Earlier this month, the Philadelphia hotel Roosevelt Inn, its corporate parents, its New York management company, and an individual owner/manager of the hotel, were sued for allegedly allowing trafficking of sex involving a minor to take place on the hotel’s premises. The case – the first of its kind invoking Pennsylvania’s recently-amended human trafficking law – raises an abundance of difficult legal and ethical questions regarding hotels’ legal responsibilities for and obligations concerning their guests’ conduct, and how to meet those responsibilities while also respecting guests’ privacy.

The Roosevelt Inn Case

The lawsuit alleges that the defendants, “individually and/or by and through their actual or apparent agents, servants and employees,” “knew or had constructive knowledge” that their premises were being used for the sexual exploitation of the plaintiff, identified as “M.B.” The complaint alleges a number of potential indicators for sex trafficking at the hotel, implying that those red flags should have tipped the defendants off to the tragedy of M.B.’s alleged circumstances – indicators such as men lingering in the hall outside the plaintiff’s room, older men accompanying her in the hotel, M.B. being treated aggressively, M.B. exhibiting fear and anxiety, cash payments for her room, regular refusal of housekeeping services, and M.B. having few or no personal belongings in her room and dressing in a “sexually explicit manner.”

The complaint asserts causes of action for negligence, negligent infliction of emotional distress, intentional infliction of emotional distress, and a count styled “Negligence: Violation of Pennsylvania Human Trafficking Law, 18 Pa. C.S.A. § 3001, et. seq.”

The Law

Civil liability. The Roosevelt Inn complaint’s reference to the Pennsylvania Human Trafficking Law reportedly represents the first time that that law has been invoked in a civil lawsuit. Although plaintiff M.B. does not directly frame it as a separate cause of action, opting instead to invoke the sex trafficking law generally as a component of a negligence theory, the Pennsylvania law includes a provision that has the potential to create civil exposure for hotels whose premises have been used for prostitution. 18 Pa.C.S. § 3051(a)(2)(i) provides for civil liability for anyone who “profit[s] from” any sex trade act. In the case of a defendant, like a hotel, who “provides goods or services to the general public,” the law would require the plaintiff to prove that the defendant “knowingly markets or provides its goods or services to” a trafficker. 18 Pa.C.S. § 3051(b)(1). A federal law similarly provides for civil liability for “whoever knowingly benefits, financially or by receiving anything of value from participation in a venture which that person knew or should have known was engaged in [human trafficking].” 18 U.S.C. § 1595(a).

Under the federal regime, receiving a financial benefit when one should have known that one’s co-venturer was engaged in trafficking is enough to create exposure. (Under Pennsylvania law, the conduct must be done “knowingly”; which means “aware” that one’s conduct is of a particular nature, that particular circumstances exist, or that “it is practically certain” that one’s conduct will cause a particular result, 18 Pa.C.S. § 302(b)(2)). It seems likely, then, that cognizance of the sorts of red flags listed in the Roosevelt Inn complaint – men lingering in halls, regular refusal of housekeeping services, checking in with few or no personal belongings, etc. – could be sufficient to create civil liability under either Pennsylvania or federal law. Other potential indicators of trafficking identified by the Polaris Project, an anti-human trafficking organization, include:

• paying for the room with a prepaid card;
• requesting a room overlooking the parking lot;
• presence of excessive drugs, alcohol, or sex paraphernalia; and
• frequent requests for new linens, towels, and restocking of the refrigerator.

Criminal liability. Both Pennsylvania and federal law also create the potential for criminal exposure for hotels and their affiliates and employees who do not adequately respond to prostitution on their property. The federal statute makes it a criminal offense to “benefit[ ], financially or by receiving anything of value, from participation in a venture” that harbors a person, knowing or in reckless disregard of the fact that he or she is a victim of sex trafficking. 18 U.S.C. § 1591(a)(2).

The Pennsylvania law is similar, establishing criminal liability for anyone who “knowingly benefits financially or receives anything of value from any act that facilitates” an act of sex trafficking. 18 Pa.C.S. § 3011(b). Pennsylvania law also includes a separate provision that specifically creates criminal liability for any “business entity” that “knowingly aids or participates in any violation of [the sex trafficking law].” 18 Pa.C.S. § 3017(a). Violation of this provision can also lead to penalties of up to $1 million, revocation of the entity’s charter or authority to do business in the state, or forfeiture of assets or restitution. Id.

The Privacy Tightrope

While hotels may have a duty to prevent any form of human trafficking on their premises, that battle comes with a set of potential risks. Hotels are also under strict legal and ethical privacy obligations, and a misstep in service of even the most well-intentioned anti-trafficking agenda could lead to privacy blunders.

Hotels are at risk for legal action if identifiable information about their guests is distributed inappropriately. In one case that made headlines last year, sportscaster Erin Andrews was awarded a $55 million verdict after she sued a hotel that had revealed to another guest which room was hers, and that guest then surreptitiously filmed her through her door’s peephole. In an effort to avoid those risks, and protect guests’ privacy, hotels may have policies regarding when and how guests’ names and other identifiable information can be used, may seek to limit staff with access to identifiable information about guests to those with a need to know, and may take other reasonable precautions.

Combine these privacy concerns with the fallout from a poorly-executed attempt to react to suspected trafficking on the hotel’s premises, and the risks become clear. A call to law enforcement, even if not overheard, could generate a difficult-to-control flurry of activity involving many people, including staff and non-staff, and potentially even affect other guests. This activity could result in exposure of personal information about the suspect guest, potentially including some of his or her most sensitive information, such as information about visitors to the guest’s room, sexual activity, and the like. Such revelations, if ultimately determined to be unjustified, could lead to serious exposures for the organization. This is particularly so in an age of social media when there is little opportunity to control the rapidity and breadth of the spread of sensitive information. And if information memorializing staff’s suspicions about guests’ conduct is stored electronically, a data breach – a huge and growing issue in the hospitality industry – could be even more devastating for those guests than it otherwise might be.

