A fact of business today is that customers – both consumers and other businesses – and employees expect to transact digitally. To remain competitive, companies find themselves increasing their efforts to digitally transform their businesses.
Successfully implementing this transformation requires careful planning to ensure regulatory compliance, a smooth integration with existing business technology and a positive customer experience.
Our objective with these monthly bulletins is to help companies identify important and significant news and legal developments impacting digital offerings.
In this issue, we provide an analysis regarding why you have to think proactively regarding data breaches and receive a customer's consent to receive breach notices electronically. In addition, we will cover recently enacted federal and state laws, federal and state regulatory activities, fresh judicial precedent and other important news.
Digitally complying with data breach notification laws: a little planning goes a long way
Your company suffered a data breach and you have to send breach notices to affected consumers. You know the quickest and easiest way to do that is using email. You check your records and find email addresses for the affected consumers. In some cases that's the only address you have. But can you send an electronic data breach notice? Find out more.
- GAO recommends Congress develop comprehensive legislation on Internet privacy that would enhance consumer protections: In 2018, after incidents involving the misuse of consumers' personal information from the Internet, the GAO was asked to review federal oversight of Internet privacy. In January 2019, the GAO published its report, which addresses, among other objectives: (1) how FTC and FCC have overseen consumers' Internet privacy and (2) selected stakeholders' views on the strengths and limitations of how Internet privacy currently is overseen and how, if it all, this approach could be enhanced. After reviewing prior enforcement actions and stakeholder responses, the GAO recommended that Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.
New co-chair named to Congressional Blockchain caucus: On January 28, 2019, Representative Darren Soto (FL-09) was named co-chairman of the Congressional Blockchain Caucus, a bipartisan group that promotes the future of blockchain technology and shapes the role Congress plays in its development. Representative Soto joins Representatives Tom Emmer (MN-06), Bill Foster (IL-11), and David Schweikert (AZ-06) as leaders of the Caucus.
ISDA publishes legal guidelines for smart derivatives contracts: On January 30, 2019, the International Swaps and Derivatives Association published its first in a series of legal guidelines for smart derivatives contracts, titled "Legal Guidelines for Smart Derivatives Contracts: Introduction." As ISDA states, this first paper outlines some potential smart derivatives contract models, sets out principles for the development of smart derivatives contracts, and identifies contractual and documentation issues that may be relevant in the development and implementation of new technology platforms, products and solutions for use within the derivatives industry.
Boston Fed produces white paper detailing two blockchain use cases: On February 6, 2019, the Federal Reserve Bank of Boston published a white paper titled "Beyond Theory, Getting Practical With Blockchain." The paper details how a Boston Fed team worked through two use cases. The first use case focused on developing a general ledger platform to simulate the banking transactions and settlements of a critical Boston Fed accounting system. The second use case focused on what an "audit" node or "supervisor" node would look like in a future banking blockchain network.
After review, FTC to keep CAN-SPAM in its current form: On February 12, 2019, the FTC announced that it had completed its first review of the CAN-SPAM rule – which governs the sending of commercial emails, including giving recipients the right to opt-out of receiving them – and it voted to keep the rule with no changes. In 2017, the FTC sought comment on whether the rule was useful and was still needed and what effects, if any, technological or economic changes have had on the rule. The FTC sought comment on three specific issues: whether it should (1) expand or contract the categories of messages that are treated as "transactional or relationship messages"; (2) shorten the time-period for processing opt-out requests; and (3) specify additional activities or practices that constitute aggravated violations.
DOT SBIR opens solicitation on use of blockchain in recording commercial motor vehicle registration: On Tuesday, February 19, the Department of Transportation (DOT) Small Business Innovation Research (SBIR) Program published a solicitation notice informing small businesses of the opportunity to contract for a project with the Federal Motor Carrier Safety Administration (FMCSA), among others, entitled, "Secure Motor Carrier Safety Data Information Exchange Using Blockchain." The FMCSA is interested in 1) determining whether it is feasible to create a secure transaction platform using blockchain technology that logs data for auditing purposes; and 2) creating a platform to record data shared between motor carriers, the FMCSA, and states to maintain an active DOT status for trucks that are involved in interstate commerce.
