Michelle Cohen recently joined Ifrah Law as a partner. Here is an edited transcript of a recent interview with Ms. Cohen.
Question: What are some of your legal experiences and strengths that you’d like to highlight?
Answer: I have many years of experience representing clients engaged in various industry sectors before state attorney generals, the FTC and the FCC, particularly in investigations and enforcement matters. I have a deep knowledge of marketing law and have counseled and defended clients in dozens of matters involving the Telephone Consumer Protection Act, the federal Can Spam Act, and state and federal telemarketing laws and regulations. I also sat for and passed the Certified Information Privacy Professional examination administered by the International Association of Privacy Professionals. This demonstrates my broad capabilities in the field of privacy law.
Some recent matters of note include managing a data loss incident for a client that entailed notifications to several state attorney generals’ offices, assisting the client with remediation and public relations management, and reviewing existing data retention policies, as well as a follow-up investigation at the state level. The client was able to move forward without any enforcement activity.
On the Telephone Consumer Protection Act side, I have supervised teams of attorneys in defending class and individual actions and resolved FCC enforcement matters (including without any penalties).
My training as both a litigator and a regulatory/corporate advisor allows me to offer a wide range of services to clients. I take great pride in knowing that my regulatory advice to clients in how to craft their business practices and establish meaningful policies has resulted in these clients avoiding enforcement actions and litigation.
Question: There has been a lot of publicity these days about data breaches that have caused serious harm to a number of retailers, credit card companies, banks, and others. Do you think there has been a real uptick in the number of such breaches, and if so, why has it occurred?
Answer: I think the increased publicity stems more from the growing awareness on the part of companies and the press that there are various types of data breaches and data losses that are covered by federal and state laws and that need to be reported and remediated. Some years back, if a laptop containing sensitive information was stolen from an employee’s car, the company might disable the account and report the theft, but the event did not necessarily trigger potentially thousands of notices to those affected, state attorney generals and consumer protection offices, publicity (via news reports and blogs that cover daily breaches) and possible lawsuits and enforcement activity. Today, that one event can result in all of those actions occurring.
Question: What is your advice to companies that may someday face a data breach?
Answer: A couple of months ago, I wrote an article regarding data breaches. The central point was that no organization should consider itself immune. Rather, a data breach (in the form of a bad actor) or a data loss (for instance, by negligent but unintentional employee action) WILL occur, no matter how many precautions a company takes. The key is to have policies in place regarding data security, to train employees in an effort to prevent negligent actions, and to be prepared for actions that will need to be taken when an event occurs. Organizations should have a team in place (human resources, legal, public relations, etc.) for dealing with these types of problems. Data loss events require swift, but considered action. In particular, some of the state breach laws have deadlines, and companies have found themselves under investigation (or involved in litigation) when their responses to a breach have been too slow or failed to meet the requirements of the law. These legal ramifications, combined with the negative publicity that WILL follow, can often be much worse than the actual data loss event.
Question: Are some companies failing to put the best safety provisions in place?
Answer: Most large companies have incorporated data safety policies; however, many medium size and smaller businesses have not done so. In addition, I think that many companies, both large and small, do not realize the scope and applicability of many of the laws. For example, consider a large company based in Texas, with most of its employees in that state. Its managers may not realize that if the company has three employees in Massachusetts, they are covered by Massachusetts’ data protection law. This statute has very specific requirements, including a requirement for a Massachusetts-specific information security plan. Let’s say the Texas company has a data loss and has to notify the Massachusetts employees and the Massachusetts Attorney General’s office along with all of its other employees. The company may get a follow-up inquiry from the Massachusetts AG asking for a copy of that company’s Massachusetts-compliant written information security policy. If the company does not have one, because it never realized it fell within that state’s law, it may find itself in some hot water there.
Accordingly, all organizations need to be proactive in their data security planning and must provide continuing updates to their policies, training, and understanding of what federal, state, and international laws may apply to their operations.
