InfoBytes Blog

Financial Services Law Insights and Observations

  • State AGs urge FTC to update identity theft rules

    State Issues

    On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the Red Flags Rule and the Card Issuers Rule), which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. (Covered by InfoBytes here.)

    In their response, the Attorneys General urge the FTC not to repeal the Rules, arguing that it “would place consumers at greater risk of identity theft, especially consumers in states that have not enacted” laws that complement the Rules. Instead, the response letter requests the FTC modify the Rules to “ensure their continued relevance” and “keep pace with the ingenuity of identity thieves.” The suggestions include: (i) that notices of changes to email addresses and cell phone numbers be sent to both the prior and updated addresses and phone numbers, an expansion of the current use of mailing addresses; (ii) the encouragement of more current forms of authentication, including multi-factor authentication, to replace examples which imply that knowledge-based authentication by itself is sufficient; and (iii) the addition of new suspicious activity examples related to the use of an account, such as a covered account accessed by unknown devices or IP addresses, an unauthorized user unsuccessfully trying to guess account passwords through multiple attempts, and attempts by foreign IP addresses to access multiple accounts in a close period of time.

    State Issues FTC Identity Theft RFI State Attorney General Privacy/Cyber Risk & Data Security
  • District court orders TCPA suit to mediation, states FCC’s interpretation of autodialer may take years

    Courts

    On February 1, the U.S. District Court for the Eastern District of Missouri issued an order referring the parties in a putative TCPA class action to mediation. The plaintiff’s complaint alleges that the defendant’s insurance company sent her text messages without her consent using an automatic telephone dialing system (autodialer). In response, the defendant argued that the software it used to send the text messages does not qualify as an autodialer because it calls numbers from a pre-set list, instead of one that is randomly or sequentially generated. The defendant further argued that the case should be stayed because the FCC is currently considering whether systems such as the one at issue qualify as autodialers under the TCPA following the D.C. Circuit’s March 2018 ruling in ACA International v. FCC, which set aside the FCC’s 2015 interpretation of an autodialer as “unreasonably expansive.” (Covered by a Buckley Special Alert.) The decision to refer the case to mediation comes after the court’s August 2018 order denying the defendant’s motion to stay the proceeding. In that order the court explained that, although the FCC issued a notice in May 2018 (covered by InfoBytes here) seeking comments on the interpretation of the TCPA, the rulemaking process would likely take years and may not even resolve the issue in the case.

    Courts TCPA Autodialer Mediation FCC Privacy/Cyber Risk & Data Security
  • NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions

    Privacy, Cyber Risk & Data Security

    On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update outlines the procedures covered entities must follow if the entity ceases to qualify for exemptions under Section 500.19. Covered entities who no longer qualify for an exemption will have 180 days from the end of their most recent fiscal year to comply with all applicable requirements of 23 NYCRR Part 500. NYDFS further notes that covered entities may be required to periodically refile their exemptions to ensure qualification.

    Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500 State Issues Compliance
  • Final deadline approaching for NYDFS cybersecurity regulation

    Privacy, Cyber Risk & Data Security

    On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.

    Previous InfoBytes coverage of NYDFS’ cybersecurity regulation is available here.

    Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500 State Issues Third-Party
  • FINRA provides 2019 risk monitoring and examination guidance

    Agency Rule-Making & Guidance

    On January 22, the Financial Industry Regulatory Authority (FINRA) issued new guidance on areas member firms should consider when seeking to improve their compliance, supervisory, and risk management programs. The 2019 FINRA Risk Monitoring and Examination Priorities Letter (2019 Priorities Letter) examines both new priorities and areas of ongoing concern, including the adequacy of firms’ cybersecurity programs. FINRA notes, however, that the 2019 Priorities Letter does not repeat topics addressed in prior letters, and advises member firms that it will continue to review ongoing compliance obligations. Topics FINRA plans to focus on in the coming year include:

    • Firms’ use of regulatory technology to help compliance efforts become “more efficient, effective, and risk-based.” FINRA will work with firms to understand risks and concerns related to supervision and governance systems, third party vendor management, and safeguarding customer data;
    • Supervision of digital assets, including coordinating with the SEC to review how firms determine whether a given digital asset is a security and whether firms are implementing adequate controls and supervisions related to digital assets, such as complying with anti-money laundering and Bank Secrecy Act rules and regulations;
    • Assessment of firms’ compliance with FinCEN’s Customer Due Diligence rule, which requires firms to identify beneficial owners of legal entity customers (as previously covered by InfoBytes here); and
    • Financial risks, including credit risks, funding and liquidity planning.

