Retail Compliance Bootcamp: Avoiding the Retail Apocalypse
Posted on 29-Apr-2018
© Sheppard, Mullin, Richter & Hampton LLP 2015
Retail Compliance Bootcamp:
Avoiding The Retail Apocalypse
Panelists:
Ted Max, Partner, Sheppard Mullin
Kari Rollins, Partner, Sheppard Mullin
Sean Kirby, Special Counsel, Sheppard Mullin
It was the best of times, it was the worst of times
▪ After a down 2016, the global luxury market is forecast to grow by 5% in 2017 to an estimated $1.4 trillion;
▪ Gen Y provided 30% of all spending and Gen Z generated 85% of luxury growth in the last year;
▪ Keys to success are engaging content for digital platforms like Instagram and Snapchat; pairing with pop stars and influencers is essential to marketing; and tourism-driven fashion purchasing (China recovery and weaker British pound);
▪ Online sales of personal luxury goods will make up 25% of the market by 2025.
It was the best of times, it was the worst of times
We are experiencing a retail apocalypse and
proactive compliance can be the difference
between success and failure. You are general
counsel of ACC Corp., a fictitious company. You
are a critical behind-the-scenes player in ACC’s
decision-making, strategy and legal analysis. This
is an ordinary day until the telephone rings.
Problem 1: The Head of IT Calls
Isabella Teck reports:
▪ Yesterday 12/13, Christopher Crash, the CEO of your website service provider, ACME, called and said the website had been hacked, that they were doing a full investigation and that he would call me as soon as he had more information. He assured me that the site is secure as of 12/13 and all user credentials have been updated.
▪ I had a follow-up call with Christopher today and he had his lawyer on the phone, which I did not expect. They limited the conversation to notifying us that the investigation has been passed to their insurance company, which would do a forensic investigation as part of their cyber-liability insurance. They said that whoever gained access did so through the username/password of one of our IT service people, Daemon Niceguy. They said that they have a highly suspicious IP address (not confirmed to be the source, but highly likely) that is from Kazakhstan. They said the investigation would take a few weeks to identify exactly what information was obtained and confirm the IP address.
▪ I removed Daemon from the email chain because on the call, Chris identified
Daemon’s username as the source of the access. Although I know that Daemon did
not do this, I did not want to discuss further without speaking to you first.
▪ What do you do? Who do you call?
Problem 2: You Receive A Class Action
Complaint
The complaint from the Law Offices of C.K. Lee alleges that ACC’s website is not accessible to the plaintiff, who is blind, because:
• The website requires use of a mouse and does not permit blind persons seeking to access the site to determine what is on the site, browse the site, investigate the menu or make any purchases;
• ACC has failed to adhere to the Web Content Accessibility Guidelines;
• ACC has engaged in acts of intentional discrimination by constructing and maintaining a website that is inaccessible to blind persons;
• ACC has failed to take actions to correct the access barriers in the face of substantial harm and discrimination to blind class members;
• The Complaint asserts a class action asserting causes of action for: (1) violation of Title III of the Americans with Disabilities Act (“ADA”); (2) violation of New York State Human Rights Law, New York Exec. Law, Article 15 (Executive Law § 292 et seq.); (3) violation of New York State Civil Rights Law, NY CLS Civ. R. Article 4 (CLS Civ R § 40 et seq.); and (4) violation of New York City Human Rights Law, NYC Admin. Code § 8-102, et seq.
What do you do? Who do you call?
Problem 3: Your Head of Marketing Pops His Head In
▪ Donald Draper, ACC’s new head of marketing, is a force of nature and has a plan to jump-start sales. He is sure these are all alright -- “everybody does this” -- but just wants to be sure:
▪ ACC is going to partner with stylists to get ACC’s designs in the press -- we
will give them free product for their clients on the condition that they ensure
that the clients wear ACC’s designs;
▪ ACC is going to partner with influencers and celebrities to get ACC’s
designs all over social media -- we will give them free designs on the
condition that they wear ACC’s designs and take selfies wearing the ACC
designs;
▪ ACC is going to plan meet and greets with beauty designers and influencers
to celebrate their contribution to the industry, sip champagne, and give them
swag bags and free sets of the new ACC beauty products so they can
prepare videos for YouTube, Vimeo and social media showing consumers
how to use the ACC cosmetic collections;
▪ ACC is going to do this worldwide as we are a global company – so can we
do this globally?
▪ What do you do? Who do you call?
Addressing The Three Problems:
What Are the Perspectives:
▪ Designer or Artistic Director;
▪ CFO;
▪ Chief Technology Officer or IT Director;
▪ Marketing Director; and
▪ General Counsel or Chief Legal Officer.
Problem 1: What Do You Do?
▪ Your attorney is meeting with your team;
▪ What questions do you have for legal counsel?
▪ Immediate Steps:
• Review the ACME contract;
• Get the facts about the ACME breach;
• What forensics have been done to date?
• Where is the fault? Who is responsible?
• What about insurance: ACC’s? Or ACME’s?
• What are the reporting obligations?
• What can I do to ensure this does not happen again?
• What is this going to cost ACC? Can’t we just pay to make this go away?
Problem 2: What Do You Do?
▪ Your attorney is meeting with your team;
▪ What questions do you have for legal counsel?
▪ Immediate Steps:
• What are the claims? What does this mean?
• Can you explain what the legal obligations are under the ADA and New York law?
• What about an audit?
• What are the next steps?
• What rights does ACC have? What is the best strategy?
• What is this going to cost ACC? Can’t I just pay to make this go away?
Problem 3: What Do You Do?
▪ Your attorney is meeting with your team;
▪ What questions do you have for legal counsel?
▪ Doesn’t everybody do this? What is the big deal?
• What about gifting celebrities through stylists? It’s always been going on; ACC can use the photos in return;
• What about giving designs for selfies? What do we need to do?
• What about giving beauty products to designers and influencers for videos? Is that alright? It has been going on forever.
• What is this going to cost ACC? Can’t I just pay to make this go away?
Incident Response Preparedness
Kari Rollins
Sheppard Mullin Richter & Hampton LLP
krollins@sheppardmullin.com
Breach Simulation Exercise
Isabella Teck reports:
▪ Yesterday 12/13, Christopher Crash, the CEO of your website service provider, ACME, called and said the website had been hacked. Acme is doing a full investigation and said he would call Ms. Teck as soon as he had more information. Acme assured Ms. Teck that the site is secure as of 12/13 and all user credentials have been updated.
▪ Ms. Teck had a follow-up call with Christopher today and he had his lawyer on the phone, which she did not expect. They limited the conversation to notifying Ms. Teck that the investigation has been passed to their insurance company, which would do a forensic investigation as part of their cyber-liability insurance. They said that whoever gained access did so by using ACC’s IT administrator’s username & password, Daemon Niceguy. They said that they found a highly suspicious IP address that is from Kazakhstan (not confirmed to be the source, but highly likely). They said the investigation would take a few weeks to identify exactly what information was obtained and confirm the IP address.
▪ I removed Daemon from the email chain because on the call, Chris identified Daemon’s username & password as the source of the access. Although I know that Daemon did not do this, I did not want to discuss further without speaking to you first.
Breach Simulation Exercise (cont.)
How will you work with Acme to understand the details of the incident and assess ACC’s legal obligations?
▪ Do you treat this data incident differently than any other data incident simply because the intrusion occurred at your vendor-managed website?
▪ What does your contract with Acme say about data incidents like this?
▪ What about insurance? Whose insurance will cover?
▪ Who will investigate? What investigative steps will we take?
▪ Who will lead the investigation?
▪ Who is the primary contact for the vendor?
▪ Who is on the investigation team?
▪ What information do we want Acme to tell us?
▪ Who is obligated to notify impacted customers? Who will, as a practical
matter, actually notify impacted customers?
▪ What if the press learns of the incident? How will you respond?
Have a Plan!
▪ Secure the data
▪ Convene the team; decide if you need external support
▪ Analyze and assess the data; interview witnesses
▪ Decide whether to involve law enforcement
▪ Create a communications strategy
Is Your Vendor Contract In Good Shape?
Contract Provisions
▪ Security
▪ Compliance with laws, PCI
▪ Use limitations
▪ Limit transfers
▪ Limit third party access
▪ Audit
▪ Notice
▪ Indemnity
▪ Insurance
▪ Liability limitation
An Additional Firewall: Insurance & Indemnification
Contract Provisions With Vendors
The contract should require the vendor to:
▪ Maintain insurance levels
▪ Add you as additional insured
▪ Indemnify you if a breach occurs
▪ Make their insurance primary
▪ Give you an insurance certificate
The Response Team
▪ Legal counsel
• Internal
• Outside
▪ Security
▪ Privacy Office
▪ Compliance (if it exists!)
▪ Appropriate business team
• Whose data was it?
▪ IT
• Internal
• External support
▪ Executive decision maker(s)
Privilege Is Still Important!
▪ As you investigate, facts may become more damning
▪ There could be other sensitive information at risk:
• Proposed business plans
• Trade secrets
• And more
▪ Retained faster, investigation quicker
▪ Hire experts (including investigators) under privilege and separately:
• Keep under the “direction of counsel”
• Separate engagement letter/SOW
Investigate the Facts that Trigger Notice
What counts as a “breach”?
▪ Unauthorized access and/or acquisition
▪ Compromise of security
▪ Likelihood of harm
▪ Exceptions
What Information Was Involved?
▪ Name
▪ Financial information
▪ SSN
▪ Passwords that permit access to a financial account
▪ Username and passwords
▪ Other (some state specific)
Who Needs to Be Notified? Who Will Do The Notifying?
▪ Impacted individuals
▪ Government authorities
▪ Credit reporting agencies
▪ Other contractual partners
▪ Press
What Does Notice Look Like?
▪ Describe the incident
▪ Categories of information
▪ Consequences of breach/nature of risk
▪ Steps taken to investigate and mitigate harm
▪ Protection measures put in place
▪ Contact information for law enforcement
▪ Where to get more information
▪ Advice about how to protect yourself
Be Ready to Answer Typical Questions
• What happened?
• When did it happen?
• What information was compromised?
• Was my information compromised?
• How many people’s information was impacted?
• Was the information encrypted?
• Was my social security number compromised?
• Did anyone misuse this information?
• What should I do?
• What are you doing to protect me?
• Why aren’t you taking other measures to help?
• What are you doing to protect others?
• Will this happen again?
• Who should I contact if I have more questions?
Is the Company Ready for What's Next?
• Victims of breach are litigation targets
• US leads charge in being litigious
• FTC
• State AGs
• SEC
• Shareholders
• Customers
• Other jurisdictions equally concerned
Judge, Jury and Prosecutor: Public Servant Role
▪ Advocacy before the government is not like litigation
▪ Look underneath the ask for the implied obligations
▪ Call and talk to them! What do they really want and need? Cooperate
▪ Create your closing argument first
▪ Comprehensive plan for analyzing documents (no data dump!)
▪ Tell the story early
Preparing for the Future: Building the Narrative In Advance of the Breach
• Robust written security policy and practices
• Experienced IT/security teams
• Myriad security controls and systems in place
• Do security controls/systems meet or exceed regulatory requirements and industry standards?
• Internal and external security controls/systems
• Monitoring compliance
• Security audits (internal vs. external)
• Employee compliance
• Vendor compliance
• Response plan in place to address:
• Remediation
• Containment
• Preservation
Best Practice Recommendations
▪ Analyze practices
▪ Understand vendors
▪ Budget appropriately for exposure
▪ Review existing contracts
▪ Get appropriate insurance
▪ Investigate with privilege
▪ Balance containment and notice investigation
▪ Anticipate worse before giving notice
ADA Claims: Compliance
Challenges and Uncertainties --
How to Avoid Risks
Sean Kirby
Sheppard Mullin Richter & Hampton LLP
skirby@sheppardmullin.com
What Are These Claims?
▪ In New York, plaintiffs’ lawyers bring three types of claims for website inaccessibility:
– Violation of the Americans With Disabilities Act (“ADA”).
• Federal law requiring public accommodations to be accessible
to disabled individuals.
• Damages: (i) injunctive relief; and (ii) attorneys’ fees.
– Violation of the New York State Human Rights Law (“NYSHRL”).
• State law prohibiting discrimination on account of disability.
• Damages: (i) injunctive relief; and (ii) compensatory damages
(i.e., emotional distress).
– Violation of the New York City Human Rights Law (“NYCHRL”).
• City law prohibiting discrimination on account of disability.
• Damages: (i) injunctive relief; (ii) compensatory damages (i.e.,
emotional distress); (iii) punitive damages; and (iv) attorneys’
fees.
Legal Obligations Under the ADA, NYSHRL and NYCHRL
▪ ADA Legal Obligations
– Website must provide effective communication to
disabled individuals.
– What “effective communication” means is a key issue
in these website litigations because the DOJ has not
provided guidance.
▪ NYSHRL and NYCHRL
– Do not have separate requirements from the ADA and
no regulations have been enacted.
How Do I Make My Website ADA Compliant?
▪ Currently, you can’t! Not like facilities cases
– No regulations - DOJ has punted (again)
– We don’t know what content has to be “accessible” or
what “accessible” even means
– Functional standard
• Are the goods and services you provide accessible
to the blind using a screen reader and deaf using
speakers?
– Functional test
• But how do you litigate with only a functional test?
• Battle of the experts
What does a website have to do to function with a screen reader?
▪ Two main issues: navigation and alt text labels for images
– Navigation: blind individuals using your site - does navigating the site require a mouse?
– Alt text: describe what is being sold - “$20 gift certificate”, not “JPG#3”
What about the WCAG?
▪ Web Content Accessibility Guidelines (WCAG)
– Guidance never intended as law
– Versions: 1.0 / 2.0 A, AA, AAA
▪ We don’t know what is compliant with the WCAG
▪ Guidance frequently changes and has not been
adopted by the DOJ.
Risk Management: Software Audit of a Website
▪ We can’t litigate these cases by asking judges to load a screen reader and test the functionality of a website by themselves.
▪ We need something that can be included in a motion to show that a site is compliant.
▪ We do what plaintiffs do when they are looking for websites to commence litigation against – a software audit to show that the site is clean.
▪ There are several tools that check websites for accessibility:
– WAVE (WebAIM) - built to sell consulting services, so biased, but commonly used by plaintiffs’ counsel
– Google Chrome audit (not based on WCAG)
– Tenon.io, AChecker, etc.
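The two screen-reader issues the deck singles out (alt text that describes nothing, and navigation that only works with a mouse) can be checked in your own markup before a plaintiff’s tool does. The script below is an added illustration written for this page; it is not one of the audit tools named above and not code from the presenters, and the sample page and the placeholder-alt heuristic are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Heuristic (constructed): alt text that is only a file name or image number,
# e.g. "JPG#3" or "img_01.png", tells a screen-reader user nothing.
PLACEHOLDER_ALT = re.compile(
    r"^(?:img|image|jpe?g|png|gif|photo|pic|dsc)?[\s_#-]*\d*"
    r"(?:\.(?:jpe?g|png|gif))?$", re.IGNORECASE)

# Elements the browser puts in the Tab order on its own.
NATIVELY_FOCUSABLE = {"a", "button", "input", "select", "textarea"}
KEY_HANDLERS = ("onkeydown", "onkeyup", "onkeypress")


class AccessibilityAuditor(HTMLParser):
    """Collects (line, finding, detail) tuples while parsing a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line, _ = self.getpos()
        if tag == "img":
            alt = a.get("alt")
            if alt is None:
                # No alt at all: the reader falls back to the file name.
                self.findings.append((line, "img-missing-alt", a.get("src", "")))
            elif alt.strip() and PLACEHOLDER_ALT.match(alt.strip()):
                # alt="" marks a decorative image and is fine; "JPG#3" is not.
                self.findings.append((line, "img-placeholder-alt", alt))
        if "onclick" in a and tag not in NATIVELY_FOCUSABLE:
            # A click handler on a div/span cannot be reached with Tab or
            # activated with Enter unless tabindex and a key handler exist.
            if "tabindex" not in a or not any(k in a for k in KEY_HANDLERS):
                self.findings.append((line, "mouse-only-control", tag))
        if tag == "a" and "href" not in a and "tabindex" not in a:
            # An <a> without href is never in the Tab order.
            self.findings.append((line, "anchor-not-focusable", a.get("id", "")))


def audit_html(html):
    """Return the list of findings for one HTML document."""
    parser = AccessibilityAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_summary(html):
    """Count findings per category; an empty dict means the checks passed."""
    counts = {}
    for _, kind, _ in audit_html(html):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample page mixing good and bad markup.
SAMPLE_HTML = """<html><body>
<a href="/cart">Cart</a>
<img src="bag-1.jpg" alt="Red leather tote bag, $250">
<img src="gc.jpg" alt="JPG#3">
<img src="hero.jpg">
<img src="divider.png" alt="">
<div onclick="openMenu()">Menu</div>
<div onclick="openMenu()" tabindex="0" onkeydown="keyMenu(event)">Menu</div>
<a id="buy">Buy now</a>
<button onclick="checkout()">Checkout</button>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in audit_html(SAMPLE_HTML):
        print(f"line {line}: {kind} ({detail})")
```

A clean run is evidence, not proof: the functional test the deck describes (can a blind user actually buy something with a screen reader?) still has to be done by hand.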
Next Steps / Strategy
▪ Settle Quickly:
– Pros: Matter is over, potentially lower settlement payment
– Cons: Likely to be sued again.
▪ Answer and Delay:
– Pros: Buy yourself some time while the case law develops; DOJ may
issue guidance.
– Cons: Incur some legal fees; uncertainty.
▪ Move to Dismiss:
– Pros: Aggressive stance which may cause some plaintiff’s attorneys to
go away.
– Cons: Case law has not been favorable in most jurisdictions on motions
to dismiss; incur attorneys’ fees.
▪ Take Discovery and Move for Summary Judgment:
– Pros: Buy yourself time to make modifications to the site.
– Cons: Incur attorneys’ fees; time to get to the summary judgment stage; an issue of fact may still exist.
Advertising and Social Media:
Mad Men No More -- Influencers,
Bloggers, Celebrities and Native
Advertising
Theodore C. Max
Sheppard Mullin Richter & Hampton LLP
tmax@sheppardmullin.com
FTC’s Endorsement Guides and Revised Endorsement Guides
(“Endorsement Guides”) apply to “any advertising message…that
consumers are likely to believe reflects the opinions, beliefs, findings, or
experience of a party other than the sponsoring advertiser.”
Basic Rules:
▪ Endorsements must reflect the truthful experience of the endorser.
▪ You can’t make claims that require proof you don’t have.
▪ Clearly disclose any material connection between the endorser and the
advertiser.
▪ Social Media is no exception.
Celebrity Giveaways
Ok, what if we give celebrities our latest ACC it bag? Can
we use their photo in our marketing materials and on our
website?
FTC Guidelines: In September 2017, the FTC in a Q&A
stated: “You should tell the participants in your network
that if they endorse products they have received through
your program, they should make it clear they got them for
free. Advise your clients -- the advertisers -- that if they
provide free samples directly to your members, they should
remind them of the importance of disclosing the
relationship when they talk about those products.”
Celebrity Giveaways
Ok, what if we give celebrities our latest ACC it
bag and ask them to take a selfie and say how
much they love the bag?
The Kardashians do it all the time!!!!
▪ Kourtney Kardashian (@kourtneykardash), 2:58 PM - 4 Dec 2011: “Oh yeah! Love the ugg collection too! RT @HALESyah: I had to wear Kardashian Kollection on my 25th Birthday! ... http://m.tmi.me/iZInG”
What Makes A “Material” Girl?
Madonna loves our products and we have nothing in writing, but she always Tweets and Snapchats about how wonderful our designs are!!! All it is are a few free bags here and there . . . What is the big deal? What is “material” anyhow?
What about “#sp”? Does that work? While “#sp” has been used by influencers, the FTC has said this is not “likely [to] infor[m] consumers that the message was sponsored by an advertiser.” #Sponsored works. What about “#ambassador”? Not sufficient. #ACC-Ambassador works. What about “#Thanks ACC”? Not sufficient. “#Thanks ACC for the gift of the beautiful bag” works.
What Makes A “Material” Girl?
What About Free Gifts?: If the social media influencer
receives a one-time fee or gift or if the social media influencer
continually receives free gifts from a brand, even if the gifts are
of less value individually, this would likely require a
disclosure. Social media posts meet the test even if the posts
are not accompanied by a review. For example, a standalone
photograph can convey that the media influencer endorses the
product.
What Is “Material”?
We run a retail website that includes customer reviews of the products we sell. We believe honest reviews help our customers, and so we give out free products to our favorite customers for them to review. We tell them to be honest, whether it’s positive or negative. What we care about is how helpful the reviews are. Do we still need to disclose which reviews were of free products?
FTC Says: “Yes. Knowing that reviewers got the product they
reviewed for free would probably affect the weight your customers give
to the reviews, even if you didn’t intend for that to happen. And even
assuming your reviewers are unbiased, your customers have the right
to know which reviewers were given products for free. It’s also possible
that the reviewers may wonder whether your company would stop
sending them products if they wrote several negative reviews – despite
your assurances that you only want their honest opinions – and that
could affect their reviews.”
Celebrity Giveaways
▪ FTC Guidelines: In September 2017, the FTC in a Q&A
stated:
▪ “What if I upload a video to YouTube that shows me
reviewing several products? Should I disclose that I got
them from an advertiser?
▪ Yes. The guidance for videos is the same as for
websites or blogs.”
▪ Disclosure: “ACC gave me this product to try. . . .”
Katherine Heigl v. Duane Reade (2014)
Katherine Heigl sued Duane Reade for $6 million in New York federal court claiming a violation of the Lanham Act and New York Civil Rights Law for the use of her photo and name in social media promoting Duane Reade. The case was settled amicably before trial: “Ms. Heigl has voluntarily dismissed her lawsuit, and Duane Reade has made a contribution to benefit the Jason Debus Heigl Foundation.”
Do Not Assume You Have Permission!
Creating Buzz for the New Collection
What about getting our own ACC employees to get behind our new Collection? Can we get folks within ACC to “Like” the new Collection? We will circulate digital runway images and have our employees send “Likes” on the Facebook page to create buzz. This is a no-brainer, right?
The Takeaway
FTC Guides: Social Media Best Practices for
Employees and Vendors
▪ Have a company policy regarding employee use of Social Media. If you do not and they ;
▪ Institute a robust compliance program, including specific training and guidance relating to the FTC’s Endorsement Guides;
▪ Make training available to employees, vendors and personnel at the respective advertising agency;
▪ Have a response and remediation program in place and take immediate action when given notice of improper or missing disclosure; and
▪ Disclosure: #employee is not sufficient -- use #ACC_Employee or #MyCompany.
What About Native Advertising?
What if we get a reporter to prepare an article about our new ACC denim collection? We could also have influencers wear the new denim collection and take selfies in the new jeans. We would only give them a few pairs of jeans, which sell for $500 each. That cannot be a problem, can it?
Trends: Branded Entertainment
▪ Instagram is bringing more transparency to the platform
around commercial relationships
– Instagram now has a "Paid partnership with" tag on posts
and stories when a commercial relationship exists between
a creator and a business.
– Instagram has always been committed to transparency on
the platform. This will be a tool that provides long term
benefits to Instagram’s most authentic creators. Initially,
they are partnering with a small number of creators and
businesses and will launch to more creators in the coming
months along with an official policy.
▪ What’s the bottom line?: “The watchword is transparency. An advertisement or promotional message shouldn’t suggest or imply to consumers that it’s anything other than an ad.” The FTC Guides apply to any advertising message that consumers are likely to “believe reflects the opinions, beliefs, findings or experience of a party other than the sponsoring advertiser.”
▪ What do the rules require of social media influencers?:
Social media influencers must disclose any material
relationship between the brand and him/herself.
Executive Summary: What You Need to Know
▪ How can social media users fulfill the FTC disclosure requirements?: The FTC requires that the disclosure be clear and conspicuous:
– For example, including the following on an Instagram or Twitter post is likely sufficient: “#contest”, “#sweepstakes”, “#advertisement”, or “#ad”.
– For the disclosure, use a font and contrasting shade of type that is easy to read and that stands out. Additionally, use hashtags that are relevant. The hashtag “#sweeps”, for example, is likely not sufficiently transparent to meet the FTC disclosure requirement for sweepstakes.
▪ Which social media posts are governed by the FTC Guides?: The FTC is focused on endorsements that are made on behalf of a sponsoring advertiser in exchange for a fee or something of value (i.e., free clothing or a discount on future purchases).
▪ The Need for Disclosure: The test to determine if an individual social media post requires a disclosure is: “Whether knowing about the gift or incentive given by the brand to the social media influencer affects ‘the weight or credibility’ readers or viewers give to the recommendation?”
Executive Summary: What You Need to Know
Be Prepared
▪ The cost of being prepared is the cost of avoiding
risk;
▪ Have an Employee Policy regarding social media;
▪ Have agreements in place with influencers,
bloggers, advertisers and celebrities;
▪ Monitor social media usage by employees and
social media influencers, bloggers and celebrities to
ensure disclosures being made; and
▪ The FTC is scrutinizing social media. Be careful!