Conference, Orlando, FL, January 9, 2016
Michelle Cohen, Presenter, "TCPA: The New Guidance and What It Means," IAPP: Practical Privacy Series 2015, Washington D.C., November 17, 2015
"Is The Emergence of a U.S. ‘Right To Be Forgotten’ Likely?," E-Commerce Law & Policy, September 2015
Michelle Cohen, Presenter, "Technology and IP Forum: Back to School Marketing Primer – Marketing Through Technology, What is Allowed and What Isn’t?," Association of Corporate Counsel, National Capital Region, September 30, 2015
Michelle Cohen, Speaker, "Committee on Casinos: Update on Internet Sweepstakes Café Enforcement Issues," National Council of Legislators from Gaming States, 2015 Summer Conference, Atlantic City, NJ, June 12, 2015
"Progress Slow For Commercial Use of Drones In The US," E-Commerce Law and Policy, April 2015
Michelle Cohen, Speaker, "Lotteries and Social Media" National Council of Legislators from Gaming States, 2015 Winter Conference, Las Vegas, NV, January 2015
"FTC Staff Recommendations for Mobile Financial Services," E-Finance & Payments Law & Policy, October 2014
"The FTC Releases Staff Report on Mobile Shopping Apps," E-Commerce Law & Policy, September 2014
Michelle Cohen, Speaker, "What’s Legal in Text Marketing!," Hybrid Telephony Summit 2014, Chicago, IL, September 22, 2014
"Managing Litigation in the Small Law Department Environment," WMACCA Small Law Department Initiative, McLean, VA, September 11, 2014
"U.S. Banking Regulators to Review Laws," E-Finance & Payments Law & Policy, June 2014
"The Wild World of Witnesses: When Good Witnesses Go Bad," WMACCA Litigation Forum, McLean, VA, June 26, 2014
"Zealous Counsel or Unethical Social Media Maven – How Far Can a Lawyer Go?," WMACCA E-Newsletter, May 9, 2014
"Net Neutrality – Verizon v. Federal Communications Commission," E-Commerce Law Reports, February 18, 2014
"Oral Arguments Heard in the FCC’s ‘Open Internet’ Dispute," E-Commerce Law Reports, December 2013
"Data Security: FTC v. Wyndham Corporation," E-Commerce Law Reports, October 3, 2013
Michelle Cohen, Speaker, "Don’t Litigate, Mediate: Here’s How," WMACCA Litigation Forum, McLean, VA, September 11, 2013
"Smart House, Smart Car, Smartphones. The FTC Examines the ‘Internet of Things’," E-Commerce Law Reports, June 2013
"FTC issues privacy focused mobile payments report," E-Finance & Payments Law & Policy, March 2013
"FATCA: the end of hiding US accounts in foreign banks?," E-Finance & Payments Law & Policy, March 2013
Michelle Cohen, Speaker, "Trash Talk? Viral Leaks? What to do When Employees and the Public Take to the Internet Town Square," WMACCA Technology and IP Forum, McLean, VA, February 19, 2013
"Editor’s Insight – Mobile Marketing and Privacy," E-Commerce Law & Policy, February 7, 2013
"The FTC reports to the US Congress on Dodd-Frank," E-Finance & Payments Law & Policy, January 2013
"Visa/MasterCard Antitrust Litigation," E-Commerce Law Reports, September 2012
Michelle Cohen, Presenter, "The Consumer Financial Protection Bureau: The Financial Industry’s New Watchdog," LeadsCon East Conference Presentation, New York City, New York, July 2012
"Best Offense Is a Good Defense," Inside Supply Management, March 2012

Winning Big with a Celebrity Sweepstakes Endorsement

After developing a solid online promotions program over several years with Michelle Cohen advising on sweepstakes and contests, Michelle’s long-standing client, a digital wellness company, decided to energize its online efforts with a celebrity endorsement sweepstakes. The celebrity, a known health advocate and popular entertainer, partnered with our client to give away VIP ticket packages to his sold out shows in multiple cities.