Recommendation: Carefully Thought-Out Policies, Tailored to Your Organization

The best framework for safeguarding against and reacting to sex trafficking while avoiding privacy and other harms is a set of intelligent, well thought-out policies that address both concerns. These policies should be tailored to the particular organization’s size, capacity, and culture. Crucially, the policies must be consistently applied: the appearance that such policies are employed to the benefit or detriment of some guests, but not others, defeats their purpose and creates the potential for liability. Because of the importance of consistent application, good, effective training is a must.

Ultimately, hotels cannot eliminate the risk that their premises will be used for improper purposes, and difficult decisions will need to be made along the way. But careful planning and intelligent before-the-fact decision making can go far to help mitigate the risk.

Today the U.S. Department of Labor (DOL) formally announced its Final Rule which more than doubles the minimum salary threshold for “executive,” “administrative,” and “professional,” employees to qualify as exempt from overtime pay under the Fair Labor Standards Act (FLSA).

The DOL estimates that the Final Rule, which will become effective on December 1, 2016, will extend overtime pay eligibility to 4.2 million workers and result in $1.2 billion a year in additional wages paid to employees. The DOL also estimates that this will make 35 percent of full-time salaried workers automatically entitled to overtime based on salary alone (up from an estimated 7 percent currently).

KEY PROVISIONS OF THE FINAL RULE

• Increases the minimum salary threshold from $455 per week ($23,660 per year) to $913 per week ($47,476 per year) for employees to qualify as exempt from overtime under the executive, administrative or professional (EAP) exemptions. This is slightly less than $3,000 below the level included in the proposed regulations and reflects the 40th percentile of weekly earnings for full-time salaried workers in the lowest-wage Census region (currently the South).
• Increases the total annual compensation requirement from $100,000 to $134,004 per year for highly compensated employees (HCE) to qualify as exempt, which is the 90th percentile of full-time salaried workers nationally. This number is near $12,000 more than the figure included in the proposed regulations.
• Automatically updates the minimum salary threshold every three years, the first of which will take effect on January 1, 2020. The DOL will announce the new minimum salary level at least 150 days before its effective date. The current estimate of the salary level provided by the DOL in 2020 is $51,168. As with the current increase, the automatic updates will be keyed to the 40th percentile of full-time salaried workers in the lowest-wage Census region at the time of updating.
• Non-discretionary bonuses, incentive pay or commissions of up to 10 percent of the salary threshold paid on at least a quarterly basis (approximately $91 per week and $4,750 per year) can be counted to meet the minimum salary requirement for EAP (but not HCE) employees. Employers also are permitted to make “catch-up” payments to employees in order to maintain the minimum salary requirement.
• The Final Rule does not include any changes to the EAP duties tests.

The Final Rule also applies to the computer professional exemption, raising the hourly rate to $27.63 per hour. In addition, the new minimum salary threshold will be used to test whether employees are being paid a sufficient amount if they are being paid on a “fee basis.”

IMPLEMENTATION OF THE FINAL RULE

As the DOL notes, “employers have a wide range of options for responding to the changes in the salary level,” and likely will employ many different strategies throughout their workforces to comply with the Final Rule.

• For EAP employees currently classified as exempt and earning close to the new salary threshold, employers may choose to increase the salary level to maintain exempt status (especially where the employee works substantially more than 40 hours per week).
• In contrast, employees making less than $45,000 likely will be reclassified as non-exempt. For those employees, employers will need to assess how much (if any) overtime the newly reclassified employees likely will work and determine an hourly wage rate or salary for those employees taking into account those estimates.

Employers should consider the impact of the Final Rule generally, assessing its impact not only on individual employees and departments but more broadly looking at its effect on workflow and business operations.

For organizations that have a significant number of exempt employees currently earning less than $913 per week, compliance with the Final Rule will potentially have ripple effects throughout the organization, impacting the work of both exempt and non-exempt employees. The Final Rule also may well have the unintended consequence of creating salary compression at the lowest rungs of the exempt workforce and while at the same time creating an increased workload for the remaining exempt workforce.

Implementation of the DOL’s Final Rule for many organizations will be labor intensive, requiring the coordinated efforts of leaders from legal, employee relations, finance, and operations. Messaging to employees regarding any changes also will be important. Given the December 1, 2016, effective date of the Final Rule, employers should analyze the associated impact on their businesses and make modifications in order to comply.

RELATED RESOURCES:

• WEBINAR: Join us on Wednesday, May 25th at 11:00 a.m. ET for a webinar that will analyze the DOL’s Final Rule on overtime that more than doubles the minimum salary threshold for white-collar workers under the FLSA.Click here to register >
• ARTICLE: “Employers Need to Assess Impact of DOL’s Final Overtime Rule,” Andrea M. Kirshenbaum,The Legal Intelligencer (May 20, 2016). Click here to view >

Disclaimer: this article does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this E-Flash without first seeking the advice of counsel.

Social media has endless and valuable opportunities for the hospitality industry. From “valuable marketing” to connecting on a more personal level with consumers, social media can make or break a brand. However, in order to “maintain a positive reputation” on a world-wide platform like Twitter, it is important to take proactive measures. Completely controlling a wild beast like social media is an impossible feat. In this article, Charles Spitz and Benjamin Shechtman analyze a case involving Chipotle and a disgruntled employee and offer insight on the nuances of social media and the NLRA.

Read the full article here.

The M.C. Dean NALF

In the M.C. Dean NALF, the FCC accused M.C. Dean — the contractor that provides telecommunications and internet services to the BCC — of operating its network management system in what the system’s user manual called “‘shoot first and ask questions later’ mode” for approximately two years, between October 2012 and December 2014. According to the FCC, that setting allowed M.C. Dean’s hardware to routinely and repeatedly disrupt links between wireless devices in use at the BCC and any Wi-Fi network other than M.C. Dean’s. Through the use of this feature, the FCC alleged, M.C. Dean “automatically detected and indiscriminately deauthenticated any unknown [point of wireless access to the internet].” The alleged result was that many visitors found their personal Wi-Fi hotspots unusable at the convention center.

