Photo of Tracy Marshall

As evidenced by another congressional hearing on data security, the idea of a federal data breach notification law is something that both businesses and consumers can support.  The concept has also attracted bipartisan support in Congress.

Following the string of online data breaches that Sony experienced in April and May (what Rep. Mary Bono Mack has called the “ground zero” of cyber attacks), Sony was criticized because it took a week to investigate the initial breach affecting its PlayStation network before notifying consumers or making a public announcement. The reality is, however, that in the absence of a federal law having preemptive effect, the inconsistent state laws that companies must navigate when they experience a breach make it a practical impossibility to provide an immediate, meaningful response to affected consumers and government agencies.

Numerous differences in the 46+ state data breach notification laws make notifying affected individuals and agencies complex, especially for companies with national operations.  Companies must perform extensive internal investigations to determine the number of individuals and states involved, the means and extent of unlawful access or acquisition, and the  nature of consumer information accessed or acquired just to initiate the notification process.  They must then examine applicable state laws to determine who (e.g., residents, state agencies, and/or consumer reporting agencies) should be notified, when, and how.  Some states even dictate what information must or cannot be disclosed.  Often, that requires separate forms of notifications to individuals depending on where they reside.

Given the current landscape, the question is not whether a comprehensive federal data breach notification law should or will be adopted, but when.

Photo of C. Douglas Jarrett

In an article in The Wall Street Journal, Shayndi Raice and Thomas Catan highlight that FCC and DoJ approvals of the proposed AT&T-T-Mobile transaction are far from certain. Recent FCC reports and decisions adverse to AT&T (as well as Verizon Wireless) signal the FCC will review the transaction with healthy skepticism. And, as noted by Raice and Catan, DoJ recently raised objections to other proposed transactions due to concerns over industry concentration.

Until recently, the prevailing view was that the merger would be approved subject to conditions, such as transfers of spectrum to other carriers in certain markets. This view was based on FCC rulings over the last fifteen years on mergers involving Wireless carriers, Wireline carriers and cable operators. By and large, the DoJ’s antitrust review of these transactions tracked the FCC’s decision-making.

Recent FCC Wireless Reports and Decisions. In its Mobile Wireless Competition Report of May 2010, the FCC provided its most comprehensive analysis of the Wireless market, noting increasing levels of concentration and suggesting policy adjustments may be appropriate to support competition. In contrast to prior reports, the FCC declined to characterize the Wireless market as “effectively competitive.” This year’s report is expected shortly. Also, in 2010, the Commission reconsidered and eliminated the so-called “home roaming exclusion,” despite objections from AT&T and Verizon Wireless. This exclusion had relieved AT&T and Verizon Wireless from having to enter into roaming agreements with competitors in areas in which the requesting carriers possess spectrum licenses or spectrum leases.

In 2011, the FCC required Wireless carriers to enter into roaming agreements with competitors for Wireless broadband services, such as 4G LTE services, rejecting the arguments of AT&T and Verizon Wireless. Recently, the FCC proposed rules that would permit owners and operators of commercial and residential buildings to install and operate signal boosters, designed and manufactured consistent with proposed standards, without the prior approval of the Wireless carriers. This proposal accommodates the interests of tenants and occupants having difficulty receiving Wireless service. The Wireless industry opposed this approach.

Among the Arguments AT&T Must Overcome. Opponents to the transaction likely will argue that approval would facilitate the emergence of a virtual duopoly (of AT&T and Verizon Wireless) in the smart-phone, calling plan segment of the Wireless market; increase concentration among Wireless carriers having (i) valued spectrum resources, and (ii) nationwide or near nationwide service footprints; and, strengthen AT&T’s position in securing initial access to new handsets—particularly smart-phones—as manufacturers historically have introduced new GSM models prior to releasing CDMA versions.

The FCC likely also will consider that over 25% of adults in the United States now rely exclusively on Wireless for voice communications, cord-cutting continues, Wireless broadband is growing rapidly, and, by statute, Wireless rates cannot be regulated.