Michelle crafted sweepstakes rules and reviewed promotional materials, including social media campaigns. The celebrity also used social media to organize in-person athletic meet-ups around the country, as part of his current touring schedule. This coast-to-coast campaign included sweepstakes at the on-site events. Michelle worked with our client on several aspects of its campaign, including social media messaging, drafting winner’s eligibility affidavits and ensuring compliance with state and federal sweepstakes laws, as well as social networks’ policies and requirements.

The result? Michelle’s client continues to develop exciting and clever online promotions that will engage their audience, while complying with applicable laws and regulations and maintaining positive relationships with key social networks.

 

Successfully Negotiating the Sale of Assets During a Government Investigation

When a company that is under investigation for money laundering decides to sell its assets, what was once a straightforward sales process becomes a complex negotiation. That is what happened with our client, a provider of diagnostic testing equipment.

Ifrah Law and Michelle Cohen represented the company in its sale of radiology and cardiology diagnostic services equipment, which involved numerous challenges. Understandably, the buyer was concerned about the ongoing criminal investigation, and Michelle worked closely with them to address their concerns about representations and warranties and possible post-sale seizure from the government. Additionally, since there were bank liens on some of the assets, Michelle worked with the bank’s outside counsel to arrange a prompt payoff, obtain a satisfactory pay-off letter and secure a release of the liens in order to close the deal. Michelle also worked with the buyer to create a creditor payment plan that would pay off unsecured creditors and obtain releases from them in order to address the buyer’s concerns about unsecured creditors seeking relief from the buyer. Finally, she created an employee fund (funded by the buyer) to pay for uncompensated leave time.

These complicated issues were resolved in less than two weeks, as a result of Michelle’s skilled negotiations with all parties. The buyer was represented by Delaware’s largest law firm.

 

Successful Resolution of a TCPA Class Action

Michelle Cohen’s client, a publicly-traded enhanced messaging provider, was involved in a large-scale class action alleging violations of the TCPA’s unsolicited facsimile advertising rules. In addition to having provided the client with TCPA advice for over 15 years, Michelle represented them in enforcement matters before the FCC, including obtaining the rescission of an FCC citation, a highly unusual ruling from the FCC, finding that the client had a valid defense to the citation.

This TCPA case involved the alleged sending of 125,000 unsolicited faxes. The class was suing for triple damages of $1500 per violation – up to $180 million. Michelle and her team handled discovery, including depositions and motions. When the other parties decided to enter mediation, Michelle represented her client through the mediation, to the settlement agreement and ultimate dismissal of the case. Given the damages at stake, this case was successfully resolved for Michelle’s client, whose settlement contribution fell below the limits of their insurance policy.

 

Ensuring TCPA Compliance for a Global Provider of Customer Management Services

On behalf of our client, a leading provider of customer management services with call centers around the world, Ifrah Law led a full-scale review of its customer communications to ensure that they comply with federal and state requirements, including those of the TCPA and the FTC’s Telemarketing Sales Rule (TSR). We addressed the many different types of calls that the company undertakes on behalf of its varied customer base – service calls, appointments, live sales calling and pre-recorded calls – to ensure that its call centers are using consistent protocols and controls in the United States, and that these protocols are in compliance with the TCPA and TSR. Our client trusted Ifrah Law with this extensive project due to our long history with managing TCPA matters – we have been involved with the TCPA since its inception in 1991 – and due to our prior work for the client, including successfully representing the client in two FCC inquiries.

We worked with the company’s Director of Privacy to develop a thorough understanding of the types of calls that the company makes for its customers, and the contractual protections that are in place and which could be revised to protect the company further. A critical aspect of this project was to educate leaders within the company that there are different TCPA requirements based on the type of call: technology used, person being called, whether the call is pre-recorded or live; mobile or business. We also wrote the call center guidelines and controls to ensure that all employees – from those being trained to the marketing team – had the same information regarding how to handle different types of customer call projects.

