
Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of the Consumer Protection Connection blog and Beyond Telecom Law Blog.

On 6 March 2019, Democrats in the House and Senate introduced the “Save the Internet Act of 2019.” The three-page bill (1) repeals the FCC’s Restoring Internet Freedom Order released in early 2018, as adopted by the Republican-led FCC under Chairman Ajit Pai; (2) prohibits the FCC from reissuing the RIF Order or adopting rules substantively similar to those adopted in the RIF Order; and (3) restores the Open Internet Order released in 2015, as adopted by the Democratic-led FCC under Chairman Tom Wheeler.

Major Impacts:

  • Broadband Internet Access Service (BIAS) is reclassified as a “telecommunications service,” potentially subject to all provisions in Title II of the Communications Act.
  • The three bright line rules of the Open Internet Order are restored: (1) no blocking of access to lawful content, (2) no throttling of Internet speeds, exclusive of reasonable network management practices, and (3) no paid prioritization.
  • Reinstates FCC oversight of Internet exchange traffic (transit and peering), the General Conduct Rule that authorizes the FCC to address anti-competitive practices of broadband providers, and the FCC’s primary enforcement authority over the Open Internet Order’s rules and policies.
  • Per the Open Internet Order, BIAS and all high-speed Internet access services remain subject to the FCC’s exclusive jurisdiction, and the revenues derived from these services remain exempt from USF contribution obligations.
  • The prescriptive service disclosure and marketing rules of the Open Internet Order, subject to the small service provider exemption, would apply in lieu of the Transparency Rule adopted in the RIF Order.

FCC Chairman Pai promptly issued a statement strongly defending the merits and benefits of the RIF Order.

KH Assessment

  • From a political perspective, the Save the Internet Act of 2019 garners support from many individuals and major edge providers committed to net neutrality principles but faces challenges in the Republican-controlled Senate.
  • In comments filed in the proceeding culminating in the RIF Order, the major wireline and wireless broadband providers supported a legislative solution that codified the no-blocking and no-throttling principles but not the no-paid-prioritization prohibition or the classification of BIAS as a telecommunications service.

It is highly unlikely that the legislation will be enacted as introduced. Though still unlikely, there is a better chance that a legislative compromise may be reached.

On August 4, 2016, the Federal Communications Commission (FCC) released a Declaratory Ruling granting in part two separate petitions that were filed last year – one by the Edison Electric Institute and American Gas Association, and another by Blackboard, Inc. – regarding application of the Telephone Consumer Protection Act of 1991 (TCPA) to certain types of non-telemarketing, informational “robocalls” placed by energy utilities and schools, respectively.  The TCPA prohibits, among other things, robocalls (calls and texts that are placed using an autodialer or a prerecorded or artificial voice) to mobile numbers unless they are made for an “emergency purpose” or with “prior express consent.”

The Declaratory Ruling confirms that:

(1) Energy utilities are deemed to have the requisite “prior express consent” to place robocalls regarding matters “closely related to the utility service” (namely, calls regarding planned or unplanned service outages or service restoration, calls regarding meter work, tree trimming, or other field work, calls regarding payment or other problems that threaten service curtailment, and calls about potential brown-outs due to heavy energy use) if placed to numbers provided by customers; and

(2) Schools can lawfully place certain types of robocalls to members of the school communities pursuant to the “emergency purpose” exception in the TCPA (namely, calls concerning weather closures, incidents of threats and/or imminent danger due to fires, dangerous persons, or health risks, and unexcused absences), and schools are deemed to have the requisite “prior express consent” to place other types of robocalls that are “closely related to the school’s mission” (namely, notifications of upcoming teacher conferences and general school activities) if placed to numbers provided by the recipients.


While the FCC largely granted the relief requested by the petitioners regarding the type of consent that is required to place “robocalls,” the agency reminded businesses of their obligation to comply with other TCPA requirements when placing robocalls, such as the opt-out requirements and ceasing robocalls to numbers that have been reassigned to new subscribers.  TCPA litigation is on the rise, and the FCC has adopted stringent requirements for automated calls and texts, so all businesses should ensure that they understand their obligations when using these technologies to communicate with current and former customers, employees, and others.

