December 22, 2016

What’s trending on NP Privacy Partner

Happy Holidays! We’re capping off a busy year in privacy and data security developments. Here’s what’s trending on Nixon Peabody’s Privacy Partner.

Threat Alerts and Guidance

FCC warns of massive IRS phone scam

On December 19, the Federal Communications Commission (FCC), working with the Treasury Inspector General for Tax Administration (TIGTA), issued a public notice warning American consumers of a scam being perpetrated by telephone fraudsters posing as Internal Revenue Service (IRS) agents. The scam has already cost victims over $50 million.

The scam starts with an automated or live phone call from someone claiming to be an IRS agent or employee of the Treasury Department, who may even know the victim’s social security number or personally identifiable information to create an aura of legitimacy to the call. The caller ID number could show a Washington DC number or even appear as “IRS.” The caller will claim to be collecting IRS taxes that are immediately due and will threaten consequences such as arrest, deportation or loss of driver’s license. The caller will also warn that an arrest warrant will be issued if the receiving person hangs up the line, and there may be an immediate call upon the hang-up showing on the caller ID as “911.” The caller demands payment in the form of iTunes gift cards, prepaid debit or credit cards or wire transfers. Once the victim acquiesces and buys a gift or prepaid card, he or she will be asked to provide the account number.

As the FCC warns, the IRS generally contacts persons first by mail—not by phone—regarding unpaid taxes, and it never asks for payments by gift or prepaid cards or requests financial information by e-mail, text or social media. If confronted with the phone scam, consumers should just hang up and should not follow any instructions to hit a button to stop getting such calls. And the consumer should write down the caller ID number and file a complaint with the FCC, TIGTA and local law enforcement. Also, a consumer should ask his or her service provider if it offers a robocall blocking service.—Steven M. Richard

This newsletter is intended as an information source for the clients and friends of Nixon Peabody LLP. The content should not be construed as legal advice, and readers should not act upon information in the publication without professional counsel. This material may be considered advertising under certain rules of professional conduct. Copyright © 2015 Nixon Peabody LLP. All rights reserved.

Telephone Consumer Protection Act

Ninth Circuit hears oral argument in TCPA class action against national fitness franchise

The Ninth Circuit considers the scope of the TCPA, highlighting the dynamic nature of interpretations of the statute, and the need for businesses to ensure that they are TCPA-compliant when contacting consumers directly. The case may clarify the definition of an “Automatic Telephone Dialing System” under the TCPA and provide additional guidance to consumer-facing businesses seeking to avoid the threat of costly class action litigation under the TCPA. We provide an analysis in our latest Class Action Alert posted on our website.—Dan Deane and Patrick Duffey

Privacy Litigation and Class Action

Employee may litigate putative class action arising from W-2 data breach

A plaintiff in Kansas brought a putative class action, claiming that an employer negligently permitted a data breach of approximately two thousand former and current employees’ personal information. She alleges that an unauthorized person posed as one of defendant’s employees and e-mailed a request for current and former employees’ 2015 Internal Revenue Service Wage and Tax Statements (W-2 Forms). An employee complied with the request, releasing forms including names, addresses, birth dates, wages and social security numbers. Thereafter, the plaintiff received a letter from the IRS indicating that someone filed a fraudulent tax return in her name. The plaintiff brought suit alleging negligence on the part of the employer, which moved to dismiss the claims asserting that the plaintiff lacked standing and her claims failed to raise claims upon which relief could be granted. The Kansas Federal District Court ruled that the plaintiff has standing and pled plausible claims that may be litigated. Hapka v. Carecentrix, Inc., Case No. 16-2372-CM (D. Kan. Dec. 19, 2016).

Regarding the court’s analysis of the plaintiff’s standing, it noted that she bears the burden of showing that (1) she suffered an injury in fact that is (a) concrete and particularized and (b) actual and imminent—not merely conjectural or hypothetical; (2) the injury is fairly traceable to the defendant’s conduct; and (3) a favorable decision is likely to redress her alleged injuries. The court found particularly dispositive to support standing the fact that the plaintiff’s personal information has been fraudulently used to file a tax return. The defendant asked the court to consider her other allegations of injury—such as time spent with IRS agents, incurred and anticipated costs countering the tax fraud and a heightened risk for future tax fraud and identity theft—as being too speculative to withstand standing scrutiny. The court disagreed with the defendant’s contentions, ruling that it should not look at each of the plaintiff’s alleged injuries in a vacuum. “The fact that her stolen information has been used once has a direct impact on the plausibility of future harm.”

