Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 12, the FCC announced that it had circulated among FCC staff a notice of proposed rulemaking (NPRM) to strengthen the rules for notifying consumers and federal law enforcement of breaches of customer proprietary network information. According to the FCC, the NPRM “would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors,” and “further advances the FCC’s efforts to ensure its rules keep pace with evolving cybersecurity threats and to protect consumers in the face of today’s challenges.” The NPRM outlines certain updates to current FCC rules that address telecommunications carriers’ breach notification requirements, including: (i) “[e]liminating the current seven business day mandatory waiting period for notifying customers of a breach”; (ii) “[e]xpanding customer protections by requiring notification of inadvertent breaches”; and (iii) “[r]equiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.” The NPRM solicits feedback regarding whether the FCC should require customer breach notices to include specific categories of information “to help ensure they contain actionable information useful to the consumer.” According to FCC Chairwoman Jessica Rosenworcel, current laws “need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.”
On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 million and $68 million USD respectively) for failure to comply with the French Data Protection Act in relation to the companies’ processes for managing cookies. (See additional press releases here and here.) According to the CNIL, the companies provide a button allowing users to immediately accept cookies but do not provide an equivalent option allowing users to refuse the cookies with a single click. This process, the CNIL stated, “influences [a user’s] choice in favor of consent” since a user “cannot refuse the cookies as easily as they can accept them,” and constitutes an infringement of Article 82 of the French Data Protection Act. In addition to the fines, the CNIL gave the companies three months “to provide […] users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” Failure to comply carries the risk of an additional penalty of 100,000 euros per day of delay.
On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily relieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances”). The amended complaint contends that the ordinances “create an unconstitutional, privacy-infringing, data-disclosure requirement pursuant to which third-party food-ordering and delivery platforms. . . must divulge, against their will, sensitive, proprietary customer information,” including full names, phone numbers, email addresses, delivery addresses, and order contents, to New York City restaurants “regardless of whether that restaurant maintains any security infrastructure, and regardless of whether the customer has expressly consented to their personal information being so shared.” According to the plaintiffs, the ordinances “state that customers are presumed to have consented to this dangerous flow of their information unless they specifically opt out for each and every order they place, contrary to the common view that opt-out requests should be valid for at least several months.” The plaintiffs allege, among other things, that the ordinances are preempted by New York State’s Right of Privacy and violate the delivery app companies’ First Amendment rights.
Notably, while New York City “has agreed to stay enforcement of the Challenged Laws pending final determination by this Court resolving, or disposing of, this action in exchange for Plaintiff’s agreement not to file a motion for a preliminary injunction,” the stipulation and order is not an indefinite agreement to stop enforcement of the ordinances.
On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, was exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying patients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and to identify potential threats; the AG alleged that the defendants failed to take these measures. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”
On December 13, the New Mexico attorney general announced a settlement resolving two federal court cases filed against a multinational technology company, both of which raised allegations under the federal Children’s Online Privacy Protection Act (COPPA) and state consumer protection laws. According to one complaint, the company allegedly violated COPPA and the New Mexico Unfair Practices Act by collecting the personal information of minors and mining student emails in connection with the use of the company’s educational tools. The separate complaint alleged, among other things, that the company’s mobile ad platform permitted a third-party game developer to collect the personal data of minors without “verifiable parental consent.” According to the AG, under the terms of the settlement the company must, among other things: (i) fund a new initiative to promote education, privacy, and safety for children across New Mexico and work with the AG to identify recipients of these funds; (ii) “provide school administrators with tools to protect minor students from improper collection of their personal data, including age-based access settings to ensure that minor children’s data is protected from unauthorized collection and disclosure”; (iii) monitor app developers that mislabel their child-directed apps; and (iv) require apps to implement age screening measures that ensure these apps do not collect information from children.
