Retail Compliance Bootcamp: Avoiding The Retail Apocalypse

© Sheppard, Mullin, Richter & Hampton LLP 2015

Panelists:

Ted Max, Partner, Sheppard Mullin
Kari Rollins, Partner, Sheppard Mullin
Sean Kirby, Special Counsel, Sheppard Mullin

The Retail Industry Has Generated A Number of High Profile Bankruptcies in 2017

It was the best of times, it was the worst of times

▪ After a down 2016, the global luxury market is forecast to grow by 5% in 2017 to an estimated $1.4 trillion;
▪ Gen Y provided 30% of all spending and Gen Z generated 85% of luxury growth in the last year;
▪ Keys to success are engaging content for digital platforms like Instagram and Snapchat; pairing pop stars and influencers is essential to marketing; and tourism-driven fashion purchasing (China recovery and weaker British pound);
▪ Online sales of personal luxury goods will make up 25% of the market by 2025.

It was the best of times, it was the worst of times

We are experiencing a retail apocalypse and proactive compliance can be the difference between success and failure. You are general counsel of ACC Corp., a fictitious company. You are a critical behind-the-scenes player in ACC’s decision-making, strategy and legal analysis. This is an ordinary day until the telephone rings.

Problem 1: The Head of IT Calls

Isabella Teck reports:

▪ Yesterday 12/13, Christopher Crash, the CEO of your website service provider, ACME, called and said the website had been hacked. That they were doing a full investigation and that he would call me as soon as he had more information. He assured me that the site is secure as of 12/13 and all user credentials have been updated.
▪ I had a follow up call w/Christopher today and he had his lawyer on the phone, which I did not expect. They limited the conversation to notifying us that the investigation has been passed to their insurance company, which would do a forensic investigation as a part of their cyber-liability insurance. They said that whoever gained access did so through one of our IT service person's username/password, Daemon Niceguy. They said that they have a highly suspicious IP address (not confirmed to be the source, but highly likely) that is from Kazakhstan. They said the investigation would take a few weeks to identify exactly what information was obtained and confirm the IP address.
▪ I removed Daemon from the email chain because on the call, Chris identified Daemon’s username as the source of the access. Although I know that Daemon did not do this, I did not want to discuss further without speaking to you first.
▪ What do you do? Who do you call?

Problem 2: You Receive A Class Action Complaint

The complaint from the Law Offices of C.K. Lee alleges that ACC’s website is not accessible to the plaintiff, who is blind, because:

• The website requires use of a mouse and does not permit blind persons seeking to access the site to determine what is on the site, browse the site, investigate the menu or make any purchases;
• ACC has failed to adhere to the Web Content Accessibility Guidelines;
• ACC has engaged in acts of intentional discrimination by constructing and maintaining a website that is inaccessible to blind persons;
• ACC has failed to take actions to correct the access barriers in the face of substantial harm and discrimination to blind class members;
• The Complaint asserts a class action asserting causes of action for: (1) Violation of Title III of the Americans with Disabilities Act (“ADA”); (2) Violation of New York State Human Rights Law, New York Exec. Law, Article 15 (Executive Law § 292 et seq.); (3) Violation of New York State Civil Rights Law, NY CLS Civ. R. Article 4 (CLS Civ R § 40 et seq.); and (4) Violation of New York City Human Rights Law, NYC Admin. Code § 8-102, et seq.

What do you do? Who do you call?

Problem 3: Your Head of Marketing Pops His Head In

▪ Donald Draper, ACC’s new head of marketing, is a force of nature and has a plan to jump start sales. He is sure these are all alright -- “everybody does this” -- but just wants to be sure:
▪ ACC is going to partner with stylists to get ACC’s designs in the press -- we will give them free product for their clients on the condition that they ensure that the clients wear ACC’s designs;
▪ ACC is going to partner with influencers and celebrities to get ACC’s designs all over social media -- we will give them free designs on the condition that they wear ACC’s designs and take selfies wearing the ACC designs;
▪ ACC is going to plan meet and greets with beauty designers and influencers to celebrate their contribution to the industry, sip champagne, and give them swag bags and free sets of the new ACC beauty products so they can prepare videos for YouTube, Vimeo and social media showing consumers how to use the ACC cosmetic collections;
▪ ACC is going to do this worldwide as we are a global company – so can we do this globally?
▪ What do you do? Who do you call?

Addressing The Three Problems: What Are the Perspectives?

▪ Designer or Artistic Director;
▪ CFO;
▪ Chief Technology Officer or IT Director;
▪ Marketing Director; and
▪ General Counsel or Chief Legal Officer.

Problem 1: What Do You Do?

▪ Your attorney is meeting with your team;
▪ What questions do you have for legal counsel?
▪ Immediate Steps:
  • Review the ACME contract;
  • Get the facts about the ACME breach;
  • What forensics have been done to date?
  • Where is the fault? Who is responsible?
  • What about insurance: ACC? Or ACME?
  • What are the reporting obligations?
  • What can I do to ensure this does not happen again?
  • What is this going to cost ACC? Can’t we just pay to make this go away?

Problem 2: What Do You Do?

▪ Your attorney is meeting with your team;
▪ What questions do you have for legal counsel?
▪ Immediate Steps:
  • What are the claims? What does this mean?
  • Can you explain what the legal obligations are under the ADA and New York law?
  • What about an audit?
  • What are the next steps?
  • What rights does ACC have? What is the best strategy?
  • What is this going to cost ACC? Can't I just pay to make this go away?

Problem 3: What Do You Do?

▪ Your attorney is meeting with your team;
▪ What questions do you have for legal counsel?
▪ Doesn’t everybody do this? What is the big deal?
  • What about gifting celebrities through stylists? It’s always been going on; ACC can use the photos in return;
  • What about giving designs for selfies? What do we need to do?
  • What about giving beauty products to designers and influencers for videos? Is that alright? It has been going on forever.
  • What is this going to cost ACC? Can’t I just pay to make this go away?

© Sheppard, Mullin, Richter & Hampton LLP 2017

Incident Response Preparedness

Kari Rollins
Sheppard Mullin Richter & Hampton LLP

Breach Simulation Exercise

Isabella Teck reports:

▪ Yesterday 12/13, Christopher Crash, the CEO of your website service provider, ACME, called and said the website had been hacked. Acme is doing a full investigation and said he would call Ms. Teck as soon as he had more information. Acme assured Ms. Teck that the site is secure as of 12/13 and all user credentials have been updated.
▪ Ms. Teck had a follow up call w/Christopher today and he had his lawyer on the phone, which she did not expect. They limited the conversation to notifying Ms. Teck that the investigation has been passed to their insurance company, which would do a forensic investigation as a part of their cyber-liability insurance. They said that whoever gained access did so by using ACC’s IT administrator’s username & password, Daemon Niceguy. They said that they found a highly suspicious IP address that is from Kazakhstan (not confirmed to be the source, but highly likely). They said the investigation would take a few weeks to identify exactly what information was obtained and confirm the IP address.
▪ I removed Daemon from the email chain because on the call, Chris identified Daemon’s username & password as the source of the access. Although I know that Daemon did not do this, I did not want to discuss further without speaking to you first.

Breach Simulation Exercise (cont.)

How will you work with Acme to understand the details of the incident and assess ACC’s legal obligations?

▪ Do you treat this data incident differently than any other data incident simply because the intrusion occurred at your vendor-managed website?
▪ What does your contract with Acme say about data incidents like this?
▪ What about insurance? Whose insurance will cover?
▪ Who will investigate? What investigative steps will we take?
▪ Who will lead the investigation?
▪ Who is the primary contact for the vendor?
▪ Who is on the investigation team?
▪ What information do we want Acme to tell us?
▪ Who is obligated to notify impacted customers? Who will, as a practical matter, actually notify impacted customers?
▪ What if the press learns of the incident? How will you respond?

Have a Plan!

▪ Secure the data
▪ Convene the team; decide whether external support is needed
▪ Analyze and assess the data; interview witnesses
▪ Decide whether to involve law enforcement
▪ Create a communications strategy

Is Your Vendor Contract In Good Shape?

Contract Provisions

▪ Security
▪ Compliance with laws, PCI
▪ Use limitations
▪ Limit transfers
▪ Limit third party access
▪ Audit
▪ Notice
▪ Indemnity
▪ Insurance
▪ Liability Limitation

An Additional Firewall: Insurance & Indemnification

Contract Provisions With Vendors

The contract:

▪ Maintain insurance levels;
▪ Add you as additional insured;
▪ Indemnify you if a breach;
▪ Their insurance should be primary;
▪ They should give you insurance certificate.

The Response Team

▪ Legal counsel
  • Internal
  • Outside
▪ Compliance (if it exists!)
  • Security
  • Privacy Office
▪ Appropriate business team
  • Whose data was it?
▪ IT
  • Internal
  • External support
▪ Executive decision maker(s)

Privilege Is Still Important!

▪ As you investigate, facts may become more damning
▪ Could be other sensitive information at risk
  ▪ Proposed business plans
  ▪ Trade secrets
  ▪ And more
▪ Retained faster/investigation quicker
▪ Hire experts (including investigators) under privilege and separately
  • Keep under the “direction of counsel”
  • Separate engagement letter/SOW

Has Law Enforcement Been Contacted? Should It Be Contacted?

Investigate the Facts that Trigger Notice

“Breach”:
▪ Unauthorized access and/or acquisition
▪ Compromise security
▪ Likelihood of harm
▪ Exceptions

What Information Was Involved?

▪ Name
▪ Financial information
▪ SSN
▪ Passwords that permit access to financial account
▪ Username and passwords
▪ Other (some state specific)

Who Needs to Be Notified? Who Will Do The Notifying?

▪ Impacted individuals
▪ Government Authorities
▪ Credit reporting agencies
▪ Other Contractual Partners
▪ Press

What Does Notice Look Like?

▪ Describe incident
▪ Categories of information
▪ Consequences of breach/nature of risk
  • Steps to investigate, mitigate harm
▪ Protection measures put in place
  • Contact information for law enforcement
  • Where to get more information
▪ Advice about how to protect self

Be Ready to Answer Typical Questions

• What happened?
• When did it happen?
• What information was compromised?
• Was my information compromised?
• How many people’s information was impacted?
• Was the information encrypted?
• Was my social security number compromised?
• Did anyone misuse this information?
• What should I do?
• What are you doing to protect me?
• Why aren’t you taking other measures to help?
• What are you doing to protect others?
• Will this happen again?
• Who should I contact if I have more questions?

Is the Company Ready for What's Next?

• Victims of breach are litigation targets
• US leads charge in being litigious
  • FTC
  • State AGs
  • SEC
  • Shareholders
  • Customers
• Other jurisdictions equally concerned

Judge, Jury and Prosecutor: Public Servant Role

▪ Advocacy before the government not like litigation
  • Look underneath the ask for the implied obligations
  • Call and talk to them! What do they really want and need; cooperate
  • Create your closing argument first
  • Comprehensive plan for analyzing documents (no data dump!)
  • Tell the story early

Preparing for the Future: Building the Narrative In Advance of the Breach

• Robust written security policy and practices
• Experienced IT/security teams
• Myriad security controls and systems in place
  • Do security controls/systems meet or exceed regulatory requirements and industry standards?
  • Internal and External security controls/systems
• Monitoring compliance
  • Security audits (internal vs. external)
  • Employee compliance
  • Vendor compliance
• Response plan in place to address:
  • Remediation
  • Containment
  • Preservation

Best Practice Recommendations

▪ Analyze practices
▪ Understand vendors
▪ Budget appropriately for exposure
▪ Review existing contracts
▪ Get appropriate insurance
▪ Investigate with privilege
▪ Balance containment and notice investigation
▪ Anticipate worse before giving notice

© Sheppard, Mullin, Richter & Hampton LLP 2017

ADA Claims: Compliance Challenges and Uncertainties -- How to Avoid Risks

Sean Kirby
Sheppard Mullin Richter & Hampton LLP

What Are These Claims?

▪ In New York, Plaintiff’s lawyers bring three types of claims for website inaccessibility:
  – Violation of the Americans With Disabilities Act (“ADA”).
    • Federal law requiring public accommodations to be accessible to disabled individuals.
    • Damages: (i) injunctive relief; and (ii) attorneys’ fees.
  – Violation of the New York State Human Rights Law (“NYSHRL”).
    • State law prohibiting discrimination on account of disability.
    • Damages: (i) injunctive relief; and (ii) compensatory damages (i.e., emotional distress).
  – Violation of the New York City Human Rights Law (“NYCHRL”).
    • City law prohibiting discrimination on account of disability.
    • Damages: (i) injunctive relief; (ii) compensatory damages (i.e., emotional distress); (iii) punitive damages; and (iv) attorneys’ fees.

Legal Obligations Under the ADA, NYSHRL and NYCHRL

▪ ADA Legal Obligations
  – Website must provide effective communication to disabled individuals.
  – What “effective communication” means is a key issue in these website litigations because the DOJ has not provided guidance.
▪ NYSHRL and NYCHRL
  – Do not have separate requirements from the ADA and no regulations have been enacted.

How Do I Make My Website ADA Compliant?

▪ Currently, you can’t! Not like facilities cases
  – No regulations - DOJ has punted (again)
  – We don’t know what content has to be “accessible” or what “accessible” even means
  – Functional standard
    • Are the goods and services you provide accessible to the blind using a screen reader and deaf using speakers?
  – Functional test
    • But how do you litigate with only a functional test?
    • Battle of the experts

What does a website have to do to function with a screen reader?

▪ 2 Main issues: Navigation and Alt Text labels for images
  – Navigation: Blind individuals using your site - Does navigating the site require a mouse?
  – Alt Text: Describe what is being sold - “$20 gift certificate” not “JPG#3”

What about the WCAG?

▪ Web Content Accessibility Guidelines (WCAG)
  – Guidance never intended as law
  – Versions: 1.0 / 2.0 A, AA, AAA
▪ We don’t know what is compliant with the WCAG
▪ Guidance frequently changes and has not been adopted by the DOJ.

Risk Management: Software Audit of a Website

▪ We can’t litigate these cases by asking judges to load a screen reader and test the functionality of a website by themselves.
▪ We need something that can be included in a motion to show that a site is compliant.
▪ We do what plaintiffs do when they are looking for websites to commence litigation against – a software audit to show that the site is clean.
▪ There are several that check websites for accessibility:
  – WAVE (webAIM) - built to sell consulting services so biased but commonly used by plaintiff’s counsel
  – Google Chrome audit (not based on WCAG)
  – Tenon.io, Achecker, etc.

What does a software audit look like?
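The slides answer this question with screenshots of audit-tool output that are not reproduced here. The JavaScript below is an added example, not code from the presentation and not the code of WAVE, Tenon.io, AChecker or the Chrome audit; it shows in miniature what such a tool does for the two screen-reader issues the earlier slide singles out (alt text that describes nothing, and navigation that only works with a mouse). It scans raw HTML text, so it runs under Node without a browser. The rule names, the placeholder-alt heuristic, the function names (`auditHtml`, `summarize`) and the product page it scans are all constructed for this example; a real audit applies many more WCAG checks than these.

```javascript
// Added example (not from the presentation or any audit tool): a minimal
// static scan for missing/meaningless alt text and mouse-only controls.

// Heuristic, chosen for this example: alt text that is just a file-name-ish
// label ("JPG#3", "DSC_0001.jpg") tells a screen-reader user nothing.
const PLACEHOLDER_ALT = /^(img|image|jpg|jpeg|png|gif|dsc|photo|pic)[\s_#-]*\d*(\.(jpe?g|png|gif))?$/i;

// Elements the browser makes keyboard-focusable without extra attributes.
const NATIVE_FOCUSABLE = new Set(["a", "button", "input", "select", "textarea", "summary"]);

// Parse one tag's attribute string (e.g. ` src="x.jpg" alt="Bag"`) into an
// object. Names are lower-cased; a bare attribute such as `disabled` maps to "".
function parseAttrs(body) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Scan an HTML string and return a list of { rule, where } findings.
// Rule names are this example's own, not any tool's:
//   img-missing-alt       <img> with no alt attribute at all
//   img-empty-alt         alt="" (only acceptable for purely decorative images)
//   img-placeholder-alt   alt text that is a file name or "JPG#3"-style label
//   mouse-only-control    onclick on a non-focusable element with no tabindex
//   anchor-not-focusable  <a> without href (not reachable by Tab key)
function auditHtml(html) {
  const findings = [];
  // Opening tags only; closing tags and comments never start with a letter.
  // Simplification: a ">" inside a quoted attribute value is not handled.
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^>]*?)?)\/?>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const where = m[0];

    if (tag === "img") {
      const alt = (attrs.alt ?? "").trim();
      const fileName = (attrs.src ?? "").split("/").pop().toLowerCase();
      if (!("alt" in attrs)) findings.push({ rule: "img-missing-alt", where });
      else if (alt === "") findings.push({ rule: "img-empty-alt", where });
      else if (PLACEHOLDER_ALT.test(alt) || alt.toLowerCase() === fileName) {
        findings.push({ rule: "img-placeholder-alt", where });
      }
    }

    const hasMouseHandler = "onclick" in attrs || "onmousedown" in attrs;
    if (hasMouseHandler && !NATIVE_FOCUSABLE.has(tag) && !("tabindex" in attrs)) {
      findings.push({ rule: "mouse-only-control", where });
    }
    if (tag === "a" && !("href" in attrs) && !("tabindex" in attrs)) {
      findings.push({ rule: "anchor-not-focusable", where });
    }
  }
  return findings;
}

// Count findings per rule: the shape a summary exhibit would take.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] ?? 0) + 1;
  return counts;
}

// Constructed sample page with the problems the slides describe.
const SAMPLE_PAGE = `
<nav>
  <div onclick="openMenu()">Menu</div>
  <a href="/bags">Bags</a>
  <a onclick="goTo('/sale')">Sale</a>
</nav>
<main>
  <img src="/img/3.jpg" alt="JPG#3">
  <img src="/img/gift.png" alt="$20 gift certificate">
  <img src="/img/hero.jpg">
  <img src="/img/divider.png" alt="">
  <button onclick="addToCart()">Add to cart</button>
  <span role="button" tabindex="0" onclick="saveForLater()">Save</span>
</main>`;

console.log(summarize(auditHtml(SAMPLE_PAGE)));
```

On the sample page the scan reports one finding under each rule: the `<div>` menu and the `href`-less "Sale" link cannot be reached from the keyboard, and three of the four images carry no usable description. The gift-certificate image, the `<button>` and the `<span>` that was given `tabindex="0"` pass, which is the point of the slide's "$20 gift certificate, not JPG#3" contrast.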

Next Steps / Strategy

▪ Settle Quickly:
  – Pros: Matter is over, potentially lower settlement payment
  – Cons: Likely to be sued again.
▪ Answer and Delay:
  – Pros: Buy yourself some time while the case law develops; DOJ may issue guidance.
  – Cons: Incur some legal fees; uncertainty.
▪ Move to Dismiss:
  – Pros: Aggressive stance which may cause some plaintiff’s attorneys to go away.
  – Cons: Case law has not been favorable in most jurisdictions on motions to dismiss; incur attorneys’ fees.
▪ Take Discovery and Move for Summary Judgment:
  – Pros: Buy yourself time to make modifications to the site.
  – Cons: Incur attorneys’ fees; time to get to summary judgment stage; issue of fact may still exist.

The Basic Rules

FTC’s Endorsement Guides and Revised Endorsement Guides (“Endorsement Guides”) apply to “any advertising message…that consumers are likely to believe reflects the opinions, beliefs, findings, or experience of a party other than the sponsoring advertiser.”

Basic Rules:

▪ Endorsements must reflect the truthful experience of the endorser.
▪ You can’t make claims that require proof you don’t have.
▪ Clearly disclose any material connection between the endorser and the advertiser.
▪ Social Media is no exception.

Celebrity Giveaways

Ok, what if we give celebrities our latest ACC it bag? Can we use their photo in our marketing materials and on our website?

FTC Guidelines: In September 2017, the FTC in a Q&A stated: “You should tell the participants in your network that if they endorse products they have received through your program, they should make it clear they got them for free. Advise your clients -- the advertisers -- that if they provide free samples directly to your members, they should remind them of the importance of disclosing the relationship when they talk about those products.”

Celebrity Giveaways

Ok, what if we give celebrities our latest ACC it bag and ask them to take a selfie and say how much they love the bag?

The Kardashians do it all the time!!!!

▪ Kourtney Kardashian ✔ @kourtneykardash
▪ Oh yeah! Love the ugg collection too! RT @HALESyah: I had to wear Kardashian Kollection on my 25th Birthday! ... http://m.tmi.me/iZInG
▪ 2:58 PM - 4 Dec 2011
▪ 34 Retweets, 32 likes

What Makes A “Material” Girl?

Madonna loves our products and we have nothing in writing, but she always Tweets and Snapchats about how wonderful our designs are!!! All it is are a few free bags here and there. . . . What is the big deal? What is “material” anyhow?

What about “#sp”? That works?

While “#sp” has been used by influencers, the FTC has said this is not “likely [to] infor[m] consumers that the message was sponsored by an advertiser.” #Sponsored works. What about “#ambassador”? Not sufficient. #ACC-Ambassador works. What about “#Thanks ACC”? Not sufficient. #Thanks ACC for gift of the beautiful bag.

What Makes A “Material” Girl?

What About Free Gifts?: If the social media influencer receives a one-time fee or gift, or if the social media influencer continually receives free gifts from a brand, even if the gifts are of less value individually, this would likely require a disclosure. Social media posts meet the test even if the posts are not accompanied by a review. For example, a standalone photograph can convey that the media influencer endorses the product.

What Is “Material”?

We run a retail website that includes customer reviews of the products we sell. We believe honest reviews help our customers and so we give out free products to our favorite customers for them to review. We tell them to be honest, whether it’s positive or negative. What we care about is how helpful the reviews are. Do we still need to disclose which reviews were of free products?

FTC Says: “Yes. Knowing that reviewers got the product they reviewed for free would probably affect the weight your customers give to the reviews, even if you didn’t intend for that to happen. And even assuming your reviewers are unbiased, your customers have the right to know which reviewers were given products for free. It’s also possible that the reviewers may wonder whether your company would stop sending them products if they wrote several negative reviews – despite your assurances that you only want their honest opinions – and that could affect their reviews.”

Celebrity Giveaways

▪ FTC Guidelines: In September 2017, the FTC in a Q&A stated:
▪ “What if I upload a video to YouTube that shows me reviewing several products? Should I disclose that I got them from an advertiser?
▪ Yes. The guidance for videos is the same as for websites or blogs.”
▪ Disclosure: “ACC gave me this product to try. . . .”

Katherine Heigl v. Duane Reade (2014)

Katherine Heigl sued Duane Reade for $6 million in New York federal court claiming a violation of the Lanham Act and New York Civil Rights Law for the use of her photo and name in social media promoting Duane Reade. The case was settled amicably before trial: “Ms. Heigl has voluntarily dismissed her lawsuit, and Duane Reade has made a contribution to benefit the Jason Debus Heigl Foundation.”

Do Not Assume You Have Permission!

Creating Buzz for the New Collection

What about getting our own ACC employees to get behind our new Collection? Can we get folks within ACC to “Like” the new Collection? We will circulate digital runway images and have our employees send “Likes” on the Facebook page to create buzz. This is a no brainer, right?

The Takeaway

FTC Guides: Social Media Best Practices for Employees and Vendors

▪ Have a company policy regarding employee use of Social Media. If you do not and they ;
▪ Institute robust compliance program, including specific training and guidance relating to the FTC’s Enforcement Guides;
▪ Make training available to employees, vendors and personnel at respective advertising agency;
▪ Have response and remediation program in place and take immediate action when given notice of improper or lack of proper disclosure; and
▪ Disclosure: #employee not sufficient -- #ACC_Employee or #My Company

What About Native Advertising?

What if we get a reporter to prepare an article about our new ACC denim collection? We could also have influencers wear the new denim collection and take selfies of the new jeans? We would only give them a few pairs of jeans which sell for $500 each. That cannot be a problem, can it?

Trends: Branded Entertainment

▪ Instagram is bringing more transparency to the platform around commercial relationships
  – Instagram now has a "Paid partnership with" tag on posts and stories when a commercial relationship exists between a creator and a business.
  – Instagram has always been committed to transparency on the platform. This will be a tool that provides long term benefits to Instagram’s most authentic creators. Initially, they are partnering with a small number of creators and businesses and will launch to more creators in the coming months along with an official policy.

Trends: Branded Entertainment

▪ The new Instagram tag looks like this:
▪ What’s the bottom line?: “The watchword is transparency. An advertisement or promotional message shouldn’t suggest or imply to consumers that it’s anything other than an ad.” The FTC Guides apply to any advertising message that consumers are likely to “believe reflects the opinions, beliefs, findings or experience of a party other than the sponsoring advertiser.”
▪ What do the rules require of social media influencers?: Social media influencers must disclose any material relationship between the brand and him/herself.

Executive Summary: What You Need to Know

▪ How can social media users fulfill the FTC disclosure requirements?: The FTC requires that the disclosure be clear and conspicuous:
  – For example, including the following on an Instagram or Twitter post is likely sufficient: “#contest, #sweepstakes, #advertisement, or #ad.”
  – For the disclosure, use a font and contrasting shade of type that is easy to read and that stands out. Additionally, use hashtags that are relevant. The hashtag “#sweeps”, for example, is likely not sufficiently transparent to meet the FTC disclosure requirement for sweepstakes.
▪ Which social media posts are governed by the FTC Guides?: The FTC is focused on endorsements that are made on behalf of a sponsoring advertiser in exchange for a fee or something of value (i.e., free clothing or a discount on future purchases).
▪ The Need for Disclosure: The test to determine if an individual social media post requires a disclosure is: “Whether knowing about the gift or incentive given by the brand to the social media influencer affects ‘the weight or credibility’ readers or viewers give to the recommendation?”

Executive Summary: What You Need to Know

Be Prepared

▪ The cost of being prepared is the cost of avoiding risk;
▪ Have an Employee Policy regarding social media;
▪ Have agreements in place with influencers, bloggers, advertisers and celebrities;
▪ Monitor social media usage by employees and social media influencers, bloggers and celebrities to ensure disclosures are being made; and
▪ The FTC is scrutinizing social media. Be careful!

Thank You For Attending!