May 9, 2015

The CFPB's Consumer Complaint Database Will Soon Include Consumers' Complaint Narratives. Are You Ready?

In case you missed it, the CFPB is trying to become the next Yelp or Angie's List.

The CFPB began accepting complaints from consumers as soon as it opened its doors in 2011—with over half a million currently on file.  In June of 2012, it started publishing a limited amount of data from the complaints on its website. Now, it has decided to give consumers a platform to "publicly share their stories." 

The CFPB's website already allows a consumer to describe his or her complaint in narrative form in a text box on the complaint webpage. The consumer can also attach documents to the complaint. The CFPB forwards the complaint to the company, requests a response, gives the consumer a tracking number, and updates the consumer on the status of the resolution.

In March, the CFPB revised its consumer complaint policy to allow consumers to publish their grievances—in their own words—on the CFPB's website.   Beginning later this month (May 2015), when consumers submit complaints to the CFPB, they will have the option to check a box to share their narrative. The narratives will have names, telephone numbers, account numbers, Social Security numbers, and other identifiers redacted. The CFPB will not, however, verify the truth or accuracy of the facts asserted in the consumer's complaint. 

Banks and other companies will be given the option to select from a limited list of structured response options within 180 days after the consumer complaint is routed to them. The response cannot be customized. Actually, the final policy says that the financial institution can "recommend" one of the pre-set responses to the CFPB, but the CFPB reserves the right to reject the response.

Complaints will be listed in the public database only after the financial institution responds to the complaint or after it has had the complaint for 15 days, whichever comes first. The CFPB will publish the consumer complaint narrative when the financial institution provides its public-facing response, or after the financial institution has had the complaint for 60 days, whichever comes first. If, within 15 days of receiving a notice of the complaint, a financial institution tells the CFPB that it has no record of a financial relationship with the complaining person, or if the financial institution tells the CFPB that it believes the complaint is fraudulent, the CFPB is not supposed to publish the complaint.

Despite the fact that this sort of information can become stale and of marginal value over time, the CFPB has determined that complaints will remain on the public database indefinitely.  Furthermore, the final policy fails to address whether complaints will be removed or changed when a financial institution merges or is acquired, or when a division is spun out.

I have written and spoken before about the importance of online reputation management for financial institutions. This development underscores the need for each financial institution to have a comprehensive online reputation management strategy. Aside from behaving honestly and ethically, the best (but not the only) thing a financial institution can do to protect its reputation online is to inundate the web with positive content. While there are some legal concerns to address when a financial institution expands its presence on the web, this strategy is the most effective way to ensure that the overall narrative reflects the financial institution's mission and message.


Image credit: matt cordell using (x-ray delta one)



March 1, 2015

Data Security Breaches, Unauthorized Transfers, and Corporate Account Takeovers... What You Missed!

On Friday, I had the honor to join some distinguished speakers for an all-day continuing legal education seminar on computer technology and the law.  My fellow presenters were:
  • Clark Walton, former CIA forensic computer analyst, lawyer with Alexander Ricks, and founder of computer forensic firm Reliance Forensics (and formerly Chair of the NCBA Young Lawyers Division and the American Bar Association's Young Lawyer of the Year).
  • Ashden Fein, lead prosecutor of Private Bradley Manning in the WikiLeaks trial and now lawyer with Covington & Burling in Washington, D.C.
  • Chris Swecker, former Assistant Director of the FBI, lawyer, and security consultant.
  • Kim Korando, employment lawyer with Smith Anderson.
  • Joyce Brafford, law practice technology guru with the NCBA's Center for Practice Management.
It was a fascinating day, and I enjoyed hearing from these great speakers more than I enjoyed speaking myself.  (I was under the weather and quite hoarse.  My apologies to all who had to endure my voice.)

In the course of my presentation, we discussed the various legal response requirements following a data security breach, as well as liability for unauthorized transfers in consumer and commercial accounts. 

The program was well-attended in person and by webinar, but if you missed the opportunity to attend, I am providing a link to my slideshow here.  I hope you find it useful.

February 9, 2015

NC Commissioner of Banks Ray Grace Re-Appointed

Commissioner Ray Grace -photo by M. Cordell
Today, Governor McCrory appointed Ray Grace to serve as North Carolina's Commissioner of Banks for another term.  Although Commissioner Grace has been "appointed," the process actually works like a nomination; his appointment must be confirmed by each house of the General Assembly.