This large-scale process took a year to complete. Once the documentation was finalized, our client was ready to begin a company-wide training program on the guidelines, well in advance of TCPA rule changes.

 

Is it a Lottery or is it Gambling? UK Regulator Slaps Lottoland for Misleading Radio Ad

Gambling, including online gaming, lotteries, and land-based gaming, has tremendous participation in the United Kingdom. One study concluded that 75% of the UK’s adult population gambled in some manner. UK regulators take an aggressive approach to licensing, supervision, and enforcement of gambling laws and regulations, including gaming-related advertising. As more U.S. states permit online gaming, UK regulators’ decisions about promotions will be instructive to state authorities in the U.S. One recent decision by the UK’s advertising regulator involving Lottoland, a company that allows players to bet on the outcome of actual lottery draws (including U.S. Powerball), provides guidance concerning how an ad can come under fire.

Lottoland, a leading online gambling operator in the UK, Sweden, Eastern Europe, Brazil, and other markets, allows players to bet on the outcome of lottery draws around the world, including MegaMillions, PowerBall and EuroMillions. In other words, players gamble on the outcome of a lottery rather than buy an actual lottery ticket. Players bet on official lottery draws — specifically, which lottery balls, or numbers, will be drawn in those draws. Participants select the numbers that they think will be drawn. If a player guesses correctly, she wins cash or other prizes. The amount of the prize depends on the number of balls correctly guessed. Players can participate without having to visit an actual lottery retailer and do not need to retain a ticket. And, the Lottoland entry can be cheaper than an official lottery ticket.

ASA’s Decision

On 1 February, the UK’s independent regulator for advertising, the Advertising Standards Authority (“ASA”), ruled that a radio ad for Lottoland breached the UK’s Broadcasting Advertising Code (“BCAP”) provisions prohibiting misleading advertising.  Among the parts of the ad that raised concern was when the announcer stated “Chimp can’t believe it. At Lottoland the EuroMillions still costs just £2. Not £2.50. This Friday’s jackpot 100 million. So with Lottoland you can win the big jackpot for less. Download the app or go to lottoland.co.uk and get your first bet free.”  The ASA concluded that the ad implied that players would be playing in a lottery rather than betting on a lottery in a gambling game, primarily because of the announcement of the EuroMillions and the jackpot.  Among the violations was BCAP Code 3.3.1 which requires the “main characteristics of the product or service” be provided in advertisements when an advertisement quotes a price. The ASA was particularly influenced by the discussion of the jackpot and the dollar amount of 100 million.

The regulator acknowledged the mitigating factors that the ad also directed players to the Lottoland app/website and offered “your first bet free.”  The ad further referenced a gambling help website.  Lottoland asserted that their advertisements across all platforms clearly distinguish between its gambling product and an actual lottery ticket due to the key term “bet”- which the announcer stated twice in the radio ad.  Lottoland argued that in the context of the short script and other marketing, consumers would understand that Lottoland is a gaming operator, not a lottery company.  Lottoland further claimed that the reference to the lottery was a factual statement in that consumers can win the same amount of money by betting on the outcome of a lottery (and paying less to play with Lottoland).

The ASA reasoned, however, that lottery-related terms were stated early in the ad in a “high pitched tone,” giving them prominence. These included references to winning “the big jackpot for less” and “this Friday’s jackpot 100 million.” Another factor deemed by the ASA to be indicative of a lottery was a reference to “Jackpot estimated 24 September.” In viewing the radio ad in its entirety, the ASA concluded that the references to “bet” did not completely mitigate the references to lottery because Lottoland “did not make clear that consumers would be gambling on the outcome of a lottery rather than actually participating it.” In the end, the ASA found that the references at the beginning of the ad promoting a lottery implied that participants would be playing a lottery rather than a gambling game.