Lawsuits, class actions in particular, alleging violations of the Telephone Consumer Protection Act of 1991, 47 U.S.C. § 227 (“TCPA”), are on the rise.  The Federal Communications Commission (“FCC”) has also been actively engaged in TCPA enforcement, and just last month released a Declaratory Ruling clarifying that sellers may be held vicariously liable for TCPA violations by third-party telemarketers acting on their behalf.  This landscape makes it increasingly important for companies to review their practices to ensure that they comply with applicable laws.

Among other things, the TCPA generally prohibits:

  • Using artificial or pre-recorded voice messages to make calls to residential lines and cellular phones without prior express consent;
  • Using autodialers to call cellular phones and send text messages;
  • Making calls to numbers registered on the national Do-Not-Call Registry; and
  • Sending unsolicited ads via fax without prior express consent (or an established business relationship) and an opt-out mechanism.

Last year, the FCC revised its rules to require, among other things:

  • Prior written consent for autodialed or prerecorded telemarketing calls to wireless and wireline numbers; and
  • An automated opt-out mechanism.

TCPA violations can result in fines of $500 to $1,500 per violation, which can have a severe financial impact on companies that engage in large-scale marketing campaigns that do not comply.

The bottom line: Companies that engage in marketing campaigns via phone, text, and fax should carefully review their policies and practices to ensure that they comply with applicable laws.  Companies that engage third parties to perform these services on their behalf should also perform due diligence on their vendors and incorporate relevant provisions into their contracts.

The Obama Administration’s consumer data privacy framework released last month will impact companies’ data collection, use, and retention practices, and raises complex legal issues. As explained in a recent article by Keller and Heckman LLP, the notion of codes of conduct developed through a multistakeholder process, to be enforced by the Federal Trade Commission (“FTC”), raises (1) administrative procedure concerns, and (2) questions as to whether self-regulatory initiatives could be hampered. In addition, enforceable codes of conduct and a Consumer Privacy Bill of Rights, which forms the core of the framework, could spur more privacy litigation. Recent lawsuits have involved the use of cookies and other technologies to track users online, companies’ violations of their privacy and data security commitments, and companies’ failures to adequately protect and secure personal information.

As contemplated by the White House framework, the U.S. Department of Commerce National Telecommunications and Information Administration (“NTIA”) has requested comments on enforceable codes of conduct and the multistakeholder process. NTIA seeks comment on the following issues in particular:

  • Transparency of privacy notices for mobile apps;
  • Online services directed to kids and teens; and
  • The use of technologies like browser cookies, local shared objects, and browser cache to collect personal information.

These issues have also been a focus of lawmakers, the FTC, and the states.

The Administration urges Congress to pass legislation that applies the Consumer Privacy Bill of Rights to sectors not subject to existing privacy laws, and calls for a national security breach notification standard. Even in the absence of comprehensive legislation, these developments demonstrate that the U.S. privacy legal landscape continues to rapidly evolve.

Do you know whether and how your websites use “cookies” or other technologies to collect information from users and/or target advertising?  Do you know what information is being collected and how it is being used?  The Federal Trade Commission has endorsed an online “Do Not Track” mechanism, and recent inquiries, investigations, and lawsuits relating to the use of cookies and other technologies online have put the issue in the spotlight:

  • Sen. Jay Rockefeller, who introduced a “Do Not Track” bill earlier this year, plans to hold a hearing on Facebook’s use of cookies following a USA TODAY report.  Rockefeller sent letters to Visa and MasterCard last month about their information collection practices.
  • Reps. Ed Markey and Joe Barton, who introduced a “Do Not Track Kids Act” earlier this year, have also made inquiries to Facebook about its information collection practices.
  • The FTC is reportedly close to reaching a settlement with Facebook over allegedly deceptive privacy practices.
  • Earlier this month, the FTC entered into a consent agreement with the online advertiser ScanScout regarding claims that consumers could opt out of targeted ads by changing their browser settings to remove or block cookies, when in fact that was not possible with Flash cookies.
  • Several private lawsuits were brought in 2010 and 2011 relating to the use of tracking technologies on websites, which alleged violations of various federal and state laws.