The NALF implied that M.C. Dean’s motive in disrupting unknown wireless networks operating in the BCC was to force visitors to purchase wireless service from M.C. Dean itself. (For its part, M.C. Dean — like other operators of large wireless networks in the hospitality industry — advances various practical justifications for these sorts of network management practices —more on this below.) The FCC concluded that Wi-Fi blocking activity represents “a particularly egregious form of misconduct,” which “runs counter to fundamental Commission principles by stymieing wireless innovation, competition and the availability of Wi-Fi as an important Internet access technology.” Because the FCC deemed the conduct especially offensive, and “to ensure that a proposed forfeiture is not treated as simply a cost of doing business,” the FCC proposed a fine of $718,000 — just shy of four times the base figure suggested by the Commission’s forfeiture guidelines.

M.C. Dean has declined to accept the FCC’s proposed forfeiture, making a submission that describes the Commission’s legal theory as “akin to a second-rate B-movie Dracula that collapses when exposed to the realities of daylight” and urging that the NALF be “dispatched with the regulatory equivalent of a wooden stake through the heart: a summary cancelation or withdrawal.” M.C. Dean argues that, not only is the FCC wrong about its motives — the vast majority of its wireless service sales take place prior to the events and so revenues are not boosted by any real-time blocking activity — the enforcement action amounts to an unfair surprise. The FCC, argues M.C. Dean, itself authorized the equipment that the company used, with the result that “the company reasonably believed that such authorization extended to the [equipment’s] deauthentication technology”; not only that, but the FCC’s legal theory is novel and M.C. Dean claims it had no notice that the conduct might violate the FCC’s rules.

Ongoing Battle

The FCC has made its anti-Wi-Fi blocking efforts into something of a campaign. Simultaneously with issuing the M.C. Dean NALF, the FCC issued a separate NALF indicating it will issue a $25,000 fine against Hilton Hotels for a failure to cooperate in the FCC’s investigation of Wi-Fi blocking at Hilton properties around the world. The Hilton and M.C. Dean actions came on the heels of a $750,000 settlement with Smart City Holdings over its Wi-Fi blocking at multiple convention centers, and a late-2014 settlement of $600,000 with Marriott over similar conduct.

In the wake of the Marriott settlement, industry groups petitioned the Commission for a declaration or rulemaking clarifying the FCC’s stance toward certain sophisticated Wi-Fi management techniques, which can be valuable tools for protecting consumers on business premises, and for protecting the businesses themselves. The FCC aggressively rebuffed the petition, issuing multiple statements on Jan. 27, 2015 to the effect that the FCC does not countenance Wi-Fi blocking, period. The industry groups, faced with a near-certain public flogging, withdrew their petition. They had little choice, but the move meant that important and complex questions regarding Wi-Fi network management on hotel and other business premises would remain unanswered.

In the course of withdrawing the petition, the American Hotel & Lodging Association highlighted the legitimate security concerns associated with unchecked hotspot use in a physical space crowded with Wi-Fi users, telling the FCC:

Broad access to Wi-Fi is among the capabilities that petitioners’ guests demand. They also demand access to a safe and secure system in order to protect private information from criminals seeking to exploit consumers. … Of particular concern to the hospitality industry is the ability of a hotel to protect the security of its network and guests by using wireless intrusion detection and prevention systems that are part of WLAN equipment authorized by the FCC. These systems are employed by numerous WLAN operators across multiple industries, including the federal government.

The M.C. Dean NALF appears to signal again the FCC’s blunt rejection of the industry group’s concerns.

Legitimate Concerns

The FCC’s rejection notwithstanding, there are important considerations at play. Depending on how strictly the FCC interprets its perceived anti-blocking powers, for example, hotels and convention centers could well be deprived of an effective tool for protecting patrons against dangerous and widespread scams. In one such scam, a would-be cyberthief sets up a Wi-Fi hotspot that acts as an “evil twin” to the business’s legitimate network, giving the bogus wireless network the same name and characteristics as the business’s. When unsuspecting visitors use the illegitimate wireless, the bad actor can often collect the data that passes across his equipment, exposing private information such as usernames, passwords, credit card information and private messages. Deprived of the ability to disrupt the connection between an evil twin and its putative victims — because the FCC has described the “use of deauthentication frames with the intent to prevent third-party Wi-Fi devices from establishing or maintaining their own networks” as a violation — businesses may be without their most powerful tool for protecting their customers against such misdeeds.

Another concern is performance. Particularly in the hospitality industry, where customers are often businesspeople who expect and require on-premises connectivity to do their jobs, reliable Wi-Fi is a necessity, not a luxury. But when a relatively small physical space is packed with a large number of individual wireless hotspots, some of them operating at a much higher power than others, those devices can interfere with one another and network performance, including the performance of the business’s network, can suffer. Businesses may be prevented from policing their airspace to avoid significant interference from particularly disruptive devices. The fact that resulting on-premises connectivity problems may be perceived by customers as unlawful Wi-Fi blocking, contrary to the FCC’s recent enforcement actions, is an irony that businesses may have to endure.

Controversy Within the Commission

Commissioners Michael O’Rielly and Ajit Pai dissented from the M.C. Dean NALF, echoing the industry’s unease over the FCC’s aggressive enforcement absent clear rules. Both commissioners questioned whether the current state of the law even allows the FCC to prohibit the type of Wi-Fi management at issue, noting that the Commission’s interpretation of the law could lead to absurd results, including that — because, as noted above, Wi-Fi signals in close proximity to one another clash — every intentional use of wireless equipment in a public space could invite sanctions.

Commissioner Pai called the decision “the latest evidence that the FCC’s enforcement process has gone off the rails,” accusing the Commission of “yet again focus[ing] on attention-grabbing fines,” “instead of dispensing justice by applying the law to the facts.” A month later, he echoed those comments at an event for communications attorneys, saying that “things have gone seriously awry” in the Commission’s enforcement process and chastising the FCC Enforcement Bureau for neglecting the unglamorous, meatand-potatoes enforcement that has traditionally been its beat in favor of eye-popping fines that attract press but do not necessarily further the Commission’s mission.

Commissioner Pai’s concerns are apparently shared by some at the federal government’s other top cyber enforcer, the Federal Trade Commission. The day after Commissioner Pai’s remarks, FTC Commissioner Maureen Ohlhausen gave a speech (“FTC-FCC: When Is Two a Crowd?”) to the same audience that contrasted the FCC’s and FTC’s enforcement priorities and noted:

The FCC’s approach … differs significantly from the FTC’s “reasonable security” approach. I am concerned that what appears to be a “strict liability” data security standard will actually harm consumers. The goal of consumer protection enforcement isn’t to make headlines; it is to make harmed consumers whole and incentivize appropriate practices.

