In This Issue
Congress Considers More Data Security, Breach Laws
Late last month lawmakers introduced two new data protection bills that would require companies to take measures to secure customer data and notify them of any security breach.
Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) introduced the Data Security Act of 2011, which would apply to data brokers, government agencies that possess nonpublic personal information, and all retailers who take credit card information. Under the proposed legislation, covered entities must implement, maintain, and enforce “reasonable data security policies and procedures,” as determined by the size, complexity, and scope of their business and the sensitivity of the information they maintain.
A covered entity would be required to investigate if it determines that sensitive information was, or may have been, compromised. If the entity determines that information was compromised and “is reasonably likely to be misused in a manner causing substantial harm or inconvenience,” then it must notify all consumers, government agencies, and regulators affected by the breach. If the covered information is “maintained or communicated” in a manner that is not usable to commit identity theft or to make fraudulent transactions, a breach notice is not required. Information that is “encrypted, redacted, altered, edited, or [in] coded form” is deemed unusable by the legislation.
Those who fail to comply could be fined, ordered to conduct corrective measures, or banned from working in their respective industries.
If enacted, the law would preempt state data security and breach notification laws. The Federal Trade Commission would enforce the law, which explicitly prohibits private suits.
A second bill was introduced by Sen. Dianne Feinstein (D-Calif.), the Data Breach Notification Act of 2011, which would require companies to notify consumers when their personal and sensitive identifiable information has been compromised.
The bill defines “personal and sensitive identifiable information” to include Social Security numbers, credit card account numbers, driver’s license numbers, unique biometric information and passwords.
Notification would be required “without unreasonable delay,” but not more than 14 days after the discovery of the breach.
Covered entities would include any agency or business that “uses, accesses, transmits, stores, disposes of or collect[s]” covered data. The Attorney General would have enforcement powers, and entities that violate the law could be subject to a $1,000 per day per individual fine up to a maximum of $1 million.
Civil suits are precluded under the legislation and the law would preempt existing state laws.
To read the Data Security Act of 2011, click here.
To read the Data Breach Notification Act of 2011, click here.
Why it matters: In a press release announcing his bill – which he modeled on the data security provisions of the Gramm-Leach-Bliley Act – Sen. Carper decried the current legal framework of data security laws. “We need to replace the current patchwork of state and federal regulations,” he said. Currently, 49 states have their own laws on the books addressing data breach notification and/or data security, making compliance an uphill battle for companies.
back to top
FTC Takes Action Against Payday Lender
The Federal Trade Commission filed suit against an online operation that asked consumers seeking a payday loan to complete an application form, the bottom of which included unrelated programs for discounts on travel and merchandise or long distance calling, the FTC alleged.
Consumers who chose to submit their applications were often unwittingly enrolled in the various programs, costing them up to $59.90 each month, and some consumers were charged even when they specifically declined the offer to enroll. “Defendants’ websites are not online applications for payday loans, but instead are vehicles to collect financial information from consumers. With this information, defendants enroll consumers into their programs for which they charge membership fees,” according to the complaint.
The defendants shared consumer bank account information with payment processors to debit the accounts, the FTC said, and consumers typically discovered the debit only when it appeared on their statement or their account was overdrawn. In addition, the FTC said the defendants gave consumers who sought a refund a “run-around.”
The agency filed suit in Florida federal court, alleging that the defendants – Direct Benefits LLC, Voice Net Global, and various company officers – violated the FTC Act by obtaining consumer account information and debiting the accounts without consent, and by failing to make adequate disclosures about what information would be used for purposes other than to process payday loan applications.
A U.S. District Court Judge halted the defendants’ operation and froze its assets.
To read the complaint in FTC v. Direct Benefits Group, click here.
Why it matters: The suit – part of its “continuing efforts to protect financially strapped consumers during the economic downturn,” the agency said – is yet another recent action by the FTC against payday lenders. The FTC previously took action against an online payday lender site and its directors for using Web advertising to trick loan applicants into purchasing prepaid debit cards, and a U.S. District Court judge ordered the defendants to pay the agency $4.8 million. In a press release, the FTC said it is “closely monitoring payday lending and other financial services to protect financially distressed consumers.”
back to top
Controversy Over Basketball Wives
NBA star Gilbert Arenas filed suit against the production company behind the VH1 reality show Basketball Wives, arguing that the show – which features his ex-fiancée, Laura Govan, the mother of his four children – violates his right of publicity and dilutes his trademark.
Arenas is seeking an injunction that would prevent Shed Media, the producer of the show, from using his name or from using the term “basketball wives” in a way that suggests affiliation with basketball players like him.
“The show. . .provides these women with a vehicle and worldwide platform to use, without permission or authorization, the names and/or likenesses of famous NBA professional basketball players they know on a personal level for their own commercial gain,” according to the complaint. Laura Govan is included solely to enhance the marketing of the show, his suit argues.
In addition to trademark infringement, Arenas alleges that the show is falsely advertised, that it implies a false endorsement, and that it misappropriates his likeness and right of publicity.
Shed Media fired back with an anti-SLAPP (strategic litigation against public participation) counterclaim, calling the suit “a showing of unparalleled hubris.”
