Commercial Transactions Due Diligence

FTC files charges against operators of alleged high school diploma mills

The Federal Trade Commission (the “FTC”) filed complaints on February 10, 2016 against two operators of online “high schools” that claim to be legitimate but allegedly are diploma mills, charging anywhere from $135 to $349 for a worthless certificate.

Complaints in both cases filed by the FTC in the U.S. District Court for the District of Arizona charge that the operators bought several website names designed to appear like legitimate online high schools and used deceptive metatags with terms such as “GED” and “GED online” to bring the bogus sites higher in search rankings. Once consumers got to the sites, messages popped up implying that the diplomas offered were equivalent to an actual high school diploma.

According to the FTC’s documents, the “courses” amounted to four untimed and unmonitored multiple-choice tests, requiring that students answer 70% of each test correctly. For some “high schools,” when students failed to meet that standard, they were redirected to the test once more, and this time, the correct answers were highlighted so that the students could change their answers.  Other “high schools” provided students with an online “study guide” that also highlighted the correct answer for students to select when taking the test.

Upon completing the tests, the FTC’s documents charge that consumers were directed to a set of menus to evaluate their “life experiences,” where selecting that he/she knows how to “balance

[a] checkbook” translates as credit for accounting coursework.  If a consumer says they “listen to music occasionally,” he/she may be given credit for a music appreciation course.

The FTC’s complaints in both cases point to numerous consumers who sought to use the diplomas to get jobs, apply for college and even join the military, only to find out that their diplomas were not recognized.

February 23rd, 2016|Categories: Commercial Transactions Due Diligence|Tags: , , |

New US-EU Safe Harbor agreement may be around the corner

Various sources report that US and EU representatives met on December 17, 2015 to hash out an agreement that would replace the recently invalidated Safe Harbor privacy framework. The two governments aim to have a replacement framework in place by January, says EU Justice Commissioner Vera Jourová. One of the main goals of the new program is to allow EU citizens’ grievances to be filed directly with their national privacy regulator.

As reported in our client alert and blogs, in October 2015, judges from the European Court of Justice issued a judgment striking down a 15-year old agreement, known as the Safe Harbor framework, which allowed US and European organizations to freely move personal data between the two regions as long as the US ensured an adequate level of data protection at the company and certified that it would abide by the seven EU data privacy principles regarding notice, choice, onward transfer, security, data integrity, access, and enforcement.  The invalidation ruling impacted nearly 4,000 businesses that relied on the Safe Harbor framework to transfer data between the US and Europe and requires all businesses to revaluate their compliance with European data privacy and security standards.

December 22nd, 2015|Categories: Commercial Transactions Due Diligence|Tags: , |

Right to be Forgotten movement gains backers in the U.S.

Seeking to expand recognition of the Right to be Forgotten to the United States, a consumer group has filed a petition with the Federal Trade Commission (the “FTC”) requesting that Google be required to remove links upon request.

Last year, the European Court of Justice ordered Google to remove links about the financial history of a Spanish attorney, finding that the links to stories about his debts were “inadequate, irrelevant or no longer relevant, or excessive,” establishing the Right to be Forgotten (“RTBF”). Over the last 12 months, Google has received 274,462 removal requests and evaluated 997,008 URLs for removal from its search results.

In the hopes of bringing the RTBF to the United States, Consumer Watchdog recently filed a petition with the FTC. The group argued that by providing the ability to request removal of links to European consumers in Europe, Google engaged in unfair and deceptive practices in violation of the Federal Trade Commission Act. Not offering Americans the right to request removal – while providing it to millions of users across Europe – is unfair, the group argued to the FTC. And Google’s claims in its privacy policy that “

[p]rotecting the privacy and security” of customer information “is a top priority,” are deceptive because the company limits protections by denying the RTBF, the consumer group added.

Consumer Watchdog listed several examples of U.S. citizens who have been harmed without the RTBF in this country, ranging from a guidance counselor who was fired after photos of her as a lingerie model from 20 years prior surfaced online to a woman whose mug shot appeared online after she was arrested defending herself against an abusive boyfriend. The group also told the FTC that Google already removes certain types of links from search results in this country (such as revenge porn), meaning it has the capability to remove other links as well.