After serving in the Marine Corps during the Vietnam War, Grace graduated from college and immediately joined the Office of the Commissioner of Banks as a trainee examiner in 1974. He has served in various roles over the years, and has deep experience in the regulation and supervision of North Carolina financial institutions. 

After former Commissioner Joseph A. Smith, Jr., resigned effective February 16, 2012 to become the nationwide mortgage settlement czar, then-Governor Beverly Perdue appointed Grace, then Deputy Commissioner, to serve as Acting Commissioner. Under the banking statute in effect at the time, Governor Perdue was required to submit the name of a permanent successor to the General Assembly within four weeks. She nominated Ray Grace by the end of the month, and he became Acting Commissioner. However, as I predicted back in February of 2012, the confirmation process took much, much longer.  Governor McCrory re-nominated Acting Commissioner Grace more than a year later, in March of 2013. The Senate approved on May 15, 2013, and the House approved on June 6, 2013.  Commissioner Grace's initial term was the remainder of what would have been Joe Smith's final term, expiring March 31, 2015.

Under the new banking statute, Governor McCrory was required to appoint a Commissioner of Banks by February 1.  Apparently it took a few days for that appointment to be publicly announced.  Assuming he is confirmed by the General Assembly, the Commissioner's term will continue for four years (until March 31, 2019).


 

January 16, 2015

What Would The White House's Data Security Breach Proposal Mean For North Carolina Businesses?

Earlier this week, the President announced a new cybersecurity initiative. The White House explained that:
"[t]here is a growing perception that individuals have lost control of their personal information; a negative implication of such a view is it may serve as an inhibitor of the use of technology, stymie innovation, and contribute to a less productive economy."
Of course, the President has no legal authority to implement most of his proposals. The Constitution gives Congress the sole power to introduce and pass legislation. The President's role is simply to sign or veto a bill once Congress approves. However, the President's bully pulpit gives him the practical ability to influence Congress' agenda. The primary purpose of the President's current cybersecurity push is to pressure Congress to enact comprehensive cybersecurity legislation.
 
As of now, the White House has not disclosed all of the text of the proposed bill--only bits and pieces. What we have been told is that the proposal has multiple components. One component that has been described in detail is the breach notification requirement (styled as "The Personal Data Notification & Protection Act"), the full text of which you can read here.

North Carolina and 45 other states already have a data breach notification law. This might suggest that there is no need for a nationwide breach notification rule. Are state breach notification rules inadequate? Is there a compelling need for nationwide uniformity? These are important policy questions. In order to evaluate them, it might be helpful to understand how the White House proposal differs from state laws--particularly the data breach notification requirement found in the North Carolina Identity Theft Protection Act. This blog post will compare the White House proposal to North Carolina's existing breach notification requirement.

Entities Covered. The North Carolina breach notice statute applies to any business in North Carolina or that "owns or licenses" information about North Carolina residents. Under the White House proposal, only businesses that hold sensitive personally identifiable information about more than 10,000 individuals would be covered.

The Reporting Requirement of a Security Breach. The White House proposal would require business entities to give notice of a "security breach" involving "sensitive personally identifiable information." The term "security breach" in the White House proposal would mean a "compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in...unauthorized acquisition... or access...."

The term is defined slightly differently under North Carolina law. Under our Identity Theft Protection Act, a security breach is "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."

Here's one difference: It would be harder to avoid reporting "low risk" incidents under the White House proposal. There are all sorts of scenarios that might result in unauthorized access, some of which can be relatively innocuous, and probably do not warrant reporting. You can imagine such situations easily. The White House proposal would make it harder to avoid reporting in these situations. Under the North Carolina law, a breach occurs when "illegal" use "has occurred or is reasonably likely to occur" or there is "a material risk of harm to a consumer." Under the White House proposal, there is a breach, and therefore a reporting requirement (at least to the FTC), if there is an "unauthorized acquisition" or "access...in excess of authorization." Under the White House proposal, even if the incident presents a low degree of risk, it must be disclosed to the FTC.

