Unfair and Deceptive Trade Practices in Connecticut

Posted on February 14, 2010 by N. Kane Bennett

Each state generally has some type of consumer protection or trade protection law that seeks to prohibit and punish unfair conduct and deceptive acts in trade or commerce.   Most states, including Connecticut, model their laws after section 5 of the Federal Trade Commission Act.  Section 5 of the FTC Act prohibits unfair or deceptive acts and unfair competition in the marketplace. 

Connecticut's Unfair Trade Practices Act (commonly referred to as CUTPA by attorneys and judges), is codified at Connecticut General Statutes section 42-110b.  CUTPA states, in relevant part, that:

(a) No person shall engage in unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce.

(b) It is the intent of the legislature that . . . the courts of this state shall be guided by interpretations given by the Federal Trade Commission and the federal courts to Section 5 . . . .

(c) The commissioner may . . .establish by regulation acts, practices or methods which shall be deemed to be unfair or deceptive. . . Such regulations shall not be inconsistent with the rules, regulations and decisions of the federal trade commission and the federal courts . . .

(d) It is the intention of the legislature that this chapter be remedial and be so construed.

CUTPA's provisions can be far reaching for businesses and consumers.  For example, under section 42-110g, attorneys who successfully prove a CUTPA violation in Connecticut business litigation may be able to recover attorneys fees, punitive damages, and costs for their clients.  CUTPA's provisions also provide for the ability of attorneys to bring class action lawsuits in Connecticut for unfair or deceptive acts. Additionally, courts can order injunctive relief or other equitable remedies for CUTPA violations.

CUTPA's provisions may be enforced by the various State's Attorneys and the Attorney General, such as the AG's recent lawsuit against Net Health over its loss or exposure of personal identifiers (date of birth, social security number) of Connecticut residents.  Private citizens and businesses may also bring actions for unfair competition or deceptive acts under CUTPA, including class action lawsuits such as the recent case against AT&T over Internet access.

To establish a violation of CUTPA, attorneys in Connecticut have to prove that their clients suffered "any ascertainable loss of money or property, real or personal, as a result of the use or employment of a method, act or practice prohibited by section 42-110g. . ." Generally speaking, this requirement means Connecticut attorneys have to show that their clients sustained damages as a result of an unfair or deceptive act in trade or commerce. 

To determine what constitutes an unfair or deceptive act, Connecticut courts specifically refer back to the Federal Trade Commission and what is commonly referred to as the "cigarette rule."  The cigarette rule defines what type of conduct may qualify as unfair and deceptive justifying an award of compensatory or punitive damages.   This rule dates back to 1964 and comes from legislative policy making by the Federal Trade Commission concerning requirements for warning labels on cigarette packages. 

 The three prongs of the cigarette rule are as follows:

  1. whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise-in other words, it is within at least the penumbra of some common law, statutory, or other established concept of unfairness;
  2. whether it is immoral, unethical, oppressive, or unscrupulous;
  3. whether it causes substantial injury to consumers, [competitors or other business persons]. . . .

All three criteria do not need to be satisfied to support a finding of unfairness. A practice may be unfair because of the degree to which it meets one of the criteria or because to a lesser extent it meets all three.


It is important to note that not every act or conduct that might seem to fit the criteria will be a violation of CUTPA. For example, generally speaking, mere negligent acts or simple breaches of a contract do not constitute unfair or deceptive acts under CUTPA. It is also important to note that some conduct automatically violates CUTPA or is considered a per se violation, such as failure to follow the Home Improvement Act or to register a trade name.


There are many nuances to CUTPA and the above is only a brief summary. Any business or consumer trying to determine whether they were damaged by conduct constituting a violation of CUTPA should contact a business litigation attorney or the Attorney General's office.

 

Tags: , , , , , , ,

Health Net's Data Loss In Connecticut Was Theft

Posted on December 9, 2009 by N. Kane Bennett

Attorney General Richard Blumenthal issued a scathing press release related to Health Net's recent data loss and security breach.  Blumenthal called Health Net's story on it "sanitized" and its six month delay in reporting "unconscionable."  Blumenthal called for a federal investigation and intensified state efforts because of the sensitive financial and health information at risk for exposure.

Health Net is based in Shelton, Connecticut and is one of the largest health plans in the Northeast serving approximately 580,000 members.  A report by Lucas Mearian of Computerworld stated that the information stolen was a portable hard drive that had not been encrypted.  Proper encryption could have prevented access of the information.

Connecticut consumers have been affected by the data loss and more than a million people had social security numbers and financial and medical information exposed. Consumers in Arizona, New Jersey, and New York also had sensitive information exposed.  Thus far, there has been no report of identity theft or misuse of the information.

 

Tags: , , , , , , , ,

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Posted on July 21, 2009 by N. Kane Bennett

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common.  Obtaining insurance to cover losses from data loss can potentially save your business.  Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases.  Take for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania.  The lead theory of recovery in the complaint against Aetna is negligence.   

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

Technology 404 by Darwin.

CyberChoice by The Hartford

 CyberSecurity by Chubb

ACE DigitTech

OneBeacon @vantage

 

Tags: , , , , , , , , , ,

Technology Tips For Connecticut Businesses To Avoid Litigation

Posted on July 9, 2009 by N. Kane Bennett

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's todays tip for Connecticut businesses to avoid financial loss as a result of datal loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal indentifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws.  For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP.  For an example of a new privacy law in Connecticut, consider the"Act Concerning the Confidentiality of Social Security Numbers."  Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public realtions, and signficant down time.  Consider the recent case of TJX reported on by Sheri Qaulters for the National Law Journal.  Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards.   TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business.  How can a business mimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business.   There is no one size fits all policy and solution and every business will have different needs.  If you already have a policy, you should have it reviewed regularly for changes in the law.  If you do not have a policy in place, you need to start somewhere.  For "do it yourselfers" there is the Federal Trade Commision's Guide for Business and Protecting Personal Information.  The FTC's guide is a 5 step plan from identifying your risk exposure to implementing procedures. 

 In addition  to implementing policies, any business with a significant risk exposure for data loss (i.e. medical practice, retailers, e commerce) should consider purchasing a cyber liability insurance policy.  These policies are now more afforadable and many insurers such as The Hartford are now actively underwriting polices to cover first and third party data loss claims and providing ongoing resources and information.  

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit. 

Tags: , , , , , , , , , ,