Commissioner O’Rielly said that the M.C. Dean NALF illustrates the poor fit between legislation and regulation developed in a pre-Wi-Fi world and the problems of the present day. He called the enforcement an example of, “yet again, trying to set important and complex regulatory policy by enforcement adjudication,” adding, “[t]his is backward and not the best course of action.”

Conclusion

The FCC appears set on aggressively moving against Wi-Fi blocking without answering crucial questions about which available network management techniques are FCC-approved. This state of affairs is increasingly common in issues of cybersecurity, where slow-moving regulators meet fast-developing technology. The FCC has made it clear that it will look with a jaundiced eye on practices that fail to meet its expectations; what exactly those expectations are appears destined to be developed piecemeal, one enforcement action at a time.

_________________________________________________________________

—By Abraham J. Rein and Charles W. Spitz, Post & Schell PC

Abraham Rein is an associate in Post & Schell’s Philadelphia office and was part of the team that won the Facebook speech case, United States v. Elonis, in the Supreme Court of the United States.

Charles Spitz is principal and chairman of Post & Schell’s hospitality practice group and is based in Philadelphia.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

With the recent disclosure by Chipotle Mexican Grill, Inc. (“Chipotle”) that it received a grand jury subpoena from the U.S. Attorney’s Office for the Central District of California relating to a norovirus outbreak among customers and employees at a Los Angeles-area restaurant, the federal government is reiterating its interest in assuring the safety of the nation’s food supply, be it from restaurants or production facilities. The U.S. Department of Justice (“DOJ”), together with the Food and Drug Administration (“FDA”), is increasingly investigating and prosecuting food companies for the sale of adulterated food products – ice cream manufactured by Blue Bell Creameries from Texas, peanut butter manufactured by Peanut Corporation of America from Virginia, eggs produced by Quality Egg, LLC, in Iowa, and cantaloupes grown by Jensen Farms in Colorado, among others.

Coupled with the Yates Memo, the September 2015 memorandum by DOJ Deputy Attorney General Sally Yates announcing DOJ’s emphasis on holding individual employees accountable for corporate misconduct, this puts food company executives, as well as food companies, at increased risk of being charged criminally for adulterated products.

Federal Food, Drug and Cosmetic Act

The sale of food products is subject to the federal Food, Drug and Cosmetic Act (“FDCA”), which prohibits the sale of misbranded or adulterated food, among other regulated products, in interstate commerce. Adulterated food¹ is defined to include food which “consists in whole or in part of any filthy, putrid or decomposed substance” or “has been prepared, packed or held under insanitary conditions whereby it may have become contaminated with filth, or whereby it may have been rendered injurious to health.” The FDCA provides for both felony and misdemeanor charges against those who introduce adulterated food or other regulated products into interstate commerce. Felony charges² may be filed for any FDCA violation committed “with the intent to mislead or defraud” or for a FDCA violation committed after a prior FDCA conviction. The government may also charge companies and individuals with a misdemeanor FDCA violation – a strict liability offense – in the absence of any intent to violate the FDCA.

Of the recent felony cases, the conviction and sentencing of Stewart Parnell, CEO of the Peanut Corporation of America, stands out. Parnell was charged with 67 felony counts relating to a salmonella outbreak that infected over 700 people and resulted in the death of nine people. At trial, the government proved that despite knowing the peanut butter his company produced was contaminated, Parnell ordered his employees to “just ship ‘em,” and intentionally shipped adulterated foods in interstate commerce.  In September 2015, Parnell was sentenced to 28 years imprisonment – the longest sentence ever given to an individual convicted for food safety violations in the United States.

For some matters still under investigation, whether individual employees, as well as companies, will be charged is yet to be determined. In the Blue Bell Creameries ice cream investigation, involving a 2014 listeria outbreak resulting in three deaths that was allegedly traced to three production plants, in assessing whether or not to bring misdemeanor or felony charges, the FDA and DOJ may be investigating exactly what if anything Blue Bell executives knew regarding the outbreak, when that knowledge was obtained, and how that knowledge factored in any corrective efforts. With respect to Chipotle, because only a single restaurant was tied to the norovirus outbreak, whether a sufficient nexus to interstate commerce exists to support federal jurisdiction may be at issue.

Responsible Corporate Officer Doctrine

To prosecute corporate executives for misdemeanor FDCA violations, in which they played no direct role, the government must demonstrate that the individual is a “responsible corporate officer” within the meaning of a doctrine (i.e., the Park doctrine) established by the U.S. Supreme Court in United States v. Dotterweich, 320 U.S. 277 (1943) and United States v. Park, 421 U.S. 658 (1975). In Dotterweich, the Court upheld a company president’s conviction for adulteration and misbranding of repackaged drugs despite a lack of evidence that he had actual knowledge of or any role in the FDCA violations. The Court reasoned that because the distribution of food and drugs affects the lives and health of people who are beyond self-protection, “in the interest of the larger good, [the FDCA] puts the burden of acting at hazard upon a person otherwise innocent but standing in responsible relation to the public danger.” In Park, the Court further developed the doctrine, holding that a prima facie case is established when there is evidence that “the defendant had, by reason of his position in the corporation, responsibility and authority to either prevent in the first instance, or promptly correct, the [FDCA] violation complained of, and that he failed to do so.”

Two recent examples of the prosecution of individuals under the Park doctrine were widely reported. In April 2015, a father and son, the owner and COO of Quality Egg, were each sentenced to three months in prison and personally fined $100,000 after pleading guilty to a misdemeanor FDCA violation for introducing eggs adulterated with salmonella into interstate commerce. Neither admitted to having prior knowledge of their company shipping adulterated eggs, but the government’s sentencing memorandum stated that the company had disregarded positive salmonella tests for years and that company employees tried to bribe a U.S. Department of Agriculture inspector. Additionally, in January 2014, brothers Eric and Ryan Jensen, the owners of Jensen Farms, pleaded guilty to misdemeanor FDCA violations for their part in distributing in interstate commerce cantaloupes adulterated with listeria, which was tied to the deaths of at least 33 people and 147 hospitalizations. Despite a lack of evidence that the brothers intended to sell adulterated food and “unique cooperation” with the government resulting in changes in farming practices, they were each sentenced to five years of probation and $150,000 in fines.