    Agency Rule-Making & Guidance Fintech FINRA Cryptocurrency Examination FinCEN CDD Rule Privacy/Cyber Risk & Data Security Bank Secrecy Act Of Interest to Non-US Persons
  • Massachusetts amends legislation protecting consumers from security breaches

    State Issues

    On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:

    • Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
    • Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
    • State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
    • Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
    • Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
    • State that consumers shall receive notice in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
    • Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Security Freeze Data Breach
  • District Court: FCRA lawsuit passes Spokeo test, survives motion to dismiss

    Courts

    On January 8, the U.S. District Court for the Northern District of Illinois denied a bank’s motion to dismiss claims that it had obtained a credit report without a permissible purpose, ruling that the allegations rise above a mere procedural violation of the FCRA. According to the opinion, the consumer alleged that the bank accessed her credit report and obtained personal information, including current and past addresses, birth date, employment history, and telephone numbers, without having a personal business relationship, information to suggest the consumer owed the debt, or receiving consent for the release of the report. The bank argued that the consumer’s claim was only a “bare procedural violation” and not a concrete injury in fact as required under the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Sandler Special Alert). However, the court determined that the consumer’s allegation that the invasion of privacy, which occurred when the bank accessed her credit report from a consumer reporting agency without receiving consent and with no legitimate business reason to do so, “adequately alleges a concrete injury sufficient to confer standing.”

    Courts Privacy/Cyber Risk & Data Security Spokeo Credit Report FCRA
  • Retailer settles multistate data breach investigation for $1.5 million

    State Issues

    On January 8, a national retailer reached a $1.5 million multistate settlement with 43 states and the District of Columbia to resolve an investigation following a 2013 data breach of customer payment card information. According to the Illinois Attorney General’s announcement, the retailer will implement provisions to prevent future breaches, such as (i) complying with Payment Card Industry Data Security Standard requirements; (ii) maintaining a system to collect and monitor network activity; (iii) updating software that maintains and safeguards personal information; and (iv) devaluing payment card information through the use of encryption and tokenization technology to obfuscate payment card data. The retailer must also retain a third-party professional responsible for conducting an information security assessment and report, as well as outlining corrective measures.

    State Issues Privacy/Cyber Risk & Data Security State Attorney General Credit Cards Data Breach Settlement
  • District Court: Privacy claims related to incentive compensation sales program can proceed

    Courts

    On December 31, 2018, the U.S. District Court for the District of Utah granted in part and denied in part a national bank’s motion to dismiss putative class action claims concerning the bank’s use of confidential customer information to open deposit and credit card accounts as part of its incentive compensation sales program. (See previous InfoBytes coverage here.) According to the court, the plaintiffs claiming accounts were opened in their name plausibly alleged that the bank benefited from an increase in the number of accounts and products, and disagreed with the bank that the misappropriation of name claim should fail because those plaintiffs’ names and identities had value beyond those of the general public. While the majority of the state claims and all federal claims were dismissed, the court allowed four state claims to remain, including invasion of privacy. However, the court requested that the parties address why it should not decline to exercise jurisdiction over the state law claims following the dismissal of all federal claims.

    Additionally, the court dismissed claims brought by “Bystander Plaintiffs” who did not allege the opening of any unauthorized accounts in their names, or claim that their information was ever improperly used or accessed or that they were subject to improper sales practices. Because the Bystander Plaintiffs claimed only that they would not have opened accounts if bank employees had told them about the alleged issues, the court dismissed their claims for lack of Article III standing, reasoning that they did not allege any injury.

    Courts Incentive Compensation Privacy/Cyber Risk & Data Security Spokeo