FTC Business Blog

Enforcing the Opioid Addiction Recovery Fraud Prevention Act: The FTC’s settlement with Evoke Wellness and what it means for businesses kkrown June 11, 2025 | 10:01AM Enforcing the Opioid Addiction Recovery Fraud Prevention Act: The FTC’s settlement with Evoke Wellness and what it means for businesses The FTC is cracking down on companies attempting to deceive people seeking treatment for addiction. An example of this effort is the FTC’s recently filed settlement to resolve allegations that Evoke Wellness (“Evoke”) and two of its executives used illegal tactics to trick people seeking substance use disorder (“SUD”) treatment services.According to the FTC’s complaint, Evoke ran a two-phased scheme involving false advertisements and deceptive telemarketing. First, Evoke placed Google search ads that included the phone numbers for Evoke’s treatment facilities and call center. The problem? According to the FTC, the search ads effectively impersonated other treatment clinics people search for online.The FTC charges that, when people clicked on the phone number in an ad, Evoke’s telemarketers were standing by to carry on the deception — leading callers to believe they had reached the specific facilities they had searched for. Then, the telemarketers would redirect them to Evoke treatment centers instead.The FTC claims Evoke’s practices violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), which gives the FTC extra tools to address unfair or deceptive acts or practices related to any SUD treatment service or product.Businesses involved in the marketing or sale of services or treatments to address opioid or other addiction should consider the following:Check your online profile. Take this opportunity to run a Google search for your business’s name to make sure nobody’s impersonating your business or sending people searching for it to a different site. If someone’s using your business’s name without permission, we want to hear about it. Report it at ReportFraud.ftc.gov.The FTC will use all tools at its disposal to fight deceptive claims for addiction treatment products or services. OARFPA gives the FTC the ability to seek civil penalties, refunds for consumers, and other enhanced remedies from people or businesses that use unfair or deceptive acts or practices to market or sell SUD treatment services or products. The FTC is committed to addressing the opioid crisis and will use all available means to aggressively pursue unscrupulous marketers targeting people seeking treatment.Tell the truth in your ads. Whatever your product or service, use truthful, non-misleading ads to attract customers. In this case, the FTC claimed Evoke drove traffic to their telemarketers by planting misleading ads designed to draw in customers searching for other businesses. Compete honestly. Misleading ads hurt consumers and competitors, and the FTC will continue to pursue businesses that break the law.

Three ways your business can mark Identity Theft Awareness Week lfair January 29, 2024 | 10:39AM Three ways your business can mark Identity Theft Awareness Week By Lesley Fair January 29th kicks off 2024’s Identity Theft Awareness Week, but consumer-conscious companies promote identity theft awareness – and prevention – 52 weeks a year. As the FTC, federal and state agencies, consumer groups, and others sponsor events across the country and online, here are three things your business can do to promote identity theft awareness to customers, employees, and members of your community. Implement sound data security practices. Discussions of information security sometimes focus on arcane technological issues, but let’s not lose sight of what’s in it for many data crooks: getting their hands on the personal data necessary to commit identity theft. The FTC has brought close to 150 cases challenging companies’ lax data security. The lawsuits recount the lapses that caused the breaches in the first place – poor password policies, negligent network monitoring, slipshod supervision of contractors, and insufficient employee training, to name just a few examples. But the court papers may not tell the whole story about the devastating consequences those corporate deficiencies inflict on consumers. People injured by identity theft often must devote months – or years – trying to restore their reputations and clean up the mess made of their personal finances. A simple way your business can be part of the solution is not to be part of the problem. Don’t collect personal information if you don’t have a genuine business need, safely store what you must maintain, and dispose of it securely when that business need passes. The FTC has guidance for companies – including cybersecurity resources for small businesses – to help you safeguard consumer data. Lend a hand to people who have experienced identity theft. Assisting people who are trying to recover from identity theft isn’t just good customer relations. It’s the law. If a consumer spots charges on their account they didn’t make and it appears that an unauthorized transaction occurred at your company, Section 609(e) of the Fair Credit Reporting Act requires you to provide them with relevant records. The law allows you to get proof of their identity (like a driver’s license), but it’s illegal to re-victimize them by making them jump through hoops to get the documentation they need. According to an FTC law enforcement action, a national retail chain didn’t honor that FCRA provision and paid a $220,000 civil penalty. Read Businesses Must Provide Victims and Law Enforcement with Transaction Records Relating to Identity Theft for more about legal compliance. And here’s a suggestion we’re passing along from a national retailer. When people come to their Customer Service Counters to retrace their steps in search of a lost wallet or missing credit card, the company has copies of FTC brochures at the ready, including Lost or Stolen Credit, ATM, and Debit Cards and What To Know About Identity Theft. Spread the word about identity theft awareness through your social networks. Identity theft doesn’t just harm consumers. It’s bad for business, too. In addition to the billions of dollars lost every year to fraudsters, identity theft takes a tremendous toll on the well-being and peace of mind of affected customers, employees, friends, and family. That’s why we want to enlist you in the effort to raise awareness about how to prevent identity theft and streamline the recovery process. The FTC has sharable Identity Theft Awareness Week resources – including videos and other visuals – you can post on social media. We also have a new publication, How To Spot, Avoid, and Report Identity Theft in Your Language, available in multiple languages. In addition, during Identity Theft Awareness Week, the FTC and partners will be hosting podcasts and webinars for general audiences, as well as events focused on servicemembers, older adults, young adults, and business owners. Do you know someone dealing with identity theft? Guide them to IdentityTheft.gov to get them started on a personal recovery plan.  

