Current News and Events from the State Bar of California Business Law Section.
Here is your October eNews from the Business Law Section (“BLS”) :
The California Lawyers Association: New Possibilities and Opportunities for BLS Members
"Someone's sitting in the shade today because someone planted a tree a long time ago."
--- Warren Buffett
On October 2, 2017, Governor Edmund G. Brown, Jr. signed into law SB-36. As a result, starting in January 2018, the 16 voluntary Sections of the State Bar of California and the California Young Lawyers Association (“CYLA”) will transition into a newly-formed private 501(c)(6) non-profit association (“Association”). Wasting no time, the Sections have organized nine committees that are tasked with working through the issues arising from formation of the new Association. As they spend countless hours researching, drafting and debating the complex and voluminous questions facing the new Association, these committees are planting the trees that future Association members will rely upon for their shade.
The transition committees appointed by the Council of State Bar Sections (“CSBS”) are:
Governance & Bylaws
Budget & Finance
HR & Staffing
Communications & Marketing
Legislation (Association Policy)
The Future: 2018 & Beyond
Three members of the BLS serve as committee leaders: Jim Hill (Operations), Sarah de Diego (Technology) and Rob Harris (Communications & Marketing). Other BLS members also serve on the committees, contributing greatly to their time-sensitive and important work. They include: Roland Brandel, Peter Califano, Marie Hogan, Peter Menard, Donna Parkinson, Tom Phinney, Mark Porter, Myron Steeves, and Neil Wertlieb, among others. On behalf of the BLS and Sections, I would like to acknowledge and thank these individuals for their valuable contributions to the new Association.
The transition committees are still working through many critical issues, including where the new Association will be located, the number of employees, insurance, governance structure, membership, oversight of finance, nature of legislative advocacy, how the Sections will interact with each other, and use of social media and website. However, I can report on a number of decisions to date:
Name of Association: California Lawyers Association (“CLA”)
Mission Statement: Promoting excellence, diversity and inclusion in the legal profession and fairness in the administration of justice and the rule of law.
I’ll continue to provide updates in my monthly eNews messages as the CLA is formally formed and its bylaws and governance structure have been determined. If you’re interested in getting involved with the transition to the new Association, or wish to get involved once the CLA is up and running, please feel free to contact me (firstname.lastname@example.org) or Jim Hill (email@example.com), the BLS representative to the CSBS.
We look forward to the great possibilities the CLA will present starting in January 2018, including better opportunities for members to interact with each other regarding their valuable Section and committee work. In the meantime, we will keep producing the highest quality eBulletins, Business Law News articles, and practice guides. We look forward to you volunteering to help us in those tasks and, in addition, volunteering with other BLS members and friends to speak in BLS webinars and live programs. After all, the core function of the BLS, namely to help improve the practice of business law in California, will only grow stronger and more vibrant as we transition to the new California Lawyers Association, the state-wide bar association for California attorneys.
For a more detailed discussion of SB-36, click here.
Uzzi O. Raanan, Chair, Danning Gill Diamond & Kollitz (Los Angeles)
Wednesday, January 10, 2018, 12 noon - 1 p.m.
This program offers 1 hour participatory MCLE credit, including Elimination of Bias. You must register in advance to participate.
Presentation is geared toward compliance with California employment laws in 2018 and beyond. Topics covered include definitions of harassment and discrimination, protected classes, the California Department of Fair Employment and Housing Anti-Harassment Regulations, California’s Fair Pay Act, volunteer and intern protection, anti-bullying training and political correctness. Workplace Harassment Hypotheticals are used to illustrate employee and employer rights, responsibilities and remedies, including common sense solutions to typical situations.
Speaker: Lisa Von Eschen
Tuesday, January 30, 2018, 12 noon - 1 p.m.
This program offers 1 hour participatory MCLE credit, including legal specialization in Franchise & Distribution Law. You must register in advance to participate.
The program will discuss the impact of business regulation upon a variety of everyday transactions that may carry various disclosure, registration and licensing requirements and that may entail significant liability for noncompliance. The discussion will address the following types of scenarios that may be subject to specific business regulation:
Speakers: Gerard Davey and Michelle Jacko
The Nonprofit Organizations Committee’s past meetings have included presentations from Ruth Hauswirth, Special Counsel, Director of Litigation & E-discovery Services at Cooley LLP in San Diego, on document-retention and information-governance practices at nonprofit organizations and from Barbara Rhomberg, a long-time participant and member of the Committee and a partner in the law firm Kavanagh Rhomberg LLP in Belmont, California on establishing and maintaining endowments. The Nonprofit Organizations Committee is chaired by Myron Steeves.
