Archive for December, 2008

Consumer Fraud Act- The Basics

Written by Mike Pisauro on December 22nd, 2008 in Basics, Consumer Fraud

The Consumer Fraud Act (CFA), NJSA 56:8-1 et seq.  is a very powerful law and one which business owners need to be aware of. In New Jersey, the CFA applies to persons who, in general, sell products to consumers. That is a very broad definition and it applies not only to individuals but can apply to a business as well.

Generally, a “consumer” is defined as any person or business that purchases products for their own use.  This does not include persons or businesses that purchase products to incorporate into their own products, nor does the act cover businesses that buy objects for resale.   (I will discuss further who is covered by the statute in a later post).

Specifically, the CFA prohibits:

the act, use or employment by any person of any unconscionable commercial practice, deception, fraud, false pretense, false promise, misrepresentation, or the knowing, concealment, suppression, or omission of any material fact, with intent that others rely upon such concealment, suppression or omission, in connection with a sale or advertisement of any merchandise or real estate, or with the subsequent performance of such person as aforesaid, whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice. NJSA 56:8-2.

There are three categories of CFA violations: affirmative acts, omissions and regulatory violations. For affirmative acts and violations of regulations, it does not matter whether the business made an honest mistake. For example, the Courts have found that a realtor’s statement as to which section of town the property was in was a violation of the CFA – even though the realtor honestly believed in the statement she made. In another case, an advertising agency accidentally omitted the odometer reading on vehicles in an ad and, since this is contrary to state regulations, the agency was found to be in violation of the CFA. This is one aspect of the law that makes it so powerful and so very important to be aware of.

Acts of omission, on the other hand, must include proof that the business intended to mislead the consumer. Therefore, as an example in the realtor’s case, if the realtor never told the plaintiff that the property was in a specific section of town, the plaintiff would have had to show that the realtor knew the property was not in the particular section of town requested and that the buyer based their decision to purchase the property on this incorrect information. Further, since the realtor omitted the information regarding which section of town the property was in, in order to encourage the buyer to buy, the realtor may have committed a violation of the act.

What are the penalties for violating the CFA? Upon demonstration of an ascertainable loss, the person is entitled to treble those damages. Additionally, the Court is required to award attorney fees and costs. Even if a plaintiff cannot show an ascertainable loss, if they can prove a violation of the act, the plaintiff is entitled to attorney fees and costs. The trebling of damages and the award of attorney fees and costs are not discretionary but are required under the statute. It is always possible that the damages caused by the violation of the CFA could, even if trebled, quickly be overshadowed by the award of attorney fees and costs.

In short, every retail business (and many other businesses, as well) should become familiar with the Consumer Fraud Act and any regulations governing their business.   By being familiar with these laws a business can, at least, minimize the risk of finding itself trying to avoid a claim under the Act.


Identity Theft Prevention Act regulations

Written by Mike Pisauro on December 11th, 2008 in Consumer Fraud, Identity Theft, Regulations

In July 2006 I wrote about New Jersey’s Identity Theft Prevention Act (business-newsletter-vol-1).  I also gave a presentation to the Pennington Business & Professional Association on the Act (pbpa-presentation).  At that time the Act still required that rules be proposed.  Since then the Division of Consumer Affairs, in conjunction with the Department of Banking and Insurance, proposed rules implementing the Act in April of 2007 and partially adopted those rules one year later.  Although the DCA decided not to adopt the rules setting forth the hardware and software requirements of the law, this article seeks to examine the proposed rules regarding a company’s obligations to maintain the confidentiality of a person’s private data.  Even though it was not adopted, I think what was proposed is instructive because DCA will have to re-propose standards at a later date.

One part of the proposed regulations, which was not adopted, defined personal information as any information that combines a person’s first name or initial and last name with any of the following information: social security number, driver’s license number, or account/credit card numbers. Another section of the regulations, which was adopted, defined “business” in a manner that included any and all businesses – no matter the size. The rules would have applied to a sole proprietorship all the way up to the largest corporation in the State. The adopted regulations provide that any business that maintains a client’s credit card information or social security number must have in place technology and office policies to protect the privacy of this information. With one minor and unimportant exception the regulations do not differentiate between the size of the business – this applies whether the business is a three-person operation or a 1000-person operation.

The Department did not adopt the Section 3 requirements due to the large number of negative comments.  While the department did not publish all of the comments, it did indicate the objections ranged from the cost of implementing the requirements to the ability of businesses and public entities to comply.  Other commentators from large entities noted that they already had extensive systems in place and complying with the proposed regulations would be counterproductive.