Here's another difference: Under the North Carolina statute, if a hard drive is stolen, but it's encrypted, there is no breach. Under the NC statute, that ends the analysis, and there is no reporting requirement. Under the White House proposal, there is a breach, even if the information was encrypted, and the custodian of the information would then have to undertake a risk assessment to determine if there is a "reasonable risk that a security breach has resulted in, or will result in, harm to the individuals." Encryption might support a presumption that there is no reasonable risk of harm. However, under the White House proposal, the business would be required to self-report to the Federal Trade Commission within 30 days:
  • that it had experienced a breach and conducted a risk assessment,
  • the results of the risk assessment,
  • that it had concluded that there was no reasonable risk to individuals; and
  • logging data (i.e., records of access and changes to a database) for the six months prior and database users' and administrators' log-in information.

Definition of Personal Information. The term "sensitive personally identifiable information" is defined in the White House proposal similarly to the term "personal information" in the North Carolina statute, except that the White House proposal is slightly more broad and would also allow the Federal Trade Commission to create other categories of "sensitive personally identifiable information" by rule. In this way, the White House proposal might be more easily adjusted to changes in technology.

Timing of Notice. The days immediately following discovery of a security breach are difficult for a business, as well as being important to law enforcement. The first priority is almost always to identify and eliminate vulnerabilities. Businesses are reluctant to make public statements before they have obtained and analyzed the facts. Each of these steps may require outside help from forensic computer experts and security experts. It takes time. One of the ways in which the White House proposal differs from the North Carolina statute is the timing of reporting obligations. Under both the North Carolina statute and the White House proposal, the breached business must notify affected customers "without unreasonable delay." However, under the White House proposal, that means no later than 30 days unless the FTC grants an extension.

Public Notice. In addition to notifying affected individuals, state statutes often require a public announcement, of some sort, of the breach. Under the North Carolina statute, the business must notify statewide media of the breach (and place a notice on its website) only if it chooses not to contact affected individuals directly because the cost of providing notice would exceed $250,000 or the number of affected individuals exceeds 500,000. Under the White House proposal, if more than 5,000 residents of any particular state are affected, the breached business must notify statewide "major media outlets" of the breach.

Under the White House proposal, if more than 5,000 individuals are affected by a breach, the business must notify the credit reporting agencies. Under the North Carolina statute, the threshold for making such a report is 1,000.

Allocation of Responsibility to Provide Notice. Under the North Carolina statute, the reporting obligation falls on the business that "owns or licenses" the personal information. A third party custodian who does not own or license the information must merely notify the owner or licensee of the information (not the affected individuals) in the event of a breach. The North Carolina statute does not address whether the owner/licensor can agree with the custodian that, in the event of a breach, the custodian would be responsible to provide notice to customers.

The White House proposal expressly allows owners/licensees and custodians to enter into a contract that allocates the responsibility to notify affected individuals of a breach; however, the notice must include reference to the party who has a direct business relationship with the affected individuals (i.e., the owner/licensee).

Summary. As you can see, the White House proposal differs from existing North Carolina law in a number of ways. From the perspective of a business that has consumer data, the White House proposal generally seems more burdensome; however, for businesses operating in multiple states, the additional obligations of the White House proposal might be outweighed by the benefits of having a uniform law across jurisdictions. (Responding to a multi-state breach is very challenging because of the variation in state breach response laws.) 
 

Whether Congress will take up the proposal in earnest, and whether legislation resembling the White House proposal will pass both houses, is anyone's guess, but one thing is clear at this point--the President has initiated a public dialogue on these issues.


January 11, 2015

When Your Identity Has Been Stolen: 10 Steps to Follow

On several occasions, I've been asked to help individuals whose identities have been stolen. However, most of the time, it is not cost-effective for a lawyer to handle the majority of the initial steps in responding to the theft of an individual's identity. Instead, the affected person is usually best advised to handle most of the first steps themselves. [FN1]

As a public service, I'm providing the following step-by-step guide for individuals who suspect that credit has been obtained in their name without their consent. (There are other kinds of identity theft, but this is the most common.) Although the Federal Trade Commission has a good guide for victims of identity theft, it (i) requires you to read several different webpages instead of just one, and (ii) does not explain the state-law-specific aspects of recovering from identity theft. This is intended to be a simplified guide for North Carolina residents.

1.   Put a Fraud Alert on Your Credit Report. Call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report. (Tell the agency you contact to tell the other two to do the same...although there's no harm in calling all three yourself). You'll be required to prove your identity when placing a fraud alert. There is no cost to you to place a fraud alert. The purpose of an initial fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed.

