Information Intersection > Troutman Sanders LLP

New TCPA Class Action: Expansion into Service Calls

On August 29, yet another Telephone Consumer Protection Act class action was filed in the Middle District of Florida. This suit, however, is a bit different than others that we have seen.

In Gillmore v. Lokey Automotive Group, Inc., the complaint alleges that text messages sent to the plaintiff April Gillmore by an automobile dealership relating to a recall for her 2003 Volkswagen were sent without her prior express consent. More importantly, because the recall identified in the text messages was not covered under the car’s warranty, these texts were allegedly a sham to solicit the consumer to schedule an appointment at the dealership. Gillmore seeks to represent a broader class of individuals who received text messages without having consented.

While many companies have become accustomed to seeing debt collection and telemarketing-related TCPA lawsuits, Gillmore is a twist on the average TCPA case because it focuses on “service-related” text messages. Companies today must understand the potential “contextual consent” argument that many plaintiffs’ lawyers will try to make in litigation. As always, the types of outbound telephone communications a company makes to a consumer should be guided by the reason and purpose for which the consumer provided his or her telephone number. Obtaining broad consent and documenting such consent is vital.

September 1, 2017

Join Us for a NAPBS Webinar on September 27: Compliance Management Systems – The Next Generation

We are pleased to announce that Troutman Sanders attorneys Ron Raether and Megan Nicholls will be featured speakers for a webinar hosted by the National Association of Professional Background Screeners on September 27, 2017 from 3:00 – 4:00 p.m. ET.

In this session, they will discuss the basic elements of a compliance management system, how to maintain it, and how to take it to the next level as you grow. We will also address the important role cyber security should have in your everyday compliance practices and how to navigate C-Suite skepticism.

For additional information or to register, click here.

August 31, 2017

Join Us for a Webinar on September 21 – How to Engage Your Legal Department in Data Incident Response

Join Troutman Sanders attorneys Melanie Witte and Megan Nicholls for a webinar on September 21. During the webinar, the presenters will:
  • Present the landscape of incident response laws and generally discuss how to determine what laws apply to your organization – state laws present a myriad of reporting requirements and, depending on your industry, federal laws may apply as well.
  • Discuss the incident response life cycle.
  • Discuss key prophylactic steps necessary to an effective incident response.
  • Provide an overview of key components to a comprehensive incident response plan.
  • Provide tips on coordinating with your insurance company and outside counsel.
  • Discuss where legal needs to be involved to protect privilege.
  • Define lessons-learned and remediation steps.

Registration is complimentary. Scheduling conflict? Register to receive the recording after the webinar.

August 30, 2017

Join Us at the ASIS International 63rd Annual Seminar and Exhibits in Dallas

We are pleased to announce that Troutman Sanders partner Ronald Raether will be a featured speaker at the ASIS International 63rd Annual Seminar and Exhibits event in Dallas September 25-28, 2017.

Ron will speak on Tuesday, September 26 from 2:00 – 3:00 p.m. on “Governing Without Clear Standards: Lessons Learned.” The term “standard” is used loosely in the context of data usage and security. While standard-setting organizations work to provide guidance, the variables are too numerous, leading to the conclusion that a single, universal standard is not possible. Ron will explore actual examples to provide tips on developing a program that will stand up under scrutiny while avoiding common pitfalls.

For additional information or to register, click here.

August 30, 2017

Illinois Federal Court Refuses to Certify TCPA Robocall Class Action Based in Part on Article III Standing

On August 15, the United States District Court for the Northern District of Illinois denied a motion for class certification in Legg v. PTZ Insurance Agency, Ltd., a putative class action under the Telephone Consumer Protection Act.  The plaintiffs in the lawsuit, Christopher Legg and Page Lozano, sued PTZ and affiliated companies alleging violations of the TCPA, including placing unsolicited robocalls to Legg’s and Lozano’s cellular phones.

PTZ offers pet insurance and offered a 30-day free gift of pet insurance to adopters of pets with safety microchips from certain animal shelters. The adoption process involved filling out paperwork, which asked the adopting consumer to provide a telephone number. The paperwork included a statement that unless the consumer opted out, they may be contacted by marketing partners. One such partner, PTZ, allegedly placed prerecorded robocalls on at least two occasions to Legg and Lozano, which the plaintiffs claimed violated the TCPA. Legg and Lozano sued on behalf of themselves and a putative nationwide class of persons who received similar calls from PTZ and, following discovery, moved to certify a class of 341,288 members.