According to sources, the President of the Luxembourg Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s General Data Protection Regulation (GDPR). As previously covered by InfoBytes, the CNPD fined the corporation 746 million euros (approximately $888 million USD), issuing a decision against the corporation’s European headquarters and claiming that the corporation’s “processing of personal data did not comply with the [GDPR].” The decision, which required corresponding changes to the corporation’s practices (the details of which were not disclosed), followed an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure that European consumer data is not manipulated for commercial or political purposes. The December ordinance suspends orders that required the corporation to make a number of changes to its data processes by January 15 or risk additional daily fines. Sources stated that the CNPD’s order “had not been formulated in clear, precise and free of uncertainty terms” that would allow the corporation to meet the conditions. The corporation’s appeal is still pending.
On December 10, the FTC published a statement disclosing its regulatory priorities for 2022. Among other things, the statement highlights: (i) newly initiated and upcoming periodic reviews of rules and guides; (ii) ongoing periodic reviews of rules and guides; (iii) proposed rules; and (iv) final actions. According to the plan, the FTC “will consider developing both unfair methods-of-competition rulemakings as well as rulemakings to define with specificity unfair or deceptive acts or practices.” The FTC noted that consumers face many pressing issues in the modern economy, such as the “abuses stemming from surveillance-based business models,” which also threaten competition. “The Commission is considering whether rulemaking in this area would be effective in curbing lax security practices, limiting intrusive surveillance, and ensuring that algorithmic decision-making does not result in unlawful discrimination.” The plan further explains that the FTC will “explore whether rules defining certain ‘unfair methods of competition’ prohibited by section 5 of the FTC Act would promote competition and provide greater clarity to the market.” According to the dissenting statement by FTC Commissioner Christine S. Wilson, however, the plan takes “a big step into uncharted waters” with this latter statement, given the breadth of potential rulemakings and the lack of clarity on which areas the FTC would pursue. Wilson’s view is that many existing rules “should be abolished” rather than new rules issued.
Recently, the Financial Stability Board (FSB) issued a survey requesting stakeholder feedback on “how existing national and regional data frameworks interact with and affect the functioning, regulation and supervision of cross-border payment arrangements,” in addition to feedback on issues concerning the cross-border use of these data frameworks by national authorities and the private sector. Data frameworks within the survey’s scope include those concerning data access; data privacy, security, or storage; requirements for data retention; and multilateral or bilateral trade agreements covering the use and sharing of data across borders. Among other things, the survey seeks information on (i) ways national and regional data frameworks affect the costs and speed of delivering payments, as well as access and transparency; (ii) potential barriers to cross-border data use; (iii) areas of improvement for overcoming barriers in data frameworks; (iv) whether one jurisdiction’s data framework can affect the provision or supervision of cross-border payment services offered in other jurisdictions; and (v) whether particular payment corridors (especially those involving emerging markets) face specific challenges related to data frameworks. The survey also requests information on the implementation of international standards from the FSB and other standard-setting bodies, “if not included as part of formal, domestic data frameworks,” and “[o]ther international efforts, arrangements, or agreements that jurisdictions may implement in their domestic data frameworks or that may affect cross-border data flows.” The survey will close on January 14, 2022.
On December 9, NYDFS updated its FAQs regarding 23 NYCRR Part 500, which establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on 23 NYCRR Part 500 here.) New FAQ 41 addresses whether covered entities should use a cyber assessment framework as part of the risk assessment process required by Sections 500.9 and 500.2(b). NYDFS clarified that while it “does not require a specific standard or framework for use in the risk assessment process,” it expects covered entities “to implement a framework and methodology that best suits their risk and operations.” Commonly employed frameworks cited by NYDFS include the FFIEC Cybersecurity Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.
- Jonice Gray Tucker to discuss “Be Your Compliance Best in 2022” at the California Mortgage Bankers Association webinar
- Lauren R. Randell to discuss “Significant legal developments in the Northeast” at the 37th Annual National Institute on White Collar Crime
- Jonice Gray Tucker to discuss “Small business & regulation: How fair lending has evolved & where it is heading?” at the Consumer Bankers Association Live program
- Jonice Gray Tucker to discuss “Regulators always ring twice: Responding to a government request” at ALM Legalweek
- Jonice Gray Tucker and Kari Hall to discuss “Equity, equality, regulation and enforcement – The evolving regulatory landscape of fair lending, redlining, and UDAAP” at the ABA Business Law Committee Hybrid Spring Meeting