The FTC has issued an updated data breach response guide. The guide provides an outline of steps the FTC believes your company should follow in the event of a data breach. They fall into several broad categories:  securing operations, fixing vulnerabilities, and notifying appropriate parties.

Under the heading of “securing operations,” the FTC suggests things such as assembling a team of forensics and legal experts, securing physical areas, taking servers and other affected equipment offline, and conducting an investigation into what occurred. This is all good advice. But, in my opinion, it comes too late. Companies need to plan for data breaches before they occur. Planning proactively allows you to have your response plan in place. Then, all your leadership team needs to do is implement it.

If you have a response plan in place, then “fixing the vulnerabilities” will be easier, too. Your forensic investigation will inform what vulnerabilities the attack and breach uncovered. Nonetheless, the FTC advice here is a little weak as well. For example, only at this stage does the FTC suggest creating a comprehensive communications plan. You need to have a draft communications plan in place that you can update and put into action at the first sign of trouble. If you don’t, you will be overwhelmed responding to rumor and false information instead of setting the agenda for the post-breach conversation.

The “notifying appropriate parties” section of the FTC guide, in contrast, is chock full of good advice, including sample notification letters and contact information for key agencies and entities like credit reporting agencies. The guide also reminds us that most states now have state reporting requirements that need to be followed and that breaches involving health information involve an entirely separate area of federal notification law. Especially in cases involving health information, strict compliance with the law is necessary.

While imperfect, the FTC guide for responding to data breaches has substantial information and is worth reviewing. Importantly, it provides guidance as to the type of response the FTC desires. Complying with the guidance by definition reduces the likelihood the FTC will bring an administrative action respecting any data breaches you suffer and helps in your defense to any actions the FTC does initiate.

In a development that applies to all businesses operating in California, Governor Jerry Brown recently signed a new bill which prohibits employers in California from requiring employees, as a condition of employment, to submit to the law of another state or foreign jurisdiction for disputes related to their employment.

Applicable to employees who primarily reside and work in California, the new law provides that employers may not include provisions in employment agreements that require the adjudication of claims outside of California, or apply another jurisdiction’s law to disputes arising in California. As an example, a New York business with employees in California could not include provisions that require disputes with such employees to be heard in New York courts or governed by the laws of New York. The law further provides that provisions in employment agreements that violate the foregoing prohibitions are voidable, upon request of the employee, and any disputes over a voided provision must be adjudicated in California courts under California law.

The law, known by its legislative moniker of California Senate Bill No. 1241, will become effective January 1, 2017 and applies to contracts entered into, modified, or extended after January 1st. It is viewed by many as an attempt to target mandatory arbitration provisions commonly found in employment agreements. Additionally, especially given the nationwide fight being waged to redefine many franchisees as “employees” of the franchisor, this new law has the potential to void common choice of law and forum provisions in franchise agreements entered into with California residents. This law is sure to be challenged, as it seems to fundamentally assault the ability of employers and employees to bargain freely, so stay tuned.

Thanks to Evan McGillan for his research and drafting assistance for this post.

In Williams v. Jani-King, counsel for Jani-King has requested the Third Circuit en banc reconsider its decision to allow class certification to franchisees who claim to be employees, rather than independent contractors. Although the Third Circuit did not reach the merits of the case, which claims misclassification of the franchisees as independent contractors, the Third Circuit considered the controls inherent in the franchise relationship as a factor under Pennsylvania law.  In a strong dissent, Circuit Judge Cowen recognized franchising as a “bedrock” of the economy, and the majority decision threatens to undermine the entire franchise industry by confusing trade mark and operational controls as evidence of control over employment.

At oral argument, counsel for Jani-King, Aaron D. Vanoort, argued to the panel that “control over what” is important. His argument, adopted by the dissent, is that control over trademarks, required by the federal Lanham Act, should not be considered at all in the evaluation of whether franchisees are really employees. In support of the en banc request, Jani-King argues that the uniform franchise documents used to support class treatment should actually be read by the court to address whether the class action should go forward.

As the merits remain undecided, the case creates uncertainty for the franchise industry.