Corto Olive Co, owned by Dino Cortopassi, hosted the Agribusiness Committee for an Olive Oil Tour and Tasting on October 27, 2017 in Lodi, California. Committee members toured the facility and learned about the growing, harvesting, and pressing of olives for olive oil.
The Agribusiness Committee is chaired by Lauren Layne of Baker Manock & Jensen, PC.
The Internet & Privacy Law Committee published an e-bulletin on October 20, 2017 on a new decision by the United States District Court for the Northern District of California, addressing the extent of liability as an “advertiser” when commercial emails with allegedly misleading headers are sent in violation of California Business & Professions Code section 17529.5. The e-bulletin can be found here.
The Internet & Privacy Law Committee is chaired by Mark Adlrich of Aldrich Law Group and Ginny Sanderson of Kronenberger Rosenfeld, LLP.
Courtesy of CEB, we are bringing you selected legal developments in areas of California business law that are covered by CEB’s publications. This month’s feature is from the September 2017 update to Privacy Compliance and Litigation in California. References are to the book’s section numbers. See CEB’s BLS Landing Page for special discounts for Business Law Section members. The most significant legal developments since the last update include developments in such important topic areas as constitutional and common law privacy protections, special protection of children, information security and data breaches, internet privacy, regulation of marketing and sales, financial data and health information privacy, workplace privacy, international data protection, identity theft, and standing to sue.
PRIVACY COMPLIANCE AND LITIGATION IN CALIFORNIA
September 2017 Update
Constitutional and Common Law Protections
A federal district court in Washington state held that Microsoft could proceed with its claims that the government practice of barring ISPs from informing customers of warrants for their data violates the First Amendment as a prior restraint on speech. Microsoft Corp. v United States Dep't of Justice (WD Wash, Feb. 8, 2017, No. C16-0538JLR) 2017 US Dist Lexis 18691. On the other hand, the Ninth Circuit Court of Appeals held that the FBI's use of national security letters that bar service providers from telling users about government requests for their data does not violate the First Amendment. In re National Sec. Letter, Under Seal v Sessions (9th Cir, July 17, 2017, No. 16-16067) 2017 US App Lexis 12721. See §4.43.
Following the United States Supreme Court decision in Riley v California (2014) ___ US ___, 134 S Ct 2473, the California Supreme Court found that a warrantless search of a suspect's cell phone is unconstitutional. People v Macabeo (2016) 1 C5th 1206. See §2.4A.
In a case involving Pen C §632, which makes it a crime to eavesdrop or record a confidential communication without consent, the Ninth Circuit found that the facts in the case were sufficient to establish a prima facie cause of action for invasion of privacy by eavesdropping. Safari Club Int'l v Rudolph (9th Cir, Feb. 10, 2017, No. 14-56236) 2017 US App Lexis 2416. See §§2.4A, 4.37.
In a case involving public disclosure of private facts, even though the court found that much of the defendant's posting about the plaintiff was celebrity gossip, the defendant's publication of a sonogram and summary medical report about the plaintiff were a cognizable basis for an invasion of privacy claim. Jackson v Mayweather (2017) 10 CA5th 1240. See §2.11.
Special Protection of Children
The FBI issued a rare warning to parents about the privacy and safety risks to children associated with Internet-connected toys. FBI Public Service Announcement Alert No. I-071717- PSA (July 17, 2017). In addition, the FTC has updated its guidance regarding the application of the Children's Online Privacy Protection Act of 1998 (COPPA) (15 USC §§6501–6506) to Internet-connected toys. Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business (June 2017). See §§1.3, 5.4.
The civil penalty for violations of the Children's Online Privacy Protection Act of 1998 (COPPA) (15 USC §§6501–6506) has been adjusted upward to $40,654 per violation. 81 Fed Reg 42476 (June 30, 2016). See §5.27.
Information Security and Data Breaches
The California Attorney General has published a report compiling and analyzing data breaches occurring from 2012 to 2015, entitled California Data Breach Report (Feb. 2016). https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf. See §§3.10, 4.56.
The FTC has published an online guide to how businesses may secure their sensitive data, titled Start With Security: A Guide for Business; Lessons Learned From FTC Cases (see §3.13), as well as a guide for businesses in handling security breaches, titled Data Breach Response: A Guide for Business (Sept. 2016) (see §3.51).