- CSBS to adopt recommendations from Fintech Advisory Panel: On February 14, 2019, the Conference of State Bank Supervisors (CSBS) agreed to adopt 14 specific recommendations from the CSBS Fintech Industry Advisory Panel. Among the recommendations that CSBS will adopt are:
- Develop a 50-state model law to license money services businesses
- Create a standardized call report for consumer finance businesses
- Build an online database of state licensing and fintech guidance, while encouraging a common standard
- Develop a new technology offering, a State Examination System, to simplify examinations of nonbanks operating in more than one state
- Expand the use of the Nationwide Multistate Licensing System among all state regulators and to all nonbank industries supervised at the state level
- Ohio auditors form blockchain working group. On Thursday, February 21, the County Auditors' Association of Ohio (CAAO), a group of county officials tasked with managing county budgets, reportedly announced it had formed a working group to study how blockchain technology may be implemented in property deed transfers. The working group will consist of 11 county auditors from across the state.
- CSBS requests information for State Model Payments Law. In February, the Conference of State Bank Supervisors (CSBS) issued a request for comment regarding recommendations published by the payments Subgroup of the Fintech Advisory Panel concerning the state regulatory approach to money transmission. Specifically, the request seeks comments on the following:
Comments are due by April 12, 2019.
- The scope of covered money transmission activities and applicable exemptions
- The change in control process, including the personal vetting requirements for individuals deemed new control persons
- Prudential regulations – in particular, permissible investment, net worth and surety bond requirements
- Supervision processes and coordination – in particular, how states can ensure the areas outlined above are implemented consistently without state-by-state policy diversion or needless duplication of effort.
- DC creates FinTech Sandbox council. On January 23, 2019, District of Columbia Mayor Muriel Bowser signed a Mayoral Order establishing a District of Columbia Financial Services Regulatory Sandbox and Innovation Council. This Council will produce a report within six months that details the feasibility of developing a regulatory sandbox for financial services in DC. The report will examine how blockchain, including smart contract technology, can help deliver financial services. The report will also include recommendations on developing, implementing and administering a regulatory sandbox in the DC for FinTech, InsurTech, RegTech and other technology businesses impacting the DC financial services market.
ULC publishes guidance note on intersection of blockchain, smart contracts and electronic transactions. On Monday, February 11, the Uniform Law Commission published a "Guidance Note Regarding the Relation Between the Uniform Electronic Transactions Act and Federal ESIGN Act, Blockchain Technology and 'Smart Contracts.'" The Guidance Note provides an overview of the state Uniform Electronic Transactions Act (UETA) and federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and blockchain-based smart contracts, concluding that state UETA provisions do not require amendment to enable use of blockchain and smart contracts in electronic transactions.
Wyoming creates FinTech Sandbox to test financial products and services. On February 19, 2019, Wyoming Governor Mark Gordon signed into law HB057, which creates Wyoming's financial technology sandbox for the testing of financial products and services in Wyoming. The law authorizes the Banking Commissioner or the Secretary of State, upon receipt of an application and consumer protection bond, to waive specified statutes or rules to allow for the testing or innovative financial products or services through a financial technology sandbox program. Wyoming will only consider for the FinTech sandbox financial products or services that cannot be made available under existing law.