A recent article in Wired instructed employees in how to digitally erase all their stuff when they quit their jobs. The problem is that the author drew few distinctions between wiping computers of all personal items–family photographs or videos, personal emails, etc.–and company-related work product. Most franchisors and franchisees will take the position–and rightly so!–that employees’ work product on their company-issued laptops, cell phones, and voicemail accounts is company property.

The corollary to the Wired article is what the employer should shut down when an employee resigns. Whenever an employee resigns their employment, companies must be prepared to take some immediate steps:

1. Unless there are ongoing projects that the employee needs to complete, the company should shut down or limit the employee’s access to confidential and proprietary information;

2. The IT Department needs to monitor the employee’s computer activity to ensure that they are not downloading or sending to personal email confidential or proprietary documents or information, including client lists; and

3. The employee should be reminded of any existing obligations under a confidentiality or non-disclosure agreement, or company policy. While many states have adopted uniform trade secret acts, and the recently passed Defend Trade Secrets Act provides a cause of action if a company’s trade secrets are misappropriated even in the absence of a restrictive covenant, it is helpful to be able to point an employee to concrete obligations in an agreement when they resign their employment.

Post-separation, franchisors and franchisees need to be prepared to enforce their restrictive covenants. If an employee destroys or misappropriates trade secrets when they wipe their company-issued computer clean, companies should be prepared to enforce their rights.

This post was authored by Catherine Barbieri and first appeared in slightly edited form on Fox Rothschild’s Tech in the Workplace blog.

On September 22, 2016, California Governor Brown vetoed two pieces of franchise legislation which had been passed by both houses.  Both of these bills originated with the State Bar of California’s Franchise Law Committee.

The first bill is Assembly Bill 1782.  Effectively, Bill 1782 provided for a Limited Trade Show Exemption, which means that a franchisor can attend a trade show in California without being registered in California.  The provisions of the bill included numerous conditions for allowing a franchisor to attend these trade shows, including submission of a detailed notice to the commissioner regarding the franchisor, the posting of a conspicuous sign at the show stating that the franchisor is not legally able to offer a franchise for sale in California and the payment of a fee. Other states, such as New York, make certain allowances for franchisors to attend trade shows in state without being registered.

The Governor vetoed this legislation stating the following reasons:  “Registration gives the Department [of Business Oversight] the opportunity to review franchise disclosure documents and ensure that franchisors are providing accurate information to potential customers.  Allowing unregistered franchisors to market at these events without verifying their eligibility to do business in California is a step in the wrong direction.”

The second bill is Assembly Bill 2637.  Bill 2637 removed the present provision in California franchise regulation requiring that a franchisor disclose to a prospective franchisee all terms of the franchise agreement and related agreements which the franchisor had negotiated with other franchisees in the past 12 months in order to be exempt from an additional registration requirement for sales on terms different than those reflected in the registered franchise disclosure document.  The proposed legislation added the requirement that the original offer was of the documents registered with the state and that language must be added to the cover page or state addendum in the franchise disclosure document to the effect that the franchisor is able to negotiate the terms of the franchise agreement and related documents.

The Governor vetoed this legislation stating the following reasons:  “While it is important to promote bringing new businesses into California, doing so at the expense of transparency could be detrimental to potential franchisees, as the bill proposes to do.  The current process, which allows the Department to review contract changes, ensures that franchisees are not placed at a disadvantage in their final agreement.”

Both veto responses seem to misunderstand some of the effects of this legislation.  With respect to the trade show legislation, no transactions may take place without registration so I am not sure what additional protection this may provide.  I suspect that many trade shows may be looking for alternative venues.  Even more obvious to me, however, is the second veto.  The result will be that many franchisors will continue to refuse to negotiate or give any requested concessions to their franchisees in California.

The State Department announced that it will begin accepting applications for the FY 2018 Diversity Immigrant Visa Program—commonly called the diversity visa (DV) lottery—beginning Tuesday, October 4, 2016. Applicants who are selected and approved may apply for a green card starting on October 1, 2018.

Each year, the State Department randomly selects 50,000 immigrant visa applications from a pool of foreign national applicants who were born in certain countries with historically low rates of immigration to the United States. The State Department will accept diversity visa applications for FY 2018 beginning on Tuesday, October 4, until Monday, November 7.