The FTC recently issued a settlement order in the AshleyMadison.com enforcement action, in which the defendants deceived consumers and failed to protect user accounts and information in relation to a massive July 2015 data breach, imposing an $8.75 million judgment. FTC v Ruby Corp. (D DC, Dec. 14, 2016, No. 1:16-cv-02438) FTC File No. 152 3284. See §3.13.
In a stipulated final judgment against Target Corporation in an action brought by the California Attorney General for a massive data breach Target suffered during the 2013 holiday season, Target agreed to pay a record $18.5 million in damages. State of California v Target Corp. (SF Super Ct, May 23, 2017, No. CGC-17-559105). See §3.14.
The California Legislature has amended the Civil Code to provide that a person whose encrypted personal information is subject to a data breach must be notified of the breach, even if the information was encrypted, when the encryption key or security credential was included in the breach and the business that was subject to the breach has a reasonable belief that the encryption key or the security credential could render the personal information readable or usable. CC §1798.82(a). See §§3.46, 4.2, 7.16, 10.49.
In April 2017, the President signed into law the repeal of the FCC's Internet service provider (ISP) broadband privacy rules, which had been adopted by the FCC in October 2016 but had not taken effect. Pub L 115–22, 131 Stat 88. See §1.3.
The Seventh Circuit Court of Appeals has held that there is no reasonable expectation of privacy in IP addresses and that law enforcement may obtain that information from third party communications companies without a warrant. U.S. v Caira (7th Cir 2016) 833 F3d 803. See §4.2. The First Circuit Court of Appeals held that using an app was sufficient to make the user a "consumer" for purposes of pleading under the Video Privacy Protection Act (VPPA) (18 USC §2710). Yershov v Gannett Satellite Info. Network, Inc. (1st Cir 2016) 820 F3d 482. See §4.9A.
The California legislature enacted a new Civil Code provision, effective January 1, 2017, prohibiting online entertainment employment services from revealing age information about individuals employed in the entertainment industry (CC §1798.83.5), although the constitutionality of the new provision is already in question. IMDB.com, Inc. v Becerra (ND Cal, Feb. 22, 2017, No. 16-cv-06535-vc) 2017 US Dist Lexis 30776. See §§4.12, 5.94A.
An e-mail sender who obtained permission from a social networking site user to send e-mails on a user's behalf had not used false pretenses or false representations to obtain the user's consent and did not violate the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) (15 USC §§7701–7713). Facebook, Inc. v Power Ventures, Inc. (9th Cir 2016) 844 F3d 1058. See §§4.21, 5.48.
The California Attorney General has developed a standard complaint form by which consumers can report potential violations of the Online Privacy Protection Act of 2003 (OPPA) (Bus & P C §§22575, 22579) by websites and online services such as mobile apps. It is available at https://oag.ca.gov/privacy/caloppa/complaint-form. See §§4.21, 4.23, 4.25.
The California Legislature has enacted the Invasion of Privacy Act (Pen C §§630, 638.55) to make it a crime to unlawfully eavesdrop on or record a confidential communication with a health care provider, and imposing monetary damages on a per violation basis for violations of the Act. Stats 2016, ch 855. See §§4.36, 4.38, 7.16.
A federal district court granted the plaintiff's requests for class certification under the Invasion of Privacy Act, finding common facts existed among the claimants who were subjected to the defendant's practice of having its agents gather some personal information from customers on calls before issuing the required advisory that the calls might be recorded. Raffin v Mediacredit, Inc. (CD Cal, Jan. 3, 2017, No. CV 15-4912=GHK (PJWx) 2017 US Dist Lexis 5311. See §4.36.
In a case involving the Communications Decency Act (CDA) (47 USC Â§230), in which the defendant created a website intended to elicit personal information and nude photographs from unwitting victims, the court held that the defendant was not immunized from liability under the CDA by asserting that he did not provide any content and was a mere publisher. People v Bollaert (2016) 248 CA4th 699. See §§4.48, 10.37. Similarly, no CDA immunity was found in a case in which the Ninth Circuit reversed the district court's dismissal of a failure-to-warn negligence claim against the dating website Match.com, which matched the plaintiff with a man who assaulted her. Beckman v Match.com, LLC (9th Cir, Sept. 1, 2016, No. 13-16324) 2016 US App Lexis 16218. See §4.48.
