Author: Joel Thomas

The FCC Establishes a Database Aimed at Reducing Robocalls: New Safe Harbor for Businesses, Additional Obligations for Telecom Providers

Posted on by Joel Thomas

“Robocalling” – a term that broadly describes automatically-dialed calls, caller ID spoofing, recorded calls, and telemarketing – has become one of the biggest challenges for both callers and consumers.  According to robocall blocking service provider YouMail, 47.8 billion robocalls were placed in 2018.  Atlanta was once again the city in the U.S. receiving the most robocalls, with about 2.1 billion annually.  Rounding out the top five, were Dallas, New York, Los Angeles, and Chicago.

The Telephone Consumer Protection Act (“TCPA”) and its implementing rules restrict the making of telemarketing calls, the use of automatic telephone dialing systems, and the use of artificial or prerecorded voice messages, without the express consent of the dialed party.  A telemarketing call is also defined broadly to include text messages sent to wireless subscribers.  The requirements under the TCPA apply to all telemarketers, as well as all businesses that use automated phone equipment to interact with consumers, for example, to provide appointment reminders, account notifications, or other general business communications.

The North American Numbering Plan Administrator estimates that about 35 million numbers are disconnected and made available for reassignment to new customers each year.  This reassignment process means that a caller who previously obtained the express consent to call a given number may call that number without realizing that the number has been reassigned to a new party who has not given express consent to receive the call – which could lead to legal liability for the caller under the TCPA.

The Federal Communications Commission (“FCC”) has said that unwanted calls to reassigned numbers are a major problem.  Despite that there are existing tools available to address this issue, the FCC has determined that none are comprehensive.  Further, none appear to have adequately curbed the problem of making unwanted calls to reassigned numbers.

As a result, in December 2018, the FCC ordered the creation of a database that will enable callers to verify whether a telephone number has been reassigned before calling that number.  Those callers that rely on the reassigned numbers database will be provided a safe harbor from TCPA liability where the caller has prior express consent to make the call to the number that the database erroneously reported as not having been disconnected.  In addition, the FCC’s new rules will impose new reporting obligations on telecommunications service providers.

Businesses should look to use the reassigned numbers database because it will likely reduce both their potential liability for making unlawful calls to reassigned telephone numbers and operational costs as a result of targeted calling.  Telecommunications service providers should ensure that they are prepared to comply with the new recording and reporting obligations.

Permanent disconnection and aging. The FCC ordered the creation of a comprehensive database of numbers that have been permanently disconnected so businesses like banks and pharmacies that call customers frequently may avoid calling reassigned numbers.  Callers will be able to query the database before making a call to determine whether the number has been permanently disconnected.

“Permanent disconnection” means that a subscriber has permanently relinquished a number, or the provider has permanently reversed its assignment of the number to the subscriber so that the number is no longer associated with the subscriber for active service in the service provider’s records.  Permanent disconnection does not include instances where the phone number remains associated with the subscriber such as, for example, temporary disconnections for non-payment or when a consumer ports a number to another provider.

In the order, the FCC also adopted a minimum telephone number aging period of forty-five (45) days, establishing a minimum period of time a number must remain out of use before reassignment to a new customer.  Before this change, telecom providers could reassign telephone numbers to another consumer almost immediately.  The FCC reasoned that the more quickly a number is reassigned from one consumer to another, the less likely callers are to learn of the reassignment and the more likely a caller is to misdirect a call to the reassigned number.

Contents and use of the database.  The FCC will limit the contents of the database to the date of the most recent permanent disconnection for the affected telephone number.  The data made available to callers in response to a query will be limited to either “yes”, meaning the number has been reported as disconnected since the date the caller provides; “no”, meaning the number has not been reported as disconnected since the date the caller provides; or “no data”, meaning there is no information available for the number requested.

To ensure that the database is available to the widest number of users and accessible to any size caller, it will have the ability to process low volume queries, for example, via a website interface, or high-volume queries through a batch process or standardized application interface.  This means that a small dental office that texts their patients appointment reminders and a large outbound call center making thousands of calls each day can each use the database in a manner that works best for their respective operations. However, users of the database will be required to certify that they are using it solely to determine whether a number is permanently disconnected.

Safe harbor for users of the database.  Callers that use the database are granted a safe harbor from TCPA liability for calls made to numbers for which they had obtained prior express consent but, at the time of the call, relied on the database to determine that the number had not been reassigned.  The safe harbor shields the caller from liability if the database returned an inaccurate result.

Projected costs for users of the database.  Use of the database is voluntary, and those that choose to use it will be assessed a user fee.  In addition to the user fee, the FCC estimates the startup cost for callers to be one day of development and three days of testing for a single full-time engineer, resulting in about $2,160 for larger companies that would invest in the information technology resources to integrate with the reassigned numbers database.  Smaller companies are expected to have lower startup costs as a result of using an internet/web-based interface.