Applicants who are selected in the lottery must meet certain requirements before becoming eligible to apply for lawful permanent residency (i.e., apply for a green card).

First, applicants must be born in countries that have historically low immigration rates. Individuals born in the following countries are ineligible to apply for a DV for fiscal year 2018: Bangladesh, Brazil, Canada, China (mainland-born**), Colombia, Dominican Republic, El Salvador, Haiti, India, Jamaica, Mexico, Nigeria, Pakistan, Peru, Philippines, South Korea, United Kingdom (except Northern Ireland) and its dependent territories and Vietnam. Most notably, nationals of Ecuador are eligible to apply in this year’s diversity visa lottery program, a change from being ineligible in years past. Those not born in an eligible country may still be able to apply for a DV through a spouse (if that spouse was born in an eligible country) or, in certain circumstances, through a parent.

Secondly, each DV applicant must have at least a high school education or its equivalent or, alternatively, have two years of work experience in a position that requires at least two years of education, training or experience to perform. The State Department encourages applicants to avoid procrastination in applying, as heavy demand in their application system may cause delays or other technical errors. Applicants will be able to check if they were selected in the randomized lottery starting May 2, 2017.

Employers, including franchisors and franchisees, are often interested in having a qualifying employee apply for a diversity visa in order to avoid costly traditional employment-based green card applications (such as first conducting mandatory advertisements in connection with a PERM filing with the Department of Labor). Both employers who encourage their foreign employees to apply, as well as any other prospective individual applicants, should be mindful of complex requirements in order to avoid rejection, denial or other avoidable issues throughout the diversity visa application process.

**Note: Persons born in Hong Kong SAR, Macau SAR and Taiwan are eligible.

For more information, please contact Michael W. Stevenson, who contributed this post, or any member of Fox Rothschild’s Immigration Practice.

Copyright: stuartphoto / 123RF Stock Photo

My colleagues and I have posted in the past about the proposed commentary on Item 19 Financial Performance Representations (“FPR Commentary”) drafted by the North American Securities Administrators Association, Inc. (“NASAA”).   The FPR Commentary is intended to provide practitioners with clarification about how franchisors should make an FPR in Item 19 of the Franchise Disclosure Document and will answer frequently asked questions about how franchisors can make a financial performance representation (also known as an earnings claim) under federal and state franchise disclosure guidelines.

The NASAA is once again seeking public comments on a revised proposal for the FPR Commentary.  This is a second request for public comments following the feedback received on the original proposed FPR Commentary.  The original proposed FPR Commentary was released for public comment in October of 2015.

A copy of the proposed FPR Commentary with instructions on how to provide your comments can be found here. Comments on this revised proposed FPR Commentary are due on or before October 13, 2016, and the NASAA reminds everyone that after the comment period has closed, NASAA will post to its website the comments it receives as submitted by the authors. Parties should therefore only submit information that they wish to make publicly available.

Copyright: bbbar / 123RF Stock Photo

The attorneys in Fox Rothschild’s Franchising, Licensing & Distribution practice are excited to welcome Craig R. Tractenberg as he joins Fox’s franchise practice in our Philadelphia and New York offices. Craig is the former head of the franchise practice at Nixon Peabody and also enjoys a terrific reputation as an international litigator.

All of our clients will benefit from the remarkable depth of experience that Craig brings to the table, and all of us — Craig’s new colleagues here at Fox and clients alike — will surely benefit as well from his strategic thinking and sage counsel.

Here’s a condensed version of Craig’s very impressive bio:

  • Craig is a skilled international litigator who focuses on complex business disputes involving franchises, intellectual property, licenses, business torts and insolvency issues. He has represented individuals, companies and governments in litigation before state and federal courts and in international arbitration forums such as AAA, the International Centre for Dispute Resolution (ICDR) and the International Centre for Settlement of Investment Disputes (ICSID).
  • His practice centers on developing and protecting the financial and brand equity of franchise companies, real estate projects and energy projects. For franchise companies, he regularly structures new franchise programs, many of which are international. He also defends and enforces franchise agreements.
  • Craig has prosecuted or defended fraud, defamation and unfair competition cases and also enforces and defends trade secrets and restrictive covenants in state and federal courts.
  • In international work, Craig successfully defended the Republic of Turkey against an investor claim before the International Centre for Resolution of Investor Disputes in Paris. This followed the successful defense of the Republic of Turkey before the International Chamber of Commerce Court of Arbitration in Geneva. He also successfully represented a claimant U.S. company in an intellectual property licensor’s claim brought against a Brazilian licensee before the ICDR.
  • Accolades from clients and colleagues have placed Craig on many of the most important lists of leading lawyers. For nine consecutive years, he has been included in a list of “The Best Lawyers in America” for Franchise Law in New York. He has been recognized as a “Legal Eagle” every year since 2005 by Franchise Times. In the preeminent lawyer rankings by Chambers USA, he was named as one of the leading Franchise attorneys in New York. He is also listed in the International Who’s Who of Franchise Lawyers and in “Super Lawyers.”
Copyright: wattanaphob / 123RF Stock Photo

The Radio Shack bankruptcy case raised a fundamental question regarding the sale of personally identifiable customer information: Can it be done? The answer is “Probably”. (You expected anything else?)

When Radio Shack filed for bankruptcy protection, it had collected personally identifiable customer information respecting 117 million individual customers. Radio Shack had promised customers in its privacy policy that it would not “rent or sell” their personally identifiable information to any third party. In the bankruptcy proceedings, the customer information was identified as an asset. Radio Shack proposed to sell this asset for the benefit of creditors. The FTC, many state attorneys general, Verizon and AT&T objected to the proposed sale. A privacy ombudsman, permitted by the Bankruptcy Code, was also appointed by the Court.

The Bankruptcy Court ordered all parties to mediate the dispute. In mediation, a deal was reached permitting customer information to be sold. However, a number of conditions were attached to the sale. First, the buyer had to agree to be bound by Radio Shack’s privacy policy. Second, customers had to be given notice of the sale and an opportunity to “opt-out” either via email or mail, depending upon whether Radio Shack had a valid email address for the customer. Third, opt-out information had to be “prominently” posted on the Radio Shack website. Finally, the buyer was prohibited from the use of “sensitive” information, including debit/credit card information, date of birth and government IDs such as Social Security numbers.

The Radio Shack settlement provides a number of takeaways respecting the sale of personally identifiable customer information, in and out of bankruptcy:

  • Even government actors such as the FTC and state AGs appear to recognize that privacy rights are not absolute and need to be balanced against the interest driving a sale.
  • A bedrock principle is the need to honor the promises made by the company that collected the information.
  • Government regulators require an “opt-out” process.
  • Company privacy policies and disclosures should make it explicitly clear that information collected from customers may be sold and/or provided to a successor or buyer company, including if such information is sold in the context of bankruptcy.
  • Don’t ignore HIPAA, which will always apply to medical information.
Copyright: goldfinch4ever / 123RF Stock Photo

Following on the heels of other states, Republicans in the Virginia House of Delegates have pre-filed a bill intended to override any action by the U.S. Department of Labor to make the employees of a franchisee also employees of the franchisor.  The bill is House Bill No. 1394 for the January 2017 General Assembly legislative session.  A very similar bill was vetoed by Governor Terry McAuliffe during the 2016 session.  Virginia Republicans are hoping to gain the support of enough delegates to override a potential future veto.

Similar to other states, the legislation clarifies that an employee, for purposes of Virginia labor law, is not an employee of a franchisee’s franchisor.  The following additional language proposed is added to the definition of “Employee”:  “Notwithstanding any voluntary agreement entered into between the U.S. Department of Labor and a franchisee, neither a franchisee nor a franchisee’s employee shall be deemed to be an employee of the franchisee’s franchisor for any purpose to which this section applies.”

Delegate Chris Head, who introduced the legislation, states “Small businesses are the backbone and lifeblood of our economy.  In recent years, President Obama’s National Labor Relations Board has sought to expand the influence of labor unions over small business franchises to the detriment of their hard working employees. This legislation protects employees from the overreaching federal government and overzealous labor unions.  This bill is consistent with Virginia’s proud history as a right-to-work state.”

For more information, I recommend the following Bloomberg podcast interviewing Bloomberg BNA Capitol Hill reporter Chris Opfer.