Lessons Learned

The ASA’s decision is instructive for all online gaming operators and those offering promotions such as sweepstakes and contests. It makes clear that regulators will scrutinize advertising, particularly where the ad uses terms interchangeably that may confuse consumers.  While a radio ad tends to be around 30-60 seconds and thus does not leave much time for disclosures, gaming operators should review ad copy to make sure the copy accurately describes the offering – and does not have the potential to make consumers think they are participating in a different type of offering – such as a lottery, sweepstakes, or a traditional skill contest.

We frequently guide clients through the laws governing their promotions, including online gaming, sweepstakes, contests, and social media promotions. Laws across jurisdictions vary greatly and each analysis is very fact-specific. It is essential to ensure that promotional materials, whether in traditional media such as radio or TV and print, on websites, or on social media, clearly convey the type of offering and the key terms. The promise of a big payout may understandably result in additional scrutiny.

As Lottoland learned, while a bet may mean gambling, when you pair it with lottery references, consumer confusion may result.  Ad buys do not come cheap and air time is precious, so it’s best to keep it simple and clear.

Online Reviewers Get New Protections

Your business booked a large charity event.  However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down.  She even claims she was overcharged.  You reviewed the situation and, while you disagree, you offer her a credit.  She declines and instead decides to post scathing reviews on Yelp, TripAdvisor, and several other review sites.  She also gets her friends to post similar reviews.  You remember, however, that the booking contract this irate customer signed barred her from posting negative reviews and imposes a $200 per negative review penalty.  You ring up your attorney and ask her to send Ms. Nasty Customer a demand.  Your lawyer tells you there may be a problem with this approach – under a new law signed by President Obama in December, the Consumer Review Fairness Act of 2016 – form contracts restricting reviews or imposing penalties are void.

Congress sought to address situations where businesses threaten or file lawsuits against customers who post negative reviews, relying upon form contracts or website terms of use. In one case involving the Union Street Guest House in New York, the venue reportedly threatened a wedding party with $500 in fines for each bad review wedding guests submitted on Yelp, based upon the venue’s posted policy. The Guest House initially sought to keep part of the wedding party’s deposit.  (The business subsequently faced a barrage of bad press once word of its policy went viral.  It has since closed).  In another situation, a company called KlearGear sought a $3,500 “disparagement fee” based upon a Utah couple’s online review from years before. KlearGear argued the non-disparagement clause was in its standard terms (a fact disputed by the couple).  KlearGear eventually sent the alleged debt into collections, causing havoc to the couple’s credit score.  The couple sued KlearGear and obtained a six-figure default judgement.

What’s Prohibited

The new protections in the Consumer Review Fairness Act bar form contracts (including website terms of use) that prohibit or restrict an individual who is a party to that contract from engaging in a “covered communication”  – a review or assessment of the goods, services or conduct of a person who is also a party to that form contract.  The Act also prohibits form contracts that impose a penalty (such as withholding a security deposit) or fee against an individual who posts a review.  The law further proscribes form contracts that transfer or require individuals to transfer intellectual property rights in their reviews.  Some companies invoked the Digital Millennium Copyright Act to force review sites to “take down” negative reviews, claiming intellectual property of customer reviews. The Consumer Review Fairness Act makes it unlawful for a person to offer a form contract that contains any of these prohibited terms.

Exceptions and Carve-Outs

There are several significant exceptions to the new law, offering some protections to organizations. First, individually-negotiated agreements are not covered by the new legislation. Second, Congress carved out employer-employee and independent contractor agreements from the “form contract” definition. Thus, under the new Act, employment provisions barring negative online reviews of an employer are not void. However, the National Labor Relations Board strongly disfavors restrictions on employees’ rights to discuss wages and working conditions in public forums. Further, some states may also seek to bar restrictions on online reviews. California and Maryland already have enacted laws barring non-disparagement clauses in consumer contracts.