“As clearly demonstrated by its willingness to remove links to certain information when requested in the United States, Google could easily offer the RTBF or the Right To Relevancy request option to Americans,” Consumer Watchdog wrote. “It unfairly and deceptively opts not to do so.”

The RTBF doesn’t implicate First Amendment concerns or constitute censorship, the group said, because the content remains on the Internet. The right “simply allows a person to request that links from their name to data that is inadequate, irrelevant, no longer relevant, or excessive be removed from search results,” according to the petition. “Americans deserve the same ability to make such a privacy-protecting request and have it honored.”

Further, the right isn’t automatic. “Removal won’t always happen, but the balance Google has found between privacy and the public’s right to know demonstrates Google can make the RTBF or Right To Relevancy work in the United States,” Consumer Watchdog concluded.

Meanwhile, the issue of expanding the RTBF has also come up in Europe. In July, a French regulatory authority ordered Google to remove all the links from its search pages including Google.com in the U.S. – not just the European pages. Google refused to comply and filed an appeal of the order. “We believe that no one country should have the authority to control what content someone in a second country can access,” Google’s global privacy counsel Peter Fleischer wrote on the company’s blog.

Read Consumer Watchdog’s petition to the FTC.

September 23rd, 2015|Categories: Commercial Transactions Due Diligence|Tags: , , |

FTC launches new resource for identity theft victims

The FTC has launched IdentityTheft.gov, a new resource that makes it easier for identity theft victims to report and recover from the crime. A Spanish version of the site is available at RobodeIdentidad.gov.

The new website provides an interactive checklist that explains the recovery process and helps victims understand the steps that should be taken upon learning that their identity has been stolen. It also provides sample letters and other helpful resources. In addition, the site offers specialized tips for specific forms of identity theft, including medical and tax-related, and contains advice for people who have been notified that their personal information was exposed in a data breach.

Identity theft has been the top consumer complaint reported to the FTC for the past 15 years, and in 2014, the Commission received more than 330,000 complaints from consumers who were victims.

June 12th, 2015|Categories: Commercial Transactions Due Diligence|Tags: , |

Financial regulators focus on vendor due diligence

In the wake of the economic crisis, financial institutions have faced a wave of new rules and regulations. From the Dodd-Frank Wall Street Reform and Consumer Protection Act to regulators stepping up their enforcement efforts, regulated entities must ensure compliance with a host of new requirements.

The rules and heightened oversight go beyond banks themselves, and are increasingly focused on their third-party vendors. In many cases, vendors are not allowed to work with regulated entities unless they can demonstrate their compliance with various data security and privacy requirements.

Last year, New York’s Department of Financial Services (the “DFS”) sent letters to banks nationwide expressing concern about the state of their cybersecurity practices with regard to third-parties. DFS Superintendent Benjamin Lawsky requested that recipients disclose “any policies and procedures governing relationships with third-party service providers” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms. “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote.

In “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the Securities and Exchange Commission (the “SEC”) and the Department of Justice (the “DOJ”) state that the agencies “assess whether the company has informed third-parties of its compliance program and commitment to ethical and lawful business practices, and where appropriate, whether it has sought assurance from third-parties, through certifications and otherwise, of reciprocal commitments.” To avoid regulatory action, the SEC and DOJ also suggest that regulated banks and financial institutions consider providing training to vendors.

The Office of the Comptroller of the Currency (the “OCC”) released new guidance in October 2013, advising banks to take a “life cycle” approach to managing third-party relationships (such as security providers, affiliates, consultants, joint ventures, and payment processors) from planning and due diligence to ongoing monitoring and termination.

When conducting due diligence – commensurate with the level of risk and complexity presented by the relationship – financial institutions should not rely on prior knowledge or experience of the third-party, the OCC said. Instead, they must conduct an “objective, in-depth assessment of the third-party’s ability to perform the activity in compliance with applicable laws and regulations and in a safe and sound manner” including a review of the third-party’s financial conditions (like any pending litigation or audited financial statements), reference checks, and evaluation of the entity’s legal and regulatory compliance.

Contracts should specify compliance with the regulations of relevant law, such as the Gramm-Leach-Bliley Act, the OCC added, and provide the financial institution with the power to conduct compliance reviews of the third-party.

