
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC alleges a common enterprise’s software misrepresented consumers’ sensitive browsing data

    Federal Issues

    On February 22, the FTC released a complaint and decision against multiple software companies operating as a common enterprise for allegedly violating Section 5 of the FTC Act on three counts: (1) unfairly collecting consumers’ browsing information; (2) deceptively failing to disclose its tracking of consumers; and (3) making false representations about data aggregation and anonymization. The FTC alleged that, from 2014 to 2020, the companies distributed software that made several privacy claims, including that it would block cookies and prevent browser tracking, while collecting consumers’ browsing data without obtaining their consent and deceiving consumers about what the software actually did.

    The FTC alleged that the companies collected browsing information through browser extensions and antivirus software. While the companies claimed that these extensions provided security and privacy services, they used the extensions to collect browsing information from users, including URLs of visited webpages, URLs of background resources (e.g., cookies or images pulled from other domains), consumers’ search queries, and cookie values. While the companies made claims about the privacy and security of their products, they failed to disclose to consumers that their browsing information was sold to third parties and misrepresented how the data was shared. This browsing information can include sensitive data, possibly revealing a consumer’s religious beliefs, health information, political ideology, location, finances, and “interests in prurient content.” The FTC noted that when the companies asked software users in 2019 to opt in to the collection of browsing information, less than 50% of consumers agreed.

    Under the FTC’s Decision, the companies must pay $16.5 million in monetary relief. Additionally, the FTC enjoined the companies from licensing or selling any browsing data from branded products to third parties for advertising purposes, and the companies are required to (a) obtain consent from consumers before selling consumers’ browsing data from non-branded products for advertising; (b) delete consumer web browsing information and certain products or algorithms derived from that data; (c) notify consumers whose information was previously sold without their consent; and (d) implement a privacy program.

    Federal Issues Data Consumer Data Privacy, Cyber Risk & Data Security

  • California Attorney General settles with food delivery company for allegedly violating two state privacy acts

    Privacy, Cyber Risk & Data Security

    On February 21, the California State Attorney General’s Office announced its complaint against a food delivery company for allegedly violating the California Consumer Privacy Act of 2018 (CCPA) and the California Online Privacy Protection Act of 2003 (CalOPPA) by failing to provide consumers notice of, or an opportunity to opt out of, the sale of their personal information.

    The CCPA requires businesses that sell personal information to make specific disclosures and give consumers the right to opt out of the sale. Under the CCPA, a company must post a privacy policy and an “easy-to-find ‘Do Not Sell My Personal Information’ link.” The California AG alleged that the company provided neither. The AG also alleged that the company violated CalOPPA by not making the required privacy policy disclosures. The company’s existing disclosures indicated that the company could use customer data only to present someone with advertisements, and would not give that information to other businesses to use.

    The proposed stipulated judgment, if approved by a court, will require the company to pay a $375,000 civil money penalty and to (i) comply with CCPA and CalOPPA requirements; (ii) review contracts with vendors to evaluate how the company is sharing personal information; and (iii) provide annual reports to the AG on potential sales or sharing of personal information.

    Privacy, Cyber Risk & Data Security California State Attorney General CCPA CalOPPA Enforcement Data

  • NIST group releases drafts on TLS 1.3 best practices aimed at the financial industry

    Privacy, Cyber Risk & Data Security

    On January 30, the NIST National Cybersecurity Center of Excellence (NCCoE) released a draft practice guide, titled “Addressing Visibility Challenges with TLS 1.3 within the Enterprise.” The protocol in question, Transport Layer Security (TLS) 1.3, is the most recent iteration of the security protocol most widely used to protect communications over the Internet, but migrating to it from TLS 1.2 (the prior version) remains challenging for major industries, including finance, that need to inspect incoming network traffic for evidence of malware or other malicious activity. A full description of the project can be found here.

    Compared to TLS 1.2, TLS 1.3 is faster and more secure, but its mandatory forward secrecy, i.e., protecting past sessions against compromises of keys or passwords used in future sessions, creates challenges for data audit and legitimate inspection of network traffic. As a result, NIST released the practice guide to offer guidance on how to implement TLS 1.3 and meet audit requirements without compromising the TLS 1.3 protocol itself. The practice guide suggests how businesses can improve their technical methods, such as implementing a passive inspection architecture using either “rotated bounded-lifetime [Diffie-Hellman] keys on the destination TLS server” or exported session keys, to support ongoing compliance with financial industry and other regulations that require continuous monitoring for malware and cyberattacks. The draft practice guide is currently under public review, with Volumes A and B of the guide open for comment until April 1, 2024. Volume A is a second preliminary draft of the Executive Summary, and Volume B is a preliminary draft covering the Approach, Architecture, and Security Characteristics.