You can contact the credit reporting agencies at the following:
  • Equifax - 1-800-525-6285, www.equifax.com, P.O. Box 740241, Atlanta, GA 30374-0241
  • Experian - 1-888-397-3742, www.experian.com, P.O. Box 2104, Allen, TX 75013-0949
  • TransUnion - 1-800-680-7289, www.transunion.com, P.O. Box 1000, Chester, PA 19022

2.   Order Your Free Credit Reports. When placing a fraud report, you are entitled to a free credit report from each of the three major credit reporting agencies. The agency that you call (as instructed in #1 above) will explain your rights and how you can get a free copy of your credit report. You could also use this form.

3.   Submit an Affidavit to the FTC. Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can. Next, you need to put this information into the form of an affidavit (a sworn written statement). The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at https://www.ftccomplaintassistant.gov/. When finished, submit the affidavit to the FTC through the website. Print or save a copy for your records. (Alternatively, you can use this form.)

4.   File a Police Report. Call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both. In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule). File a police report. (Either they will send an officer to you, or will ask you to come to the station.) Give the officer a copy of your FTC Identity Theft Affidavit. Also give the officer a copy of the FTC's official memo to local law enforcement agencies, a copy of which is available here. Ask to be given a copy of the police report once it's ready.
 
5.   File an FTC ID Theft Report. Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from collecting debts that result from identity theft, or from selling the debt to another company for collection, (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).
Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see #6 below). In either case, you should notify all three of the credit reporting agencies.

6.   Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze. Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze.

Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years. When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.

North Carolina residents are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently. (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.) If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes, pursuant to NC law. Putting a credit freeze on your credit file does not affect your credit score.

The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law. Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above).
 
So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity. My general preference is the freeze, because it gives you the most control.
7.   Review Your Credit Reports and Dispute Errors. Carefully review your credit reports for errors. If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report. Here is a sample letter that may be helpful.
The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’ investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.
 
8.   Contact Any Businesses Involved. If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (such as a PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed. Also ask them to stop reporting information relating to the fraud to credit reporting agencies. As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization. Here is a sample.
 
9.   Stop Debt Collectors from Contacting You about Fraudulent Debts. If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.

10.  Additional Tips:
  • Remember to record the dates you made calls or sent letters.
  • Keep copies of all correspondence in your files.
  • A number of sample letters are available here.
I hope you find this guide helpful. Please feel free to share it with your family, friends, and colleagues. Although I hope you never need it, I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website, just in case.

___________________

[FN1] When the person whose identity has been stolen either (a) lacks the ability to respond themselves, whether due to a disability, age, or otherwise, or (b) is someone whose time is sufficiently valuable that it makes economic sense for them to hire someone else to remedy the situation, a lawyer/paralegal team may be well-positioned to handle these matters. Otherwise, it makes sense for the affected person to handle most aspects of resolving a stolen identity, with limited guidance from a knowledgeable lawyer.

IMPORTANT: This blog post is for educational purposes only, and does NOT constitute legal advice. You should consult with your own attorney about your specific situation. This blog post does not create an attorney-client relationship, and it will not be updated to reflect changes in law or practices, so you should refer to other sources to ensure you receive the most accurate, up-to-date information.

January 8, 2015

Has the FTC Overstepped Its Bounds on Privacy and Information Security?

One of the most frustrating things about privacy and information security law is the lack of certainty when it comes to acceptable uses and protocols.  This piece is intended to explain some of the reasons for the uncertainty, and to highlight a pending case that might shed additional light.

Bills to create nationwide privacy and information security rules seem unable to gain traction in Congress. (Perhaps that will change with the new class of legislators having just been sworn into office.)  At present, the United States has no comprehensive privacy statute nor is there a comprehensive set of privacy regulations.  Instead, we have a "patchwork" of privacy regulation:
Most privacy laws in the United States are industry-specific and enforced by industry-specific agencies.  For example, the federal banking agencies (the FDIC, OCC, FRB, and NCUA) govern financial institutions' handling of financial information, and the Department of Health and Human Services holds healthcare providers responsible for following the health information privacy rules.

At the federal level, the Federal Trade Commission is the agency with the broadest reach to address privacy and information security issues.    The FTC has taken the role of filling the gaps left by the patchwork of regulations by pursuing enforcement actions against all sorts of companies for all sorts of privacy-related issues.  But from where does the FTC's broad authority over privacy practices come, and how far does it reach?  Certain specific federal statutes give the FTC authority over specific issues, like the privacy of children's information on the internet, and credit reports, but what about the FTC's authority over the broad spectrum of privacy-related issues?

