Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On November 30, the Illinois Court of Appeal for the Fourth Appellate District reversed and remanded a trial court’s decision to grant a defendant plating company’s motion for summary judgment in a Biometric Information Privacy Act (BIPA) suit. The plaintiff began working for the defendant in 2014. From the beginning of his employment, the plaintiff clocked into his job using a fingerprint, but the defendant did not have a written retention-and-destruction schedule for biometric data until 2018. The plaintiff was subsequently terminated and then filed suit claiming that the defendant violated BIPA by failing to establish a retention-and-destruction schedule for the possession of biometric information until four years after it first possessed the plaintiff’s biometric data. The trial court granted the defendant’s motion for summary judgment, finding that section 15(a) of BIPA established no time limits by which a private entity must establish a retention-and-destruction schedule for biometric data. The plaintiff appealed.
The appellate court reversed the trial court’s order, finding that Section 15(a) specified that a private entity “in possession of” biometric data must develop a written policy laying out its retention and destruction protocols, and the duty to develop a schedule is triggered by possession of the biometric data. The appellate court noted that its decision “is consistent with the statutory scheme, which imposes upon private entities the obligation to establish [BIPA]-compliant procedures to protect employees' and customers' biometric data.” The appellate court went on to note that it “can discern no rational reason for the legislature to have intended that a private entity ‘develop’ a ‘retention schedule and guidelines for permanently destroying’ (id. § 15(a)) biometric data at a different time from that specified in the notice requirement in section 15(b), which itself must inform the subject of the length of time for which the data will be stored (i.e., retained), etc.” The appellate court concluded “that the duty to develop a schedule upon possession of the data necessarily means that the schedule must exist on that date, not afterwards,” and stressed that this is “the only reasonable interpretation” in light of BIPA's “preventive and deterrent purposes.”
Furthermore, the appellate court rejected the defendant’s argument that “the statutory duty is satisfied so long as a schedule exists on the day that the biometric data possessed by a defendant is no longer needed or the parties’ relationship has ended," stating that the statutory language “belies this interpretation.”
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”
On November 22, Ranking Member James Comer (R-KY), Committee on Oversight and Reform, and Ranking Member Cathy McMorris Rodgers (R-WA), Committee on Energy and Commerce, sent a follow-up letter to a global social media company claiming it may have provided misleading or false information about its data sharing and privacy practices related to China. According to the lawmakers, the company claimed in a briefing to the committee that it does not track users’ internet data if they are not using the app, and that China-based employees cannot access U.S. users’ location-specific data—both of which appear to be “misleading at best, and at worst, false.” The lawmakers referenced reports alleging the company “clandestinely” gathers U.S. users’ sensitive internet history, and expressed concerns about statements made by employees responsible for company data that “‘it is impossible to keep data that should not be stored in [China] from being retained in [China]-based servers.’” Claiming the company has withheld information, the lawmakers are seeking additional information, including documents and communications related to the monitoring of U.S. users’ browsing data and location tracking.
On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s customers. According to the order, the plaintiffs alleged that defendant violated California's consumer protection statutes by failing to: (i) protect consumers' personal information; (ii) notify them quickly enough about the breach; and (iii) monitor its network for vulnerabilities and breaches. The order provided attorneys’ fees of $262,500, and awards of $1,250 each to the class representatives.
On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU, was commenced in April 2021 following media reports that personal data for which the company was responsible was available on the internet. According to the DPC, the inquiry focused on questions related to the company’s compliance with the GDPR’s obligation for “Data Protection by Design and Default.” Specifically, the DPC “examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept).” The decision, adopted on November 25, and agreed upon by all the other EU supervisory authorities, found that the company violated Articles 25(1) and 25(2) of the GDPR. The decision imposes a reprimand and requires the company to bring its processing into compliance by implementing several specific remedial actions within a particular timeframe. In addition, the company must pay an administrative fine of €265 million.
On November 28, the Council of the European Union (EU) announced that it adopted legislation for a new cybersecurity directive intended to improve resilience and incident response capacities across the EU by replacing the NIS, the current directive on the security of network and information systems. According to the announcement, the new directive, called NIS2, is intended “to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states.” Among other things, the directive establishes minimum rules for a regulatory framework and mechanisms for effective cooperation among relevant authorities in each member state, according to the EU. Additionally, the directive updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement. The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.