“The series is not about basketball, let alone basketball players,” Shed Media argued. “Rather, the series focuses on the women’s lives and their relationships with one another, as well as their careers, personal lives, and how they have been affected by their romantic connections – past or present – to professional basketball players.”
The advertising and promotion of the show have not yet used Arenas’s name or likeness, the defendant pointed out, and despite his fame, Govan has a constitutional right “to tell her story,” Shed wrote.
Arenas’s complaint violates California’s anti-SLAPP law because Basketball Wives is an expressive work protected by the First Amendment, Shed argued, and the show itself – with millions of viewers – is clearly an issue of public interest.
“[Arenas] apparently believes that his fame permits him to prevent Govan from using her name in connection with anything – a television show with the word ‘basketball’ in the title, girls’ basketball shoes, or even basketball shaped cookies – because she used to date him and he is a famous basketball player,” Shed wrote. “No [case law]. . .supports the extreme stretch of the law requested in plaintiff’s complaint.”
To read the complaint in Arenas v. Shed Media, click here.
To read the defendant’s motion to strike, click here.
Why it matters: The complaint represents yet another step in the recent trend to broaden a celebrity’s right of publicity. Arenas seeks to expand the protections of trademark and right of publicity to include the actions of his ex-fiancée and the mother of his children. Arenas is not the only NBA player to object to Basketball Wives. Chris Bosh, whose ex-girlfriend is also featured on the show, filed a similar suit, while Dwight Howard and Shaquille O’Neal have both threatened litigation over the show.
back to top
Privacy Suit Filed Over Use of ETags
The latest lawsuit over online tracking was filed against KISSmetrics, a company that utilizes ETags to track visitors to Web sites.
The California-based plaintiffs alleged that the tracking violates consumer privacy rights, and they named additional defendants including Hulu, Spotify, and iVillage, sites that worked with KISSmetrics.
The suit claims that the defendants violated state and federal laws by using ETags that track consumers even after they delete cookies from their computers.
“While it is generally reasonable to expect a website to use cookies for tracking, the website defendants and KISSmetrics created numerous, alternative, ‘shadow’ mechanisms for tracking; defendants engaged in tracking by exploiting. . .class members’ browsers and other software in ways that consumers did not reasonably expect,” according to the complaint.
Specifically, the defendants repurposed user browser cache of users’ browser software and Adobe Flash LSOs to store information, the suit contends.
The plaintiffs maintain that their information is a personal asset to which online third parties have no presumptive right of access. They further argue that loss of such information lessened the economic value of their information, reduced the performance of their computers (which were slower to load while the transfer of information occurred), and violated their privacy rights.
In addition to injunctive relief, the suit seeks statutory damages of $10,000 per individual under the Electronic Communications Privacy Act.
To read the complaint in Kim v. Space Pencil, click here.
Why it matters: KISSmetrics CEO Hiten Shah told MediaPost he was “blindsided” by the allegations against the company and noted that courts have “repeatedly held” that similar claims against other defendants “have no merit.” However, the company revised its privacy policy after the complaint was filed. According to the new policy, the company will not track users who delete cookies or otherwise indicate their intention not to be tracked.
back to top
NAD Weighs In on Dietary Supplement for Lung Health
The National Advertising Division recommended that Nu Century Herbs modify or discontinue claims made for its Resprin dietary supplement to properly qualify claims related to traditional Chinese medicine and remove claims based on in vitro testing and a clinical study.
The advertising claims came under review as part of the NAD’s initiative with the Council for Responsible Nutrition.
On its Web site, the advertiser made claims for Resprin, a dietary supplement for lung health, like “The natural way to clearer breathing” and “This natural herbal breathing enhancer is specifically formulated with a unique blend of 23 herbs, clinically shown to support respiratory health and clearer breathing.”
Reviewing the Federal Trade Commission’s advertising guidelines on Dietary Supplements, the NAD noted that traditional use is not itself the equivalent of scientific substantiation, and that advertisers should not make claims that suggest a disease benefit.
While Nu Century could make certain claims based on the fact that ingredients in Resprin have been recognized and used in traditional Chinese medicine for lung health, the NAD said the company could not support its claims independently of the traditional evidence. The in vitro studies, ingredient research and one clinical study relied upon by the company were insufficient to support any performance and efficacy claims.
Therefore, “NAD concluded that the advertiser can support certain claims based on [traditional Chinese medicine] for the ingredients in Resprin, to the extent they clearly state as such, in accordance with the FTC’s Guides. ‘Claims based on historical or traditional use should be substantiated by confirming scientific evidence, or should be presented in such a way that consumers understand that the sole basis for the claim is a history of use of the product for a particular purpose.’ ”
Specifically, the panel recommended that Nu Century discontinue claims that Resprin could “enhance” breathing but also stated that, with the appropriate cautionary language, Nu Century could advertise general lung health claims and claims that the supplement contains traditional Chinese medicine that may help inflammatory lung conditions.
Why it matters: “Advertising for a dietary supplement claim cannot claim to prevent or treat a disease,” the NAD cautioned. In addition, “Animal and in vitro cell studies alone cannot support claims for products designed and marketed to humans.”
back to top