FTC takes action against stalking apps lfair October 22, 2019 | 9:10AM FTC takes action against stalking apps By Lesley Fair You know that eerie feeling that someone is following your every move? If someone secretly installed a “stalking app” or “stalkerware” sold by Retina-X Studios, LLC, onto your mobile device, that strange sensation could be way more than a feeling. A complaint against the developer and marketer alleges violations of the FTC Act and the Children’s Online Privacy Protection Act Rule. Florida-based Retina-X and James N. Jones, Jr., marketed three apps as ways to monitor children or employees. MobileSpy captured and logged GPS location, text messages, photos, call history, browser history, etc. People who bought the premium version also could view the unsuspecting user’s screen in real time. PhoneSheriff monitored much of the same data, plus email history and screenshots of activity using Snapchat. As part of the iOS registration process for TeenShield, Retina-X collected the dates of birth of users being monitored–roughly a third of whom were under 13. Once installed, TeenShield captured GPS location, text messages, call history, browser history, email, and the like. To install the products, the buyer needed physical access to the device and often had to jailbreak or root it. In other words, they had to bypass restrictions built into the operating system on the device. Once the software was in place, buyers could remotely monitor the user’s activities from an online dashboard. By default, an icon appeared on the device. However, Retina-X instructed the person who installed the software on how to hide it and have the app run surreptitiously without the user’s knowledge. Although Retina-X claimed in its privacy policies that the products were designed to be used only to monitor a parent’s underage child or employee, the company didn’t take any steps to ensure that was how their apps were used. What’s more, why would parents or employers jailbreak or root phones to install Retina-X software when other monitoring apps on the market didn’t require jailbreaking or rooting? The complaint alleges several forms of consumer injury. One particular concern is that stalkers – for example, perpetrators of domestic violence – could use the apps to keep tabs on their victims’ location and online activity, information they could use to inflict emotional or even physical harm. Stalkers also could also use software like this to commandeer victims’ financial accounts. At the very least, people who installed Retina-X’s apps on the devices of unsuspecting users likely voided their devices’ warranties and exposed the users to increased security risks common when a device has been jailbroken. Furthermore, the FTC alleges Retina-X failed to take basic steps to protect the sensitive data its apps collected, especially information collected from children being monitored. For example, the company didn’t have written security standards in place and didn’t conduct security testing for known vulnerabilities. In addition, while touting its products’ ability to monitor others, the complaint alleges that Retina-X didn’t take appropriate steps to monitor its own service provider – the company that developed Retina-X’s apps, managed its servers, handled its payment processing, and provided marketing and customer support services. The privacy policies for MobileSpy, PhoneSheriff, and TeenShield included the same soothing language: “It is company policy that our customer databases remain confidential and private. . . . Your private information is safe with us.” But no one told that to the hacker who in 2017 found unencrypted credentials for the company’s cloud storage account in the TeenShield Android Package Kit. Once logged in, the hacker found the username and password for Retina-X’s server. That was the “Open Sesame!” the hacker needed to access sensitive data collected through PhoneSheriff and TeenShield and then erase it entirely. Retina-X didn’t learn about the hack until two months later when a journalist contacted the company after having received evidence from the hacker. Fast forward a year and a hacker again found the credentials for the company’s cloud storage account, this time in the PhoneSheriff Android Package Kit. The credentials were–to use the company’s terminology – “obfuscated,” but the hacker was still able to decrypt them. This time the hacker erased all photos in the cloud storage account. The complaint includes one count of unfair acts or practices and three counts of deception. In addition, the FTC alleges Retina-X knowingly collected personal information from children under the age of 13 through the TeenShield product, but failed to honor the COPPA Rule’s requirement to maintain reasonable procedures to protect the confidentiality, security, and integrity of that data. To settle the case, Retina-X and James N. Johns, Jr., have agreed to delete the data they collected and not sell any product that requires jailbreaking or rooting. In addition, in the future, they’ll have to get statements from buyers that they’ll use the app only to monitor their child or an employee, or an adult who has consented in writing. They also must include an icon with the name of the app that can only be removed by parents who have installed it on their kids’ phones. In keeping with other recent data security settlements, they must get third-party assessments of their information security program every two years. Once the proposed settlement appears in the Federal Register, the FTC will accept public comments for 30 days. In the meantime, here are tips other companies can take from the case. Exercise heightened caution if you sell monitoring products. Take reasonable steps to ensure your product is used only for lawful purposes. For example, you can’t require the circumvention of built-in operating system or device security protections and then claim ignorance about how your product is used. If you collect it, protect it. Collecting any form of sensitive data carries with it the obligation to protect it when it’s in your possession. If it’s information covered by COPPA, Section 312.8 of the Rule puts special data protections in place. Take steps to avoid a third-degree burn. When working with third-party service providers, spell out your data security expectations in your contracts and build in monitoring mechanisms to make sure they’re following through. When COPPA-covered information is involved, Section 312.8 of the COPPA Rule underscores that requirement: “[T]ake reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.”  