The Kansas Federal District Court noted that other courts nationally dealing with similar “loss of data” cases have split on the issue of whether an alleged increased risk of identity theft and fraud is an injury in fact sufficient to confer standing to sue. The Kansas court chose to follow rulings finding that plaintiffs had standing when they suffered from an incident of identity theft after a data breach. Regarding the merits of the pled allegations, the court concluded that the plaintiff had plausibly pled allegations sufficient to survive dismissal. The plaintiff sufficiently pled allegations that the defendant had a duty to exercise reasonable care in collecting and storing employees’ personal information, including the implementation of reasonable data security measures to prevent an unauthorized disclosure.

The litigation will proceed with further questions of class certification and whether a record developed in discovery can support the plaintiff’s claims. Nonetheless, the decision is significant in allowing claims to proceed flowing from an employer’s unauthorized release of W-2s, especially given that similar phishing expeditions have afflicted employers nationwide throughout this year.—Steven M. Richard

Consumer Privacy

FTC issues annual Do Not Call Registry Data Book

The FTC has issued its National Do Not Call Registry Data Book for Fiscal Year 2016 (October 1, 2015–September 30, 2016). The Registry allows consumers to register their preference not to receive telemarketing calls. Consumers may register their phone number(s) on the Registry either by calling a toll-free number (888-382-1222) from the telephone number(s) they wish to register or by using the do-not-call website (https://www.donotcall.gov). The do-not-call rules require telemarketers and sellers to remove the numbers on the Registry from their call lists at least every 31 days.

The Data Book provides statistical data regarding registrations on the Registry, the subscriptions of entities (e.g., telemarketers and sellers) accessing phone numbers on the Registry and the consumer complaints that the FTC has received alleging violations of the do not call rules. At the end of FY 2016, the Registry contained over 226 million actively registered phone numbers, an increase of three million from the prior year. Consumer complaints about unwanted telemarketing calls exceeded 5.3 million in FY 2016, a 1.7 million increase from the prior year. The FTC reported that it received many complaints about telemarketing robocalls that ranged monthly from a low of 134,029 in November 2015 to a high of 265,676 in August 2016.

This is the eighth year that the FTC has issued the Data Book, which includes the following useful and interesting information:

• The number of active registrations and consumer complaints since the Registry began in 2003;
• FY 2016 complaint figures by month and type;
• FY 2016 registration and complaint figures for all 50 states and the District of Columbia, by population;
• Rankings of the number of Do Not Call registrations, by state population;
• The number of entities accessing the Registry by fiscal year; and
• An appendix with registration and complaint figures organized by state and area code.

The FTC has proactively targeted illegal robocalls, including its commencement of enforcement actions. It also recently provided comments to the Federal Communications Commission on the use of robocalls to collect debts owed to the federal government. We will continue to monitor developments with the FTC and FCC regarding the protection of consumers’ interests and privacy against such calls.—Steven M. Richard

Social Media

Journalist seeks to unmask user

A senior writer, Kurt Eichenwald, has turned to the Texas state courts to learn the identity of a Twitter user against whom he seeks to bring an assault and battery claim. Eichenwald, who has , is a commentator/writer on American politics and President-elect Trump’s business affairs. Recently, Eichenwald appeared in a television interview during which he and a Fox News host engaged in a heated discussion. Shortly thereafter, a Twitter user tweeted Eichenwald an image known to trigger in people with epilepsy—a strobe light image flashing at a rapid speed. The strobe included the words “You deserve a for your posts.” Eichenwald suffered a seizure, and he intends to sue the Twitter user for assault and other intentional torts.

Eichenwald filed a petition in Texas state court seeking to discover from Twitter the identity of the individual, referenced as John Doe in the action. Eichenwald does not intend to sue Twitter, which has suspended the user’s account. He wants to depose a Twitter representative in order to identify John Doe and any persons who acted in concert with him. As noted in the court petition, Twitter’s registration process requires a user to provide a name and address, and records account information and IP addresses. Twitter’s privacy policy requires a court order prior to releasing personal information about its users.

The Texas state court promptly entered an order allowing Eichenwald to take the requested deposition of Twitter, and initiate other discovery as may be appropriate, to determine the identities of John Doe and anyone who assisted him in his tweet. Twitter, notified of Eichenwald’s court filing, agreed to the expedited discovery.

This case is the latest of several we have recently followed where litigants seek to unmask social media users. The results have been mixed, as the courts factor the underlying conduct and claims, as well as any First Amendment or privacy interests.—Steven M. Richard

For more information, please contact:

— Daniel Deane at [email protected] or 603-628-4047
— Patrick R. Duffey at [email protected] or 312-977-4388
— Steven M. Richard at [email protected] or 401-454-1020

NP Privacy Partner Blog Staying ahead in a data-driven world: insights from our Data Privacy & Security team.