It may be some time before a comprehensive federal privacy law is adopted, but we can expect that the FTC will continue to exercise its authority over unfair and deceptive practices and that plaintiffs will continue to pursue privacy-related lawsuits.  With this evolving landscape, it is important for a company’s review of its privacy policies and information collection practices to encompass not only personal information, but also information that has historically been deemed “non-personal” in nature (e.g., pages viewed, referring websites, and the like).

The privacy implications of the sale of the bankrupt Borders Group’s consumer database to Barnes & Noble have been a focus of the Federal Trade Commission (“FTC”), state Attorneys General, and lawmakers, and the transaction highlights the need for companies to carefully draft and periodically review their privacy notices to consumers.

Privacy notices should not only accurately reflect current practices regarding the collection, use, sharing, and security of personal information, but also cover possible future transactions, such as a dissolution, merger, or sale of assets or the sharing of personal information with service providers.

In an e-mail sent to Borders customers and a notice on the Barnes & Noble website, customers were advised that they can opt-out of having their contact information (which includes names, addresses, and e-mail addresses) and purchasing history shared with Barnes & Noble.  This came about because Borders reportedly had at least three different privacy policies since 2006 that limited how personal information collected from customers could be shared; earlier policies stated that Borders would not share information without express consent, and a later policy indicated that information could be transferred if Borders was sold, merged, or reorganized, but the company would seek appropriate protections in such cases.  The FTC questioned whether the later policy covered dissolution and the sale of assets in bankruptcy, and the later policy only applied to information collected after the date it was adopted, so customers’ consent to the transfer was required.

Recent privacy enforcement actions by the FTC and lawsuits have focused on companies’ deceptive or unfair practices in failing to adhere to their stated privacy policies, applying a material change in a privacy policy to personal information collected under a prior policy without an affected individual’s consent, and failing to adequately secure personal information.  In light of this, it is important to ensure that privacy policies accurately describe the company’s current practices and are comprehensive enough to cover possible future transactions involving personal information.  In addition, personal information collected from consumers should always be appropriately secured from unauthorized acquisition or use.

Companies should not assume that their general liability policies cover cyber attacks, and they should anticipate disputes from insurers when seeking defense and/or indemnity under these policies.  This is illustrated by a Complaint filed by Zurich Insurance Company in the Supreme Court of New York against various Sony entities relating to claims for coverage after the cyber attacks that Sony experienced earlier this year.  Zurich seeks a declaration that it is not obligated to defend or indemnify Sony for claims made against it because the damages are not covered by Sony’s commercial general liability policy.  The Complaint highlights the need for companies to examine their insurance policies to determine the extent of coverage and whether additional cyber insurance is necessary.

Sony estimates its costs from the attacks, which exposed personal information for more than 100 million individuals and resulted in more than 50 class action lawsuits, potential actions by state attorneys general, and other claims, to be $170 million by the end of fiscal year 2011.  The class action suits against Sony allege damages due to unauthorized access to personal information and Sony’s delay in notifying consumers.  Sony’s commercial general liability policy covers bodily injury, property damage, and certain personal and advertising injury offenses.

The increase in cyber attacks, data breaches, and lawsuits (in particular class action suits) from aggrieved parties makes cyber insurance an attractive option, but there are many factors to consider.  In addition, the uncertainty associated with general liability insurance and cyber attacks underscores that insurance cannot and should not be relied upon in lieu of internal privacy and data security programs, training, and risk assessments to mitigate the impact of cyber incidents.

An article on this issue prepared by Keller and Heckman LLP attorneys is available on our website.