$575 million Equifax settlement illustrates security basics for your business lfair July 22, 2019 | 6:48AM $575 million Equifax settlement illustrates security basics for your business By Lesley Fair Patch your software. Segment your network. Monitor for intruders. According to tech experts, those are security basics for businesses of any size. But when you’re industry giant Equifax – a company in possession of staggering amounts of highly confidential information about more than 200 million Americans – it’s almost unthinkable not to implement those fundamental protections. An FTC, CFPB, and State AG settlement of at least $575 million illustrates the injury to consumers when companies ignore reasonably foreseeable (and preventable) threats to sensitive data. Read on for security tips for your business and what consumers can do to get compensation for their losses and sign up for free credit monitoring. The Equifax data breach has been in the headlines, but what happened behind the scenes? According to the complaint, in March 2017, US-CERT – Homeland Security’s cyber experts – alerted Equifax and other companies about a critical security vulnerability in open-source software used to build Java web applications. The alert warned anyone using a vulnerable version of the software to update it immediately to a free patched version. It didn’t take long before the press reported that hackers had already started to exploit the vulnerability. Equifax’s security team got the US-CERT alert on March 9, 2017, and sent it to more than 400 employees with instructions that the staffers responsible for the affected software should patch it within 48 hours, as required by the company’s Patch Management Policy. Within a week, Equifax performed a scan intended to search for vulnerable forms of the software remaining on its network. But the scan Equifax conducted wasn’t up to the task, which ultimately proved devastating to consumers. According to the complaint, the company used an improperly configured automatic scanner that failed to detect that the vulnerable software was alive and well on a part of the company’s Automated Consumer Interview System (ACIS). The lawsuit alleges that Equifax didn’t detect the “open sesame” vulnerability in its system for months. How sensitive was the data stored on the ACIS portal? If it’s been a while since you’ve made that hands-on-face shriek from “Home Alone,” now may be the time because it was the portal where Equifax collected information about consumer disputes, including documentation uploaded by consumers. In addition, Equifax used that platform for consumer credit freezes, fraud alerts, and even requests for a free annual credit report. Thus, millions of consumers interacted with the ACIS portal every year. The complaint outlines the specifics, but suffice it to say that for infocrooks looking for Social Security numbers, dates of birth, credit card numbers, expiration dates, and the like, the data on ACIS was Grade A primo stuff. Compounding the injury to consumers was the fact that ACIS was originally built in the 1980s and even in-house Equifax documents referred to it as “archaic” and “antiquated technology.” What’s more, the complaint alleges that when Equifax sent that email to more than 400 of its employees warning them about the need for the patch, the company didn’t alert the staff member responsible for the part of ACIS with the vulnerability. Equifax failed to discover the unpatched vulnerability for more than four months. In late July 2017, the company’s security team spotted suspicious traffic on the ACIS portal. They blocked it, but identified additional questionable traffic the next day. That’s when Equifax took the platform offline and hired a forensic consultant who determined that hackers had already exploited the vulnerability. But it gets worse. The consultant figured out that once inside the ACIS system, attackers were able to gain access to other parts of the network and rummage through dozens of unrelated databases also containing highly confidential information. In addition, they accessed a storage space connected to the ACIS databases that included administrative credentials stored in plain text, which they used to grab even more sensitive data. According to Equifax’s forensic analysis, attackers were able to steal (among other things) approximately 147 million names and dates of birth, 145 million Social Security numbers, and 209,000 credit and debit card numbers and expiration dates. The complaint alleges that a number of Equifax’s actions – and failures to act – led to violations of the FTC Act and the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions to implement and maintain a comprehensive information security program. For example: Equifax didn’t check to make sure employees followed through on the patching process; Equifax failed to detect that a patch was needed because the company used an automated scan that wasn’t properly configured to check all the places that could be using the vulnerable software; Equifax failed to segment its network to limit how much sensitive data an attacker could steal; Equifax stored admin credentials and passwords in unprotected plain-text files; Equifax failed to update security certificates that had expired 10 months earlier; and Equifax didn’t detect intrusions on “legacy” systems like ACIS. The complaint cites those as factors that contributed to a breach of consumers’ personal information of massive proportions. The settlement requires Equifax to pay at least $300 million to a fund that will provide affected consumers with credit monitoring services, compensate people who bought credit or identity monitoring services from Equifax, and reimburse consumers for out-of-pocket expenses incurred as a result of the 2017 data breach. Equifax will add up to $125 million more to the fund if the initial payment isn’t enough to compensate consumers for their losses. Equifax also will pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil penalty to the CFPB. (The FTC doesn’t have legal authority to get civil penalties in a case like this.) Financial remedies are only part of the settlement. Under the order, Equifax must implement a comprehensive information security program requiring – among other things – that: Equifax must conduct annual assessments of internal and external security risks, implement safeguards to address them, and test the effectiveness of those safeguards; Equifax must assure that service providers with access to personal information stored by Equifax also implement appropriate security programs; and Equifax must get annual certifications from Equifax’s Board of Directors saying, in effect, “Yes, I attest that the company is complying with the order’s requirement of an appropriate information security program.” The Equifax settlement is a study in how basic security missteps can have staggering consequences. Here are some tips other companies can take from the case – and we didn’t have to look far