How New York Authorities Are Regulating the Internet

The image of the Internet as an unregulated Wild West, untouched by government action, is one that some find attractive. But it is not accurate, as illustrated by a number of important actions taken in recent weeks by the New York State Attorney General’s office, including one it took in conjunction with representatives of dozens of other states.

As discussed below, these steps have significant practical ramifications for companies and individuals in New York that use the Internet (and who doesn’t?) as well as the businesses that provide Internet services to all of us.

Social Media Fraud

In late January, New York State Attorney General Letitia James announced a settlement with Devumi LLC and related companies owned by German Calas Jr. (collectively, Devumi) over the sale of fake followers, “likes,” views, and other forms of online endorsement and social media activity.

According to the Attorney General’s office, Devumi sold the fakes to users of social media platforms from computer-operated accounts (“bot accounts”) and from accounts created when people pretended to be other people (“sock-puppet accounts”). The AG’s office asserted that these accounts, found on social media platforms including Twitter, YouTube, LinkedIn, SoundCloud, and Pinterest, pretended to express genuine opinions of real people when they actually reflected false, paid-for activity aimed at deceiving online audiences and the public. The AG’s office said that some activity Devumi sold came from fake accounts that copied real people’s social media pictures and profiles without the knowledge or consent of the individuals whose identities had been copied.

The AG’s office determined that Devumi also sold endorsements from social media influencers without disclosing that the influencers had been paid for their recommendations.

The AG’s office asserted that these business practices deceived and attempted to affect the decision-making of social media audiences, including other platform users’ decisions about what content merited their own attention, consumers’ decisions about what to buy, advertisers’ decisions about whom to sponsor, and the decisions by policymakers, voters, and journalists about which people and policies had public support. Devumi’s practices, the AG’s office contended, also deceived some of the company’s own customers who mistakenly believed they were paying for authentic endorsements (although other Devumi customers apparently knew they were buying fake activity and endorsements) and deceived social media platforms with policies prohibiting fake activity.

The settlement prohibits Devumi from engaging in any of the same misconduct going forward—not a very powerful result given that Devumi is no longer in business. However, the settlement appears to be truly groundbreaking, as Attorney General James characterized it, as it seems to be the first finding by a law enforcement agency in the United States that selling fake social media engagement is illegal deception and that fake activity using stolen identities is illegal impersonation. As Attorney General James said in a statement, the settlement with Devumi sends a “clear message that anyone profiting off of deception and impersonation is breaking the law and will be held accountable.”

Internet Speed

In December, the AG’s office, under then-Attorney General Barbara D. Underwood, announced two notable settlements relating to Internet speeds.

First, the AG’s office announced a $174.2 million settlement with Charter Communications, Inc., and Spectrum Management Holding Company (together, Charter) of a consumer fraud action previously filed by the AG’s office that alleged that the state’s largest ISP, which operated initially as Time Warner Cable and later under Charter’s Spectrum brand name, denied customers the reliable and fast Internet service it had promised.

The complaint filed by the AG’s office asserted, among other things, that Charter leased deficient modems and wireless routers to subscribers that did not deliver the Internet speeds subscribers had paid for, failed to maintain enough network capacity to reliably deliver promised download speeds to subscribers, and represented Internet speeds as equally available, whether connecting over a wired or WiFi connection, even though, in real-world use, Internet speeds routinely are slower via WiFi connection.

The settlement included direct restitution of $62.5 million for over 700,000 active subscribers (in an amount between $75 and $150 per subscriber) as well as streaming services and premium channels, with a reported retail value of over $100 million, at no charge for approximately 2.2 million active subscribers. The AG’s office said that it believed that the $62.5 million in direct refunds to consumers represented the largest payout to consumers by an Internet service provider (ISP) in the United States.