Service provider obligations and administration of the database. The order also requires all service providers that use the North American Numbering Plan to provide to the database administrator information about telephone number disconnections.  Those providers that do not receive their numbers directly from the North American Numbering Plan Administrator or the Pooling Administrator (for example, resellers and most VoIP providers) may delegate their reporting obligation to the service providers through which they obtain numbers.  The database administrator will be selected by the FCC through a competitive bidding process at a later time.

Similarly, toll free numbers, which are administered by the Toll Free Numbering Administrator, will also be included in the database.  The obligation to report the permanent disconnection status of toll free numbers will fall to the Toll Free Numbering Administrator.

Beginning 30 days after the rules are approved by the Office of Management and Budget, providers will be required to keep records of their permanent disconnections on a going-forward basis.   In addition, providers will be required to report their permanent disconnections to the database administrator on the 15th day of each month, with the exact start date to be announced by the FCC once the database is operational.   However, small providers (those providers with 100,000 or fewer domestic retail subscriber lines) will be granted a limited extension of six months from both the recordkeeping and reporting requirements.

While the timeframe for implementing the database and the foregoing changes is uncertain, this looks to be beneficial to all stakeholders once operational.

If you have any questions about how these recent developments may affect your liability under the TCPA or reporting obligations, please contact Joel Thomas at jthomas@fh2.com or (770) 399-9500.

IoT and Connected Devices: Before Rushing In, Be Mindful of the Risks

Posted on by Joel Thomas

If your business manufactures or uses a connected device or simply collects and stores user data, it may be exposed to legal liability.  Despite the transformative effects of such Internet of Things (“IoT”) technologies, the reality is that IoT will increase your business risk – know its sources and manage it.

What is IoT?

IoT is a concept that has existed for decades.  However, due to deep declines in the cost of sensors, computing and related technologies, IoT is now influencing the physical world in transformative ways.  To start, IoT describes a ubiquitous connection of devices or objects (“things”) that can be monitored, controlled or interacted with by Internet-connected electronic devices, allowing people to interact seamlessly with both the digital and physical world.  IoT centers on machine-to-machine communications and the idea that more information (i.e., data) leads to a deeper understanding of the physical world.  In turn, this deeper understanding creates greater value for the end-user.  On a small scale, IoT includes wearable technologies that, in real-time, allow a user to track how far she has run and to share this information with friends.  IoT technology also includes an array of conveniences in home automation and security.  For example, when a homeowner pulls into his driveway, IoT can automatically open the garage door, turn on lights inside the home, and disable the home security system.  On a much larger scale, IoT will maximize efficiencies in the way that cities consume power, manage traffic, and prepare for natural disasters.  Experts at Cisco and Ericsson estimate that there will be 50 billion connected devices by 2020.  Moreover, the McKinsey Global Institute values the IoT market somewhere between $3.9 trillion and $11 trillion by 2025.

Despite the countless opportunities that IoT presents, businesses should be wary of its major legal concerns: the capture and use of consumer data, and cybersecurity threats.  Further, businesses should have actionable plans for the governance and protection of consumers’ personally identifiable information.

Whose Data is it?

When things are always on – as is the case with IoT – data is continuously shared.  And although IoT creates new opportunities to solve existing problems, it raises new issues between private citizens and businesses operating in the digital space.  At present, there is much debate over the ownership of data that consumers disclose while using products and services: Do consumers retain ownership over their personal data or do businesses take ownership over such disclosures?  Consumer disclosures are often a necessary component of the utility of products and services.  These disclosures also aid the improvement to such products and services, thereby creating long-term benefits for the consumer.  Businesses that take care in drafting their terms and conditions contract for rights in these consumer disclosures.

Still, businesses must consider consumer privacy laws and the ethical concerns of collecting and storing consumers’ personal data.  Broadly, the FTC enforces consumer protection laws that protect consumers against unfair methods of competition or deceptive acts or practices.  But businesses should also be cognizant of the applicable regulatory frameworks for the industries in which they operate.  For instance, the Communications Act, as amended, and the FCC impose additional requirements for telecommunications carriers’ use of consumer information.  In addition, state laws and regulations may impose added responsibilities.  Also, U.S. companies that engage in cross-border data flows should be aware of additional data transfer laws and data sovereignty issues.  Similarly, ethical concerns for data privacy often arise out of the representations that businesses make concerning their use of data or the overbroad bulk collection of data, where either instance exceeds consumers’ reasonable expectations.  In recent proceedings, the FTC has brought enforcement actions against technology companies like Snapchat, Yelp, Google, and Facebook for violating their user privacy agreements.  There, the FTC found the companies to have deceived consumers over the amount of personal data the companies collected and made misrepresentations on how certain products or product features actually worked.

Businesses should always provide notice and obtain consent before collecting consumer information, and they must market truthfully and ensure their public commitments match actual practices for the collection, scope, retention, expressed purpose, and confidentiality of data.  Further, businesses should also be aware that private actions concerning the ownership of consumer data could arise in a number of ways – privacy, contract, or tort.