for advice. The quotes are all from the FTC’s brochure, Start with Security. “Update and patch third-party software.” Companies should treat a security warning from US-CERT with the utmost seriousness. Equifax’s 48-hour Patch Management Policy may have looked good on paper, but paper can’t patch a critical software vulnerability. Of course, you should tell your IT team to implement appropriate patches and fixes. But you also need a belt-and-suspenders system to make sure your company follows through effectively. “Ensure proper configuration.” There’s nothing inherently wrong with using an automated vulnerability scan, but if it’s not set up to know where to look, it’s just another collection of zeros and ones. The complaint alleges that Equifax compounded the problem by not maintaining an accurate inventory of what systems ran what software – a fundamental practice that would have made it easier to find the vulnerability in the ACIS platform. “Monitor activity on your network.” Who’s coming in and what’s going out? That’s what an effective intrusion detection tool asks when it senses unauthorized activity. An effective system of intrusion detection could have helped Equifax detect the vulnerability sooner, thereby reducing the number of affected consumers. “Segment your network.” The idea behind ships’ watertight compartments is that even if one portion of the structure sustains damage, the entire vessel won’t go under. Segmenting your network – storing sensitive data in separate secure places on your system – can have a similar mitigating effect. Even if an attacker sneaks into one part of your system, an appropriately segmented network can help prevent a data oops from turning into a full-fledged OMG. The FTC has more security advice for businesses. Are you a consumer affected by the Equifax breach? Visit ftc.gov/equifax (also available in Spanish) for information about how to apply for compensation.  

The many facets of advertising diamonds with clarity lfair May 3, 2019 | 10:58AM The many facets of advertising diamonds with clarity By Lesley Fair and Robert Frisby Last month the FTC sent staff warning letters to eight firms advertising simulated or laboratory-created diamonds. According to the letters, the companies had promoted their products without adequately disclosing that they weren’t mined diamonds. Since then, industry members have been talking about the best ways to ensure compliance with the FTC’s Jewelry Guides, which are designed to help companies avoid confusing or deceiving consumers. We posed some of the questions we’ve heard to FTC attorney Robert Frisby. Our company sells simulated or laboratory-created diamonds as alternatives to mined diamonds. Should we disclose that our products aren’t mined? ROBERT:  Yes. To avoid the risk of deceiving consumers about the type of jewelry you offer, advertisers selling simulated or laboratory-created diamonds should disclose that the products aren’t mined diamonds. Describing simulated or laboratory-created diamonds merely as “diamonds,” without more, would likely convey the false impression to consumers that they’re buying mined diamonds. Using a brand name that includes the word “diamond,” without qualifying your claim with a clear explanation, would present the same problem. (In this context, a “qualified” claim means a claim that is appropriately limited, explained, or narrowed.) Similarly, describing a simulated or imitation diamond like cubic zirconia as a “laboratory-created diamond” without a clear qualification would likely lead consumers to the inaccurate conclusion that the product has the same optical, physical, and chemical properties as a laboratory-created or mined diamond. What terms should we use to disclose that our simulated or laboratory created-diamonds aren’t mined diamonds? ROBERT:  Use terms that clearly convey to consumers that the item is a simulated or laboratory-created diamond, rather than a mined diamond. Although the FTC’s Jewelry Guides don’t specify the wording you should use to make this disclosure, the Jewelry Guides state that the terms “laboratory-grown,” “laboratory-created,” “[manufacturer name]-created,” “imitation’’ or ‘‘simulated” would be appropriate to describe the nature of the product and to disclose the fact that it’s not a mined diamond. The Guides give advertisers flexibility to use another “word or phrase of like meaning” to make the disclosure. However, if you choose to use alternative phrases, exercise care to ensure that consumers understand them. How and where should we disclose that simulated or laboratory-created diamonds are not mined diamonds? ROBERT:  What matters is that consumers see the disclosure, read it, and understand what it means. That’s why advertisers should make those disclosures clearly and conspicuously, and in close proximity to where the ad uses the term “diamond” to describe the jewelry. In addition, the disclosure should appear early in the product description. Putting it at the end of a lengthy block of text or on a different webpage – for example, on an FAQ or “diamond education” page – won’t suffice because consumers might skip over it. However, in a particular ad, you may not have to make the same disclosure repeatedly if the nature of the items offered for sale is clear from the context. In social media advertising, can we make disclosures through hashtags? ROBERT:  Exercise care when using hashtags to disclose information that is necessary to avoid deception. A hashtag at the end of a social media post might not convey the information effectively, especially if appears in a string of other hashtags or if the other hashtags arguably contradict it. For example, a list of hashtags including both #diamonds and #labgrown might confuse consumers about whether the product contains mined diamonds. Just a reminder: Advertisers are responsible for all reasonable interpretations of their advertising, including ads on social media that make claims or that fail to make adequate disclosures. What if we want to tout the environmental benefits of our simulated or laboratory-created diamonds? ROBERT:  The FTC’s Guides for the Use of Environmental Marketing Claims – the Green Guides – offer advice on how to make environmental claims non-deceptively. Keep two basic principles in mind: 1) Advertisers must have a reasonable basis for any environmental benefit claims they make for their products; and 2) Advertisers must qualify their claims adequately to avoid deception. The Green Guides advise advertisers to avoid making unqualified general environmental benefit claims – for example, “environmentally friendly” – because it is highly unlikely the advertiser can substantiate all reasonable interpretations of these claims. The better practice is for advertisers to qualify a general claim by disclosing the specific reasons why the product has environmental benefits. Section 260.4 of the Green Guides features examples of claims that are appropriately qualified under the circumstances.    