The Government’s Appetite Has Been Whetted

In an interview in July 2015, DOJ Associate Attorney General Stuart Delery said “[w]e have made a priority holding individuals and companies responsible when they fail to live up to their obligations that they have to protect the safety of the food that all of us eat.” These recent food safety convictions and ongoing investigations should put food industry executives on notice:  to avoid potential personal liability, responsible food industry executives must ensure that their manufacturing, distribution, and food handling processes, and compliance monitoring of same, accord with current food safety requirements and that any known or suspected deficient processes are promptly evaluated and remedied.

Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.

The Real ID Act was passed by Congress in 2005 to set nationwide standards for the issuance of driver’s licenses and identification cards by establishing minimum security, authentication, and issuance procedures forall states. Under the law, federal agencies are barred from acceptingdriver’s licenses and identification cards issued by states that do not comply with the minimum standards. As of today’s date, only twenty three (23) states are fully compliant with the Real ID Act.

The Real ID Act was implemented slowly over the last ten years. The final phase of implementation, commercial flight restrictions, was to become effective this year. To give states more time to become compliant, the Department of Homeland Security extended the deadline for commercial air travel until January 22, 2018. At that time, airline passengers with a driver’s license issued by a state that is still non-compliant with the Real ID Act, will be forced to show an alternative form of identification for domestic travel, such as a Passport, Passport Card, Global Entry card, U.S. Military ID, airline or airport-issued ID, or a federally recognized tribal-issued photo ID.

At this time, 27 states have been granted an extension by Homeland Security to become compliant. These states have until October 1, 2020 to comply with the Act. Currently, only six states and territories do not have extensions: Illinois, Minnesota, Missouri, New Mexico, Washington, and American Samoa (see the chart below for more detail on deadlines).

As of today’s date, citizens using a state-issued driver’s license seeking access to military bases, nuclear power plants, and other federal facilities that are only accessible with identification, must present a license in compliance with the REAL ID Act. At this time, the only individuals that need to be concerned are those from the six states and territories that are non-compliant and have not been issued an extension (see chart below). The REAL ID Act does not apply to individuals entering federal buildings that do not require identification (such as post offices), voting, driving, participating in law enforcement proceedings, or children (under 18 years old) flying domestically.

The potential impact of states’ non-compliance with the Real ID Act is cause for concern for any companies booking individuals for domestic air travel and that have multi-state operations and offices, as well as the agencies that provide associated booking services and itineraries. For this reason, these entities should continue to monitor and confirm when non-compliant states have made the necessary changes. Hopefully the pressure from the Department of Homeland Security will force these states to make changes. If they fail to do so, companies need to ensure that their employees have valid passports or other acceptable identification for domestic travel to and from non-compliant states.

Click here to see how the REAL ID Act will affect your state.

Disclaimer: This EFlash does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this EFlash without first seeking the advice of counsel.

Abraham J. Rein & Charles W. Spitz

                                                                                                                                       374            95

On Monday, November 2nd, the Federal Communications Commission (FCC) took more enforcement steps in its campaign against Wi-Fi blocking – the practice of blocking unauthorized Wi-Fi hotspots that let consumers share mobile data access with other devices, like laptops and tablets – in hotels and convention spaces. It released two Notices of Apparent Liability for Forfeiture (“NALF”) indicating that it will issue:

a $718,000 fine in connection with Wi-Fi blocking at the Baltimore Convention Center; and
a $25,000 fine against Hilton Hotels for a failure to cooperate in the FCC’s investigation of Wi-Fi blocking at Hilton properties around the world.
This comes on the heels of a $750,000 settlement with Smart City Holdings over its Wi-Fi blocking at multiple convention centers, and a late-2014 settlement of $600,000 with Marriott over similar conduct.

As we previously noted in this space, in the wake of the Marriott settlement, industry groups petitioned the Commission for a declaration or rulemaking clarifying the FCC’s stance toward certain sophisticated Wi-Fi management techniques, which can be valuable tools for protecting consumers on business premises, and for protecting the businesses themselves. The FCC aggressively rebuffed the petition, issuing multiplestatements on January 27 to the effect that the FCC does not countenance Wi-Fi blocking, period. The industry groups, faced with a near-certain public flogging, withdrew their petition. They had little choice, but the move meant that important and complex questions regarding Wi-Fi network management on hotel and other business premises would remain unanswered.

In the course of withdrawing the petition, the American Hotel & Lodging Association (“AH&LA”) highlighted the legitimate security concerns associated with unchecked hotspot use in a physical space crowded with Wi-Fi users, telling the FCC:

Broad access to Wi-Fi is among the capabilities that Petitioners’ guests demand. They also demand access to a safe and secure system in order to protect private information from criminals seeking to exploit consumers. . . . Of particular concern to the hospitality industry is the ability of a hotel to protect the security of its network and guests by using wireless intrusion detection and prevention systems that are part of WLAN equipment authorized by the FCC. These systems are employed by numerous WLAN operators across multiple industries, including the federal government.

Monday’s enforcement actions appear to signal again the FCC’s blunt rejection of the industry group’s concerns.

Commissioners O’Rielly and Pai dissented from the Baltimore Convention Center NALF, echoing the industry’s unease over the FCC’s aggressive enforcement absent clear rules. Both Commissioners questioned whether the current state of the law even allows the FCC to prohibit the type of sophisticated Wi-Fi management at issue, noting that the Commission’s interpretation of the law could lead to absurd results, including that every intentional use of Wi-Fi equipment in a public space could invite sanctions. Both bemoaned the Commission’s failure to take up the industry’s request for legally binding guidance over what is and is not allowed, instead of “trying to set important and complex regulatory policy by enforcement adjudication.” Ultimately, Commissioner Pai called the decision “the latest evidence that the FCC’s enforcement process has gone off the rails,” accusing the Commission of “yet again focus[ing] on attention-grabbing fines”; Commissioner O’Rielly called the move “backward and not the best course of action”; and both declined to join in the decision.