One trend in recent months is an increase in class action lawsuits and government investigations following a major data breach that compromises personal information.  This serves to remind companies not only of the repercussions of a data breach, but also the importance of taking stock in the data they collect and share and integrating privacy and data security into their business practices.  As companies outsource activities to third parties and move to cloud-based services, it is particularly important to build privacy and data security considerations into contracts with service providers.

While the nature of the business and type and sensitivity of the information that is collected and shared with service providers will dictate the specific requirements to be imposed, it is important to contractually require providers to implement and maintain appropriate administrative, physical, and technical safeguards, share information regarding their security practices with the company, and notify the company of any incidents that do or could affect the security of personal information.  It is also important to review the provider’s privacy and data security programs, policies, training materials, and data breach response procedures.  Further, access to and use of sensitive information should be limited to individuals with a need for the information to perform the services.

Compliance with the various federal and state laws and industry standards (such as the Payment Card Industry Data Security Standards) is another key consideration.  The global privacy landscape is quite different from the U.S. legal framework, so companies must also be mindful of international laws as they outsource activities to other jurisdictions.

In short, privacy and data security should be considered at every step as companies expand their activities and outsource functions to third parties.

Online hacking, lost or stolen laptops, and improper disposal are just some of the ways that personal information that a company collects from customers and employees can get into the wrong hands and be used to commit identity theft.  There are a variety of laws that dictate how companies must respond to a data breach, and the latest Ponemon Institute U.S. Cost of a Data Breach report shows that costs relating to data breaches continue to rise.

While a company’s practices will vary depending on the type of information that is collected and the nature and scope of a breach, below are some steps companies can take before a breach occurs and after they experience a breach to help facilitate a timely response and mitigate the impact:

Before a Breach Occurs:

  • Take stock of the information that you collect, store, and share.
  • Assess the security measures in place and identify risks.
  • Create company awareness.
  • Review service providers’ policies, practices, and contracts.
  • Understand the applicable laws.
  • Adopt a written data breach response plan.
  • Determine available remedies in the event of a breach.
  • Identify law enforcement and agency contacts.

After a Breach Occurs:

  • Act promptly!
  • Investigate the nature and scope of the breach.
  • Identify the type of information accessed or acquired.
  • Determine which laws are triggered.
  • Assess who must or should be notified, when, and how.
  • Decide what remedies will be offered.
  • Document responsive actions taken.
  • Anticipate regulatory investigations and/or litigation after a major breach.

Given the variety of ways that personal information is collected, stored, used, and shared, the prevalence of data breaches, and an increase in agency enforcement and litigation relating to companies’ privacy and data security practices, it is critical to have a plan in place before a breach occurs, then conduct a thorough investigation and promptly respond if and when you experience a breach.

As evidenced by another congressional hearing on data security, the idea of a federal data breach notification law is something that both businesses and consumers can support.  The concept has also attracted bipartisan support in Congress.

Following the string of online data breaches that Sony experienced in April and May, what Rep. Mary Bono Mack has called the “ground zero” of cyber attacks, Sony was criticized because it took a week to investigate the initial breach affecting its PlayStation network before notifying consumers or making a public announcement.  The reality is, however, that in the absence of a federal law having preemptive effect, the inconsistent state laws that companies must navigate when they experience a breach make it a practical impossibility to provide an immediate, meaningful response to affected consumers and government agencies.

Numerous differences in the 46+ state data breach notification laws make notifying affected individuals and agencies complex, especially for companies with national operations.  Companies must perform extensive internal investigations to determine the number of individuals and states involved, the means and extent of unlawful access or acquisition, and the nature of consumer information accessed or acquired just to initiate the notification process.  They must then examine applicable state laws to determine who (e.g., residents, state agencies, and/or consumer reporting agencies) should be notified, when, and how.  Some states even dictate what information must or cannot be disclosed.  Often, that requires separate forms of notification to individuals depending on where they reside.

Given the current landscape, the question is not whether a comprehensive federal data breach notification law should or will be adopted, but when.