The Federal Trade Commission Act prohibits "unfair and deceptive acts and practices in or affecting commerce."  The FTC relies upon this broad language to justify its sometimes aggressive enforcement actions against organizations that do not handle customer information in the way the FTC finds acceptable.  For example, the FTC has pursued, and extracted large sums of money from, many website operators and social media platforms that it alleged had failed to carry out the promises those companies had made in their privacy policy statements, on the grounds that such shortcomings were "deceptive acts" (and more recently, also "unfair").  Privacy lawyers have observed that the FTC seems to take a very expansive view of its statutory authority in these contexts, but most companies that have found themselves in the crosshairs of the FTC have settled rather than challenge the FTC's authority (such as Facebook, Twitter and Google, as I've written about here).

Another significant problem with the FTC's broad and ambiguous authority is that the FTC has not been given the explicit authority to write and publish regulations governing privacy and data security generally.  As a result, the FTC "regulates by enforcement," meaning the primary way in which we know what will draw the FTC's ire is by looking at the instances in which it has brought enforcement actions in the past and drawing inferences from the court filings and settlement agreements that become public.  The obvious problem is that the rules of the game are not given to the players at the outset of the game, and are never made perfectly clear.  Only by carefully observing the FTC's public actions and public statements can we begin to infer the kinds of activities that might trigger FTC action.  Regulating privacy and information security in this way (after-the-fact punishment based on very broad principles) leaves a lot of room for uncertainty, and many organizations are craving clarity in these areas.

A case pending before the Third Circuit Court of Appeals may result in additional certainty:  The FTC brought an enforcement action against Wyndham Hotels following information security lapses by the hotel chain, but Wyndham is fighting back, arguing that the FTC lacks the authority under the FTC Act to bring data security enforcement actions, as well as arguing that the FTC failed to give it fair notice of the security practices the FTC expects.  Wyndham further challenges the FTC's claim that its practices were "unfair."  (A practice is "unfair" under the FTC Act only if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.")

Because most FTC enforcement actions in this area result in settlement, this is the first time a federal appeals court will be asked to clarify the FTC's role in data security.  You can bet privacy and information security lawyers and other InfoSec professionals will be watching this case closely!


In Good Company



I am very honored to be included--along with a number of fine lawyers across the state--in the 2015 "Legal Elite."  This year I was listed in the "Business" category, as well as the "Young Guns" category.  Business North Carolina magazine surveys more than 20,000 North Carolina lawyers by asking the following question: "Whom would you rate among the current best in these categories [of law]?"   The results are compiled, and fewer than 3% of the lawyers in North Carolina are then named to the list.

My sincere thanks go out to all of the lawyers across North Carolina who participated in the peer review process conducted by Business North Carolina magazine.  I certainly do appreciate your support.  I know that many of you read this blog, and I have the privilege to work with many of you through the North Carolina Bar Association on important issues affecting our state and our profession.  I truly appreciate your friendship and trust.  I consider it a privilege to be able to recommend several of you for well-deserved recognition, and I am pleased to see some very deserving names on this year's list (although there are several others I wish had also been included).   May this new year bring each of you the success and recognition you have earned.

November 15, 2014

Yet Another Reason to Handle Consumer Electronic Consents Correctly

From time to time, clients balk when I describe the components of an effective consumer consent to an electronic transaction.  They say "I've seen lots of other websites, and they don't require this." 

They are correct, in part.  Most websites do not do what I advise my clients to do, because most websites have deficient disclosures and consent language.  Most of the time, these do not result in anything catastrophic.  But that does not make it legal...or smart. 

One aspect of consumer electronic transactions that people question most often is affirmative consent.  They ask whether it is truly necessary to provide detailed disclosures and obtain affirmative consent from consumers when entering into agreements through electronic means.   Affirmative consent means that the consumer expressly agrees to the terms, or "opts in."  An example of affirmative consent is the following:
"By clicking the button labelled 'Accept' below, you agree to the terms and conditions of this Agreement and acknowledge that you have read and understand the disclosures provided above."
Most businesses would generally prefer negative consent, also referred to as "constructive" consent or "opt out."   An example of negative consent is the following:
"By using this website, you are agreeing to these Terms and Conditions."
Obviously, negative consent is easier for businesses to handle than getting affirmative consent.  The question, however, is whether a negative consent is effective for all purposes.