A new section has been added in chapter 4 discussing the Consumer Finance Protection Bureau's enforcement of business obligations affecting personal information. See §4.57B.
Regulation of Marketing and Sales
In an FTC settlement with two robocall telemarketing operations who violated the Telemarketing Sales Rule (TSR) (16 CFR pt 310) by contacting consumers who had been listed on the federal DNC Registry since 2012, the defendants were subject to a civil penalty of $2.2 million. FTC v Ramsey (SD Fla, Apr. 11, 2017, No. 9:17 cv-80032 KAM) FTC File No. 132 3254. See §5.55.
Although a consumer can give express consent to be called by a business by providing a telephone number to the caller as part of an application or contract, merely canceling the contract does not constitute revocation of consent under the Telephone Consumer Protection Act (TCPA) (47 USC §227). Van Patten v Vertical Fitness Group, LLC (9th Cir 2017) 847 F3d 1037. See §§5.56E, 12.6A.
When an unsolicited fax that does not promote the sale of products is sent in the context of a commercial relationship, it is not an "unsolicited advertisement" for purposes of the TCPA. Florence Endocrine Clinic, PLLC v Arriva Med., LLC (11th Cir, June 5, 2017, No. 16-17483) 2017 US App Lexis 9904. See §5.64.
Financial Data Privacy
The SEC fined the firm Morgan Stanley Smith Barney $1 million when an employee impermissibly accessed and transferred data regarding more than 700,000 accounts to his personal server, which was in turn hacked by third parties. SEC Administrative Proceeding (June 8, 2016) File No. 3-17281. See §6.13.
The Fifth Circuit held that the Fair Credit Reporting Act (FCRA) (15 USC §§1681–1681x) does not cover reports used or expected to be used only in connection with commercial business transactions. Bacharach v Suntrust Mortgage, Inc. (5th Cir 2016) 827 F3d 432. See §6.18.
Health Information Privacy
In a decision involving a medical testing laboratory that was alleged to have exposed the personal information of over 10,000 consumers, the FTC held that a company's mere public exposure of sensitive consumer information can constitute a substantial consumer injury supporting an "unfairness" violation without evidence of misuse of the information, and the company may also commit an unfair practice if its data security practices risk consumer injury of large magnitude, even if the likelihood of injury is low. In the Matter of LabMD (Sept. 29, 2016, No. 9357) FTC File No. 102 3099. See §§3.13, 4.56.
The California Supreme Court found that a state medical board's accessing of patient prescription records while investigating conduct of their physician did not violate the patients' privacy rights because the board's actions were justified in light of the investigation. Lewis v Superior Court (July 17, 2017, No. S219811) 2017 Cal Lexis 5129. See §§2.7, 7.2.
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced its first settlement based on late reporting of a breach and assessed a fine of $475,000 on a health system for failing to give timely notice concerning 836 patients whose information had gone missing. https://www.hhs.gov/sites/default/files/presence-ra-cap.pdf. See §7.15A.
The OCR has issued a Fact Sheet, Ransomware and HIPAA, which includes guidance on when a ransomware attack is considered a reportable breach. https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. See §7.15B.
Federal regulations protecting the confidentiality of alcohol and drug abuse (which is now called substance use disorder) patients' records underwent a major revision in 2017 and now have a much broader application, including new definitions and new consent requirements for disclosures of patient information. 42 CFR pt 2. See §§7.93–7.97.
The California Labor Code has been amended to provide that an employer or a prospective employer may not inquire about any arrest, detentions, or court dispositions that occurred when an employee or prospective employee was subject to juvenile court law. Lab C §432.7(a)(2). See §§8.14, 8.18.
International Data Protection
The Second Circuit Court of Appeals held that the Stored Communications Act (SCA) (18 USC §§2701–2712) does not apply extraterritorially, so that the U.S. government could not use search warrants to access consumer data that Microsoft had stored on a server located in Ireland. Microsoft Corp. v U.S. (2d Cir 2016) 829 F3d 197. See §4.41.
The European Union General Data Protection Regulation (GDPR) (EU Regulation 2016/79) was approved by the EU Parliament on April 14, 2016, and starting in May 2018 will apply directly throughout the EU and the European Economic Area as well as to data controllers and data processors outside of the EU when their processing activities are related to EU residents. A detailed discussion of the provisions of the new GDPR has been added to chapter 9. See §§9.8–9.82.
The China Cybersecurity Law was enacted effective June 1, 2017. See §9.146.