Online contract formation and electronic signatures
- Grant of motion to dismiss in favor of arbitration under employment agreements. In Nevill v. Johnson Controls International PLC, 2019 WL 302157 (E.D. Wisc. January 23, 2019), the court applied Wisconsin contract law and granted the defendant's motion to dismiss for improper venue, holding that online benefit acceptance procedures supported the plaintiff's agreement to arbitrate as described in the defendant's employee benefit plans. The defendant, by email, informed the plaintiff of benefit offered to him and that he could review and accept the terms of the benefit award by logging onto the online benefit platform. After logging onto the platform, acceptance/rejection buttons activated only after the plaintiff: (1) clicked each hyperlink to the benefit plan and award documents; (2) checked a box stating that he "read all the documents"; and (3) entered his unique employee password, which operated as the electronic signature.
Dismissal granted due to arbitration provisions of employment agreement. In Perez v. Ruby Tuesday, Inc., 2019 WL 355637 (N.D. NY January 28, 2019), the court granted the defendant's motion to compel arbitration and dismissed Perez's claims based on an electronic arbitration agreement executed as a condition of continuing employment. All employees were required to execute the agreement on restaurant computers during working hours. The defendant presented a declaration attaching the arbitration agreement bearing Perez's date/time stamped electronic signature, as well as Perez's timecard showing she was working during the time the agreement was signed. The signature appeared below the following language: "My electronic signature below confirms that (a) I have received, read, and understand the Ruby Tuesday Arbitration Policy; and (b) I understand and agree to be bound by same as it relates to my employment with Ruby Tuesday."
- Court grants second motion to compel arbitration after defendant produces additional evidence. In Moses v. Lending Club, 2019 WL 489092 (D. Nev. February 6, 2019), Lending Club filed a second motion to compel arbitration after the court denied its initial motion without prejudice, requiring evidence to indicate a binding arbitration agreement. This time Lending Club produced a declaration which detailed the processes for, and provided screenshots showing, how borrowers agree online to borrower membership agreements and loan agreements – including Lending Club methods and records for tracking such agreement and processing borrower requests to opt out of the arbitration provisions contained in such agreements. The court distinguished Carlos v. Patenaude & Felix A.P.C., 736 Fed. Appx. 656, 2018 WL 2714576 (9th Cir. June 6, 2018) [which we discussed here], because, in that case, the defendant failed to produce evidence of the agreement executed by Carlos, specifically by failing to produce screenshots of the application process showing the credit application and credit card agreement as it would have been displayed to Carlos. The defendant in Carlos had produced only its internal records reflecting the information Carlos had entered into the platform during the online application process.
State case law
Biometrics and privacy
- Under Illinois's Biometric Information Privacy Act, plaintiffs do not need to allege actual harm to be eligible for statutory damages: In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that standing under the Illinois Biometric Information Privacy Act (BIPA) does not require plaintiffs who did not give prior informed consent to the collection of their biometric information to allege actual or threatened harm. Under many statutes (including BIPA), a party has standing to sue for statutory damages if the party is "aggrieved" by a violation of the relevant statute. This generally requires an allegation that actual or threatened injury resulted from the violation. Here, the court held that being aggrieved is dependent on the nature of the harm the legislature intended to remedy. In the case of BIPA, the Illinois General Assembly intended to mitigate the risk of misuse of a consumer's biometric information by requiring a private entity to notify and obtain consent from the consumer before such information is collected; and given the unpredictable nature of the harm caused by data breaches, consumers are sufficiently aggrieved by being denied the right to withhold consent to collection. To wait until actual harm has materialized, the court reasoned, would be "antithetical to [BIPA's] preventative and deterrent purposes."