Third, the Act does not bar an organization or individual from suing for defamation, libel, or slander. Thus, companies may still file suit for reviews containing false statements (and presumably include a clause in a form agreement or terms and conditions addressing such statements). Fourth, the law preserves any confidentiality required by law – such as HIPAA. Fifth, the Act expressly allows a party to remove or to refuse to display on a website/webpage operated by that party the content of a “covered communication”: (1) that contains personal information or the likeness of another person; (2) that is libelous, harassing, abusive, obscene, vulgar, sexually explicit, or is inappropriate with respect to race, gender, sexuality, ethnicity or other “intrinsic characteristic”; or (3) that is false or misleading. Thus, companies that host their own webpages for customer comments and interactions may remove customer reviews meeting these standards. It would also appear lawful to advise customers in company terms and conditions or form contracts that such content may be reviewed.

Congress further created a carve-out from the Act’s consumer review protections for trade secrets or commercial or financial information considered privileged or confidential, personnel and medical files where disclosure would result in an invasion of personal privacy, records compiled for law enforcement purposes, content that is unlawful, and content containing computer viruses, worms, or other damaging code.

Federal Trade Commission Enforcement

The Federal Trade Commission (“FTC”) will enforce the Consumer Review Fairness Act of 2016. State Attorneys General may also bring a civil action in federal court to obtain relief for their residents. The new law requires the FTC (within 60 days) to conduct education and outreach to businesses, including non-binding “best practices” for complying with the Act. Companies get 90 days (until March 14, 2017) before their contracts containing the now-proscribed practices are considered void.

What’s Next?

The Consumer Review Fairness Act of 2016 will further empower individual reviewers and review sites. While the FTC will release compliance guidance, companies should review any restrictions on reviews in their form contracts and terms of use.  When dealing with negative reviews (for instance, through direct consumer communications or replies on a message board), organizations should be careful about their wording to avoid future claims of adverse actions based upon that review.

The FTC may target a few “brand name” organizations in early enforcement actions to garner industry attention. Companies should be aware, however, that they retain the right to object to assessments that are exempted, including those that disclose confidential or personal information, or that are defamatory, misleading, obscene, vulgar, or unrelated to the products and services offered on the company’s webpage.  So, while consumers cannot be penalized through a form contract by posting reviews, their rights to post are not unfettered.  Contrary to the popular adage, as the Union Street Guest House learned, not all press is good press – and companies may still address false or defamatory reviews and those reviews containing other exempted content.

How The FTC Guides Businesses Through Data Breaches

The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog to help companies in the immediate aftermath of a data breach. The FTC also provides a model data breach letter to notify individuals of a breach. The agency – which views itself as the nation’s primary “privacy police” – has faced scrutiny from private parties and courts for allegedly enforcing privacy and data security standards without promulgating specific rules. The agency instead favors outreach efforts, such as its blogs, guides and roundtables, to educate industry and the public regarding what it views as best practices.

In this vein, the Guide and the model letter are not a “safe harbor” but offer suggestions on important steps that organizations can follow once they discover data breaches.  The FTC emphasizes that the Guide does not pertain to the actual protection of personal information or prevention of breaches, because the agency has already issued separate guidance documents on those subjects.  In fact, the FTC also recently updated its guide on protecting personal information.

Following a data breach, the Guide suggests key steps organizations can take, which include:

  • Mobilizing the company’s breach response team to prevent further data loss – the team may include legal, information security, IT, human resources, communications, investor relations, and management; companies may consider hiring an independent forensics team;
  • Securing physical areas – lock any physical areas affected by a breach; consider changing access codes;
  • Taking affected equipment offline immediately – monitor all entry and exit points, and update authorized users’ credentials and passwords;
  • Removing improperly posted information from the company’s website, for instance in a situation where personal information affected by the breach is posted on the company’s website. The FTC also advises companies to search the Internet to see if breached information has been posted on other websites and to contact the owners of those websites;
  • Protecting evidence – the FTC reminds companies to retain forensic evidence (i.e., do not destroy it);
  • Documenting the investigation, including interviewing people who discovered the breach and making sure employees (such as customer service representatives) know where to forward information that might assist the company in its investigation;
  • Examining service provider relationships, to determine if providers have access to personal information and whether provider access privileges should be changed;
  • Determining whether data was encrypted at the time of the breach (note: encryption may obviate the need for data breach reporting in many states);
  • Implementing a communications plan that explains the data breach to employees, customers, investors, partners, and others such as the press. The FTC recommends “plain English” answers on a company’s website;
  • Following legal requirements – such as state data breach notifications and notifying law enforcement;
  • Offering at least a year of free credit monitoring – while not required, free monitoring has become standard and most regulators and consumers expect to see the offer in data breach notifications.

As to data breach notification letters, in addition to following the requirements of state laws, the FTC urges companies to advise people what steps they can take, based on the information exposed.  When a breach compromises social security numbers, individuals should be directed to contact the credit bureaus to request fraud alerts or credit freezes.  Since some scammers pounce on data breach victims, the FTC counsels organizations to tell consumers how they will be contacted going forward.  For instance, if the company will never contact individuals by phone, the company should tell consumers that – so individuals can detect telephonic phishing schemes.

The FTC encourages businesses to use the Guide and its accompanying materials to educate employees and customers, such as through newsletters and websites.  However, when facing an enforcement action or a lawsuit, will a company’s compliance with the Guide offer any relief from FTC or state Attorney General penalties or assist organizations in their defense in private data breach lawsuits?  Ultimately, the crux of breach liability usually relates to how it occurred, but taking swift, corrective actions following a breach should aid an organization when dealing with regulators and third parties by showing good faith actions to prevent further damages. Conversely, a company that fails to take corrective actions can exacerbate a breach and further negatively impact affected individuals and the organization.

The FTC’s Guide and accompanying materials are helpful references, particularly for smaller businesses.  As a practical matter, the advice I give companies facing a possible data breach is, first, to take the time to determine what happened, how it happened, whether the breach continues, and what you can do to prevent it in the future.  While several states require reporting within a set number of days (e.g., 45), the laws allow organizations time to conduct factual inquiries, take corrective measures, and prepare to notify affected individuals.  Organizations should not rush through these key steps.  Second, communication is key.  A company facing a breach should develop a clear, consistent statement regarding the breach, the steps being taken and a single contact point.  The lack of a communication plan or a consistent message can cause a huge loss of customer and employee confidence and raise regulators’ interest.  Third, when preparing data breach notifications, organizations should note that it is likely that the letter will become public due to some states’ open records laws.  Numerous websites exist that track and publicize data breaches, based upon information in the notifications – often including copies of the actual letters.  Companies should not assume that regulators and consumers simply file the letters away.  While your organization cannot prevent the publicity, having a clear, concise data breach notification that meets each state’s requirements without providing excess data will help the company through the process and associated publicity.


Wells Fargo Learns That Recording Calls In California Can Be Costly


In the past few years, many organizations such as Capital One, Bass Pro Outdoor, and the Cosmopolitan Hotel have faced class actions alleging violations of California’s call recording law.  This week, California’s Attorney General demonstrated that her office, working with state prosecutors, will also vigorously enforce the law under the state’s criminal statutes.  Attorney General Harris announced an $8.5 million settlement with Wells Fargo Bank, N.A. over the alleged failure to provide call recording announcements to California consumers.

The complaint alleged violations of Sections 632 and 632.7 of California’s Penal Code, including the purported failure of Wells Fargo’s employees to “timely and adequately disclose the recording of communications with members of the public.”  These laws form part of California’s Invasion of Privacy Act. Section 632 makes it illegal to eavesdrop (monitor) or record a “confidential communication” without the consent of all parties. The statute defines a “confidential communication” as including “any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto.” The law specifically excludes communications in circumstances “in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.” Section 632.7 bars the recording of cell phone conversations without the consent of all parties.