FTC to law violators: Don’t bank on bankruptcy lfair February 19, 2019 | 1:14PM FTC to law violators: Don’t bank on bankruptcy By Lesley Fair A recent ruling by a Florida Bankruptcy Judge sheds light on a tenacious team within the FTC’s Bureau of Consumer Protection. But first, let’s set the time machine to 2008 when the FTC entered into a settlement with BlueHippo, a computer financing company that pitched electronics to consumers with “less than perfect credit, bad credit, no credit.” The FTC sued BlueHippo for a host of illegal practices, many related to the company’s refund policies. The defendants settled that case, agreeing to pay as much as $5 million in consumer redress. But just a year later, the FTC went back to court, alleging that BlueHippo was already in violation of the order because it didn’t clearly disclose the terms of its refund policy. According to the FTC, rather than giving consumers their money back, BlueHippo purported to offer “store credit,” but failed to disclose that major strings were attached. Consumer didn’t learn about the onerous policies until they tried to use their “credit,” only to have BlueHippo tell them they’d have to shell out more cash first. As a result, more than 55,000 people paid money to BlueHippo, but got nothing in return. The trial judge granted the FTC’s contempt motion against the corporate defendants and BlueHippo CEO Joseph Rensin, but entered a remedy of only $609,000. After the FTC appealed, the United States Court of Appeals for the Second Circuit reversed and remanded the matter to the trial court, which entered a judgment against Mr. Rensin for $13.4 million, the financial harm the court determined that consumers suffered as a result of the scheme. Mr. Rensin refused to pay the contempt judgment, and according to the FTC, he tried to evade it by filing for bankruptcy. That’s when the FTC’s bankruptcy team stepped in. At a trial before the Bankruptcy Judge, Mr. Rensin argued (among other things) that he was unaware of certain aspects of his company’s refund policies and that his in-house counsel had been responsible for them – testimony the Court expressly rejected as not credible. Mr. Rensin also claimed that the $13.4 million he owed was dischargeable in bankruptcy. The FTC disagreed, citing a provision in the law that a debt is not discharged “to the extent obtained by . . . false pretenses, a false representation, or actual fraud . . . .” The Bankruptcy Judge held, “What constitutes ‘false pretenses’ in the context of § 523(a)(2)(A) has been defined as ‘implied misrepresentations or conduct intended to create and foster a false impression.’” You’ll want to read the Memorandum Opinion for the details, but the Court concluded that consumers “relied on what BlueHippo told them, which was fatally misleading and amounted to fraudulent misrepresentation and concealment.” The FTC’s bankruptcy team also argued that an additional provision applied: § 523(a)(6), which “does not discharge an individual debtor from any debt . . . for willful and malicious injury by the debtor to another entity or to the property of another entity.” The Bankruptcy Judge concluded that the FTC “met its burden in proving that Mr. Rensin’s conduct was wrongful and without just cause and thus was malicious within the meaning of § 523(a)(6). Mr. Rensin used BlueHippo to create a series of transactions aimed at defrauding consumers for the purpose of filling the coffers of BlueHippo. There was nothing defensible about his actions.” What’s more, the Court ruled, “Based on the credible evidence admitted in this case, not only did Mr. Rensin go along with this fraud, but he was at the helm of and guided BlueHippo in its every action in connection with this fraud.” The Court put it this way: As the captain of the ship, with not only direct oversight but regular operational involvement in every aspect of the business relevant to this fraud, and with full knowledge of the financial benefits reaped from the fraud, at a time when BlueHippo was otherwise cash strapped, there is no doubt that Mr. Rensin orchestrated the entire affair. The effect of the ruling is that the FTC may proceed in its efforts to recover money for consumers injured by BlueHippo’s practices. But even at this intermediate stage, the case offers two important reminders: 1) It’s unwise for companies and corporate officers to assume that bankruptcy will necessarily shield them from the financial consequences of their illegal conduct toward consumers; and 2) If it’s necessary to follow a defendant to Bankruptcy Court to protect consumers’ interests, the FTC has an experienced team ready to go there.  

