May 31, 2013

The FTC and Attorneys General Are Hunting for Faulty Online Privacy Policies and Practices. Don't Get Caught in the Crosshairs.


Photo credit: Truthout.org / Foter.com / CC BY
Historically, the FTC and other government agencies have relied on complaints from consumers, advocacy groups, and others to initiate investigations of privacy policies and practices.  These days, however, the FTC and some states' attorneys general are taking a more proactive approach.

The FTC has recently served so-called "educational" letters on approximately 90 businesses alerting them to upcoming changes in regulations--ostensibly "to encourage you to review your apps, your policies, and your procedures for compliance."  The primary targets seem to have been operators of mobile apps.

But it's not just the feds who are taking an active role in identifying and addressing deficient privacy policies and practices. California has some of the most extensive online privacy requirements of any U.S. jurisdiction, and any business with a website directed to a nationwide audience should take care to observe the California rules.  About a year ago, California's Attorney General announced the creation of a Privacy Enforcement and Protection Unit assigned to "focus on protecting consumer and individual privacy through civil prosecution of state and federal privacy laws."  In February of 2012, California's Attorney General entered into an agreement with seven leading mobile and social app platforms – Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion – to conform to California law.  Then, in October of 2012, the Attorney General sent letters to 100 mobile app operators across the country demanding they comply with the California Privacy Protection Act.  The Attorney General warned that companies can face fines of up to $2,500 each time a non-compliant app is downloaded.  Atlanta-based Delta Airlines was one of the recipients of the letter, and based upon Delta's failure to comply with the Attorney General's demand within 30 days, the Attorney General sued Delta in December of 2012 in federal court in San Fransisco. The Attorney General has threatened to bring actions against non-compliant website operators and app operators under California’s Unfair Competition Law and/or False Advertising Law, which could result in hefty penalties.

Maryland's Attorney General has also established a special “Internet Privacy Unit,” following in the footsteps of California's Attorney General.  He has written in a press release that ""Internet privacy is one of the most essential consumer protection issues of the 21st century," and he is leading a national initiative among state attorneys general entitled "Privacy in the Digital Age" to expand and enforce privacy rights across the nation.  Last year, Maryland's Attorney General led 36 state attorneys general in a fight against Google's privacy policy change.  You can be certain that the Internet Privacy Unit will be responding aggressively to inadequate privacy policies and practices.

In the future, website operators and mobile app operators will have increasing difficulty staying beneath the radar of the FTC and attorneys general, and compliant privacy policies and practices will be more important than ever to avoid  lawsuits and prosecution. There will be no better time than now to review privacy policies and procedures for compliance with all applicable legal requirements.



Bank of North Carolina to acquire Randolph Bank

According to a press release issued today, BNC Bancorp, the parent holding company of Bank of North Carolina, will pay $10.4 million to acquire Randolph Bank, which has $302 million in assets and six branches in Asheboro, Burlington, Mebane and Randleman, by merger.  Randolph shareholders will receive an 80:20 stock/cash payment. 

The acquisition will give Bank of North Carolina 31 branches in North Carolina and $3.2 billion in assets.

BNC will buy out Randolph's preferred shareholders, including the US Treasury's TARP shares, with cash. (BNC has recently repurchased its own TARP shares by issuing debt.)

The deal is expected to close by September 30.

BNC continues to grow by acquisition.  The deal follows its purchase of Blue Ridge Savings Bank, First Trust Bank, KeySource, Carolina Federal Savings Bank, Beach First National, Regent Bank, and branches of The Bank of Hampton Roads. 

May 30, 2013

Website Operators: The Children's Online Privacy Protection Act Rules Will Change on July 1, 2013.


Online privacy and information security are areas of ever-increasing concern for the FTC, prosecutors, plaintiff's lawyers, and consumer advocates.  There are now a smattering of laws and regulations that operators of websites, applications and advertisers must now comply with relating to these issues.  In particular, anyone who operates a website designed for kids or a website geared to a general audience but that is aware that it is collecting information from someone under 13 should understand and comply with the Children's Online Privacy Protection Act, the FTC's rules, and the FTC's guidance.  

Photo credit: Mike Licht, NotionsCapital.com / Foter.com / CC BY

The Children's Online Privacy Protection Act became law almost 15 years ago, but on July 1, 2013, the Federal Trade Commission's revisions to the Children’s Online Privacy Protection (COPPA) Rule, which are designed to modernize the Rule, will become effective.  Therefore, affected website operators should consider whether revisions to their policies and practices are appropriate.

What Is the Children's Online Privacy Protection Act Rule?
 
The COPPA Rule requires operators of websites or online services directed to children under 13 years of age (and operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age, even if not by design) to provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children, and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities.
What Revisions Take Effect on July 1, 2013?
The lengthy revisions are designed to achieve the following:
  • Modify the definition of "operator" to make clear that the Rule covers an operator of a child-directed site or service where it integrates outside services, such as plugins or advertising networks, that collect personal information from its visitors;
  • Modify the definition of "Web site or online service directed to children" to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child-directed Web site or online service;
  • Modify the definition of "Web site or online service directed to children" to allow a subset of child-directed sites and services to differentiate among users, and requiring such properties to provide notice and obtain parental consent only for users who self-identify as under age 13;
  • Modify the definition of "personal information" to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different Web sites or online services;
  • Modify the definition of "support for internal operations" to expand the list of defined activities;
  • Streamline and clarify the direct parental notice requirements to ensure that key information is presented to parents in a succinct ‘‘just-in-time’’ notice;
  • Expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent;
  • Create three new exceptions to the Rule’s notice and consent requirements;
  • Strengthen data security protections by requiring operators to take reasonable steps to release children’s personal information only to third parties who are capable of maintaining the confidentiality, security, and integrity of the information;
  • Require reasonable data retention and deletion procedures;
  • Strengthen the FTC’s oversight of self-regulatory "safe harbor" programs; and
  • Institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a Web site or online service.
You can read more about the new Rule changes here and here.





