InfoBytes Blog

Financial Services Law Insights and Observations

  • White House orders DOJ and CFPB to better protect citizens’ sensitive personal data

    Privacy, Cyber Risk & Data Security

    On March 1, the White House released Executive Order 14117 (E.O.) titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” to issue safeguards for Americans’ private information. The E.O. was preceded by the White House’s Fact Sheet, which included provisions to protect Americans’ data on their genomic and biometric information, personal health, geolocation, and finances, among others. The E.O. described how this data can be used by nefarious actors such as foreign intelligence services or companies and could enable privacy violations. Under the E.O., President Biden ordered several agencies to act but primarily called on the DOJ. The president directed the DOJ to issue regulations on protecting Americans’ data from being exploited by certain countries. The White House also directed the DOJ to issue regulations to protect government-related data, specifically citing protections for geolocation information and information about military members. Lastly, the DOJ was directed to work with DHS to prevent certain countries’ access to citizens’ data through commercial means and the CFPB was encouraged to “[take] steps, consistent with CFPB’s existing legal authorities, to protect Americans from data brokers that are illegally assembling and selling extremely sensitive data, including that of U.S. military personnel.”

    A few days before, the DOJ released its fact sheet detailing its proposals to implement the White House’s E.O., focusing on national security risks and data security. The fact sheet highlighted that our current laws leave open lawful access to vast amounts of Americans’ sensitive personal data that may be purchased and accessed through commercial relationships. In response to the E.O., the DOJ plans to release future regulations “addressing transactions that involve [Americans’] bulk sensitive data” that pose a risk of access by countries of concern. The countries of concern include China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The DOJ will also release its Advance Notice of Proposed Rulemaking (ANPRM) to provide details of the proposal(s) and to solicit comments.

    Privacy, Cyber Risk & Data Security Federal Issues Department of Justice CFPB Executive Order Department of Homeland Security White House Big Data China Russia Iran North Korea Cuba Venezuela

  • U.S. Attorney General taps professor to lead new technology-focused roles

    Fintech

    On February 22, the U.S. Attorney General, Merrick B. Garland, announced that he tapped Jonathan Mayer to head the DOJ’s first Chief Science and Technology Advisor and Chief Artificial Intelligence (AI) Officer roles. The roles are housed in the DOJ’s Office of Legal Policy, which is developing a team of technical and policy experts in technology-related areas important to the Department’s responsibilities. These topics include cybersecurity and AI, with the aim to advise leadership and collaborate with other components across the Department and with federal partners on cutting-edge technological issues. As the first Chief Science and Technology Advisor, Mayer will contribute technical expertise on cybersecurity, AI, and emergent technology matters.

    The Chief AI Officer role was created pursuant to a presidential executive order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. In this role, Mayer will work on intra-departmental and cross-agency efforts on AI and adjacent issues, and he will also lead the Justice Department’s newly established Emerging Technology Board, which coordinates and governs AI and other emerging technologies across the Department.

    Mayer has a PhD in computer science from Stanford University and a J.D. from Stanford Law School. Mayer is an assistant professor at Princeton University’s Department of Computer Science and School of Public and International Affairs where his research is focused on the intersection of technology, policy, and law with an emphasis in criminal procedure, national security, and consumer protection.

    Fintech Department of Justice Artificial Intelligence

  • DOJ and FTC find UDAPs in handling of women’s health data

    Federal Issues

    On June 23, the DOJ and FTC announced the government has obtained substantial injunctive relief, and that the department will collect $100,000 in civil penalties, from an Illinois-based healthcare corporation pursuant to a stipulated federal court order. In the complaint, the United States claimed that the corporation violated Section 5 of the FTC Act by engaging in unfair and deceptive acts in connection with its period and ovulation tracking mobile app. The government alleged that the corporation shared consumers’ persistent identifiers and sensitive personal information with third-party companies without user notice or consent. Additionally, the corporation allegedly failed to disclose how those third-party companies would use consumers’ personal information. The complaint also alleges the corporation failed to take “reasonable measures” surrounding data and privacy risk when it integrated third-party software into the mobile application, and that it violated the HBNR.