Stemming unproven stem cell therapy claims lfair October 18, 2018 | 11:27AM Stemming unproven stem cell therapy claims By Lesley Fair Old West nostrum sellers used to market treatments for a broad range of diseases with the slogan “Good for what ails ya.” California-based Regenerative Medical Group used a current buzzword in science – stem cell therapy – to peddle what they claimed were treatments for conditions as varied as cerebral palsy and autism to Parkinson’s disease, stroke, and macular degeneration. But according to the FTC, they didn’t have proof to back up their expansive promises. “What ails ya?” For consumers struggling with serious diseases, the lawsuit demonstrates the FTC’s concern with “what fails ya” – in other words, unproven “cures” that lack scientific support. Advertising online and through social media, the defendants, including owner Bryn Jarald Henderson, D.O., promoted stem cell treatments derived from the amniotic fluid of women who have given birth via C-section. Their marketing claims were – to say the least – dramatic. According to a promotional letter from Dr. Henderson, “Lives are being saved, the blind see, the crippled walk and the patients with heart, lung, kidney and nerve diseases can alter the course of their suffering with a simple therapy [that] lasts for years and impacts their lives NOW!” The defendants’ ads also made express claims about specific intractable medical conditions: “Stem Cell Treatments have been shown to improve sight in patients with Macular degeneration.” “We can make blinded People see again!” “We can reverse Autism symptoms.” “Can stem cell therapy help patients with chronic kidney disease? Yes it can. It can make new cells that replace damaged cells and reverse chronic kidney disease symptoms.” “Cure for Parkinson’s? The only Medical Group worldwide that treats Parkinson’s with amniotic Stem Cells!” For stroke victims with damaged brain tissue, “Stem Cell treatment acts as a form of medical time machine, reversing the damage that has already been made.” One of the company’s YouTube videos featured an 11-year-old girl with cerebral palsy who purportedly spoke “her first words” after receiving treatment from the defendants. Regenerative Medical Group and Dr. Henderson charged consumers between $9,500 to $15,000 for an initial treatment with recommended “boosters” going for between $5,000 to $8,000. What’s more, they claimed that what they offered was comparable to or even better than conventional medical care. That’s what the defendants said, but what’s the real story on stem cells? In fact, there are many different kinds of stem cells – amniotic stem cells are only one variety – and they vary widely in potency. According to the National Institutes of Health (NIH) website, “Much work remains to be done in the laboratory and the clinic to understand how to use these cells for cell-based therapies to treat disease.” Furthermore, the vast majority of amniotic stem cell research has been conducted on animal models. According to the FTC, there are no human clinical studies showing that amniotic stem cell therapy treats any diseases in humans and certainly not the long list of conditions the defendants claimed to cure. The proposed settlement requires the defendants to have human clinical testing to support future claims related to the treatment of any disease or health condition. Based on the defendants’ financial status, the $3.3 million judgment – which represents what patients paid for the treatments – will be partially suspended when the defendants turn over $525,000. That money will be returned to consumers. The company also has to send a letter about the lawsuit to their customers and others who have expressed an interest in their stem cell therapy treatments. What does the FTC prescribe for misleading health representations? Here are some suggestions. “Cure” claims command clinical confirmation.  Products that promise to treat or cure diseases need the support of human clinical testing. Don’t draft your ad copy until you have methodologically sound testing in hand that demonstrates statistically and clinically significant results. The FTC’s action against Regenerative Medical Group is the latest in a long line of cases challenging unproven treatments for autism, arthritis, macular degeneration, and other serious conditions. Claims like that are at the center of the enforcement radar screen and they’re likely to stay there. Exercise caution when using in-the-headlines medical terms.  The phrase “stem cell treatment” covers a broad range of therapies – from promising research to flat-out fraud – and it may not be easy for consumers to make nuanced distinctions. Marketers shouldn’t add to the confusion by playing fast and loose with the facts. Don’t overstate the results consumers are likely to receive or falsely state or imply that your product is superior to other treatments. Patients should study treatment options carefully.  People diagnosed with serious diseases can find a wealth of information online, but not every site is trustworthy. Before diving into the deep end of the internet, start your research with agencies like the NIH or FDA. Take stem cells therapies as an example. While encouraging scientists to continue their research, the FDA also has warned consumers about the dangers of questionable stem cell “treatments.”  