May 20, 2013

There Seems To Be An Uptick In FDIC Lawsuits Against Directors And Officers

2013 is shaping up to be a bad year for former directors and officers of seized financial institutions.

Cornerstone Research, a consulting firm, has issued a report entitled "Characteristics of FDIC Lawsuits against Directors and Officers of Failed Financial Institutions" indicating that FDIC litigation activity in 2013 relating to failed institutions could outpace the prior three years.  As of April 22, the FDIC has seized eight institutions and filed at least twelve lawsuits. If this pace continues until the end of the year, the number of suits will total 39, more than any year since the start of the crisis.

Salient conclusions include the following:
  • The FDIC has extracted a total of $601 million—mostly from the pockets of directors, officers and their insurers. 
  • Of the 44 settlement agreements involving directors and officers, 39%, required out-of-pocket payments by the directors and officers in addition to amounts to be paid by insurance carriers.
  • FDIC lawsuits against directors and officers of failed institutions have been filed in 12 percent of all failures so far. 
  • After the crisis began in 2007, the FDIC began filing lawsuits in 2010.  Accordingly, there seems to be a backlog of filings, with more to come.
  • CEOs are the most commonly named defendants (88% of cases).
  • Outside directors have been sued in 75% of the complaints in 2013.
  • All 2013 lawsuits included allegations of gross negligence and breach of fiduciary duty. Seventy-five percent included allegations of simple negligence.
You can read the full report here





May 19, 2013

Is the legal equivalent of a nurse practitioner (a "legal practitioner") the future of legal services in the U.S.?

Nurse practitioners and physician's assistants are increasingly becoming the providers of choice for routine medical care.  This is largely a function of labor supply and cost pressures (from insurers, other third-party payors, and the uninsured).  Take the following article from March 2013 in the Raleigh News and Observer: "Increasingly, our medical care is entrusted to nurse practitioners"  (Read more here: http://www.newsobserver.com/2013/03/26/2781629/increasingly-our-medical-care.html).  Could a similar article be written in 2023 regarding "legal practitioners"?  Many are wondering. 

Some, including some lawyers, are actively advocating for a professional legal practitioner role below the level of licensed attorney.  In his blog, Simple Justice, New York attorney Scott H. Greenfield, has even argued that the supervision of an attorney is unnecessary: "The most important aspect of this new position is that it would entitle the practitioner to function independent of lawyers. While they could operate within the law firm structure, they would be trained and authorized to practice as a stand alone professional, to hang out a shingle of their own."

If a new tier of legal practitioner is indeed in the future, what should the role entail?  What safeguards will be necessary to protect the public?  What services currently provided by lawyers will become the purview of the legal practitioner?  Where and how will the practitioners be trained?  Who will make these decisions? 

Please share your thoughts on the subject with me here or elsewhere.  As a member of the NC Bar Association's Strategic Planning & Emerging Trends Committee, I am very interested to hear thoughts from various perspectives on all aspects of this issue. 

Credit: Allan Head of the NCBA for the NP/LP article analogy concept.

May 15, 2013

Ethical Email for In-House Counsel

When may a lawyer copy or "Reply All" to an opposing party, and when is it prohibited? 

I wrote an article in The Business Lawyer entitled "Ethical Email for In-House Counsel: What the Ethics Committee of the North Carolina State Bar Thinks of Your Use of the "CC" Field and "Reply All" Button" that was published today analyzing the North Carolina State Bar's position on these issues.  The audience was in-house counsel, but most of it applies to all lawyers. 

Here is an excerpt:
 
The next time you position your cursor over the "CC" field or the "Reply All" button on your email software, consider whether clicking your mouse could be a violation of the Rules of Professional Responsibility. 
 
*** 

Today, contract negotiation is done primarily by email, and much of the early stages of claims negotiation is handled by email as well. When corresponding with an attorney representing the other side, a lawyer may not realize that merely copying the other lawyer's client can amount to a breach of his or her professional responsibility that could result in disciplinary action by the State Bar. On January 24, 2013, the Ethics Committee of the North Carolina State Bar voted to publish a proposed ethics opinion addressing a lawyer's professional obligations when corresponding with a represented party by email.
 
You can read the full article in HTML format or in PDF

May 13, 2013

Pisgah Community Bank in Asheville Seized


On Friday, May 10, the N.C. Office of the Commissioner of Banks seized Pisgah Community Bank in Asheville, North Carolina, and handed it over to the FDIC as receiver.  The FDIC immediately sold approximately $19.8 million of Pisgah’s $21.9 million in assets to Capital Bank, N.A., of Rockville, Maryland.  The Maryland bank also assumed most of the $21.2 million in total deposits. 

Today, Monday, May 13, the Asheville office opened as a branch of Capital Bank, which has its only other branches in Maryland and Washington, DC.

I have no inside information, but my guess is that Capital Bank does not intend to expand further into North Carolina, and that the acquired office in Asheville will ultimately be closed or sold.  I draw that inference from the existing geographic footprint of the Maryland bank and the fact that NC already has a fast-growing "Capital Bank" (and therefore a trademark/regulatory dispute would be foreseeable if both continued to grow in NC under the same name.)  Only time will tell if I have guessed correctly.

Pisgah Community Bank was the seventh North Carolina state-chartered bank to close since 1991, and the second in 2013.

[Source: NCCOB]