At the time of the industry groups’ withdrawal of their petition, we noted that the FCC appears set on aggressively moving against Wi-Fi blocking without answering crucial questions about which available network management techniques are FCC-approved. This state of affairs is increasingly common in issues of cybersecurity, where slow-moving regulators meet fast-developing technology. The FCC has made it clear that it will look with a jaundiced eye on practices that fail to meet its expectations; what exactly those expectations are appears destined to be developed piecemeal, one enforcement action at a time.

Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.

Click here to view the original article.

The FDA has issued draft guidance regarding previously announced menu-labeling rules set to take effect on December 1, 2015. The scope of those rules, which require certain businesses to post nutrition information about food offered for sale, has raised questions for the hospitality industry.

The FDA’s draft guidance, issued on September 11, 2015, relates to last year’s nutrition labeling rules promulgated under the Patient Protection and Affordable Care Act, which requires certain “restaurants and similar retail food establishments” to disclose calorie information and provide a “succinct statement concerning suggested daily caloric intake” on or near menus and near self-service food and food on display. The rules, which apply only to restaurant-type establishments that are part of a chain with 20 or more locations doing business under the same name and which offer for sale “substantially the same menu items,” raised questions regarding their applicability to chain hotels that offer food in various capacities.

Four Key Takeaways

• First, the draft guidance clarifies that chain or franchise hotels offering complimentary breakfast would not, by virtue of that fact alone, be considered the sort of “covered establishments” that are subject to the rule: they are not “restaurant[s] or similar retail food establishment[s] that offer[ ] for sale standard menu items.”
• Second – in an important caveat– certain hotel restaurants that “offer for sale” restaurant-type food are covered by the new rules if they meet the criteria qualifying them as a chain. Those criteria include being part of a group of hotel restaurants with 20 or more fixed locations doing business under the same name, and offering for sale substantially the same menu items.  (It should be noted, however, that the nutrition labeling requirements apply only to food offered for sale, so even if a given hotel restaurant is a “covered establishment,” that hotel’s complimentary breakfast likely will not be subject to the new rules.)
• Third, the criteria qualifying the establishment as a chain apply regardless of the type of ownership of the locations – so individual franchises are covered to the same extent as multiple locations under common ownership – and the FDA warns that “persons exercising authority and supervisory responsibility over a restaurant or similar retail food establishment can be held responsible for violations,” suggesting that under some circumstances the FDA could, if it chose, impose vicarious liability on the franchisor or licensor of a restaurant for misbranded food at a franchise location.
• Fourth, the guidance makes clear that covered entities can comply with the labeling requirements by providing the required information via an app or internet link, but that the establishment must provide access to the information (e.g., at a kiosk or other electronic device available at the establishment), without the need for customers to supply their own electronic devices.

Conclusion

The FDA’s food labeling rules are complex and could impact the hospitality industry in a variety of ways. Licensors and franchisors that retain power over hotel restaurants’ menus and menu boards are not insulated from liability for missteps, and all hospitality chain executives, general counsel and franchisees should prioritize getting into compliance with the rules prior to the go live date of December 1, 2015.

Disclaimer: this E-Flash does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this E-Flash without first seeking the advice of counsel.

View the original article here.

The rise in mobile devices is not confined to personal use; mobile devices increasingly play an integral role in many business operations. We rely on mobile devices to communicate with clients, frequently using them to exchange sensitive data. Health care professionals use mobile technology when interacting with and treating patients. Countless workplaces expect employees to be available on-demand via mobile devices. Mobile devices transmit, receive and store a treasure trove of valuable data, which, if compromised, can be used by bad actors to steal identities, access bank accounts, file false tax returns, misappropriate trade secrets and more. Safeguarding this sensitive data is important to all businesses, both to ensure client confidence and to comply with a complex patchwork of legal obligations. Therefore, businesses, including law firms and attorneys, must be cognizant of the risks involved in using mobile devices and vigilant about following best practices for mobile data security.

Mobile Data Security Risks

Mobile devices, and by extension the data stored on and transmitted by them, are uniquely vulnerable. First, by their very nature, mobile devices are more easily lost or stolen than computers. Second, because they rely on wireless connections, data transmitted by mobile devices is more vulnerable to undetected interception while in transit.

Thefts of mobile devices are on the rise. According to Federal Communications Commission Commissioner Jessica Rosenworcel, one in three robberies includes the theft of a mobile device. Moreover, it is all too easy to lose a mobile device, especially if an employee uses one device for both business and personal use, carrying it virtually everywhere he or she goes. If a mobile device is lost and not properly secured, it is relatively easy for bad actors to gain access to the device and the data stored on it, including emails and their attachments. Depending on whether employees store sensitive information like passwords and access information for other services or sites in their email folders, a thief can find a gold mine of data from just one device.

Additionally, scams to intercept wireless data transmissions are all too common. In one classic scheme—far from the only one—a bad actor will set up a free public WiFi hotspot, give it an appealing name, and simply pull down all the data that unsuspecting users transmit across it. If that data is unencrypted and includes sensitive information, the trick has been a success.

The Legal Landscape

Persons and entities that handle or store sensitive data, especially data containing clients’ financial, health or other identifying information, are subject to an ever-evolving patchwork of state and federal regulation regarding protecting this data. For example, many states, including Pennsylvania, require these entities to inform customers in the event of a breach. Pennsylvania’s Breach of Personal Information Notification Act imposes notification obligations on “any entity that maintains, stores or manages computerized data that includes personal information” in the case of a data breach. Generally, if the personal information was unencrypted, the entity must notify customers if their personal information “was or is reasonably believed to have been accessed and acquired by an unauthorized person.” However, if the data was encrypted, then notification is required only if the data was accessed in unencrypted form or if the breach involved the encryption’s security.

Currently there is no general federal data breach notification law, although several recently have been proposed. However, the Health Insurance Portability and Accountability Act of 1996 imposes a notification requirement when unsecured protected health information, like individually identifiable health information, “has been, or is reasonably believed … to have been, accessed, acquired or disclosed.” This obligation is imposed not only on health care providers and insurers, but also on their business associates that receive, handle or use protected health information.