On November 17, the Massachusetts attorney general announced that a coalition of more than 30 state AGs sent a letter to the FTC urging the Commission to consider the heightened sensitivity around consumers’ medical data, biometric data, and location data, along with other dangers that arise from data brokers and the surveillance of consumers in response to the FTC’s August advanced notice of proposed rulemaking (ANPR). As previously covered by InfoBytes, in August the FTC announced the ANPR covering a wide range of concerns about commercial surveillance practices, specifically related to the business of collecting, analyzing, and profiting from information about individuals. In the letter, the AGs expressed that they share the FTC’s concern about “the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized.” The AGs noted, among other things, that many consumers are not even aware that their location information is being collected, and when a consumer wishes to disable location sharing, their options are quite limited. The coalition also urged the FTC to consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting, or other biometric technologies. The letter stated that “consumers provide this information to companies for security purposes or personal pursuits, such as to learn about their ancestry,” but are not always aware of when and how their data is collected. The AGs emphasized the persistent dangers of data brokers, and warned that data brokers profile consumers by scouring their information and use it to create profiles of certain consumers who are susceptible to certain advertising or are likely to buy certain products. In regard to data minimization, the letter emphasized that it is “vital that the Commission consider data minimization requirements and limitations.” The AGs encouraged the FTC “to examine the approach taken in the California, Colorado, Connecticut, Utah and Virginia consumer privacy laws,” and further explained that “each statute mandates that businesses tie and limit the collection of personal data to what is ‘reasonably necessary’ in relation to specified purposes.”
On November 22, the European Court of Justice (ECJ) announced a ruling invalidating a provision of the 2018 amended EU anti-money laundering directive that guaranteed public access to the beneficial ownership information of legal entities incorporated within member states. The case was referred to the ECJ by a Luxembourg court following two actions that disputed the compatibility of this directive with the beneficial owners’ fundamental right to privacy. The ECJ was asked to issue a preliminary ruling on a series of questions concerning the interpretation of “exceptional circumstances” and “disproportionate risk,” as well as the directive’s compatibility with the Charter of Fundamental Rights of the European Union (Charter) and the GDPR. Under the directive, member states are required to enter and maintain beneficial ownership information in registers that are accessible to the general public. The directive is intended to prevent the financial system from being exploited for the purposes of money laundering or terrorist financing, and requires, with limited exemptions, that member states provide information on “the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests.”
In its announcement, the ECJ said that public access to beneficial ownership information “constitutes a serious interference with the fundamental rights to respect for private life and the protection of personal data” provided in Articles 7 and 8 of the Charter. “[T]he potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated,” the ECJ wrote in the judgment, adding that “in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.”
While the ECJ found that, by the measure at issue, the EU legislature is pursuing “an objective of general interest capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective,” the “interference entailed by that measure is neither limited to what is strictly necessary nor proportionate to the objective pursued.” Additionally, the ECJ held that the amended “directive amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter” without being offset by any benefits that may result from the amended directive as compared to the previous version in terms of combating money laundering and terrorist financing. However, the ECJ did recognize that civil society and the press have a legitimate interest in accessing such information, given their role in the fight against money laundering.
On November 17, seven Democratic senators sent a letter to FTC Chair Lina Khan requesting that the Commission investigate whether recent changes made to a global social media company will impact the company’s compliance with privacy and security regulations. The senators also encouraged Khan to investigate any breach of the company’s 2011 consent order, which prohibits misrepresentation and requires the company to maintain a comprehensive information security program. The FTC was already alerted to allegations made by a former security employee concerning the company’s supposedly inadequate security practices even prior to the company’s recent acquisition, the senators said, adding that the company also previously agreed to pay a $150 million penalty to the FTC and DOJ to settle allegations that it violated the FTC Act and the 2011 consent order related to misleading claims about its privacy and security practices. (Covered by InfoBytes here.) The senators urged the FTC “to vigorously oversee its consent decree with [the company] and to bring enforcement actions against any breaches or business practices that are unfair or deceptive, including bringing civil penalties and imposing liability on individual [company] executives where appropriate.”
Separately, Senator Charles E. Grassley (R-IA) sent a letter to the company’s CEO expressing concerns with its security practices. Citing an unanswered request for information sent to the former head of security related to alleged security failures, Grassley asked the current CEO to perform a threat assessment of the company’s security protocol to ensure user data and privacy is protected and requested that findings be submitted to the Senate Judiciary Committee.