Legal Effects Remain Uncertain

Although connected products and services may amplify products liability concerns, cybersecurity must also be addressed.  It is clear that product and service providers who do not meet reasonable expectations in the cybersecurity of their product and service offerings will face liability.  But these requirements are still imprecise, as regulators have abstained from creating formal rules and have instead decided matters on a case-by-case basis.  For example, in separate proceedings, the FTC brought enforcement actions against Wyndham Hotels and Resorts and IP-camera maker Trendnet, alleging that the companies engaged in deceptive and unfair acts because of their failure to take reasonable security measures.  In both cases, the FTC alleged, among other things, that the companies unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft, because they stored personally identifiable consumer data in clear readable text and failed to use readily available security measures, like firewalls or software that would secure data transmissions.  Further, the FTC alleged that neither company regularly tested or monitored the security of its network.  Both cases carry twenty year settlement obligations.  In another case, the FCC held companies YourTel and TerraCom jointly and severally liable for fines totaling $10 million due to poor data security practices, where the companies stored personally identifiable consumer data online, without firewalls, encryption or password protection.  More recently, the Consumer Financial Protection Bureau fined financial-technology firm Dwolla for misrepresentations made concerning its data security practices.  Notably, in this case no data breach actually occurred.

Still, the effect of law becomes even more unpredictable when we begin to use existing technologies in disruptive ways that touch multiple industries.  For example, the advent of a “digital wallet” has created gaps, overlaps and ambiguities in applicable payments laws.     In the face of such ambiguity, many businesses unwittingly take on extreme risk as they add connectivity to products, introducing poorly designed, vulnerable hardware or software to the marketplace.

Businesses should build products with safety in mind to address cybersecurity concerns, designing their products or services around the possibility of hacks or breaks in the communication chain.  They should regularly monitor and update the security of their products and services as needed.  One of the greatest benefits of IoT is that updates, or patches, can be pushed from the manufacturer directly to the consumer without consumer involvement, which is not only convenient for the consumer, but also limits the business’s prolonged exposure to liability.  Even if a business does not offer ongoing support, it should notify consumers of security risks and available updates.  Larger businesses may want to implement bug bounty programs, which provide recognition or compensation to individuals that report bugs or find system vulnerabilities.

Take Time to Contract Thoroughly with Corporate Partners

Does your business collect or share data with corporate partners absent a formal contract?  Businesses should appreciate the danger for potential liability as the number of stakeholders who play a part in the value chain increases.  The Target and Home Depot data breaches occurring in December 2013 and September 2014, respectively, provide retail examples of the importance of security practices among corporate partners and finding a balance in the amount of access afforded to vendors.  In both instances, point-of-sale systems were compromised when third-party vendor credentials were stolen for back office systems.

Along with internal security measures, businesses should look to standardize security across the many stakeholders involved in their distribution chain.  If security cannot be standardized, businesses should work only with service providers who are capable of maintaining adequate security over the data for which they are responsible.  When contracting with corporate partners, a business should implement strong indemnity provisions that protect it against damages caused by the other party.  Further, businesses should maintain licensing and supply agreements between them and their corporate partners that clearly define: the scope of the data collected; the ownership of such data; the custodian of the data; the acceptable uses for the data; whether any third-parties will have access to the data; how to determine liability in the event of a breach; the side of the point of demarcation on which responsibilities lie; and how compliance will be verified.

Plan for a Breach before It Occurs

Lastly, businesses should have actionable plans for the governance and protection of data that contains consumers’ personally identifiable information.  Many companies maintain information of a wide scope under a false impression that more data is always more valuable.  But collecting and retaining large stores of information can actually make it more difficult for companies to realize a breach has occurred.

Businesses should follow these tips: limit the scope of data collected; do not retain data for longer than needed; anonymize data where possible; and be reasonable in the disposal of confidential documents.  Further, businesses that are custodians of large amounts of data that contain personally identifiable information should maintain cyber risk insurance.  Cyber risk insurance policies generally indemnify first party and third party losses that result from disruption to the company’s own network, data breaches of personally identifiable information, cyber extortion, and media liability.  (For a more in depth discussion on insurance coverage, be sure to read Michael Stewart’s post, “Insurance for Technology Businesses: Are You Covered?”)

Managing the Risks

As businesses release innovative products and services, they are faced with policymakers’ unclear expectations for security practices and uncertain applications of existing legal standards.  Businesses can reduce their legal exposure by marketing truthfully; knowing the consumer protection and data security laws and regulations that govern their industry; creating comprehensive data security programs that are verified through regularly scheduled audits; using reasonable security measures and addressing failures or opportunities for breach before a system is compromised; and having a plan in place to deal with a breach, including knowledge of the requirements for reporting it.

Friend, Hudak & Harris, LLP is at the forefront of inspecting and assessing the potential impact of IoT across a number of industries. This leaves us well positioned to guide clients through varied complexities, helping them to avoid or reduce technology related risks.