The settlement also contained the following terms:

• Affirmative advertising obligations: Charter must describe Internet speeds as “wired,” disclose that wireless speeds may vary, and disclose the factors that might lead actual experience to vary, including based on the number of users and device limitations. This applies to all advertising and marketing of speeds, including television and other commercials, website and website communications, print ads, bill inserts, and emails.
• Substantiating Internet speeds: Charter must substantiate Internet speeds using an industry-accepted testing methodology, and discontinue any speed plan that cannot be substantiated.
• Advertising prohibitions: Charter may not make unsubstantiated claims about the speed required for particular Internet activities such as streaming, the reliability of the Internet service (such as no buffering or no slowdowns), or the availability of the promised speed over WiFi. Charter also may not describe Internet speeds as “consistent” without fully satisfying the Federal Communications Commission’s consistent speed metric and must make commercially reasonable efforts to deliver access to all online content and services featured in its advertisements.
• Equipment reforms: Charter must provide subscribers with equipment capable of delivering the advertised speed under typical network conditions when they commence service, promptly offer to ship or install free replacements to all subscribers with inadequate equipment via at least three different contact methods, and implement rules to prevent subscribers from initiating or upgrading service without proper equipment for the chosen speed tiers.
• Sales and customer service training: Charter must train customer service representatives and other employees to inform subscribers about the factors that affect Internet speeds. Charter also must maintain a video on its website to educate subscribers about various factors limiting Internet speeds over WiFi.

Only days after announcing the agreement with Charter, the AG’s office announced settlements with four major ISPs (Altice, Frontier, RCN, and Verizon) that effectively established industry-wide standards for marketing Internet speeds consistent with those in the Charter settlement.

In summary, the agreements require the ISPs to market Internet speeds as “wired,” to substantiate their speed claims with regular speed testing, and to warn consumers that “wireless speeds may vary.” The ISPs also must spell out the relative benefits of speeds and services accurately, ensure that there is sufficient network capacity to deliver advertised content from third party providers, such as Netflix, and undertake other reforms that, the AG’s office said, were designed to improve Internet service and make marketing clearer and more accurate.

The agreements also included direct financial commitments by the ISPs to improve network infrastructure and compensate for the harm the AG’s office found to certain consumers. For example, Frontier must spend no less than an additional $25 million to upgrade its network infrastructure upstate to relieve congestion and improve service.

Data Breaches

Last, but certainly not least, it is important to highlight the data breach settlement reached recently by 43 states, including New York, and the District of Columbia with the Neiman Marcus Group LLC over the 2013 breach of customer payment card data at 77 Neiman Marcus retail stores in the United States. With the flow of data breaches that seem to occur on a regular basis, this settlement is unlikely to be the last data breach settlement that New York reaches this year.

The underlying facts are by now all too familiar: In January 2014, Neiman Marcus disclosed that payment card data collected at its retail stores had been compromised by an unknown third party. The states’ investigation determined that approximately 370,000 payment cards—roughly 27,600 of which were associated with New York consumers—were compromised in the breach, which took place over the course of several months in 2013. At least 9,200 of the payment cards compromised in the breach were used fraudulently.

In addition to a $1.5 million monetary settlement to the settling jurisdictions (New York’s share: $58,611.60), Neiman Marcus agreed to a number of provisions aimed at preventing similar breaches in the future, including:

• Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
• Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
• Maintaining working agreements with two separate and qualified payment card industry forensic investigators;
• Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software reaching its end-of-life or end-of-support date;
• Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
• Devaluing payment card information using technologies such as encryption and tokenization to obfuscate payment card data.

Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take as a result of the third-party report.

Conclusion

With more and more reasons for us to be online for work and pleasure, the Internet and its various components will continue to play a leading role in our lives. Regulators in New York have taken notice, and their involvement in the online world will almost certainly continue to grow.

Reprinted with permission from the February 15, 2019 issue of the New York Law Journal. © ALM Media Properties, LLC.  Further duplication without permission is prohibited.  All rights reserved.