On November 15, the Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of Financial Regulators: A Strong Banking and Credit Union System for Main Street” to hear from federal financial regulators about growing risks related to bank mergers, bailouts, climate change, crypto assets, and cyberattacks, among other topics. Committee Chairman Sherrod Brown (D-OH) opened the hearing by emphasizing that Congress “must stay vigilant and empower regulators with the tools to combat these growing risks,” and said that banks and credit unions must be able to partner with third parties in a manner that enables competition but without risking consumer money. He also warned that big tech companies and shadow banks should not be allowed to “play by different rules because of special loopholes.” In his opening statement, Ranking Member Patrick J. Toomey (R-PA) challenged the regulators to “not stray beyond their mandates into politically contentious issues or establish unnecessary new regulatory burdens,” pointing to the participation of the Federal Reserve Board, FDIC, and OCC in the Network for the Greening the Financial System as an example of politicizing financial regulation.
Testifying at the hearing were the Fed’s Vice Chair for Supervision Michael S. Barr, NCUA Chair Todd M. Harper, acting FDIC Chairman Martin J. Gruenberg, and acting Comptroller of the Currency Michael J. Hsu. Cryptocurrency concerns were a primary focus during the hearing, where Toomey asked the regulators why they still have not provided public clarity on banks’ involvement in crypto activities, such as providing custody services or issuing stablecoins.
Pointing to a major cryptocurrency exchange’s recent major collapse, Toomey pressed Hsu on whether the OCC “discourages banks from providing custody services” for crypto assets. Toomey speculated, “it seems to me if people had access to custody services provided by a wide range of institutions, including regulated financial institutions, they might be able to sleep more comfortably knowing that those assets are unlikely to be used for some completely inappropriate purpose.” Answering that the OCC discourages banks from engaging in activities that are not safe, sound, and fair, Hsu acknowledged that there are underlying fundamental issues and questions about what it means to control crypto through a custody “which have not been fully worked out.” Toomey emphasized that part of the obligation rests on the OCC to provide clarity on how banks could provide these services in a safe, sound, and fair manner, and stressed that currently these activities are operating in a space outside the regulatory perimeter. Barr agreed that it would be useful for the Fed to provide guidance to banks on how to safely custody crypto assets and said it is something he plans to work on with his colleagues.
Toomy further noted that Congress’s failure “to pass legislation in this space and the failure of regulators to provide clear guidance has created ambiguity that has driven developers and entrepreneurs overseas where regulations are often lax at best.” Senator Bill Haggerty (R-TN) cautioned that lawmakers should not resort to a “heavy-handed” regulatory response to the cryptocurrency exchange’s collapse. “No amount of poorly considered, knee-jerk over-regulation here in the U.S. would have prevented a foreign-domiciled company like [the collapsed cryptocurrency exchange] from doing what it did,” Haggerty said. “The fact of the matter is that crypto, much like all of finance, isn’t beholden to a specific country or a specific legal system, and by not acting and by failing to provide legal clarity here in the United States, Congress only incentivizes activity to migrate outside of our country’s borders,” Haggerty stated, adding that it is “important to recognize that whatever happened with a bad actor running a centralized exchange and defrauding customers” has “nothing to do with the technology underpinning crypto itself.” When asked by Sen. John Kennedy (R-LA) which regulator was responsible for watching the collapsed cryptocurrency exchange, Gruenberg said “I think in the first instance, you’d probably want to engage with the market regulators, the SEC and the CFTC, to talk about the activities and the authorities in this area.”
The regulators also discussed efforts to mitigate cybersecurity risks and strengthen information security within the banking industry. Hsu stressed during the hearing that “the greatest risk is the risk of complacency,” while noting in his prepared remarks that the OCC is aware of the risks associated with cybersecurity and has “encouraged banks to stay abreast of new technology and threats.” Barr pointed to the importance of operational resilience in his prepared remarks, noting that “technology-based failures, cyber incidents, pandemics, and natural disasters,” combined with the growing reliance on third-party service providers, expose banks to a range of operational risks that are often challenging to anticipate. Harper commented in his prepared remarks that the NCUA continues to provide guidance for credit unions to reinforce their ability to withstand potential cyberattacks, and recommends that credit unions report cyber incidents to the NCUA, the FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In his prepared remarks, Gruenberg pointed to recent examination findings revealing that banks that have dedicated resources for implementing appropriate controls are better at defending against cyberattacks, and said the FDIC is “piloting technical examination aids that will help  examiners focus on the controls  found to be most effective in defending against these attacks.”
The House Financial Services Committee also held a hearing later in the week that focused on similar topics with the regulators. Chair Maxine Waters (D-CA) and Rep. Patrick McHenry (R-NC) also announced that the committee will hold a hearing in December to investigate the aforementioned cryptocurrency exchange’s collapse and understand the broader consequences the collapse may have on the digital asset ecosystem.