The (federal) E-SIGN Act and the (state) Uniform Electronic Transactions Act require that if any other statute, regulation, or rule requires that a consumer be given a document or disclosure in writing, then in order for a consumer to effectively agree to receive it in electronic format, the consumer must affirmatively consent after having been given very specific disclosures.  In some circumstances, it may be difficult to identify a specific law requiring a written disclosure in connection with the contemplated transaction.  You may think, "we are not under any legal obligation to give any notices or disclosures to these customers after this transaction."  However, there are a large number of disclosure requirements contained within the millions of pages of law affecting consumer transactions.  Just because you can't think of one off the top of your head doesn't mean none exist.  For this reason, I almost always advise my clients to obtain affirmative consent from consumers for online agreements.

In this post, I'm going to give you a real-world example of a situation in which obtaining a proper consumer electronic consent could save a lot of money:

ABC Corp. (fictional) sells products and services to consumers in North Carolina through its website and the telephone.  It has collected information from tens of thousands of consumers over the past few years, and stores that information on its database on its own server.  Included in the information are the consumers' credit card numbers (so that regular customers will not have to provide all of their information with every order).  The credit card numbers are not encrypted on the database.  ABC Corp. becomes aware of an incident of unauthorized access to its database.  Customer information likely has been accessed, and the available information indicates that the person who accessed the information has nefarious intent. 

Under North Carolina law, ABC Corp. is obligated to notify each consumer of the data security breach.  The North Carolina Identity Theft Protection Act says that ABC Corp. can notify the consumers via email only if the consumer's consent has been properly obtained in accordance with the E-SIGN Act.  If ABC Corp. has records of consumers' email addresses, but has not obtained the proper consent to provide subsequent legally-mandated notices by email, ABC Corp. cannot satisfy its obligations by providing the notice by email.  Instead, the Identity Theft Protection Act requires that the notice be provided in hard copy (if mailing addresses are available).  In this situation, because ABC Corp. has failed to obtain consumer consent in the proper way at the outset, the cost of responding to a subsequent data security breach will be tens of thousands of dollars more as a result of printing and postage costs alone.

This is just one example of the many ways in which handling consumer consent carefully at the start of an electronic relationship with a consumer can pay off for a business later.









November 7, 2014

Public Service Announcement: "Combatting Financial Exploitation: A New Tool"

Regular readers of this blog know that preventing the financial exploitation of older or disabled folks is something that I am passionate about.  I've written and spoken on the topic frequently over the past couple of years.

This week, I had the privilege to join a distinguished panel of experts for a series of training webinars on combatting financial exploitation of the elderly and disabled.  The webinar was coordinated by the NC Administrative Office of the Courts (specifically, the inimitable Lori Cole), and included representatives of the NC Department of Justice (the ever-risible Raj Premakumar), UNC School of Government (the erudite Aimee Wall), NC Bankers Association (the staid Jan Dillon), and NC Department of Health and Human Services (the passionate triumvirate of Nancy Warren, Renae Minor and LeShana Baldwin).  More than 300 participants registered, most of whom were lawyers, judges, clerks of court, financial professionals, and social services officials from all across North Carolina.

Here are a few quotes from participants who contacted us after the webinar to provide feedback:

"Thank you so much for all the great information I received with the combatting financial exploitation webinar class. This will help me to stay up to date with the new change." - an Assistant Clerk of Court

 "Thank you for an informative CLE!" - a County Attorney

 "Thanks for the program and the info!" - a County Attorney

 "The webinar today was a very good introduction." - an Assistant Clerk of Court

 "It was a very good program." - a Social Services Attorney

"The information was very helpful." - an Assistant Clerk of Court

For those who were unable to join us, a copy of the materials from the presentation is available here.

A video of the presentation will be available soon, and I will update this post to include it.

If you encounter circumstances that lead you to suspect the financial exploitation of an older or disabled person, whether in your professional life or your personal life, please report your suspicions appropriately. 