Not to be outdone, the Consumer Financial Protection Bureau (the “CFPB”) followed up in January 2015 with the latest addition to its loosely-sewn patchwork of vendor management best practices and requirements. Compliance Bulletin 2015-01 which, among other directives, puts CFPB-supervised entities on notice that they may not invoke non-disclosure agreements to avoid complying with requests from the CFPB to produce a third-party’s confidential information.

For nonbanks and service providers still coming up-to-speed on the CFPB’s supervision and enforcement, confidentiality obligations, audit rights, vendor training responsibilities, and remedies for vendor breaches are among the more thorny agreement provisions that may need to be enhanced in light of developing trends.

Read OCC Bulletin 2013-29.

Read the SEC’s and DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act“.

May 8th, 2015|Categories: Commercial Transactions Due Diligence|Tags: , , |

Securities class actions remain popular

For regulated entities, an enforcement action by a government agency is practically guaranteed to result in a parallel consumer class action.

Nowhere is that more clear than for publicly traded companies regulated by the Securities and Exchange Commission (SEC). Securities class actions were considered to be so rampant that in 1995, Congress enacted the Private Securities Litigation Reform Act (PSLR) to curb what the industry believed were abusive practices.

While the statute raised the bar for private enforcement actions, it certainly did not close the courtroom doors to plaintiffs. Although there are fewer suits brought today, complaints are still filed lockstep with an agency enforcement action and in significant enough numbers to keep companies on their toes.

Industry watchers predicted that a seminal case decided by the U.S. Supreme Court last term, Halliburton Co. v. Erica P. John Fund (Halliburton II), would result in a decrease in class actions filed. That case involved a popular theory known as “fraud on the market,” where plaintiffs were not required to demonstrate that each individual class member relied on any allegedly misleading statements if the security at issue could be shown to be “efficient,” or with a market price reflecting all of its publicly available information.

While the Court did not toss the theory, the justices held that defendants can rebut the presumption prior to class certification. The June decision appeared to have little impact on the figures for 2014 filings. For example, NERA Economic Consulting reported that 221 securities class actions were filed last year, compared to 222 in 2013 and 212 in 2012.

Interestingly, although the number of complaints in securities class actions has not fluctuated much over the last few years, the aggregate amount of investor losses has declined, NERA found. 2014 saw a drop to $154 million from $159 million in 2013, down significantly from $243 million in 2012 and $248 in 2011. Are certain industries facing more lawsuits than others? NERA reported that one quarter of all of the securities class actions were filed against companies in the health technology and services area. Other major players: the finance industry, in second place with 19 percent of the suits, followed by the electronic technology and service sector with 13 percent.

Securities class action plaintiffs are also continuing a trend of settling prior to trial. Of all the pending and newly filed cases in 2014, just one lawsuit was actually tried to verdict (resulting in a plaintiff victory). Almost half of the cases ended on the defendant’s motion to dismiss (48 percent last year with an additional 21 percent dismissed in part), NERA found; 75 percent of the cases that survived settled prior to the class certification stage of litigation.

Read the U.S. Supreme Court’s opinion in Halliburton II.

February 23rd, 2015|Categories: Commercial Transactions Due Diligence|Tags: , , |

Asset searches: who can get bank information and why

Accessing bank account information can be vitally important, particularly for those engaged in a lending transaction seeking to fulfill due diligence requirements. But getting your hands on the information can be a challenge.

Asset searches are not illegal. However, certain methods to obtain bank or investment account information can be, such as pretext calling. The simplest way to obtain financial information is via the account holder, a designated representative, or a party with a valid court order. The first two options are unlikely to be forthcoming. As for the third choice, obtaining a court order to access such information can be time-consuming and costly.

Access to financial information is regulated by both federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation on financial institutions to protect customer information. Generally, a “customer” is defined as an individual consuming goods or services for personal or household use, although some authorities have included sole proprietors, partnerships of five or fewer, and other small businesses to receive the same privacy protections. For businesses, the issue of data protection is governed by contract. While the consumer protection provisions of laws like the GLBA would not apply, it does not mean that financial institutions can freely share their information.

International asset searches present their own set of problems. Other countries – particularly those in the European Union – have strict data privacy laws that prohibit any access to personal information as well as the transfer of data across national borders. Federal law also comes into play, with the Foreign Corrupt Practices Act presenting potential liability issues if an entity searching for asset information obtained the information by illegal means (such as bribing a banking or government official).