Wells Fargo Bank settled the case, agreeing in a stipulated judgment to the $8.5 million settlement and certain compliance requirements.  Specifically, Wells Fargo must make a “clear, conspicuous, and accurate disclosure” to any consumer in California of the fact that Wells Fargo is recording the call.  The settlement requires that this disclosure occur “immediately at the beginning” of the call, but allows Wells Fargo to precede the disclosure with an introductory greeting identifying the customer service representative and the entity on whose behalf the call is made (presumably, a Wells Fargo-affiliated entity). Wells Fargo also committed to a compliance program for one year and periodic internal testing of its employees’ and agents’ compliance with the call disclosure requirement.  The bank agreed to appoint an officer or supervisor with specific oversight responsibility for compliance with the settlement obligations.  Within a year following the stipulated judgment, Wells Fargo must provide the Attorney General with a report summarizing the testing.

Interestingly, the Attorney General previously pursued a similar action against home improvement platform Houzz Inc. for allegedly failing to notify all parties of its recording of incoming and outgoing telephone calls.  In that case, Houzz agreed to appoint a Chief Privacy Officer to oversee Houzz’s compliance, a first for a California Department of Justice settlement.

As we have advised before, all organizations recording calls – whether inbound or outbound – should immediately disclose to called parties that the call is being recorded.  The disclosure should occur at the outset of the call.  One type of introduction could be, “This is Michelle, calling on behalf of XYZ Company. This call is being recorded and/or monitored.”  Some companies may wish to announce the option of a non-recorded line, available via a key press. It is also important to time the recording to begin after the announcement, to avoid potential liability based on even a few seconds of a recorded call before an announcement is given.

A few important reminders are worth repeating:

  • The announcement requirement applies to inbound and outbound calls, including requested return calls.
  • Recording announcements apply to all types of calls – not just sales calls.
  • Maintain proof of the announcement.
  • Implement a short, written call recording policy.
  • Train customer service representatives to understand the call recording policies.
  • Periodically “test” call recording procedures.
  • Promptly investigate any call recording complaints and take appropriate corrective action.
  • Have customer service representatives sign an acknowledgment that they understand they are being monitored and/or recorded.

The recording of customer service and other calls is an important component to prevent fraud, fulfill legal requirements and augment customer service, among other reasons. Companies can implement call recording effectively, but must comply with announcement requirements and should take proactive measures, such as training and testing, to protect against civil and criminal liability and to safeguard consumer goodwill.


Guitar Hero for Cash! New Jersey Issues Temporary Regulations for Skill-Based Gaming


Just last month at the National Council of Legislators from Gaming States (“NCLGS”) winter meeting in Orlando, I discussed the strong interest in skill-based games by casino owners, regulators, legislators, and the public. In an effort to appeal to millennials, fill empty slot seats, and expand the demographic at Atlantic City casinos, New Jersey’s Division of Gaming Enforcement (“DGE”) just announced new temporary regulations for “skill-based gaming.”  Although the DGE already has authority to permit skill-based games – and last year allowed a $10,000 free throw basketball tournament at the Borgata – the agency issued these regulations to provide additional guidance to industry.  DGE hopes to encourage companies with skill-based games to bring their products to Atlantic City before other jurisdictions. The regulations can be found here.

Key Consumer Protection Disclosures

The temporary regulations define “skill based gaming” as “any Division approved casino game where game outcome is dependent in whole or in part upon the player’s physical dexterity and/or mental ability.” This definition is broad enough to cover a wide variety of skill-based games – from basketball and golf to “Trivia Crack” and various brain teasers. The DGE mandates certain consumer protections, including that skill-based games clearly display:

  • Rules of play
  • Amount required to wager on the game
  • Amount to be paid on winning wagers
  • Any rake or fee charged to play the game
  • Total amount wagered by the player
  • Statement that the outcome of the game is affected by player skill (applies to skill and “hybrid” games), and
  • Other information sufficient for the player to reasonably understand the game

In addition, “unless otherwise disclosed to the player,” once a player begins a skill-based game, the gaming device cannot be altered during play based on a player’s skill.