 
 

November 6, 2014

A Message to New North Carolina Lawyers

The following article was published by the NC Bar Association in The Advocate earlier this month.  If you know any newly-licensed lawyers in North Carolina, I encourage you to share it with them:

Welcome to the YLD
by Matt Cordell, Division Director

Welcome to the Young Lawyers Division, which is affectionately known as the “YLD”! If you are younger than 36 or in your first three years in the practice of law in North Carolina (regardless of your age), you have been inducted automatically into the YLD effective upon joining the North Carolina Bar Association. Make no mistake—despite the fact that admission did not require much effort on your part, YLD membership is something from which you should derive great pride. (Second-career lawyers tend to be eager to call themselves members of the Young Lawyers Division—a feeling you will understand one day if you do not already—but this is not the sort of pride to which I refer.) You have joined the ranks of a dynamic, transformative organization that will ask for your talent and enthusiasm and, in return, give you meaningful experiences, skills, and relationships. The YLD has a tremendous legacy of developing effective young lawyers and serving our communities in powerful ways. In this special issue of The Advocate, we hope to show you how the YLD makes a difference in the world and can make a difference in your career.

The Young Lawyers Division Yields Lasting Dividends
The YLD is the largest division of the NCBA, with 6,500 members. It is also widely acknowledged that the YLD is the most active service arm of the NCBA. It is the source of many of the NCBA’s service initiatives, and has provided an enthusiastic workforce to carry out virtually all of the Association’s service projects—service to our members, our neighbors, and our communities. The YLD’s heritage of service dates back to its founding in 1954 and is the first goal expressed in its mission statement:
To promote the general welfare of the public, advance the professional education and welfare of young lawyers, involve young lawyers in the activities of the NCBA, promote fellowship among all members of the bar, and advance the standards of both the legal profession and the administration of justice. 

On our strong backs rest the responsibility and opportunity to carry out the vital work of the profession for the public good. The YLD has risen to the challenge in many ways, and most of its 21 committees are oriented toward service. From Murphy to Manteo, YLD members are effecting positive change across our state.
The YLD is where the future leaders of the NCBA, the State, and the nation gain valuable leadership experience. This is evident from a brief summary of the accomplishments of the prior YLD chairs:
  • Six prior YLD chairs have become presidents of this Association.
  • One became president of the ABA.
  • Nine became NCBA Section chairs.
  • Seven chaired NCBA committees.
  • Two became president of the State Bar.
  • Two more took the helm of Legal Aid.
  • A significant number went on to hold public office.
To underscore the point, note that these accomplishments reflect only the Division Chairperson—one person each year. Scores of other YLD officers and committee chairs honed leadership skills in the YLD that enabled them to accomplish great things later in life.

The YLD is Important for Your Legal Development
Legal publications and the editorial pages of newspapers have recently made common knowledge something we in the profession have known for some time: many law schools do not fully prepare students for the practice of law. As a new lawyer, you need practical experience and opportunities to develop leadership and other skills. These can be acquired in countless ways through the YLD’s many committees. You can watch more experienced lawyers counsel clients, and practice doing so yourself, through Wills for Heroes clinics or Project Grace clinics. You can develop your public speaking skills through any number of committees and events. You also can sharpen your writing by joining the Newsletter Committee. Take advantage of opportunities to hone a host of additional skills—advocacy, event planning, speaking, or drafting—while making a difference in your community. The YLD is where newly-minted lawyers acquire the skills and experience to lead their communities, organizations, the legal profession, and society.
This brings me to another significant benefit of YLD involvement: relationships. I have made many great friends through the YLD, and continue to encounter exceptional people each time I participate in a YLD event. If you have not discovered it already, you will learn that relationships matter tremendously in your professional life, just as they do in your personal life. The YLD is a great way to meet the very best young lawyers in the state—young lawyers who are motivated, committed, and service-oriented…and fun to be around. Basically, if you want to make friends with the leaders of the future, it is easy to do. Sign up for a YLD committee or service project. You will be surrounding yourself with some of the best young minds and hearts in this great state. But, as LeVar Burton used to say on Reading Rainbow, “you don’t have to take my word for it.” Give it a try. If you don’t make friends with lots of other bright, friendly, committed young lawyers, we’ll refund your membership fee. (Your first year of NCBA dues has already been waived!)
Matt Cordell practices in the areas of banking, corporate, and privacy law with Ward and Smith, P.A., and serves as a YLD Division Director. This bar year marks his eighth year as an active member of the YLD. He looks forward to meeting each of you at a YLD event soon.