United States: State AGs To Businesses: Protect Your Customers From Criminal Activity

This week, 22 State AGs led by Wisconsin, sent Hyundai and Kia a letter criticizing the companies' lack of anti-theft immobilizers and use of a customer service campaign instead of a recall to address the problem. The letter blames the car makers for "lack of responsibility for the crisis" of car thefts with "alarmingly high rates of thefts" saying they are harming consumers and affecting public safety. Vehicle owners, the letter states, may be unable to insure their automobiles as insurance companies State Farm and Progressive have announced they have denied policies. The companies made the choice not to follow suit regarding industry practice to include the anti-theft devices as standard in the US, yet included the immobilizers in Canada and Europe. (It should be noted that Canada and EU transportation agencies appear to require these by law, and NHTSA does not).

This is not the first time State AGs have been looking to cover ground of federal transportation regulators. Last September, we described the letter from 38 AGs urging Congress to provide additional authority with airlines. Not only are the states treading regulated ground here, but also they are demonstrating again their willingness to hold third parties responsible for fraud or crime that occurs using those third parties' goods or services.

State AGs have often argued that companies should be responsible for: 1) failing to implement safeguards to protect consumers using their goods or services, 2) failing to disclose security flaws, or 3) misrepresenting safety features, all of which they argue cause consumers to be vulnerable to scams. We have seen AGs take enforcement action against or work with companies to address concerns with robocalls, mobile cramming, gift card fraud, money transfers, and more. This same underlying policy position is how AGs combat data breaches and data security issues, routinely focusing on companies that were victims of a third-party attack and alleging UDAP and other privacy law violations related to their data security practices.

Companies need to take a close look at what they represent to consumers about the safety and security of their products, and should remember not to put their heads in the sand if they see fraud or crime happening using their goods or services. AGs likely expect businesses to take action against such fraud through measures including:

• Fraud or crime detection programs
• Internal policies to prevent fraud
• Clear policies to customers regarding responsibility for third-party actions
• Disclosures or consumer alerts to customers to help make them aware of potential for crime

While these measures can help keep you off AG radar, if the amount of fraud or crime is overwhelming, AGs may suspect something inherently flawed in your products or services. Be prepared to respond with information about all actions taken to mitigate potential consumer harm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.