Operation Main Street targets scams against small business lfair June 18, 2018 | 10:20AM Operation Main Street targets scams against small business By Lesley Fair Small business keeps America in business. But while you have your shoulder to the wheel and nose to the grindstone, it can be tough to keep an eye out for scammers. That’s why the FTC and law enforcement partners across the country have your back. Just one example is Operation Main Street: Stopping Small Business Scams, a coordinated initiative involving 24 civil and criminal actions against B2B fraudsters. In addition to ongoing litigation and recent settlements, the FTC filed a new case as part of Operation Main Street. The FTC has gone to court to challenge the conduct of nine U.S.- and Canada-based individuals and corporations operating as Premium Business Pages. (They also use the names Ameteck Group, The Local Business Pages, and Data Net Technologies.) The FTC says the defendants call small businesses claiming to be collecting on past-due bills for online directory listings, search engine optimization services, web design, or web hosting. Pay now, the callers threaten, or your account will be turned over to “collections” or will be “red flagged” – actions the callers warn could have a negative impact on the company’s credit. But in truth, the targeted small businesses never ordered the products or services in the first place. Another tactic the FTC says the defendants use is to offer “discounts” or to “waive” fees on the supposedly overdue amount. But if business owners pay, they can expect more calls from defendants’ telemarketers. In some cases, the telemarketers claim the payment was only the first installment. In other instances, the FTC says they perform the equivalent of telemarketing “ventriloquism,” pretending to be from a different company, but using the same bogus “overdue invoice” gambit. A federal judge has granted the FTC’s request for a temporary restraining order. Other law enforcers are also taking aim at scammers who target small business. The Attorneys General of Arizona, Delaware, Florida, Indiana, Missouri, New York, Tennessee, and Texas took action as part of Operation Main Street. From bogus business directories to government imposter fraud, the breadth of the challenged conduct illustrates the many shady faces of B2B fraud. Other noteworthy developments are two criminal cases brought as part of Operation Main Street. The U.S. Attorney for the Southern District of New York – with assistance from the New York Division of the U.S. Postal Inspection Service – announced the arrest of a person allegedly operating a $3 million fake invoice scam. In addition, the U.S. Attorney for Maryland brought a criminal action of particular interest to FTC watchers. Last year the FTC settled a lawsuit against an outfit that bilked small businesses and nonprofits out of more than $50 million in a scam involving unordered light bulbs and cleaning supplies. The U.S. Attorney’s Office just reached a plea agreement with a leader of that operation. He’ll face sentencing soon. But law enforcement is only one part of Operation Main Street. Education is a key component, too. The FTC just issued a new publication, Scams and Your Small Business, with to-the-point tips on how you can spot the signs of a scam and what to do if con artists have targeted your company. In addition, the Better Business Bureau has issued a research report on small business scams, based on information from 1200 small businesses. According to the BBB, 67% of those surveyed perceive scammers as a growing risk to their company. The top five scams they identified: 1) bank/credit card company imposters; 2) directory listing and advertising services; 3) fake invoices/supplier bills; 4) fake checks; and 5) tech support scams. What can your business do to magnify the impact of Operation Main Street? Educate your employees. The FTC has you covered with that new publication, Scams and Your Small Business. By learning about the latest scams, your staff can deliver a devastating one-two punch to fraudsters: a forceful buh-bye followed by a “we mean business” hang-up. Report fraud. People who responded to the BBB survey say that one of their primary motivations for reporting fraud is to help warn others. That says a lot about the small businesses that form the backbone of our economy. Spot a scam? Speak up. Report what you’ve seen to the FTC.

The lesson of the MARS Rule: Not one penny up front lfair January 26, 2018 | 12:51PM The lesson of the MARS Rule: Not one penny up front By Lesley Fair Like calling an NFL lineman “Tiny,” we appreciate an ironic name as much as the next person. But it’s different when a company calls itself – among other things – Consumer Defense, Preferred Law, and Modification Review Board and then makes allegedly deceptive claims regarding loan modification services to consumers struggling to hold onto their homes. An FTC lawsuit filed against a related group of 14 companies and individuals charges them with violations of the FTC Act and the MARS Rule (Regulation O). According to the FTC, the defendants preyed on struggling homeowners with promises that their expert legal advice could stop consumers from going into foreclosure and that they could get affordable mortgage modifications. Advertising on TV and radio, online, through direct mail, and on the phone, the defendants often claimed that these modifications would not only save consumers’ homes, but also big bucks – for example, by slashing interest rates in half and reducing monthly payment by hundreds of dollars. Touting a track record as high as 98%-100%, the defendants typically charged cash-strapped consumers $3,900 in monthly installments of $650. Some contracts with consumers made representations like this: Based on the past performance of American Home Loan Counselors with the assistance of Preferred Law’s federal legal services, and our knowledge of your factual situation, MRB [Modification Review Board] hereby GUARANTEES that a modification or home foreclosure alternative pursuant to the HAFA program will be secured for you conditioned upon the following terms . . . . (The “conditions” were things like paying required fees and returning documents in a timely fashion.) The FTC says that the defendants strung consumers along for months with misleading promises that modification packages were in the works. As part of the ploy, the defendants allegedly directed homeowners not to pay their mortgages and not to communicate with their lenders. The defendants insisted that consumers pay them, of course. But according to the FTC, in numerous instances, the defendants failed to get any relief for their customers. The complaint alleges that consumers learned from their lenders that the defendants didn’t provide complete modification documents, submitted irrelevant requests for information, or never even contacted the lender in the first place. The lawsuit charges that by turning over what little cash they had to the defendants and getting next to nothing in return, many consumers ultimately lost their homes. Of course, there are federal programs to assist struggling homeowners, like Making Home Affordable (MHA). The FTC alleges that the defendants used doctored logos and other tactics to suggest a false affiliation with government programs. The complaint alleges the defendants violated the FTC Act by misrepresenting their services, touting a false affiliation with or endorsement by the federal government, claiming to have special relationships with the consumers’ mortgage companies, and telling people they should stop making their mortgage payments. The lawsuit also charges multiple violations of the MARS Rule, which makes it illegal – among other things – to ask for or receive upfront payments before there’s a written agreement between the consumer and the loan holder or servicer. The FTC says the defendants also failed to make specific disclosures required by the Rule, including (to name just a few) “[Name of Company] is not associated with the government, and our service is not approved by the government or your lender.&rdquo “Even if you accept this offer and use our service, your lender may not agree to change your loan.” “You may stop doing business with us at any time. You may accept or reject the offer of mortgage assistance we obtain from your lender [or servicer]. If you reject the offer, you do not have to pay us. If you accept the offer, you will have to pay us [insert] amount or method for calculating the amount] for our services.” “If you stop paying your mortgage, you could lose your home and damage your credit.” The case is pending in a Nevada federal court, which granted the FTC’s request for a temporary restraining order. Looking for tips on complying with MARS? Read Mortgage Assistance Relief Services Rule: A Compliance Guide for Business. The most important reminder is that businesses claiming to offer mortgage assistance services can’t charge upfront fees – as in not one penny – until consumers and their loan holders or servicers sign a new agreement.  