Other federal laws also address data security and the protection of personal information. For example, the Federal Trade Commission uses its broad consumer-protection authority to protect consumer privacy and personal data from improper disclosure. The FTC enforces the Gramm-Leach-Bliley Act, which protects nonpublic personal information from unauthorized disclosure by financial institutions. Financial institutions also must comply with the FTC’s red flags rule, which obligates them to undertake periodic risk assessments to determine whether they are required to implement a written identity-theft prevention program. Finally, the FTC also brings enforcement actions against individuals and entities that have misused or improperly disclosed consumer data, or failed to take “reasonable” precautions to protect it. According to reported enforcement actions, violators frequently are required to revise or implement comprehensive privacy and data security programs, delete illegally obtained consumer information, and notify consumers whose data has been improperly disclosed.

Best Practices to Safeguard 

Mobile Data

This combination of factors— countless devices storing and transmitting vast and valuable data, vulnerability to infiltration, and a mosaic of regulation—makes mobile device security a crucial area for any business. To protect data stored on mobile devices, consider implementing the following recommendations:

• Physically encrypt mobile devices.

Device encryption and SIM card encryption are available on almost all smartphones and other mobile devices, and prevent bad actors from accessing stored data even if the device is physically dismantled. Physical encryption is stronger than simple password protection because it cannot be defeated with specialized software.

• Strong passwords still are important.

Require mobile devices to be passwordprotected, and consider requiring alphanumeric passwords or passwords longer than four characters. Discourage employees from using easy-to-guess passwords.

• Have a plan for lost devices.

Install software capable of remotely wiping data from the mobile device if it has been lost or stolen. Also train employees to notify information technology staff immediately in the event of a loss.

• Separate personal from work.

If employees are permitted to bring their own devices to work, ensure that business data is segregated and cannot be downloaded or locally saved onto the personal device. Readily available software can assist with this.

• Maintain control of settings.

Ensure that devices used for work, whether provided by the company or employees’ own devices, cannot install applications that can modify key security settings, and ensure that employees cannot modify security configurations without information technology authorization.

• Train employees to minimize risk of physical loss.

Train employees to be mindful of their devices’ security, including safeguarding them while traveling. To protect data transmitted by mobile devices, consider implementing the following recommendations:

• Do not use free public WiFi.

Data transmitted over wireless connections can be seen by the provider. Scammers frequently set up free public hotspots and intercept data transmitted by unsuspecting users.

• Encrypt email.

Many companies encrypt their email, as do major free email providers like Gmail. If not automatically encrypted, encrypt emails containing sensitive financial or protected health information. When exchanging sensitive information with business partners, determine whether they encrypt email.

• Do not text sensitive data.

Texts are the most easily intercepted messages and generally are not encrypted, making their content easily accessible by bad actors.

_________________________________________________

Authors:

ABRAHAM J. REIN is an associate in Post & Schell’s data protection/breach and internal investigations and white-collar defense practice groups in Philadelphia. He counsels corporate enterprises and individuals on the prevention of data security breaches and compliance with related state and federal regulations, and defends them in related investigations and criminal proceedings.

CAROLYN H. KENDALL is an associate in the firm’s data protection/breach and internal investigations and whitecollar defense practice groups in Philadelphia. She conducts internal investigations and defends corporations, officers and other individuals facing criminal and civil investigation, as well as counsels them on the prevention of data security breaches, and compliance with related state and federal regulations

Originally published on Saturday, July 18, 2015
44 views at time of republishing

– At oral argument, Defendant-Appellants Wyndham Hotels and Resorts, LLC (“Wyndham”) argued strenuously that businesses have essentiallyno guidance as to what specific cybersecurity practices are required to avoid an enforcement action by the FTC. Wyndham argues that an FTC enforcement action under these circumstances violates constitutional notice principles.

– Plaintiff-Appellees FTC argued, just as emphatically, that the business community is in fact on notice of the FTC’s cybersecurity requirements by virtue of a variety of complaints that the FTC has filed alleging data privacy failures.

– The court, in detailed questioning during argument, probed whether federal court is the proper forum for the case. Ultimately, the judges requested briefing on whether the matter warrants “detailed administrative consideration,” requiring it to be sent instead to an internal FTC proceeding.

Although the case has not yet been decided on the merits – the court is considering Wyndham’s motion to dismiss – the potential impact is extreme: this is the first time the FTC has asked a federal court to allow it to interpret its statutory authority to enjoin “unfair” business practices to extend to data security failures.

WYNDHAM’S ALLEGED DATA BREACHES AND SECURITY FAILURES

According to the FTC’s complaint, Wyndham and the Wyndham-branded hotels to which the Wyndham name is licensed – whose property management systems link to Wyndham’s corporate network – suffered three intrusions into their computer networks between April 2008 and January 2010. In each case, hackers were allegedly able to access sensitive consumer data by compromising the Wyndham data center in Phoenix, Arizona. Ultimately, the breaches allegedly led to “fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”

The FTC’s complaint catalogs the following alleged security failures that purportedly allowed the breaches to occur and which “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft:”

Failure to take appropriate steps – such as employing firewalls – to limit access between and among the Wyndham corporate network, the Wyndham-branded hotels’ property management systems, and the internet;

• Allowing Wyndham-branded hotels to store credit card information in an unencrypted format;
• Not ensuring that Wyndham-branded hotels implemented adequate information security practices before connecting their networks to Wyndham’s;
• Not remedying “known security vulnerabilities,” including permitting the branded hotels to connect to Wyndham’s network with servers whose operating systems could not receive security updates;
• Allowing hotels’ servers to connect to Wyndham’s network despite the fact that the servers’ default user IDs and passwords had never been changed;
• Not doing enough to require strong user IDs and passwords;
• Not adequately inventorying computers connected to Wyndham’s network;
• Not taking “reasonable measures” to prevent unauthorized access to Wyndham’s network;
• Not following “proper incident response procedures,” including failing to monitor Wyndham’s network for malware used in a previous intrusion; and
• Not adequately restricting third-party vendors’ access to the networks by, e.g., restricting connections to specified IP addresses.