The district court found the class satisfied the requirements of Rule 23(a), noting that each class member received the same call and that the claims arose from a single set of facts.  The court also found Legg and Lozano, as well as their counsel, to be adequate representatives of the class.  However, although the proposed class satisfied the class requirements of Rule 23(a), the court found it did not satisfy sub-part (3) of Rule 23(b).

The court focused its inquiry on Rule 23(b)(3)’s predominance requirement, noting it is “far more demanding” than mere Rule 23(a) commonality.  With that in mind, the court held it could not certify the class because of questions of class member consent.  Specifically, it found individualized questions of consent by each class member predominated over common questions of law and fact.  The court noted many class members had agreed, during the adoption process, to receive communications by phone.  From that recognition, the court expressed concern that if an adopter agreed and expected to receive calls, they would not have suffered a “concrete injury” sufficient to confer Article III standing, thus enmeshing the standing jurisdictional analysis with class certification.  The court concluded it could only determine whether any class member consented through an individual analysis of evidence about each class member, an inquiry that would easily overwhelm the benefits of the class mechanism.

Ultimately, the court rejected the plaintiffs’ argument that consent could somehow be established based on generalized evidence, concluding that doing so would instead present an insurmountable individual issue that defeated class certification.

August 25, 2017

Ninth Circuit Holds TCPA Claims Are Invasion of Privacy Claims

August 24, 2017

New Jersey Bill Limits Use of Driver’s License Information by Retailers

The New Jersey legislature recently passed a bill that places restrictions on retailers’ ability to collect and use personal information gleaned from driver’s licenses.  The bill, known as the Personal Information and Privacy Protection Act, is intended to give consumers more control and security over their personal information.  A copy of the bill can be found here.

Under the new legislation, retailers can scan a driver’s license or identification card only for seven specific purposes:

(1)    to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;

(2)    to verify the person’s age when providing age-restricted goods or services to the person;

(3)    to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;

(4)    to establish or maintain a contractual relationship;

(5)    to record, retain, or transmit information as required by state or federal law;

(6)    to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Fair Debt Collection Practices Act; or

(7)    to record, retain, or transmit information by a covered entity governed by the medical privacy and security rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

If a driver’s license or identification card is scanned, the retailer can only collect the person’s name, address, date of birth, state of issuance, and identification card number.  The retailer must also securely store any retained information and not disclose it to any third party.

The Act establishes a civil penalty of $2,500 for an initial violation and $5,000 for any subsequent violation.

It is important to note that the Act is limited to retail establishments only and has no impact on any other uses of driver’s license information.

July 28, 2017

Join Us on August 10 for a Webinar on A Review of the New York Cybersecurity Framework

Join Troutman Sanders attorneys Shannon VanVleet Patterson and Sheila M. Pham for a complimentary webinar on August 10, 2017 from 3:00 – 4:00 p.m. ET.

On March 1, 2017, the revised Cybersecurity Requirements for Financial Services Companies adopted by the New York Department of Financial Services (“NY DFS”) became effective.  This regulation requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks. This action by the NY DFS is a significant development in the regulatory landscape for cybersecurity. Even financial institutions not subject to regulation by the NY DFS should be aware that this regulation may be the first in a series of incremental steps by state and federal banking regulators as they continue to consider ways to enhance protection of digital information and management of cyber risks.

Registration is complimentary. Scheduling conflict? Register to receive the recording after the webinar.

July 24, 2017

Second Circuit Affirms Dismissal of Putative Data Breach Class Action Against Michaels


On May 23, 2017, in Whalen v. Michaels Stores, Inc., the United States Court of Appeals for the Second Circuit issued a summary order affirming the district court’s dismissal of a putative data breach class action based on lack of Article III standing.

As background, the named plaintiff Mary Jane Whalen made credit card purchases at a Michaels store in 2013. In 2014, Michaels suffered a data breach of its systems. Whalen’s credit card was thereafter allegedly presented for a payment to a gym in Ecuador. Whalen did not allege that any fraudulent charges were actually incurred on the card, or that she was in any way liable for the fraudulent presentations.