What about judgments? While a judgment cannot by itself force a bank or brokerage firm to disclose account information, it allows a creditor to use the court to seize the debtor’s assets. With a judgment in hand, a creditor can file for an order of examination which will require the debtor to disclose – under oath – the location of assets, details about income, or other relevant information. However, the judicial process of obtaining a judgment reveals the intent of the creditor and can give the debtor time to empty an account or move assets prior to the court entering an order. Judgments can also be tricky to enforce. State law governs judgments with specifics varying in each jurisdiction. In California, a creditor must obtain a writ of execution directing a levying officer (usually a sheriff) to serve the writ on the named institution. The institution must then freeze the specific account(s) or, in certain situations, turn over the balance in the account. Serving a writ of execution in California was recently simplified to allow service on a “central location” designated by a bank with nine or more locations in the state or accept service at any branch without such a designated office.

Long-arm statutes can be used to reach accounts in a jurisdiction other than where the judgment originated. A debtor can object to the attempt and courts typically impose a test of whether the debtor or third party (like the bank or brokerage holding the assets) has connections with the court or creditor, which, at a minimum, can delay the process and make it more expensive.

For assets like stocks, bonds, and commodities, creditors can again obtain a court order that can liquidate the account into cash to be turned over to the creditor. It should be noted that certain types of accounts (notably retirement accounts) cannot be reached, even in cases of fraud. To preserve an account balance, a creditor can serve a levy on a brokerage in order to put a hold on the account while waiting for a court order.

Public records – ranging from property records to litigation – can also help locate or confirm a debtor’s assets. One important consideration: it is essential to vet any company that purports to be able to obtain financial account information. Many misleading claims and offers about obtaining such information can be found on the Internet and creditors should ensure that any data obtained was in accordance with applicable law and regulations.

February 23rd, 2015|Categories: Commercial Transactions Due Diligence|Tags: , |

Privacy laws gain momentum in Congress

President Barack Obama has made data security a priority in recent weeks.

Speaking at the Federal Trade Commission (FTC) in January, the President announced three pieces of legislation: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for non-education purposes), the codification of the Consumer Privacy Bill of Rights issued by the White House in 2012, and the Personal Data Notification & Protection Act.

Implicating businesses across the country, the Data Notification Act would establish nationwide, uniform data breach notification rules that would preempt the existing collection of 47 different state laws. Criminal penalties for hackers would also be strengthened and companies would be required to notify consumers of a breach within 30 days.

Broader than prior proposals of federal data breach notification bills, the Act defines “sensitive personally identifiable information” to include a range of data, like an individual’s first and last name or initial and last name in combination with two other items like a home address or telephone number, birthdate, or mother’s maiden name, a Social Security number by itself, and a user name or e-mail address in combination with a password or security question answer that would permit access to an online account.

The notice provisions allow companies to inform consumers of a breach by mail, telephone, and e-mail, under certain conditions. When more than 5,000 individuals are affected in a single state, media notice is required; if more than 5,000 total individuals (regardless of residence) are impacted, the company must also notify credit reporting agencies and the federal government.

Although the bill designates the FTC as the primary enforcement agency, with the authority to promulgate rules pursuant to the law, the measure also requires the agency to coordinate with the Consumer Financial Protection Bureau (CFPB) where a data breach relates to “financial information or information associated with the provision of financial products or services.”

Some exemptions are included in the proposed bill. A business that does not access, store, or use covered data for more than 10,000 individuals during a 12-month period is exempt from the individual notice requirements. Safe harbor is also provided for companies that conduct a “risk assessment” that determines the data breach did not result in – and will not result in – harm to affected individuals. The business must notify the FTC of its “risk assessment” results and affirmatively indicate its intent to invoke the safe harbor.

A few days after he presented the proposal, President Obama reiterated his intent to pass data security measures in his State of the Union address, sending a message that he is focused on cybersecurity and privacy in the coming legislative session. Recent high-profile cyberattacks and data breaches (think Sony and Target) have also led to support from lawmakers and consumers, giving the bill momentum, but the question of its passage remains uncertain.