WYNDHAM’S MOTION TO DISMISS AND APPEAL

Wyndham moved to dismiss the FTC’s complaint in the District of New Jersey, arguing, among other things, that (a) the FTC’s statutory authority to take action to enjoin and remedy “unfair” commercial practices does not cover data security failures that are negligent at worst, in which the company itself was a victim of a third party’s crime; and (b) the FTC has never put companies on notice of what cybersecurity practices would be sufficient to avoid an enforcement action, raising constitutional concerns.

The district court denied the motion to dismiss, but granted Wyndham’s request to allow the denial to be immediately appealed to the Third Circuit.  The district court noted pointedly that “the Court does not render a decision on liability today. . . . And this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead, the Court denies a motion to dismiss given the allegations in this complaint – which must be taken as true at this stage[.]”  In allowing Wyndham to appeal the decision, the court pointed to the “novel, complex statutory interpretation issues” in the case, and acknowledged that those issues “give rise to a substantial ground for difference of opinion.”

THE ISSUES ARRIVE IN THE THIRD CIRCUIT

The Third Circuit briefing has been extensive and intense. Eleven days prior to arguments, after some 400 pages of merits briefing (including six friend-of-the-court or amicus briefs), the court issued a letter instructing the parties to come to argument prepared to discuss, in essence, whether the FTC must more fully address the application of its “unfairness” authority to cybersecurity issues via administrative rulemaking or internal administrative proceedings, before a federal court can pass on it at all.

The court’s question flows from a statutory provision allowing the FTC to seek a permanent injunction only in a “proper case.” The meaning of that term is ambiguous, but legislative history could be read to suggest that the provision should only be applied where the FTC “does not desire to further expand upon” its statutory authority, because the case presents no issues “warranting detailed administrative consideration.” The court’s letter, and the judges at argument, probed whether the question of appropriate cybersecurity practices warrants such administrative consideration.

At oral argument, the FTC responded essentially that (a) the Commission has already given the issue its due consideration, both in a recent ruling on a motion to dismiss an administrative proceeding as well as by virtue of filing administrative complaints in “fifty data security cases brought at the administrative level;” and (b) the specific measures that are required to satisfy the FTC’s “unfairness” analysis can be established in court on a case-by-case basis as a factual matter, relying on expert testimony and the like.  (Wyndham, while emphatically maintaining that the FTC had offered the business community insufficient cybersecurity guidance, opted to “ke[ep its] powder dry” on the question of forum, in large part because “[we] like [our] chances better” in federal court than in an administrative proceeding.)

After oral arguments lasting twice as long as the allotted time, the judges closed the session with a request that the parties brief the forum question.

THE PARTIES’ POSITION ON FORUM

On March 27, the parties filed the court’s requested briefs. Predictably, the FTC’s brief reiterated its oral argument position that federal court is an appropriate forum in part because data-security complaints and consent decrees filed administratively by the Commission constitute whatever “detailed administrative consideration” is required. The FTC’s brief also emphasized that Wyndham had never challenged federal courts’ ability to hear the case.

In its brief, Wyndham managed to maintain its dry-powder stance. It agreed with the FTC that the court need not, and should not, reach the question of forum because neither party had raised it, arguing that the issue “is not a jurisdictional matter the Court is obligated to address sua sponte.” It went on to argue, among other things, that the case presents a “particularly poor vehicle” to address the issue, in part “because the problems with the FTC’s case run far deeper than the form of relief the Commission is seeking or the forum in which it has chosen to proceed.” As an example of the issues with the FTC’s case, Wyndham cited again its allegation that the industry has never been put on notice of what cybersecurity practices the FTC would accept. Finally, Wyndham’s brief contended that, should the court nonetheless determine to find that federal court is an inappropriate forum for the case, it would be doubly unfair to allow the FTC – after a two-year investigation and nearly three years of federal court litigation – to simply start afresh in its administrative forum. Rather, Wyndham asked the court to dismiss with prejudice, or alternatively to require the FTC to go through a formal rulemaking process to set out clearly-defined cybersecurity standards to which it will hold the industry.

POTENTIAL IMPLICATIONS FOR THE HOSPITALITY INDUSTRY

In this case, the FTC has articulated the position that businesses like Wyndham are on notice of required cybersecurity practices, because the FTC has filed complaints laying out practices which, “taken together,” it claims violate the prohibition on “unfair” business practices.

At oral argument, the judges questioned whether businesses could be expected to monitor the FTC’s dockets – indeed, it appears that the FTC announced an average of approximately fifteen new complaints each month in 2014 – to ensure compliance with its standards. The FTC replied that “any careful general counsel would be looking at what the FTC is doing,” because the FTC “has broad-ranging jurisdiction and undertakes frequent actions against all manner of practices and all manner of businesses.”

Although the Third Circuit need not follow the district court in accepting that argument, it may. Additionally, the court appears to be considering turning the case away on improper-forum grounds, meaning that a federal court will have no occasion to consider the FTC’s position. If that happens, or if the Third Circuit affirms the court below, the FTC will likely continue to maintain that its filing of complaints laying out cybersecurity practices that it considers “unfair” puts businesses and their counsel on notice of the minimum practices they must follow.

In any event, this litigation places the hospitality industry on notice that an investment in uncovering and filling cybersecurity gaps now may prevent FTC sanctions downstream. To this end, monitoring the FTC’s complaints and working with IT staff in making judgments about whether the organization’s data security practices sufficiently cover those gaps about which the FTC is complaining is important. This will require attention to detail, an excellent IT staff, and inside and/or outside counsel with a strong working knowledge of cybersecurity principals, both legal and technical.

_________________________________________________________

About the Authors:

Marc H. Perry is a Principal and Co-Chair of Post & Schell’s Hospitality Practice Group. He is an experienced trial lawyer and has successfully represented members of the hospitality industry in litigation in state and federal courts. He has tried and litigated complex premises liability, catastrophic injury and wrongful death claims on behalf of hospitality clients, including claims of criminal conduct of third parties on the premises and negligent security.

Abraham J. Rein is an Associate in Post & Schell’s Internal Investigations & White Collar Defense, Data Breach/Protection/Breach and Hospitality Practice Groups. Mr. Rein’s national practice focuses on representing individuals and businesses in complex litigation settings, ranging in scope from consumer fraud to securities, civil rights, antitrust and government regulation.