Federal Trade Commission
This is the fourth of a regular series of posts that summarize and wrap up our latest thoughts that have appeared recently on Ifrah Law’s blogs.
1. Proposed Gaming Bill Could Make Nevada First to Legalize Online Poker
Nevada, long an innovator in the gambling arena, may soon take another major step by becoming the first state to legalize online poker. We discuss the state’s importance in the gaming world, the chances of passage of the bill, and the groups that stand to benefit.
2. Brady Violation Leads to Reversal of Conviction in D.C.
When it comes to Brady violations, sometimes late is no better than never, it seems, as the D.C. Court of Appeals reverses a conviction for assault with intent to commit murder. We explain what information the prosecutors withheld and why it was important.
3. ‘Taking the Fifth’ Before Congress: A New Ethics Twist
It’s unethical for a prosecutor to put a witness on the stand with knowledge that the witness will exercise the privilege against self-incrimination. We look into a new D.C. Bar ethics opinion that gives a novel answer to the question of doing the same thing before a congressional committee.
4. Is FTC Action Needed Against Pricey Apps?
It’s true that children shouldn’t be buying expensive Smurfberries and other online goodies for their apps with real money (on Mom or Dad’s credit card). The FTC has been asked to take action. We discuss whether the agency is the right place to turn, or perhaps Mom and Dad are.
5. Does Google Need to Police Its Ads for Fraud?
There are unscrupulous merchants out there on the Internet. Does Google need to look into every advertiser before accepting its money? A consumer group’s letter to the FTC has awakened interest in this issue.
6. Online Sellers Need to Beware of State Attorneys General
A Philadelphia online electronics store is the target of Pennsylvania’s attorney general for alleged bait-and-switch practices. But it’s not just the state of origin that can target an online seller.
On March 2, 2011, Jeff Ifrah, founding partner of the Ifrah Law firm in Washington, D.C., provided commentary on two different breaking news items to The Washington Post, the Associated Press, ABC News, the Blog of the Legal Times and several other major news outlets.
That day, an article in The Washington Post quoted Ifrah on the significance of an FTC press conference at which the agency pledged to crack down on marketers who promise bogus business opportunities The same day, Ifrah was quoted on the same development in a posting on the Blog of Legal Times (BLT).
Also on March 2, the Associated Press quoted Ifrah on the issues behind a guilty plea by a former executive at Alabama-based Colonial Bank in a nearly billion-dollar fraud conspiracy involving a mortgage lender, Taylor Bean. The article was picked up by The Washington Post, salon.com, the Atlanta Journal-Constitution, ABC News, Seattle Times, and many other outlets.
Federal Criminal (Other)
This is the second of a regular series of posts that summarize and wrap up our latest thoughts that have appeared recently on Ifrah Law’s two blogs.
1. Is D.C. on the Way to Legalizing Online Poker?
On February 2, we were among the first media outlets to point out that a little-noticed amendment could give D.C. residents the legal right to play online poker through a new system administered by the D.C. Lottery. This would put the District, surprisingly, in the forefront of the movement to legalize Internet poker. It’s an issue that a lot of people will be watching.
2. New DOJ Unit Will Keep Eye on Prosecutors’ Misconduct
The Department of Justice’s new Professional Misconduct Review Unit was created to investigate and punish instances of misconduct by DOJ attorneys. Our post examines this new unit and concludes that the DOJ has a long way to go to restore full public confidence.
3. Those iPad Hackers Were Probably Seeking Publicity, Not Profit
What was the story behind the two iPad hackers who obtained the personal data of approximately 120,000 iPad users by exploiting a security weakness in AT&T’s software? They’re now facing potential jail time, but we concluded that they were probably just trying to show where the weaknesses were in the software, not to profit from the data that they got hold of.