Learn more about Personal Data Notification & Protection Act

February 23rd, 2015|Categories: Commercial Transactions Due Diligence|Tags: , , , |

Beware of loopholes in reporting on securities brokers

When considering the track record of a securities broker or dealer, investors should be cognizant of loopholes in background reporting.

The Financial Industry Regulatory Authority (FINRA) oversees the regulation of brokers and operates BrokerCheck, an online database that contains disciplinary records of registered brokers. But a review by the Wall Street Journal found that BrokerCheck is sorely lacking a wealth of information about registered brokers, some of which can be found in the records of state regulators. At least 38,400 brokers have regulatory or financial red flags that appear only on state records, according to the WSJ’s investigation; of those brokers, at least 19,000 had clean BrokerCheck records. One significant area omitted by FINRA: internal reviews.

The WSJ identified 4,346 brokers with one or more internal reviews reported on their state records but not on BrokerCheck. Other regulatory red flags not spotted on FINRA’s database: personal bankruptcies filed more than 10 years ago, judgments and liens that have been satisfied, and certain employment terminations.

FINRA’s records do include complaints against brokers, regulatory actions, terminations for cause, and personal bankruptcies filed within the last decade, which the agency says is consistent with the Fair Credit Reporting Act. But in light of the gaps – and a proposal from FINRA to the Securities and Exchange Commission to expand the obligations of financial institutions with regard to the background screening of applicants (https://www.scherzer.com/sec-considers-background-check-rule-proposed-by-finra/) – investors should consider checking state regulatory records to form a more complete picture of a broker’s history.

In response to the WSJ’s inquiry, FINRA launched a review of its database and said the agency is studying the current rules about the information disclosed on BrokerCheck. The agency is also attempting to patch a separate loophole by coordinating its efforts with state insurance regulators. Following reports that insurance and securities regulators struggle to share data – and that individuals take advantage of the gap by continuing to sell insurance products despite losing a securities license, for example – FINRA vowed to take action. Beginning this month, the agency said it will provide a monthly report of its disciplinary actions against securities brokers not only to state securities regulators but state insurance regulators as well.

January 29th, 2015|Categories: Commercial Transactions Due Diligence|Tags: , , |

OFAC getting more common in contract terms and background checks

Do you know what OFAC is about? OFAC is the acronym of the U.S. Department of Treasury’s Office of Foreign Assets Control, and its function is to administer and enforce sanctions against countries or individuals (like terrorists or narcotics traffickers) with actions ranging from trade restrictions to the blocking of assets.

For U.S. companies, the agency’s enforcement applies to banks, insurers, and others in the financial industry that may be involved in covered dealings, which include engaging in transactions prohibited by Congress such as trade with an embargoed country or with a specially designated national (SDN).

Violations of regulations, which extend to all U.S. citizens, can result in substantial fines and penalties. Criminal penalties can reach up to $20 million and imprisonment up to 30 years; civil fees can range from up to $65,000 to $1,075,000 per violation, depending on the activity at issue.

OFAC has significantly stepped up its enforcement efforts that have resulted in sizable settlement agreements with U.S. entities, and thus companies increasingly are incorporating sanctions compliance language based on OFAC regulations into contracts and agreements, as well as including OFAC checks in their employment-purpose background screening or in connection with business transaction due diligence.

Contract terms requiring a party to affirm that it is not the subject of any OFAC sanctions status, that no OFAC investigations are in process, or that it does not engage in transactions with countries like Iran or North Korea, are becoming standard. Some deals also include a provision attesting that a company is not owned by an individual on the list of SDNs, that the company is not based or located in an embargoed country, or to assure that the monies used to make an investment or purchase were not provided by a sanctioned country or individual. Of course, it is also important to conduct background checks to confirm these representations at the start of the contract and at reasonable intervals thereafter.

The use of compliance language does not insulate a company from OFAC liability. While such a provision may create a contract-based remedy to recover monetary damages based on a fine or settlement with the agency, the clause cannot eliminate liability. Like any other governmental regulator, OFAC is not bound by private contract and can take action even with such terms in place.

Learn more about OFAC.

January 29th, 2015|Categories: Commercial Transactions Due Diligence|Tags: , |
© 2012- SCHERZER INTERNATIONAL | ALL RIGHTS RESERVED
Go to Top