Special Advantages/Identifiers Allowed with Conditions

DGE’s regulations allow player-purchased enhancements, randomly awarded enhancements, or other advantages, provided all players are advised of these features. The DGE put certain protections in place for these features.  Specifically, players must be advised both that the feature is available and of the benefit it offers. A skill-based game offering these advantages is required to explain how to obtain the feature and to provide players “with sufficient information to make an informed decision, prior to game play, as to whether or not to compete against a patron” who has this advantage.

Skill-based games may use an “identifier” (such as the skill of the player) to determine which games are available to a player.  The regulations also allow players to compete against a computerized or skilled house-sponsored opponent, provided the game discloses when the opponent is participating and allows a player to opt-in or opt-out of a computerized or house-sponsored opponent.  To establish fairness, the computerized or house-sponsored opponent must be prevented from having access to information that is otherwise unavailable to a player (for instance, knowledge of upcoming events).

Peer-to-Peer Skill Gaming

All peer-to-peer skill-based games are to be monitored for collusion and money laundering activity using an automated feature (following the internal controls of the casino licensee).

Payout

The temporary regulations require that slot machines with a skill-based component have a payout of at least 83 percent for each wager available for play on the device. However, games that rely “entirely” on skill or do not use a random number generator (“RNG”) are not required to achieve a minimum hold percentage.

Approvals

Skill-based games will continue to require DGE approval.  A special “New Jersey First” process allows companies that bring their skill-based products to New Jersey before or simultaneously with submission to any other jurisdiction or testing lab, a 14-day approval process from testing to placement on the casino floor.

The temporary regulations mirror Nevada regulations on skill-based gaming adopted in September 2015. Therefore, any skill games approved in New Jersey would be permissible in Las Vegas and vice versa.

Massachusetts, Pennsylvania Close Behind/Trends

Other states are exploring permitting skill-based games at casinos. Just last week, Massachusetts issued draft regulations  – comments are due by March 7. Pennsylvania is also reviewing allowing skill games at casinos.

Empty chairs at traditional slots mean zero revenues. Casinos are, understandably, looking to attract new patrons and recognize that millennials are used to interactive gaming experiences, having grown up with Xboxes, Wii games, and popular online games such as Candy Crush.  Caesars Entertainment’s CEO reportedly advised slot makers recently to speed the development of new products, such as skill-based gaming machines. We expect to see the roll-out of a variety of skill-based games and other contests, including many that may appeal to millennial and Generation “X” and “Y” nostalgia, such as Guitar Hero, Pac Man, and other popular arcade games.

Regulators and casino operators will likely continue to develop rules and procedures during the approval processes and following reviews on the initial roll-out.  We see several issues that will need to be addressed depending on the type of game. For instance, when playing head to head, what happens if there is an unanticipated stop of play due to a player issue, a tech issue or some other act?  Who ultimately decides the winner in the event of a dispute/tie?  Can professionals (for instance e-Sport-sponsored players) play skill-based video games?  What about college athletes playing “their” sport in a skill-based athletic game? How will wagers work? Who will host the games? Will there be exclusivity?

The key to answering many of the operational questions will be for the manufacturers and casino operators to develop clear “rules of the game” that address the varied situations – similar to current rules for skills contests run online or in brick and mortar locations.  Detailed rules and disclosures can help the games run smoothly and prevent later disputes and litigation.

We applaud New Jersey’s DGE for encouraging innovation through these new regulations and the New Jersey First program. The DGE recognizes the need for games that appeal to expanded demographics.  The DGE’s speedy implementation of skill-based gaming regulations, as well as  its outreach and willingness to engage with industry demonstrate the agency’s commitment to economic growth while ensuring consumer protections are in place.