FCC’s Procedures. Even though the FCC’s pleading schedule calls for Petitions to Deny to be filed by May 31, 2011, Opposition(s) by June 10, 2011 and Replies to Oppositions by June 20, 2011, a continuous stream of ex parte meetings and filings is expected until the FCC sets a date to adopt a decision.

Photo of C. Douglas Jarrett

A fundamental expectation of clients in any commercial transaction is that counsel understand the business deal. When procuring Wireline voice and data communications services, major businesses, institutions and state governments make five fundamental business decisions. The first four apply to Wireless services procurements.

1. Service
2. Choice of Carriers
3. Pricing
4. Minimum Purchase Commitments
5. Wireline Service for Enterprise Data Communications

1. Services

The major domestic Wireline carriers are AT&T, Verizon, Sprint and Qwest/CenturyTel. The core services these carriers offer to enterprise customers include long distance, VoIP, audio conferencing and various data services—high-speed Internet access, frame relay, private line (TDM and Ethernet), and Multi-Protocol Label Switching (“MPLS”) services. As a rule, local exchange service remains regulated and is not included in these deals. These carriers offer related services, such as network (router) management, data center (collocation) and network security services, but are not yet substantial providers of cloud computing or content delivery services. Customer premises equipment (routers and switches) typically is not bundled with these services.

All of these carriers offer international services (i.e., services between the US and other countries). Multinational enterprises also are interested in Rest-of-World (“ROW”) services (i.e., services between and sometimes within foreign countries). Several domestic carriers and foreign carriers such as Telefonica and BT offer ROW services.

The Wireless voice and data services available to enterprise customers are largely the same as those offered to consumers, although pricing options are different. Handsets are bundled with Wireless services. The principal domestic providers are AT&T, Verizon Wireless, Sprint and T-Mobile. Available handset options, in-country coverage, Wireless data options and the extent to which domestic carriers coordinate or manage wireless services in other countries are among the critical decision points. Wireless service offerings tend to be country-centric.

2. Choice of Carriers

Wireline and Wireless services are highly commoditized offerings with high market entry barriers. Enterprise customers typically utilize RFPs and consultants specializing in procuring these services. Properly crafted RFPs include substantial information regarding enterprise traffic and bandwidth requirements and service preferences. As discussed below, the real-world prices paid by enterprise customers are not publicly available.

Enterprise customers have a strong interest in limiting the number of Wireline and Wireless carriers, respectively, from which they obtain service, principally to clarify responsibility for service quality, provisioning and trouble resolution, maximize bargaining leverage, and develop a mutually beneficial business relationship.  Typically, Wireline and Wireless carrier selection decisions are made independent of each other.


Don’t let the Committee on Foreign Investment in the United States (“CFIUS”) be your 3:00 AM phone call after your sale of telecom or information technology assets to foreign investors has closed.

CFIUS “is an inter-agency committee authorized to review transactions that could result in control of a U.S. business by a foreign person … in order to determine the effect of such transactions on the national security of the United States.” (see U.S. Department of the Treasury, The Committee on Foreign Investment in the United States (CFIUS), Resource Center). Obtaining CFIUS’ blessing is voluntary, but CFIUS has the authority to review transactions on its own. CFIUS may recommend that the President of the United States involuntarily suspend or prohibit your transaction if your deal has a negative impact on national security (50 U.S.C. § 2170(d)).

The concern over foreign investment in the U.S. is not new. For example, the International Investment Survey Act requires that foreign direct investment in the U.S. be reported to the Bureau of Economic Analysis (22 U.S.C. § 3101-08), and the Foreign Investment in Real Property Tax requires foreign persons to pay a tax when they dispose of US real estate (see irs.gov, FIRPTA Withholding). CFIUS tracks foreign involvement in mergers, acquisitions, takeovers, long term leases and joint ventures of critical infrastructure. Critical infrastructure is not defined by class or size of transaction, but by impact on national security (31 C.F.R. § 800.208).