    The order entered by the court requires that the corporation: (i) “implement a comprehensive privacy and data security program with safeguards to protect consumer data”; (ii) “hire an independent third-party to regularly assess its compliance with the privacy program for a period of 20 years”; (iii) “[is] enjoined from sharing health information with third-parties for advertising purposes, from sharing health information with third-parties for other purposes without obtaining users’ affirmative express consent, and from making misrepresentations about [the corporation’s] privacy practices”; and (iv) comply with the HBNR’s notification provisions in any future breach of security.

    Federal Issues Courts Privacy, Cyber Risk & Data Security Department of Justice FTC FTC Act Consumer Protection

  • Property manager settles with DOJ on SCRA violations

    Federal Issues

    On June 13, the DOJ announced a settlement with a property management company resolving allegations that it charged nine servicemembers early termination fees after receiving military orders to relocate, in violation of the Servicemembers Civil Relief Act (SCRA) (see DOJ complaint here). The SCRA affords protections to servicemembers who terminate a lease upon entering military service or receiving military orders to relocate, and prohibits landlords from imposing early termination charges on such servicemembers. Under the terms of the proposed consent order, the defendant will be required to pay $51,587 to the servicemembers and an additional $22,500 civil penalty. The DOJ also noted that the company must repair the servicemembers’ tenant database entries, implement new policies and procedures that comply with the SCRA, and train its employees on the SCRA.

    Federal Issues Department of Justice SCRA Servicemembers Enforcement Consumer Finance

  • Custody bank to pay $115 million to end overbilling investigation

    Courts

    On May 13, a Massachusetts-based custody bank entered into a deferred prosecution agreement (agreement) with the DOJ related to a criminal indictment for a single count of conspiracy to commit wire fraud. According to the DOJ’s press release, the bank acknowledged that, from at least 1998 through 2015, it, along with eight co-conspirator bank executives (collectively, “defendants”), defrauded clients of more than $290 million by charging hidden markups to out-of-pocket (OOP) expenses “on top of fees that the clients had agreed to pay the bank, and despite written agreements that caused clients to believe the expenses would be passed through to them without a markup.”

    Under the terms of the agreement, the bank agreed to (i) pay a $115 million monetary penalty; (ii) continue to cooperate with the U.S. Attorney’s Office; (iii) enhance its compliance practices; and (iv) hire an independent compliance and business ethics monitor for two years. The DOJ credited the bank for (i) voluntarily disclosing its misconduct; (ii) cooperating with the DOJ’s investigation; (iii) undertaking remedial measures to enhance its compliance program and to ensure consequences for individuals and business units involved in the misconduct; (iv) reimbursing affected clients for the overbilled amounts; and (v) previously paying $88 million in civil money penalties to the SEC and $8.575 million in civil penalties to state regulators.

    Courts Fees Department of Justice Indictment Wire Fraud

  • OFAC sanctions Mexican cartel members and facilitator

    Financial Crimes

    On May 12, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to the Foreign Narcotics Kingpin Designation Act against a commander and his organization responsible for facilitating drug trafficking between Mexico and the U.S. OFAC also designated six other individuals and one entity as Specially Designated Narcotics Traffickers pursuant to the Kingpin Act for their connections to the organization. Director of OFAC Andrea Gacki noted that the sanctioned organization “help[s] fuel our nation’s opioid epidemic” and that “Treasury and our U.S. government partners, including the Drug Enforcement Administration, will continue to use every available resource to dismantle these criminal networks.” As a result of the sanctions, all property belonging to the sanctioned persons subject to U.S. jurisdiction is blocked and must be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property of blocked or designated persons.

    These sanctions against the drug trafficking cartel are the most recent efforts taken by OFAC pursuant to the Kingpin Act (covered in InfoBytes, here and here).

    Financial Crimes OFAC Department of Treasury SDN List Of Interest to Non-US Persons Mexico Sanctions OFAC Designations Department of Justice Drug Enforcement Administration Department of Homeland Security

  • OFAC reaches $2.1 million settlement with German software company

    Financial Crimes

    On April 29, OFAC announced a more than $2.1 million settlement with a Germany-based software company for 190 apparent violations of the Iranian Transactions and Sanctions Regulations. According to OFAC’s website notice, between June 2013 and January 2018, the company “authorized 13 sales of [company] software licenses, 169 sales of related maintenance services and updates, and eight sales of cloud-based subscription services.” Third-party resellers, which the company allegedly referred to as “pass-through entities” in Turkey, the United Arab Emirates (UAE), Germany, and Malaysia, sold the software licenses and related maintenance services and updates, OFAC noted.

