InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC Announces Settlement Over Alleged Violations Of International Safe Harbor Privacy Framework

    Privacy, Cyber Risk & Data Security

    On February 11, the FTC announced a settlement to resolve allegations that a children’s online entertainment company falsely claimed it was abiding by the U.S.-EU Safe Harbor international privacy framework. The FTC alleged that the company deceptively claimed through statements in its privacy policy that it held current certifications under the Safe Harbor Framework even though it had allowed its certification to lapse. The FTC did not allege that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws. The proposed settlement agreement, which is subject to public comment, would prohibit the company from misrepresenting the extent to which it participates in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The action follows a dozen similar actions recently announced by the FTC.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • Congressional Committees Review Data Breaches, Potential Federal Responses

    Privacy, Cyber Risk & Data Security

    This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. 
    Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.

    Credit Cards FTC Payment Systems Enforcement U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

  • Senate Commerce Committee Expands Data Broker Inquiry

    Privacy, Cyber Risk & Data Security

    On February 3, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) again expanded his investigation of data brokers when he asked six brokers for information on the compilation and sale of products that identify consumers based on their financial vulnerability or health status. The issue was raised recently in a majority staff report, which was released in connection with a December 2013 committee hearing. The Chairman cited “serious concerns regarding the sale and dissemination of lists identifying a consumer’s fragile health or financial circumstances without the consumer’s knowledge or permission,” which Mr. Rockefeller believes can be used by businesses seeking to target vulnerable customers for financially risky lending products or fraud schemes. The Chairman seeks a broad range of information about the companies’ data collection and sales practices conducted over a five-year period. The letters are the latest in an ongoing review by the Committee, which previously expanded the scope of the review in September 2013.

    U.S. Senate Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • California Attorney General Files Suit Over Untimely Data Breach Notice

    Privacy, Cyber Risk & Data Security

    On January 24, the California Attorney General (AG) sued a health care company over its alleged failure to timely submit notice of a 2011 data breach. According to the complaint, the company learned of the breach at the end of September 2011, completed a preliminary investigation in December 2011, and subsequently continued the investigation through mid-February 2012. The company allegedly did not begin mailing notice letters to affected individuals until mid-March. The complaint alleges the company failed to provide such notice in the most expedient time possible, which the AG alleges could have commenced in December 2011. The complaint also includes allegations regarding the actual breach at issue. The AG is seeking statutory penalties of $2500 per violation. Among other things, the suit demonstrates the AG’s inclination to take privacy and data security actions beyond the California Online Privacy Protection Act.

    State Attorney General Enforcement Privacy/Cyber Risk & Data Security

  • CFPB Issues Advisory Regarding Recent Retailer Data Breaches; Congressional Activity Increases

    Privacy, Cyber Risk & Data Security

    On January 28, the CFPB issued a consumer advisory in response to recent reports of data breaches at several large retailers. In addition to providing tips for consumers in the wake of a retail breach, the advisory encourages card holders to submit complaints about debit and credit card issuers’ inadequate responses to consumer charge disputes related to data breaches.

    The advisory is the first public response from the CFPB on data breach issues.  It follows a request last month from Senator Chuck Schumer (D-NY), a member of the Senate Banking Committee, that the CFPB conduct an investigation of the data breach and issue a “full report on the findings of its investigation -- informing the public of how this breach occurred, how consumers can protect themselves from similar attacks, and any further recommendations the CFPB may have for retailers to minimize the occurrence of similar breaches.”  Schumer also asked Director Cordray to “take a closer look at whether retailers systems should be required to transfer credit and debit card information as encrypted data. . . . The CFPB must ensure that necessary rules and standards for retailers are in place to validate consumers’ trust in the transaction process.”

    Numerous congressional committees share jurisdiction over data breach issues. The Senate Banking Committee will be among the first to act with a hearing scheduled for February 3, 2014 that will feature governmental witnesses, as well as the views of the retailer and banking industries.

    CFPB Consumer Complaints U.S. Senate Privacy/Cyber Risk & Data Security

  • FTC Actions Allege Violations Of International Safe Harbor Privacy Framework

    Privacy, Cyber Risk & Data Security

    On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • NIST Cybersecurity Framework Will Not Include Privacy Standards Appendix

    Privacy, Cyber Risk & Data Security

    On January 15, NIST updated the status of its efforts to finalize the voluntary Cybersecurity Framework directed by President Obama’s Executive Order 13636. According to the update, NIST expects to publish the final framework on February 13, 2014, but the initial final version will not include an appendix with specific privacy standards. Citing insufficient support from stakeholders, NIST instead will include an alternative methodology that it believes will better allow organizations to incorporate general privacy principles when implementing a cybersecurity program.