Other provisions in Section 3 that were not adopted set forth business practice requirements or policies that should be in place. While these sections were not adopted, the business practices that were suggested should be examined as they will likely find their way, in a modified form, into the re-proposal. First, only those who need access to the personal data should be allowed access to the data. Former employees’ user IDs and passwords should be deactivated immediately. This is not only required for compliance with the act and proposed regulations, but is a good business practice in and of itself. Employees should be trained on how to recognize personal information and understand how that information should be treated. Businesses with five or more employees must have a written information security policy that details the security of computerized personal information and explains each employee’s responsibilities regarding the use and maintenance of that information.

The systems in place need to be regularly reviewed because the proposed rules require daily scans.  In other words, the business needs to ensure that the antispyware and antivirus programs are actually up-to-date and running daily scans.  The proposed rules require that the firewalls keep logs of incoming and outgoing communications and ensure that those communications are authorized and not the result of a breach in security.  Documentation must be maintained detailing the business’ security protocols and audits.

As I noted in the last article, in the unfortunate event of a breach, the particulars of the breach must be reported to the Division of State Police of the Department of Law and Public Safety. The proposed, but not adopted, regulations require that this report be made within six hours of discovery of the breach. Despite the amount of press identity theft receives, it continues to occur on sometimes scary scales. These thefts are the result not only of direct malicious attacks, but also of negligence on the part of employees and contractors or just bad luck. There have been several instances when an employee has taken home a business laptop only to have that laptop stolen when the employee stopped along the way to pick something up. For this reason, laptops should be encrypted – and it may also be a good practice to use a cable lock to secure the laptop within your car if you plan on making stops on the way home. While it may be a pain to secure your laptop, that “pain” is negligible when compared to the headaches of having to report the theft and explain to your customers, employees and others why their identities may be at risk.

Subsection 3.5 of the proposed regulations detailed how personal information should be destroyed. The proposed regulations provide that the records, whether paper or electronic, must be destroyed in such a way (such as shredding, erasing or otherwise modifying the information) so that it is “unreadable, undecipherable or nonreconstructable.” The business must keep track of how and when the records were destroyed, and these records must be maintained for a period of five years. Keep in mind that hitting the delete key on your computer is not the same as placing a piece of paper through a shredder. “Deleting” a file on a hard drive really does not delete the record. In fact, the deleted record can be recovered fairly easily. There are programs available at little or no cost, however, which will ensure that the record should be unrecoverable. This is important to remember when you need to have hard drives replaced or when you are donating or discarding old computers. This will probably be something to consider when the DCA issues a new proposal.

As if all of the possible repercussions of violating the act are not significant enough, Section Five of the regulations, which was adopted, sets forth the penalties for violating the act or its regulations. Failure to comply with the time lines for reporting a breach, failure to maintain the required records, or failure to maintain the required computer security systems is deemed to be a willful, knowing or reckless violation of the act. It will also result in liability under the Consumer Fraud Act. A violation of the Consumer Fraud Act will result in triple damages, possible punitive damages and attorney fees. That can be a very hefty price to pay for not maintaining proper records and security procedures.

Taking a proactive approach to maintaining personal information has the potential to save you thousands of dollars and lots of headaches in the future. If you have any questions regarding how to comply with the law, contact your attorney and your technology consultant and ask them to walk you through the policy and hardware/software you need to ensure a headache-free future.


Home Improvement Contractors bill

Written by Mike Pisauro on December 8th, 2008 in Home Improvement

Today in the Assembly Regulated Professions committee A2532 will be considered. The bill would alter the normal course for cases brought in the special civil part against home improvement contractors. Cases brought in the special civil part are cases with values of $15,000 or less, and the special civil part provides for a quicker time between filing and trial. Under the Rules of Court, cases in special civil part must be filed in the county where at least one defendant lives or works. This bill changes that rule.

Under the bill the homeowner could bring the case where the homeowner lives and not where the contractor is located.  This makes life somewhat easier for the customer but could make it somewhat harder for the contractor.

Assuming the bill eventually becomes law, a contractor can alter the application of the law with the contractor’s contract. The contract could provide that all cases against the contractor must be brought in the contractor’s county and not that of the homeowner. The contract could also provide that the homeowner could not file in court but must seek arbitration.

Update 12-9-08: The bill “passed” out of the Housing and Regulated Committee and was sent to the Assembly Judiciary Committee. Once it is out of the committees the full assembly can vote on the bill. A similar process has to occur on the senate side.


NJ Business Wise begins

Written by Mike Pisauro on December 8th, 2008 in Uncategorized

NJ Business Wise will look at laws, legislation, cases or practice topics that directly affect your business.  This blog replaces Frascella & Pisauro’s business news newsletter.  I am going to leave the blog open to comments and see how that proceeds.

If you would like a topic discussed please email me at: mike@fplegal.com. As a word of caution, do not send any information which may be confidential. Nothing written in this blog or received in an email or as comments should be construed to create an attorney-client relationship.