James K. Jackson writes:

“The broad sweep of industrial sectors in the economy that fall within the terms “critical infrastructure,” “homeland security,” and “key resources” reflects a fundamental change in the way some in Congress view national economic security. From this viewpoint, economic activities are a separately identifiable component of national security and, therefore, should be protected from foreign investment that transfers control to foreigners or shifts technological leadership abroad.” (see Foreign Investment, CFIUS, and Homeland Security: An Overview)

The Department of Homeland Security is tasked with identifying critical infrastructure industries relevant to CFIUS review, and that list currently includes telecommunications (see DHS Critical Infrastructure Sectors).

Clearly, voluntary reporting and additional due diligence are considerations for transactions involving foreign investors.

Photo of C. Douglas Jarrett

The recent United States Supreme Court decision in AT&T Mobility LLC v. Concepcion, heralded by many as a win for business over the consumer, actually was an affirmation of agreements to arbitrate disputes under federal law.

The Court found that the Federal Arbitration Act preempted state law that negated an arbitration provision in this instance. The Supreme Court noted that the “overarching purpose” of the Federal Arbitration Act was to “ensure the enforcement of arbitration agreements according to their terms . . . .” The Court affirmed that contracts that provide for resolution of disputes by arbitration are enforceable and are supported by a “liberal federal policy favoring arbitration.” This liberal policy applies whether the contract is between two businesses, even if of unequal negotiating strength, or between a business and a consumer.

Thus, if a party favors dispute resolution through arbitration there is now an extremely high expectation that a properly phrased arbitration preference in an agreement will be enforced. All that is required is a clearly worded clause that establishes an agreement to arbitrate any dispute related to the contractual relationship.  Whether such an agreement is advisable and what other provisions might be included  are topics for future posts.

Photo of C. Douglas Jarrett

Amazon’s analysis of its extended cloud computing outage, as summarized in Richi Jennings IT Blogwatch, raises an important question for counsel advising clients negotiating agreements to procure cloud computing, content delivery and data communications services:  Should the agreement include a provision defining a service problem threshold and/or a series of problems threshold that triggers a right to terminate the agreement? We believe such a provision should be included, notwithstanding significant service provider pushback.

Several reasons underlie this position:

  • The concept of “cure” in standard breach and default provisions doesn’t really work.   Telecommunications and technology services agreements call for a service to be provided for a defined period of time.  When the service is unavailable or substandard during this period, the lost operating time cannot be recaptured.     
  • The widespread use of service level agreements (“SLAs”) impliedly recognizes that the “opportunity for cure” approach is largely irrelevant in circumstances when service is inadequate or unavailable.    
  • Standard SLAs are premised on the assumption that outages and periods of degraded service will be limited in duration and that credits and escalated response provide a sort of rough equity and reasonable compensation.
  • When an outage is extended, standard SLA remedies do not begin to compensate the customer for the disruption to its business.  

The potential termination of a problematic service relationship may give rise to the concern of “the cure being worse than the disease” because migrating from one services provider to another is often time- and resource-intensive and disruptive for the customer. Thus, a service provider transition clause should always be included so the customer has adequate time to re-procure the service and migrate to a replacement provider. During this transition, the service provider must be obligated to continue to provide and support the service and the customer must continue to pay for the service.

Clearly, reasonable contract provisions do not obviate the need for redundancy and contingency plans, as noted in a thoughtful blog post on the Amazon outage by Sharon Machlis.  On the other hand, a customer’s decision to procure back-up or alternative service should not negate a customer’s right to terminate an agreement when the primary service is degraded or unavailable for extended periods.  The service provider has put the Customer’s business at serious risk.  The customer purchased the insurance (redundant or back-up service) for its protection, not the services provider’s.