    Privacy/Cyber Risk & Data Security NIST

  • California Appeals Court Holds Injury Required For Standing Under State Shine The Light Law

    Privacy, Cyber Risk & Data Security

    Recently, the California Court of Appeals, Second District, held that a plaintiff must have suffered a statutory injury to have standing to pursue a cause of action under the state’s “Shine the Light Act” (SLA). Boorstein v. CBS Interactive, Inc., No. B247472, 2013 WL 6680796 (Cal. Ct. App. Dec. 19, 2013). The SLA requires businesses that collect California residents’ personal data and then share that data for marketing purposes to disclose or allow consumers to opt out of that sharing. Specifically, all businesses must make consumers aware of their SLA rights by (i) maintaining a disclosure on their website and providing contact information for consumers to make a request about information shared with direct marketers; (ii) requiring customer service agents to provide the contact information upon request; or (iii) making the contact information available at every place of business in the state. In recent years, consumers filed a series of class actions, including the instant case, alleging that companies failed to properly disclose their contact information on their websites. The class plaintiffs did not, however, allege that they had sought SLA disclosures or would have done so had contact information been available. Consistent with federal district courts that have considered these claims, the state appeals court here determined that a failure to timely, accurately, or completely respond to a disclosure request is a discrete event upon which a court could calculate a civil penalty for each violation, whereas a failure to post information on a website is a continuing event that cannot readily be quantified. The court held that such a continuing violation, without more, is not an actionable violation. 
    The court rejected the plaintiff’s claim that he suffered an “informational injury” because he did not receive information to which he was statutorily entitled, and upheld the trial court’s holding that the alleged failure was merely a procedural injury insufficient to establish standing.

    Internet Commerce Privacy/Cyber Risk & Data Security

  • Italy's High Court Upholds Acquittal of Google Executives In Video Privacy Case

    Privacy, Cyber Risk & Data Security

    On December 17, Italy’s highest court, the Italian Supreme Court of Cassation, issued a landmark ruling upholding the acquittal of three Google senior executives by the Milan Court of Appeals. Initially, an Italian trial court convicted the executives of criminal violations of Italy’s privacy laws for allegedly allowing a controversial video to be uploaded to the precursor to YouTube by a user of the service without first screening the video. The Milan Court of Appeals rejected prosecutors’ contention that the company should be responsible for prescreening user-provided content, and agreed with the executives that requiring prescreening for such content would not only infringe on users’ freedom of expression, but would undermine websites’ functionality. The Court of Cassation will issue a written statement of its reasoning early next year. BuckleySandler attorneys Samuel Buffone and Ann Wiles represented two of the three Google executives.

    Privacy/Cyber Risk & Data Security

  • Second Circuit Reinstates Federal TCPA Class Action

    Privacy, Cyber Risk & Data Security

    On December 3, the U.S. Court of Appeals for the Second Circuit held that federal rules govern when determining whether a federal TCPA suit may proceed as a class action and reinstated a case dismissed based on New York state class action rules. Bank v. Independence Energy Group LLC, No. 13-1746, 2013 WL 6231563 (2nd Cir. Dec. 3, 2013). A federal district court dismissed, sua sponte, a TCPA class action complaint based on the application of New York state civil procedure, which prohibits class-action suits for statutory damages. On appeal, the Second Circuit agreed with the named plaintiff that, based on the U.S. Supreme Court’s holding last year in Mims v. Arrow Financial Services, LLC, 132 S. Ct. 140 (2012), Federal Rule of Civil Procedure 23 applies when deciding whether a federal TCPA suit can proceed as a class action. In Mims, the Court had held that TCPA Section 227(b)(3) permits private parties to bring an action in an appropriate state court, but does not require that private actions seeking redress under the TCPA be heard only by state courts. Here, the Second Circuit reasoned that Mims “suggests that in enacting the TCPA, Congress merely enabled states to decide whether and how to spend their resources on TCPA enforcement,” and that “Congress had a strong federal interest in uniform standards for TCPA claims in federal court.” Based on Mims, the Second Circuit rejected its prior interpretation of section 227(b)(3) as having “substantive content” and providing a delegation of authority to state courts to set the terms of TCPA claims. Accordingly, the court held that Federal Rule of Civil Procedure 23, not state law, governs when a federal TCPA suit may proceed as a class action.

    Class Action TCPA