Virtual currency and money transmission
- Florida court holds that selling bitcoin for fiat makes a person a money services business under Florida law: In State v. Espinoza, 2019 WL 361893 (Fla. Ct. App., 3rd Dist. Jan. 30, 2019), the court overruled the trial court's motion to dismiss and held that selling bitcoin directly to another person meant that the seller was acting as a "money services business" because he or she was both a "payment instrument seller" and a "money transmitter." The case arose because the defendant – who was not licensed as a money services business – sold bitcoin to an undercover agent. The defendant acknowledged that he was not licensed but argued that bitcoin was not covered by Florida's money services business law. The court disagreed. First, the court concluded that the defendant acted as a payment instrument seller because bitcoin constitutes a "payment instrument." A payment instrument is "monetary value," which Florida defines as "a medium of exchange, whether or not redeemable in currency." The court concluded that bitcoin was a "medium of exchange" and highlighted that local Miami businesses accepted payment via bitcoin. Next, the court concluded that the defendant acted as a money transmitter. The defendant argued, in part, that being a money transmitter requires transmission to a third party. The court disagreed, noting that because Florida's law – unlike the federal definition of a money transmitter – clearly does not contain a third-party or middleman requirement, it would not read such a requirement into the law. Overall, the court remanded the case back to the trial court for further proceedings consistent with this opinion.
Online contract formation and electronic signatures
- Motion to compel arbitration granted in class action employee dispute. In Perez-Tejada v. Mattress Firm, Inc., 2019 WL 830450 (D.Mass. February 21, 2019), the court, applying Massachusetts law, found that an arbitration agreement was not unconscionable; that adequate consideration was exchanged for the agreement; and that the defendants had put the employees on adequate notice of the agreement to arbitrate. The defendant sent an email to all employees with a copy of the arbitration agreement, requesting that the employees watch a video explaining the significance of the agreement and informing them of the need to electronically execute or opt-out of the agreement within 30 days and explaining the processes to do so. The email further stated that failure to timely execute or opt out in accordance with the processes, and remaining in the employ of defendants, would constitute the employee's agreement to be bound by the arbitration agreement. Employees were emailed almost daily with reminders to either execute or opt out of the arbitration agreement; these reminders included warnings in ALL CAPS of the effect of failing to take either action. All but one of the plaintiffs had electronically signed the arbitration agreement through an electronic signature process which applied a visual signature to the agreement, and the remaining plaintiff had neither signed nor opted out.
- Denial of motion to compel arbitration upheld. In another employer-employee dispute, Gilgar v. Public Storage, 2019 WL 698052 (Cal. App. 2nd. February 21, 2019), unpublished, the appellate court upheld the trial court's dismissal of the defendant's motion to compel arbitration. Citing California law, the court noted the failure of the arbitration agreement to include a visual signature line or check box, and the defendant's failure to call Gilgar's attention to the arbitration agreement or its legal effect. Rather than executing the arbitration agreement itself, after clicking to display each of the 11 documents in the hire package, Gilgar had to sign an acknowledgement of receipt by clicking a box marked "I Agree" next to a statement that Gilgar was "signing this Acknowledgment electronically" and had "read the document." Id. at 1*. Moreover, the defendant failed to present evidence that Gilgar had consented to conduct transactions by electronic means as required by California's enactment of UETA. The acknowledgment did not include electronic consent language, no screenshots of the execution process were provided, and the other 10 informational documents in the hire package did not indicate that Gilgar was entering into a contractual agreement with respect to the arbitration agreement.
ANNOUNCING OUR NEW PRACTICE: BLOCKCHAIN AND DIGITAL ASSETS
On February 26, DLA Piper announced the launch of its Blockchain and Digital Assets practice, which will offer strategic advice on a global basis to address the needs of companies implementing blockchain technology solutions and creating and deploying digital assets. The practice will be led by partners Mark Radcliffe (Silicon Valley), Margo Tank (Washington, DC) and Michael Hamilton (Los Angeles) in the US, and partners Martin Bartlam (London) and Scott Thiel (Hong Kong) internationally. Find out more here.
M. Tank and D Whitaker, "Trends in electronic signatures: strategies for addressing risk using biometric data," a white paper for Wacom.
Margo Tank is presenting on the "Rise of Smart Contracts" at the DC Blockchain Summit in Washington, DC on March 7, 2019.
Margo Tank and David Whitaker are presenting on 2019 Legal and Regulatory Issue at the Electronic Signature and Records Association Winter Members Meeting in Atlanta.