    Privacy, Cyber Risk & Data Security Data Internet Privacy NIST

  • FCC adopts updated data breach notification rules

    Agency Rule-Making & Guidance

    On December 21, 2023, the FCC announced that it had adopted an updated data breach notification rule. The rule was originally designed to protect consumers against pretexting, “a practice in which a scammer pretends to be a particular customer or other authorized person to obtain access to that customer’s call detail or other private communications records.” As previously covered by InfoBytes, the FCC promulgated its notice of proposed rulemaking in January 2023. The rule has been updated to expand the data breach notification requirements to, among other things: (i) cover additional categories of personally identifiable information that carriers hold; (ii) expand the definition of “breach” to cover unintended disclosures of consumer information, except where such information is obtained in good faith by an employee or representative of a carrier or telecommunications relay service (“TRS”) provider and there is no improper use or further disclosure of that information; (iii) require TRS providers and carriers to notify the FCC, FBI, and U.S. Secret Service as soon as practicable and no later than seven business days after the reasonable determination of a breach; (iv) no longer require TRS providers and carriers to notify consumers of a data breach if they reasonably determine that no harm to consumers is reasonably likely; and (v) no longer require carriers to observe a mandatory waiting period before notifying consumers of a breach. FCC Chairwoman Jessica Rosenworcel said in her statement that the update to the data breach policy is the first in 16 years and that, under the Communications Act, “carriers have a duty to protect the privacy and security of consumer data.” The rule was adopted on December 13, 2023.

    Agency Rule-Making & Guidance FCC Data Data Breach

  • FTC orders prison contractor to fix security exposures after data breach

    Privacy, Cyber Risk & Data Security

    On November 16, the FTC issued a proposed order against an integrated technology services company, finding a violation of Section 5(a) of the Federal Trade Commission Act. According to the order, the company offered various products and services to jails, prisons, and detention facilities. These products and services included means of communication between incarcerated and non-incarcerated individuals and, among other things, allowed non-incarcerated individuals to deposit funds into the accounts of incarcerated individuals. According to the complaint, the nature of its operations meant that the company collected individuals’ sensitive personally identifiable information, including names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information, some of which was exposed in a data breach in August 2020 caused by a misconfiguration in the company’s cloud storage environment.

    In its decision, the FTC ordered the company to, among other things, (i) implement a comprehensive data security program, including “change management” measures and multifactor authentication; (ii) notify users affected by the data breach, who had not yet received notice, and offer credit monitoring and identity protection products; (iii) inform consumers and facilities within 30 days of future data breaches; and (iv) notify the FTC within 10 days of reporting any security incident to local, state, or federal authorities.

    Privacy, Cyber Risk & Data Security Federal Issues FTC Data Enforcement

  • District Court grants defendant’s motion for summary judgment in data collection suit

    Courts

    On December 12, the U.S. District Court for the Northern District of California granted a defendant’s motion for summary judgment in a suit alleging that it collected consumers’ data without first obtaining their consent. According to the opinion, the plaintiffs are users of the defendant’s browser who alleged that they chose not to sync their browsers with their accounts with the defendant while browsing the web from July 2016 to the present. The complaint further noted that the browser’s sync feature permits “users to store their personal information by logging into the browser with their [defendant’s] account.” The district court granted the defendant’s motion for summary judgment after determining that most of the issues are “browser agnostic” rather than specific to the browser. Furthermore, the district court determined that because those issues are not specific to the browser, the defendant’s general privacy policies “govern[] the collection of those categories of information identified by plaintiffs.” The district court also found that “a reasonable person viewing those disclosures would understand that [the defendant] maintains the practices of collecting its users' data when users use [the defendant’s] services or third-party sites that use [the defendant’s] services and that [the defendant] uses the data for advertising purposes.” The district court further noted that “a reasonable user reviewing these same disclosures would understand that [the defendant] combines and links this information across sites and services for targeted advertising purposes.”

    Courts Data Privacy Data Collection / Aggregation

  • Treasury establishes data hub to assist with climate-risk assessments

    Federal Issues

    On July 28, the U.S. Department of Treasury’s Office of Financial Research (OFR) announced the establishment of the Climate Data and Analytics Hub pilot, which will be used to help financial regulators assess risks to financial stability due to climate change. According to the announcement, the Climate Data and Analytics Hub permits participants to integrate data from across the federal government, including wildfire, crop condition, precipitation, and other climate-related data, with their public supervisory data for a more precise view of the relationship between climate change and financial stability risk. Additionally, it is “equipped with statistical and visualization applications that will allow deeper insight into climate-related financial risks and vulnerabilities.” Access to the pilot is initially limited to the Federal Reserve Board of Governors and the Federal Reserve Bank of New York, with the goal of expanding access to all of the Financial Stability Oversight Council member agencies. The OFR also released a Fact Sheet, which provides more information on the Climate Data and Analytics Hub.