The United States District Court for the Eastern District of New York originally dismissed the putative class action complaint, holding that Whalen did not allege facts sufficient to establish Article III standing “because Whalen neither alleged that she incurred any actual charges on her credit card, nor, with any specificity, that she had spent time or money monitoring her credit.”  The Second Circuit agreed.

“Whalen does not allege a particularized and concrete injury suffered from the attempted fraudulent purchases,” held the Second Circuit.  For instance, Whalen was never “asked to pay, nor did pay, any fraudulent charge.  And she does not allege how she can plausibly face a threat of future fraud, because her stolen credit card was promptly canceled after the breach and no other personally identifying information . . . is alleged to have been stolen.”  Whalen’s Complaint also did not allege any “specifics about any time or effort that she herself has spent monitoring her credit.”  Without any such allegations, the Second Circuit found that Whalen “has alleged no injury that would satisfy the constitutional standing requirements of Article III, and her claims were properly dismissed.”

May 31, 2017

NY AG Settles with IoT Company over Security Practices


On May 22, 2017, New York Attorney General Eric Schneiderman announced a settlement with Safetech Products LLC (“Safetech”) over allegations that the Internet of Things (IoT) company sold insecure wireless door locks and padlocks. According to the Attorney General, the settlement marks the first time a state Attorney General has taken legal action against a wireless security company for failing to protect its consumers’ personal and private information.

Safetech offers customers Bluetooth-enabled locks. According to the Attorney General, Safetech represented to consumers that its products would allow users to protect personal belongings inside their homes by turning doors and closets into secure areas. However, in 2016, independent researchers found that Safetech’s Bluetooth-enabled locks transmitted passwords between the locks and the user’s smartphone in plain text without encryption, allowing potential perpetrators to intercept the passwords and open the locks. The researchers also discovered that the locks contained weak and insecure default passwords that could easily be solved or discovered through brute force attacks, in which automated software is used to generate a large number of consecutive guesses.

As part of the settlement agreement, Safetech agreed to establish and implement a written comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality, and integrity of security information, including:

  1. The designation of an employee or employees to coordinate and be accountable for the security program;
  2. The identification of material internal and external risks to (a) the security of the devices that could result in unauthorized access to or unauthorized modification of the device, and (b) the privacy, security, confidentiality, and integrity of security information;
  3. The risk assessments considering each area of relevant operation, including, but not limited to: (a) employee training and management, including secure engineering and defensive programming; (b) product design, development, and research; (c) secure software design, development, and testing; (d) review, assessment, and response to third-party security vulnerability reports; and (e) prevention, detection, and response to attacks, intrusions, or systems failures;
  4. The design and implementation of reasonable safeguards to control the risks identified through risk assessment;
  5. Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
  6. The development and use of reasonable steps to select and retain service providers (if any are hired) capable of maintaining security practices consistent with the agreement, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with the agreement; and
  7. The evaluation and adjustment of Safetech’s security program in light of the results of the testing and monitoring required by the agreement.

The New York Attorney General’s action is notable in that it marks the first time that a State Attorney General has taken action against an IoT company over security representations. In recent years, the FTC has established itself as a lead regulator in the space. As we noted here, the FTC recently brought an action against D-Link alleging UDAP violations related to the company’s security vulnerabilities. There, the FTC alleged that D-Link failed to adequately secure software for D-Link routers and IP cameras, and misrepresented, through its security event response policy, router and IP camera promotional material, and router graphical user interface, that the software was secure. Similarly, last year, the FTC settled with another IoT company, ASUSTek Computer, Inc. Read our blog post here. There, the FTC alleged that ASUS had engaged in unfair and deceptive acts or practices by marketing its routers and cloud services as “secure” while knowing about and failing to fix serious vulnerabilities.

Going forward, IoT companies should expect continued scrutiny not only from the FTC, but also state Attorneys General.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders is well-positioned to help companies develop procedures for effectively handling security issues.  Because of our team’s technical background, we are uniquely positioned to understand companies’ IoT technology concerns and to address any risks from a legal perspective.  We routinely advise businesses on security and privacy best practices with respect to connected devices, which help to avoid acts or practices that may be considered unfair or deceptive.

May 30, 2017