4. Is This Domain Name Seizure a Bad Omen for Internet Freedom?
Recently, a U.S. magistrate seized 10 websites that prosecutors say were streaming live sports events in violation of copyright. We were concerned that prosecutors might soon go too far in these efforts and try to ask for the seizure of any domain or website that they just find objectionable.
5. Facebook Friends and Judicial Ethics
We looked at an Ohio state board’s ruling that a judge may become a Facebook “friend” of an attorney as long as the judge takes care to protect the integrity and impartiality of the judiciary. This decision is one indication that states are looking to impose content-based restrictions regarding Internet use and social media, rather than broad prohibitions on the use of an entire website.
6. Middlemen Run Afoul of FTC Suspicions
We took a look at a recent case that the Federal Trade Commission settled with three companies that had advertised to consumers that they would provide debt relief services, while in fact they simply were middlemen who put people in touch with others who were in the business of debt relief. Our post examines why FTC actions like this one can prevent middlemen from entering a market and can actually be harmful to consumers.
7. FTC Looks at Football Helmet Safety Claims
In view of the growing concern over concussions in the NFL, we took a look at safety claims for football helmets. Sen. Tom Udall (D-N.M.) asked the FTC to look into claims made by helmet manufacturers. We discussed what might be at stake for the companies and for young football players.
8. FTC Cracks Down on Bogus Virus-Removal Software
The FTC recently took action against companies that placed online advertisements falsely stating that users’ computers are infected with viruses – and then sold them bogus security software. We noted that cases like this can serve as a reminder that the FTC is likely to target sellers who blatantly cloak their advertisements in deceptive fear tactics.
9. Wu Appointment May Mean More Regulation to Come
We believe the FTC’s recent appointment of Columbia Law Professor Tim Wu as a member of the FTC’s Office of Policy Planning could be a harbinger of more market-stifling regulation to come, and we urged that the FTC should stick to protecting consumers and not to look to fix things that aren’t broken.
10. Chargebacks Can Be a Major Problem for Small Businesses
In this post, a follow-on to a Wall Street Journal article that identified chargebacks as a major problem for small businesses, we noted that credit card companies often take the side of the purchaser in reversing a charge and that it can often take a long time for a merchant to be re-credited with a sale. We expressed hope that consumers would realize that their actions can harm merchants that often can’t afford these losses and that they would think twice before requesting a chargeback.
This is the first of a regular series of posts that summarize and wrap up our latest thoughts that have appeared recently on Ifrah Law’s two blogs.
1. Can Police Read a Suspect’s Text Messages Without a Warrant?
What happens when the usual rules of search and seizure collide with the new world of information in which a tiny phone can hold as much data as a computer? On January 19, we looked at a California Supreme Court decision that in a warrantless police search after an arrest, a cell phone in a defendant’s pocket isn’t treated any differently from a pack of cigarettes or a note pad.
2. E-Cigarettes, the Internet, and the FTC
Electronic cigarettes are battery-operated nicotine delivery devices that are meant to replicate the flavor and sensation of smoking a tobacco cigarette. On January 20, we made some predictions about how the FTC will be regarding online advertising strategies for this new product and what online advertisers should do about it.
3. ‘Fake’ Reviews and Endorsements Catch the FTC’s Attention
On January 24, we took a look at the FTC’s first case that focused on “fake” product reviews and explained what this means for other affiliate marketers. The FTC alleged that a PR firm called Reverb Communications had its employees pose as ordinary consumers when they posted online iTunes product reviews and that it didn’t disclose the relationship. We discuss why Reverb’s settlement set important precedent for online advertisers, affiliate marketers and bloggers.
4. An Unfair Sentence for Slaughterhouse Plant Manager?
A few months ago, Sholom Rubashkin, the former plant manager at Agriprocessors, Inc., in Iowa, was sentenced to 27 years in prison for fraud in his operation of the kosher slaughterhouse. The case drew national attention. Recently, three influential legal advocacy groups filed amicus briefs in a federal appeals arguing that the sentence is excessive and urging that Rubashkin be resentenced. On January 25, we examined these amicus briefs and their arguments.