    Federal Issues Department of Treasury Data Climate-Related Financial Risks

  • House committee advances comprehensive consumer privacy bill

    Privacy, Cyber Risk & Data Security

    On July 20, the U.S. House Committee on Energy and Commerce voted 53-2 to send H.R. 8152, the American Data Privacy and Protection Act, to the House floor. As previously covered by a Buckley Special Alert, a draft of the bill was released in June that would, among other things, require companies to collect the least amount of data necessary to provide their services, implement special protections for minors, and allocate enforcement responsibilities to the FTC. The bill has been revised from its initial draft to allow consumers to bring lawsuits, after notifying certain state and federal regulators, beginning two years after the law takes effect, rather than the four-year waiting period proposed in the draft. Additionally, the current patchwork of five state privacy laws would be preempted, although under the revised bill California’s new privacy agency would be allowed to enforce the federal law. The revised bill also includes a provision that narrows the scope of the algorithmic impact assessments required of large data holders to focus on algorithms that pose a “consequential risk of harm.” The revised bill further expands the definition of “sensitive data” to include browsing history, race, ethnicity, religion, and union membership, and it sets a tiered system of responsibility, depending on company size, for data relating to people under 17.

    Privacy, Cyber Risk & Data Security U.S. House Data Data Collection / Aggregation American Data Privacy and Protection Act Federal Legislation

  • CFPB outlines regulatory flexibility related to Covid-19

    Federal Issues

    On March 26, the CFPB announced several regulatory flexibility measures to help financial companies work with consumers affected by Covid-19. Specifically, the measures postpone certain industry data collections under Bureau-related rules. These include:

    • HMDA. Quarterly information reporting by certain mortgage lenders as required under HMDA and Regulation C will not be expected during this time. However, entities should continue collecting and recording HMDA data in anticipation of making annual submissions. Entities will be provided information by the Bureau on when and how to commence new quarterly HMDA data submissions. (See statement here.)
    • TILA. During this time, annual submissions required under TILA, Regulation Z, and Regulation E “concerning agreements between credit card issuers and institutions of higher education; quarterly submission of consumer credit card agreements; collection of certain credit card price and availability information; and submission of prepaid account agreements and related information” will not be expected. (See statement here.)
    • Section 1071. A survey seeking information from financial institutions on the cost of compliance in connection with pending rulemaking on Section 1071 of the Dodd-Frank Act has been postponed. As previously covered by InfoBytes, under the terms of a stipulated settlement resolving a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071, the Bureau agreed to outline a proposal for collecting data and studying discrimination in small-business lending.
    • PACE Financing. A survey of firms providing Property Assessed Clean Energy (PACE) financing to consumers for the purposes of implementing Section 307 of the Economic Growth, Regulatory Relief, and Consumer Protection Act has been postponed.
    • Supervision and Enforcement. The Bureau’s policy statement provides “that it does not intend to cite in an examination or initiate an enforcement action against any entity for failure to submit to the Bureau” specified information related to credit card and prepaid accounts. However, the Bureau’s announcement advises entities to “maintain records sufficient to allow them to make delayed submissions pursuant to Bureau guidance.” With respect to operational challenges facing institutions due to Covid-19, the Bureau states that it will work with institutions when scheduling examinations and other supervisory activities to minimize disruption and burden. “[W]hen conducting examinations and other supervisory activities and in determining whether to take enforcement action, the Bureau will consider the circumstances that entities may face as a result of the [Covid-19] pandemic and will be sensitive to good-faith efforts demonstrably designed to assist consumers,” the announcement states.

    Federal Issues CFPB Agency Rule-Making & Guidance Data Collection / Aggregation Mortgages Data HMDA Credit Cards Prepaid Cards TILA Dodd-Frank PACE Programs Examination Supervision Consumer Finance Covid-19

  • Global technology companies testify before Senate Commerce Committee on need for federal consumer data privacy legislation

    Privacy, Cyber Risk & Data Security

    On September 26, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Examining Safeguards for Consumer Data Privacy” to discuss whether federal lawmakers should write a broad federal online privacy law in the wake of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, which was amended on September 23. Committee Chairman Senator John Thune noted that the September 26 hearing was the first in a series of hearings the Committee plans to hold on consumer data privacy concerns. Testifying before the Committee were executives representing six global technology and telecommunications companies, all of whom agreed that federal consumer privacy safeguards are needed to give consumers more control over the way their data is used. The witnesses also supported further discussions with the Committee regarding the FTC’s enforcement powers under its current authority, to determine whether the agency needs more resources and tools to carry out its responsibilities effectively. However, the witnesses cautioned that Congress needed to strike an appropriate balance between industry accountability and giving government agencies unchecked power. The witnesses also voiced their opposition to proposed legislation that would require businesses to notify consumers of data breaches within 72 hours of their discovery.

    Among other things, the hearing also addressed: (i) GDPR compliance burdens; (ii) the need for federal privacy laws to preempt the growing “patchwork” of inconsistent state laws; (iii) pitfalls of mandatory opt-in requirements for consumers; (iv) data use transparency and mandatory disclosures; and (v) efforts undertaken by companies to monitor violations of the Children’s Online Privacy Protection Act, particularly with respect to both in-house and third-party apps offered by several of the witnesses’ companies.

    Privacy/Cyber Risk & Data Security U.S. Senate Data
