BLOGS: Communications, Tech & Media Review

Friday, November 18, 2016, 10:29 AM

FCC Nixes Mortgage Bankers' Petition on Autodialed Calls to Wireless Numbers

By: Marty Stern, Doug Bonner and Rebecca Jacobs

The FCC’s Consumer and Governmental Affairs Bureau recently denied a petition from the Mortgage Bankers Association for an exemption from the prior express consent requirement for autodialed calls and texts to wireless numbers under the TCPA.   The requested exemption would have covered mortgage servicing calls, such as delinquency notifications, calls regarding missing documentation, and inquiries regarding whether the property had been abandoned or vacated.  In denying the requested exemption, the Bureau reasoned that the petition failed to demonstrate either that the calls would be made at no charge to the recipient, or that there was an exigency or immediate need for the calls sufficient to justify the exemption and what the Bureau viewed as the intrusion to the customer’s privacy from such calls.  The Bureau contrasted its decision here with the exemption granted to the American Bankers Association in the Commission’s 2015 TCPA Declaratory Ruling, in cases regarding fraudulent transactions involving a customer’s account, or identity theft.  The Bureau’s decision on the Mortgage Bankers Association petition is also in contrast to the recent Commission Declaratory Ruling granting petitions from Blackboard and Edison Electric Institute, which allowed certain autodialed school-related and utility calls and texts to wireless numbers, where the called party had previously provided his or her wireless number.

The D.C. Circuit recently heard oral argument on petitions for review of the FCC’s 2015 TCPA Declaratory Ruling, which, among other things included controversial findings on the definition of an autodialer and a caller’s obligation to cease autodialing reassigned numbers after one call, and decision is expected by year-end.    

Labels: , , , ,

Monday, November 7, 2016, 4:05 PM

FCC adopts proposed $21,691,499 fine of Network Services Solutions for violations of the USF Rural Health Care Program

By Doug Bonner

In the first major FCC enforcement proceeding involving its Rural Health Care Program, the FCC on November 4, 2016 adopted an NAL for nearly $22 Million against telecommunications reseller Network Services Solutions, which provided RHP services to Health Care Providers primarily in Mississippi and Texas.

The violations involve fabrication of documents, inflating rural rates, doctoring records to hide unfair non-competitive bidding practices, bribing a customer to sign, and submitting forged and false urban rates to increase payments from the Fund.  The violations appear to have been longstanding, from 2012 to date, and resulted in NSS receiving “millions of dollars” to which it was not entitled. 

FTC Provides Nonbinding Materials to Help Businesses Defend Against and Respond to Data Breaches

By Ted Claypoole and Taylor Ey

On October 25, 2016, the Federal Trade Commission (FTC) released its nonbinding “Data Breach Response” guide with an accompanying blog post and video, all directed to help businesses prepare a data breach response plan. The FTC continues to remain an active participant in the regulation of data security and cybersecurity practices, as this is one of several publications it offers to businesses related to data security and cyber security. While the guide is nonbinding, it provides insight into what the FTC may expect of a business when planning for and responding to a data breach.

The FTC recommends several steps businesses should consider when responding to a data breach. The steps taken will vary depending on the scale of the breach and the size and nature of a business. Generally, the FTC recognizes that any data breach response plan should include: (1) notification to affected parties, (2) notification to law enforcement, (3) prevention of future attacks, and (4) compliance with applicable state and/or federal law.

The FTC highlights the importance of planned communications when responding to a data breach. First, the FTC recommends that businesses identify their audience: were customers, investors, business partners, and/or employees affected by the breach? Affected parties need details about the breach so they can take additional protective measures, like changing passwords and usernames.

One way the FTC recommends businesses communicate with their audiences is through a model letter. The letter is a model for notifying individuals whose names and Social Security Numbers have been stolen. This model letter closely mirrors the required notification language found under California’s data breach notification statute, Cal. Civ. Code § 1798.82(d), including sections on: What Happened, What Information Was Involved, What We Are Doing, and What You Can Do. The FTC’s model letter also includes information available on the FTC’s website,, which may help affected parties prevent identity theft.

Businesses also should work with law enforcement to ensure that communications do not impede investigations of the breach. Ultimately, businesses need to be as transparent as possible when communicating information about data breaches to alleviate the doubts, concerns, and frustrations of affected parties.

To prevent future breaches, the FTC suggests that businesses assemble a data forensics team to analyze the affected computer systems and recommend solutions. Businesses should also take affected computer equipment offline to prevent additional data loss, but not turn off the machines before forensic experts arrive.

Finally, businesses need to comply with relevant state and federal laws regarding disclosures of data breaches. All but three states have procedures for data breach notifications, and states require notification of security breaches involving personal information of their residents. Federal laws are generally triggered based upon the type of information at issue in a data breach. For example: electronic health information breaches may be governed by the FTC’s Health Breach Notification Rule and/or the Department of Health and Human Services’s HIPPA Breach Notification Rule.

The Data Breach Response guide only highlights steps to take after a data breach has occurred. The FTC mentions its other reference materials for businesses to consider when developing data breach prevention plans, such as Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business, Lessons Learned from FTC Cases.

While the Data Breach Response guide is not comprehensive, it offers helpful and practical steps for businesses to consider in responding to data breaches and provides insight into what the FTC may consider reasonable and best practice following a data breach.

back to top