It has been widely reported that the Obama administration will soon announce a proposal designed to strengthen consumer privacy on the Internet. The plan, calling for new laws and a new “watchdog” position to oversee the effort, is expected to be part of an upcoming Commerce Department report.
The concern about online privacy is well founded. Few consumers realize the extent to which their information is collected, bundled and sold to Internet marketers. Most websites employ tracking technologies that gather consumers’ search and spending habits to create detailed dossiers that are then sold to Internet marketers. And there is no comprehensive U.S. law that protects consumer privacy online.
But we question whether a new law is needed. As the nation’s consumer protection agency, the Federal Trade Commission has been successfully prosecuting companies accused of violating consumer privacy both on and off the Internet for many years. The FTC’s mandate against deceptive and unfair practices is broad enough to encompass any conceivable privacy violation.
Moreover, the Obama proposal faces opposition from both privacy advocates, who claim that the plan doesn’t go far enough, and from the Republican-controlled House of Representatives, which is unlikely to support legislation that could strengthen the FTC.
In addition, some privacy advocates have expressed concern that the Obama plan is based on industry self-regulation and is therefore “toothless.” While we agree that leaving the industry to regulate itself is not sufficient, there are viable ways to combine self-regulation and government enforcement. In fact, the wildly popular Do Not Call law is a good example of such a model. The FTC is expected to call on the industry to develop an Internet version, a “do-not-track” tool that people could use to remove themselves from online surveillance by marketers and others. The recommendation will be included in an upcoming FTC report on Internet privacy, expected to be released in December.
The FTC already has a number of tools to protect consumer privacy online. These include holding companies to their privacy promises about how they collect, use and secure consumers’ personal information; enforcing rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information; and ensuring consumer privacy under the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. At this point, a new law and a new set of bureaucrats don’t seem necessary.
The Federal Trade Commission is taking steps to show that it is quite serious about enforcing the so-called blogger disclosure rules that it issued last year.
The rules say, essentially, that when someone endorses or reviews a product or service, the person must disclose any relationship with the company that produces the product. So if a blogger gets a free item from a manufacturer, the blogger has to say so in his or her review. The idea is that consumers would want to know if the objectivity of a review is tainted in any way.
This type of problem occurs frequently in affiliate marketing, since the affiliates of a manufacturer can discuss the manufacturer’s products in their blogs. This would be a relationship that would have to be disclosed.
But the rule isn’t limited to bloggers or affiliates. The commission just served notice that public relations and marketing firms are squarely in its focus. What if a PR firm’s employees are endorsing their clients’ products without disclosing that they are, essentially, being paid to do so?
That issue just came before the FTC. Tracie Snitker, the founder and sole officer of Reverb Communications, a small PR firm in the Sacramento area, signed a consent order that became final in late September. She agreed to remove any reviews on iTunes that discussed apps produced by Reverb’s game developer clients that were actually written by Reverb employees who posed as ordinary customers and failed to disclose the relationship.
In addition, Snitker agreed not to post any further reviews on iTunes that fail to make that kind of disclosure – in effect, she and her employees are not allowed to pose as independent consumers.
Mary Engle, the director of the FTC’s Division of Advertising Practices, said at the time that the basic principle is clear: “Companies, including public relations firms involved in online marketing, need to abide by long-held principles of truth in advertising.”
The agreement that Snitker signed is legally binding. It follows a less stringent action that the FTC took in April against Ann Taylor Stores, which gave up to $500 in gift cards to bloggers who attended a preview of its summer 2010 design collection. Not all the bloggers disclosed this financial connection.
In the Ann Taylor case, the agency simply closed the matter with a nonbinding “closing letter,” in which it stated that it expected Ann Taylor to “take reasonable steps to monitor bloggers’ compliance with the obligation to disclose gifts they receive.”