Testing, testing: A review session on COPPA and schools lfair January 23, 2015 | 9:19AM Testing, testing: A review session on COPPA and schools By Lesley Fair We often get questions about how the Children’s Online Privacy Protection Act applies in the school setting. The COPPA Rule gives parents control over what information “an operator of a Web site or online service” – yes, that includes apps – can collect from their kids under 13. Among other things, COPPA requires entities covered by the law to notify parents and get their approval before they collect, use, or disclose personal information from children. So how does COPPA apply to schools? Here’s the short answer: Schools – which are usually part of the local government – don’t fall within the legal definition of who’s covered by COPPA because they aren’t commercial “operators.” That said, schools sometimes allow, or even require, students to use sites and services that are covered by COPPA and which must provide notice and get verifiable parental consent. This question isn’t new. When the FTC issued the original COPPA Rule in 1999, it addressed how schools may serve as an intermediary between operators and parents in the notice and consent process or as the parent’s agent, acting on the parent’s behalf. Here’s what we said about the subject back then in the Statement of Basis and Purpose for COPPA: “Numerous commenters raised concerns about how the Rule would apply to the use of the Internet in schools. Some commenters expressed concern that requiring parental consent for online information collection would interfere with classroom activities, especially if parental consent were not received for only one or two children. In response, the Commission notes that the Rule does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parents’ agent in the process. For example, many schools already seek parental consent for in-school Internet access at the beginning of the school year. Thus, where an operator is authorized by a school to collect personal information from children, after providing notice to the school of the operator’s collection, use, and disclosure practices, the operator can presume that the school’s authorization is based on the school’s having obtained the parent’s consent.” (Need the citation for that? It’s 64 Fed. Reg. 59888, 59903.) However, the school’s ability to consent on a parent’s behalf is limited to the educational context – in other words, it applies only when an operator collects personal information from students just for an educational purpose, and for no other commercial purpose. Thus, in addition to the central role schools play in creating an engaging learning environment, they also have a part to play in protecting student privacy. Recently, FTC staff received questions about whether COPPA covers providers of online tests – in particular, tests that two consortia of state educational agencies are developing. The Partnership for Assessment of Readiness for College and Careers (PARCC) is a nonprofit that describes itself as “an alliance of states working together to develop common assessments serving nearly 24 million students.” The Smarter Balanced Assessment Consortium is made up of member states and other government agencies. The idea is that the tests will be given online to school kids across the country. While we encourage all types of entities to respect children’s privacy, the FTC’s enforcement authority doesn’t extend to information collection by state governments or most nonprofits. So these specific consortia, and the development and administration of their tests, are not covered by COPPA. It’s important to keep in mind that schools administer tests for many reasons – to evaluate students’ and schools’ performance, for example – but also, in many cases, schools must comply with legal mandates to test students under federal, state, and local laws. More broadly, however, the goal of COPPA is to protect children’s privacy with respect to the online collection of personal information by commercial entities. Many parents care deeply about their children’s privacy, and rightly expect their schools to protect it. But COPPA was not intended to displace the traditional relationship between parents and schools when it comes to the collection of information exclusively for educational purposes in the school context and with the school’s permission. That holds true even when that information is collected online. Of course, under the Family Educational Rights and Privacy Act (FERPA), educational agencies and institutions have specific obligations to protect student privacy, including protecting personal information from children’s education records from further disclosure or uses without the written consent of the parent, unless permitted to do so under FERPA. In sum, COPPA provides important protections for children’s personal information in the commercial space, and also recognizes the special role that schools may play in providing consent for the online collection of information from kids exclusively for educational services – for example, online testing.