Photo of Tracy Marshall

In April, we witnessed some of the largest data breaches in U.S. history, one of which reportedly affected more than 100 million consumers. Those breaches occurred as two comprehensive privacy bills (the Commercial Privacy Bill of Rights Act of 2011 and the Consumer Privacy Protection Act of 2011) were introduced in Congress, and they sparked investigations from officials and regulators around the world. This landscape increases the likelihood of action on federal privacy legislation this year, which could change the way that companies collect, use, store, and share personal information online and offline.

Recent breaches illustrate the ways that personal information can be compromised.  In April:

  • Sony  experienced an unauthorized network intrusion that compromised account information for the PlayStation® Network and Qriocity™ service, including names, addresses, email addresses, birth dates, passwords, and logins for more than 70 million consumers;
  • One week later, Sony announced that hackers may also have stolen information for approximately 24.6 million Sony Online Entertainment customer accounts, as well as information from a database with 12,700 non-U.S. credit or debit card numbers and 10,700 direct debit records of customers in Europe;
  • The email marketing provider Epsilon (whose clients include major supermarket chains, hotel chains, banks, and retail stores) announced that a hacker obtained customer names and email addresses from the company’s system (but not more sensitive information, such as credit card numbers and social security numbers);
  • The Texas Comptroller’s office inadvertently disclosed personal information of about 3.5 million residents (including names, addresses, social security numbers, dates of birth, and driver’s license numbers) on a server that was accessible to the public; and
  • A New York Yankees employee sent an email to season ticket holders that mistakenly attached a spreadsheet with names, addresses, phone numbers, fax numbers, email addresses, and Yankees account numbers for approximately 20,000 ticket holders.

We are still experiencing the aftermath of the Sony and Epsilon breaches. Just days after Sony reported the breach, the company was named in a class action lawsuit, and Rep. Bobby Rush announced his intent to reintroduce data security legislation. Senator Richard Blumenthal requested an investigation of the Epsilon breach, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade sent letters to both Sony and Epsilon inquiring about the breaches, and the Subcommittee Chair, Rep. Mary Bono Mack, stated that she plans to introduce legislation.

Given the possibility of lawsuits and government action, not to mention negative publicity, following a major data breach, all companies that handle personal information and/or entrust it to other parties should carefully assess their policies, practices, and procedures before an incident occurs and get ready for new laws down the road.

Photo of C. Douglas Jarrett

 

As widely reported, AT&T and Deutsche Telekom AG have entered into an agreement under which AT&T will acquire T-Mobile USA in a cash-and-stock transaction valued at approximately $39 billion. Countless critiques and assessments of the deal have been published. The FCC recently set the pleading schedule in connection with its review of the proposed transaction.

Handset exclusivity is among the more important issues raised by the proposed takeover, as noted in Cecilia Kang’s article AT&T Agrees to buy T-Mobile USA.

The merger was a surprise, as Wall Street speculated in recent weeks that Deutsche Telekom would sell its T-Mobile USA unit to Sprint Nextel. Those two companies are struggling to retain subscribers as giants AT&T and Verizon Wireless pick up customers attracted to exclusive partnerships to carry Apple’s iPhone and Motorola’s Droid.

Exclusive handset arrangements are highly problematic when the largest carriers can lock up the most advanced handsets, smart phones and tablets for months or years.  A wireline service analogy highlights these concerns. Imagine if, in order to buy the latest Cisco routers, major businesses and the Federal government must purchase dedicated Internet access service exclusively from Verizon. Unthinkable.

While these arrangements were not on the horizon when the FCC permitted the bundling of handsets and wireless service, exclusive arrangements were seen as problematic even in 1992. Skype raised the issue several years ago, but the FCC has declined to act on Skype’s petition. Ironically, in 2007 the FCC agreed with AT&T and Verizon in banning another form of exclusive contracts—exclusive access agreements in which a cable company secures from an apartment owner the exclusive right to provide video service to the apartment’s residents.

Clearly, the FCC should limit exclusive handset arrangements, preferably banning the practice generally or, at least, barring these arrangements as a condition in any decision approving AT&T’s takeover of T-Mobile.