Affiliate marketers need to be aware of these two government actions of increasing severity. Endorsements are fine; you can say what you want, but you had better disclose your financial ties, whether you are an affiliate, a paid endorser, a PR firm employee, or simply the recipient of a free gift card.
Is there a way to hold a government agency like the Federal Trade Commission (FTC) accountable for the cost to businesses of what a company says are abrupt and systemic changes in regulatory standards? POM Wonderful LLC, a Los Angeles-based juice company, is trying to do just that by suing the FTC in District Court.
The FTC is reportedly investigating POM for alleged false advertising but hasn’t filed a complaint against the company. POM claims in its own lawsuit, filed in U.S. District Court in the District of Columbia, that the agency is already inventing new deceptive-advertising law on its own – without going through the required rule-making procedures — and is getting ready to enforce it against POM.
Specifically, POM says the FTC is now requiring that advertisers obtain prior approval by the Food and Drug Administration before making claims that a product treats or prevents disease and that they must have two well-controlled studies before making non-disease claims.
POM alleges that the FTC has put out these new, obligatory advertising standards for the entire food industry not by going through formal rule-making that would give the industry a chance to have input, but simply by publishing consent orders that it entered into with Nestle U.S.A. and Iovate Health Sciences, Inc. POM says the FTC gave POM copies of these consent orders and told POM that these standards now have the force of law and delineate the “new definition of deception.” POM says this action flies in the face of 20 years of FTC rules and regulations on food advertising.
POM alleges that the FTC is violating POM’s First Amendment rights to engage in truthful speech and is damaging POM’s good will and brand identification as a healthy juice company. Another notable argument that POM makes is a claim of due process deprivation in violation of the Fifth Amendment. The company alleges that the FTC’s actions have disrupted its business and devalued the “tens of millions of dollars” invested in research that was conducted in accordance with the FTC’s prior standards.
POM makes valid points. Companies ought to be able to reasonably rely on government standards so that they can decide how to allocate their resources. That is why federal agencies are required to undertake formal rule-making procedures and to allow businesses time to respond to proposed rules and, if necessary, to modify their practices in advance of the rules’ implementation.
But regulators sometimes see such procedures as tedious and time-consuming. Hence the common practice of many agencies of making changes on the fly through settlement agreements with investigated companies. As POM alleges was done by the FTC, an agency may settle out with a company by requiring that company to implement more stringent measures. Since the agreement is private and between two parties, that document may contain any measure the two parties agree upon – whether or not common practice and whether or not more stringent than current regulatory standards. One of the wrinkles in agencies’ use of such settlement agreements, though, is that these agreements often impact more than just the parties to the agreement.
The parties to the consent decree win (sort of) in that they keep the agency at bay. The agency wins in that it expeditiously (and extrajudiciously) gets to tighten its reins on companies subject to its regulations. But outside companies – which have diligently and reasonably relied on published regulations – may find themselves at a significant loss.
Late last month, we noted a highly unusual decision by U.S. Magistrate Judge Alan Kay in the District of Columbia to order the Federal Trade Commission to respond to interrogatories about a subpoena it had issued to Paul Bisaro, the CEO of Watson Pharmaceuticals, in a generic-drug investigation.
Normally, that sort of inquiry into the motivations behind an FTC subpoena is off limits. The only exception, which is rarely invoked, is that limited discovery can be ordered to ensure that enforcement of the subpoena would not amount to an abuse of process.
Kay’s inquiry seems to have found nothing terribly amiss in the FTC’s motivations for the subpoena, as he has just recommended to U.S. District Judge Colleen Kollar-Kotelly that the subpoena to Bisaro should be enforced. Judge Kollar-Kotelly had referred the dispute to Kay, and his findings can now be appealed to Judge Kollar-Kotelly.
Kay said that the case law requires that the court enforce the subpoena, as long as the FTC could show a proper purpose for it, even though there were allegations that the subpoena also had an improper purpose.