An amendment to the Japanese Personal Information Protection Act, effective September 2017, introduces new restrictions on transferring personal data. See §9.161.
The Civil Code has been amended to provide that a consumer reporting agency must place a security freeze for a "protected consumer" under certain circumstances. A protected consumer is a child or foster child under 16 years old or an incapacitated person for whom a guardian or conservator has been appointed. CC §§1785.11.9–1785.11.11. See §10.59.
The California Legislature has enacted the Identity Theft Resolution Act (Stats 2016, ch 376), which provides that a debt collector, on receipt of a police report and written statement from the victim, must initiate a review of the account within 10 days if it furnished adverse information about the debtor to a consumer credit reporting agency, and it must send notice of its determination to the debtor within 10 days after conducting the review. CC §§1785.16.2, 1788.18. See §10.75.
Copies of birth certificates may be requested electronically until January 1, 2021, and state or local officials may accept an electronic acknowledgment verifying the identity of applicants. Health & S C §103526(a)(3). See §10.80.
Standing to Sue
Circuit courts have split in various decisions testing the limits of Spokeo, Inc. v Robins (2016) ___ US ___, 136 S Ct 1540, as follows (see §12.6A):
The Third Circuit Court of Appeals held that a violation of the FCRA gives rise to injury-in-fact sufficient for constitutional standing even without evidence that the plaintiffs' information was used improperly. In re Horizon Healthcare Servs. Data Breach Litig. (3d Cir 2017) 846 F3d 625.
The Fourth Circuit Court of Appeals found that the plaintiffs had no standing based on alleged harm from an increased risk of future identity theft in a class action by veterans for two data breaches at a medical center. Beck v McDonald (4th Cir 2017) 848 F3d 262.
The Seventh Circuit Court of Appeals held that even if the defendant cable provider had failed to destroy a former subscriber's personally identifiable information, the plaintiff did not have standing because he failed to allege or provide evidence of any concrete injury that had resulted. Gubala v Time Warner Cable, Inc. (7th Cir 2017) 846 F3d 909.
The 15 BLS Standing Committees publish eBulletins announcing developments in their area of law and upcoming events open to BLS members. Click HERE to sign up to receive these eBulletins from any BLS Standing Committee completely free of charge.
We all know that social media can help drive new business. Did you know that the BLS maintains a presence on LinkedIn, Twitter, and Facebook where it posts regular updates about new cases, new regulations, key legislative developments, and news and events from the BLS’s Standing Committees? What you may not know is that you can not only send items to the BLS to post or tweet, but also suggest items from your own social media pages for the BLS to re-post, re-tweet, or like. Doing so expands the reach of what you have to say to everyone who likes or follows the BLS on its various social media platforms, and may result in the BLS following you! Please submit your suggested items for consideration or direct any questions to BLS Social Media Coordinator, Dennis J. Wickham (firstname.lastname@example.org) and join the ever expanding discussion!
Standing Committees continue to accept applications to fill vacant seats. Practitioners and other legal professionals who are members of the BLS and who have at least five years of experience are eligible to apply. Membership on a committee affords unique opportunities to participate in the creation of law in your practice area, to get to know and be known by other practitioners, to work with the recognized leaders in your field, and to stay on the cutting edge of developments and practice techniques. Membership is a rewarding experience that keeps one ahead of, and in touch with, business law developments. Most committees meet once a month, often by phone. A description of the required commitment and application process, along with a link to the application, can be found HERE.
The BLS achieves its goals through the work of its 15 Standing Committees. You are invited to attend the regular monthly meeting of any BLS Standing Committees (see below for meeting dates). These monthly meetings provide attendees an excellent opportunity to chat with committee members and other lawyers with a similar expertise. Some committees even offer free MCLE credit! Please see the contact person listed below to RSVP or request more information. Follow us on Twitter @calbarbuslaw. Use a Standing Committee’s hashtag to search for tweets by that committee in its designated field and to re-tweet.
For a list of upcoming meeting dates and contact persons, click HERE.
Dennis Wickham, Editor-in-Chief
Cathryn S. Gawne, Contributing Editor
Kenneth Minesinger, Contributing Editor
Corey R. Weber, Contributing Editor
Monique D. Jewett-Brewster, BLS Vice Chair of Publications
Uzzi O. Raanan, BLS Chair
For contact information, see the Executive Committee Roster HERE.
To join the BLS and receive membership benefits