    In arriving at the settlement amount, OFAC considered various aggravating factors, including that the company (i) demonstrated reckless disregard and failed to exercise sufficient caution or care for U.S. economic sanctions by failing to act on audit findings regarding sanction risk or warnings from compliance, and by ignoring whistleblower complaints; (ii) failed to have an adequate compliance program for a company of its size; (iii) had information to conclude that the software and cloud services were being utilized by entities and end-users in Iran and were supported from the US; and (iv) “is a sophisticated software company with significant international operations and has numerous foreign subsidiaries.”

    OFAC also considered various mitigating factors, including that the company (i) cooperated with OFAC’s investigation; (ii) has undertaken remedial measures, including terminating the users connected to the third-country entities, the partners who participated in the sales to Iranian companies, and five employees who were found to have “knowingly engaged in the sale of. . . products to Iran”; (iii) has prohibited downloads of software, support, and maintenance from embargoed countries; (iv) implemented a risk-based export control framework for partners that requires a stringent review of proposed sales by a third-party auditor; (v) created an upgraded compliance program; and (vi) hired new employees responsible for export control and trade sanctions compliance.

    Separately, the DOJ announced that the company agreed to pay an $8 million fine and entered into a Non-Prosecution Agreement as a result of its voluntary disclosure to the DOJ and “extensive cooperation and strong remediation.” Pursuant to the agreement, the company “will disgorge $5.14 million of ill-gotten gain.”

    Financial Crimes OFAC Department of Treasury Enforcement Sanctions Iran OFAC Designations Of Interest to Non-US Persons Department of Justice Settlement

  • FTC brings first action under Covid-19 Consumer Protection Act

    Federal Issues

    On April 15, the FTC announced a civil complaint filed by the DOJ on its behalf, against a St. Louis-based company and its owner for violating the Covid-19 Consumer Protection Act and the FTC Act by making deceptive marketing health claims about their products. (See also DOJ press release here.) This is the first action the FTC has brought under the new law, which makes it unlawful under Section 5 of the FTC Act “for any person, partnership, or corporation to engage in a deceptive act or practice in or affecting commerce . . . that is associated with the treatment, cure, prevention, mitigation, or diagnosis of COVID–19” or “a government benefit related to COVID–19.” The FTC’s complaint alleges that the defendants deceptively marketed their products as being an effective treatment for Covid-19 based on the results of certain scientific studies, even though they “lacked any reasonable bases” for their claims. According to the FTC’s announcement, the defendants also allegedly advertised—without scientific support—that their products were equally, or more, effective than the currently available vaccines. The FTC seeks an injunction against the defendants, along with monetary penalties and other civil remedies to prevent harm caused by the defendants’ misrepresentations.

    Federal Issues FTC Department of Justice UDAP Deceptive Enforcement Consumer Protection Covid-19 Consumer Protection Act

  • DOJ charges unlicensed money service business with AML violations

    Federal Issues

    On April 14, the DOJ unsealed an indictment charging two defendants with allegedly failing to maintain anti-money laundering (AML) controls, failing to file suspicious activity reports (SARs) with the Department of Treasury, and owning and operating an unlicensed, unregistered money transmitting business in violation of the Bank Secrecy Act (BSA). According to the DOJ, the defendants allegedly conducted high-risk transactions through their unlicensed money transmitting and money service business via a New York credit union, “caus[ing] the transfer of more than $1 billion in high-risk transactions, including hundreds of millions of dollars originating from foreign jurisdictions.” The DOJ alleged that while the defendants represented to financial institutions that they were aware of the risks associated with the high-risk business and would conduct the required, appropriate BSA/AML oversight, one of the defendants “willfully failed to implement and maintain the requisite [AML] programs or conduct oversight required to detect, identify, and report suspicious transactions.” The defendants have been charged with failure to maintain an AML program, failure to file SARs, and operating an unlicensed money transmitting business. The indictment seeks forfeiture of any property constituting, or derived from, proceeds obtained directly or indirectly as a result of the alleged offenses.

    Federal Issues Department of Justice Bank Secrecy Act Anti-Money Laundering Of Interest to Non-US Persons SARs Money Service / Money Transmitters Financial Crimes