Watson had contended that the FTC was using its investigative powers improperly. The commission says it is looking into whether there was a possibly anti-competitive agreement that could have kept a generic form of a sleep disorder drug off the market for a substantial period of time, thus harming consumers.
Watson and Bisaro had asserted that the FTC was using its investigative tools to try to pressure Watson, a generic-drug company, to enter into a deal with a third party and to relinquish its statutory rights to exclusivity for the drug.
However, Kay wrote in his August 17, 2010, report to Judge Kollar-Kotelly that Bisaro may still have information that would be relevant to a legitimate inquiry by the FTC and that “enforcement of a subpoena is called for as long as a proper purpose does exist.”
Kay did call the FTC’s approach “questionable” but said it is the business of the legislature, not the judiciary, to look into the practices of regulatory agencies.
It appears that a direct challenge to the FTC’s practices has been averted. However, the commission may feel chastened by the fact that a federal magistrate chose to order interrogatories to flesh out the purpose behind a subpoena.
Watson might have done better to try to resolve the issue with the FTC after the first, favorable ruling, rather than letting the matter go back to Magistrate Kay for another ruling, especially after he too knew that a legitimate enforcement purpose existed.
For further thoughts on this matter, see the Washington Legal Foundation’s Legal Pulse commentary on this case.
When a U.S. magistrate judge in the District of Columbia issued his ruling in Federal Trade Commission v. Bisaro on July 13, 2010, permitting limited discovery of certain FTC officials regarding an agency subpoena, it had been more than three decades since the D.C. Circuit had found that “extraordinary circumstances” were present that warranted discovery in a subpoena enforcement action.
Subpoena enforcement proceedings are typically “summary procedures.” However, upon a finding that extraordinary circumstances exist, the court may order limited discovery to ensure that enforcement of the subpoena would not amount to an abuse of process.
In opposing the FTC’s petition to enforce a subpoena requiring him to testify under oath, Paul M. Bisaro, CEO of Watson Pharmaceuticals, moved to compel limited discovery on whether the FTC was acting with an improper purpose in issuing the subpoena. Bisaro argued that the FTC had acted outside the scope of its regulatory and enforcement authority by using the subpoena to pressure Watson to enter a deal with another generic pharmaceutical company.
U.S. Magistrate Judge Alan Kay found the facts in Bisaro “extraordinary enough to grant very limited discovery.”
In a finding that will no doubt be embarrassing to the Commission, Kay found that the FTC may have exceeded its authority by using its investigative power to pressure Watson to enter into a business deal that the FTC considers desirable. Citing the U.S. Supreme Court’s 1964 decision in United States v. Powell, Kay said it is an abuse of process to enforce an agency summons that “had been issued for an improper purpose, such as to harass the [recipient] or to put pressure on him to settle a collateral dispute.” Kay ordered the FTC to answer interrogatories but stopped short of requiring a key agency official, Markus Meier, to sit for a deposition.
The case will likely fuel the debate as to just how far the FTC will go to achieve a ban on so-called reverse-payment patent settlements between generic and branded drug firms. Bisaro argued that Meier, the assistant director of the FTC’s Bureau of Competition’s Health Care Division, expressly warned Watson’s counsel that failure to pursue the FTC’s suggested course would likely cause the FTC “Front Office” to initiate an investigation.
Kay found this credible and noted that the FTC had admitted, “If Watson had just agreed to [do what the FTC wanted] it never would have pursued this investigation.”
Kay rejected the FTC’s argument that “an administrative subpoena must be enforced whenever a valid purpose appears, even if an otherwise improper purpose also appeared.”
Prior to the Bisaro decision, the D.C. Circuit had only found one instance where extraordinary circumstances existed to warrant discovery. See United States v. Fensterwald, 553 F.2d 231, 232 (D.C. Cir. 1977) (finding limited discovery into IRS audit selection procedure appropriate where lawyer who headed a committee investigating the IRS was then selected for special audit).