Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On March 15, the FTC released its annual report highlighting the agency’s privacy and data security work in 2018. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices (covered by InfoBytes here).
- a settlement with a global online payments system company to resolve allegations that its payment and social networking service failed to adequately disclose to consumers that transfers to external bank accounts were subject to review and that funds could be frozen or removed based on a review of the underlying transaction (covered by InfoBytes here).
- a settlement with a Texas-based company over allegations that it violated the FCRA by failing to take reasonable steps to ensure the accuracy of tenant-screening information furnished to landlords and property managers (covered by InfoBytes here).
The report also highlighted the FTC’s hearings on big data, privacy, and competition conducted through its Hearings on Competition and Consumer Protection in the 21st Century initiative. (Covered by InfoBytes here and here.)
On March 5, Attorneys General from all 50 states, as well as from the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, sent a letter to the Senate Committee on Commerce, Science, and Transportation supporting a recently introduced bipartisan bill to combat illegal robocalls. Among other things, S. 151, the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), would: (i) grant the FCC three years to take action against robocall violations, instead of the current one-year window; (ii) authorize the agency to issue penalties of up to $10,000 per robocall; and (iii) require service providers to implement the FCC’s new call authentication framework. The AGs state that they “are encouraged that the TRACED Act prioritizes timely, industrywide implementation of call authentication protocols,” and note their support for an interagency working group that the bill would establish consisting of members from the DOJ, FCC, FTC, CFPB, other relevant federal agencies, state AGs, and non-federal stakeholders.
On February 14, the FCC released a notice of proposed rulemaking intended to strengthen its rules against caller ID spoofing and expand the agency’s enforcement efforts against illegal spoofed text messages and phone calls, including those from overseas. The proposed rules would enact requirements in the recently passed RAY BAUM’S Act of 2018, and expand Truth in Caller ID Act prohibitions against the transmittal of “misleading or inaccurate caller ID information (‘spoofing’) with the intent to defraud, cause harm, or wrongfully obtain anything of value” to text messages and calls to U.S. residents originating from outside the U.S.
The FCC seeks comments on the proposed rules—adopted unanimously at the agency’s February 14 meeting—on, among other things, what changes to the Truth in Caller ID rules can be made “to better prevent inaccurate or misleading caller ID information from harming consumers.” Comments will be due 60 days after publication in the Federal Register.
On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of informing potential future legislation. In a press release issued by the committee, Crapo noted, “Given the exponential growth and use of data, and corresponding data breaches, it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies.” He further stressed the importance of understanding how consumer data is compiled and protected, and how consumers are able to access and correct sensitive information. The release sought answers to five questions designed to help examine ways in which legislation, regulation, or the implementation of best practices can (i) provide consumers better control over their financial data, as well as timely data breach notifications; (ii) ensure consumers receive disclosures concerning both the type of information being collected and its purpose for collection; (iii) provide consumers control over how their data is being used—including the sharing of information by third-parties; (iv) protect consumer data and ensure the accuracy of reported information in a consumer’s credit file; and (v) allow consumers the ability to “easily identify and exercise control of data that is being . . . collected and shared” as a determining factor when establishing whether a consumer is eligible for, among other things, credit or employment.
NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions
On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update outlines the procedures covered entities must follow if the entity ceases to qualify for exemptions under Section 500.19. Covered entities who no longer qualify for an exemption will have 180 days from the end of their most recent fiscal year to comply with all applicable requirements of 23 NYCRR Part 500. NYDFS further notes that covered entities may be required to periodically refile their exemptions to ensure qualification.
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services institutions regulated by NYDFS are required to implement a cybersecurity program to protect consumer data. The last step in the implementation timeline requires covered entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such third parties. NYDFS also reminded regulated entities that the deadline to file their second certification of compliance via NYDFS’ cybersecurity portal is February 15.
Previously InfoBytes coverage on NYDFS’ cybersecurity regulation are available here.
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and security. The hearing entitled “Oversight of the Federal Trade Commission” heard from the Chairman of the FTC as well as the agency’s four commissioners. Ranking Member Senator Bill Nelson’s opening statement discussed the need for providing additional resources to the FTC in order to ensure the agency is able to perform its mandated duties and effectively protect U.S. consumers from unfair or deceptive acts or practices. The five witnesses agreed that enforcement remains a priority for the FTC and called for comprehensive consumer privacy legislation that would clarify the agency’s authority and the rules relating to data security and breach notification, while fostering competition and innovation to the benefit of consumers. Specifically, FTC Chairman Joseph Simons stated he would support federal data security legislation if it provided the following three items: (i) the ability to seek civil money penalties to effectively deter unlawful conduct; (ii) jurisdiction over nonprofits and common carriers; and (iii) broad rulemaking authority to issue implementing rules under the Administrative Procedures Act for consumer protection issues such as privacy and data security. Commissioner Rohit Chopra also emphasized the need for Congress to support the FTC’s authority under Section 13B of the FTC Act, which authorizes the FTC to seek preliminary and permanent injunctions against companies and individuals.
However, Senator Blumenthal argued that too often the FTC has “fallen short” on protecting consumer privacy, particularly in terms of enforcement and pressing challenges. According to Senator Blumenthal, big tech companies misuse their power and consent orders are not “vigorously and adequately enforced.” He argued that the FTC must have the tools and resources to establish meaningful penalties for first offenses that pose a credible deterrent and recognize state attorneys general to ensure violations are investigated and punished.
Among other things, the hearing also discussed topics addressing: (i) the FTC’s ongoing series of public hearings reexamining the agency’s approach to consumer privacy in light of changing technologies (see previous InfoBytes coverage here); (ii) federal preemption versus state-by-state laws and the risk of inconsistencies and compliance challenges; (iii) the potential use of the FTC’s Section 6B authority, which would allow requests to be sent to the tech industry to understand what data is collected from consumers and how that information is used, shared, and sold; (iv) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; (v) data minimization controls; and (vi) notice and comment rulemaking authority.
On November 13, the FTC submitted comments in response to the Department of Commerce’s National Telecommunications and Information Administration (NTIA) request for input on developing the Administration’s approach to consumer data privacy protections. In its comment letter, the FTC noted that it supported a balanced approach to privacy, weighing the risks of data misuse with the benefits of data to innovation and competition, and reiterated its support for data privacy legislation. Specifically, the FTC renewed its call for Congressional action that clarifies the FTC’s authority and the rules relating to data security and breach notification. According to the FTC, any such legislation should balance “consumers’ legitimate concerns about the protections afforded to the collection, use, and sharing of their data with business’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”
The FTC emphasized it is “uniquely situated” to balance consumers’ interest in privacy, innovation, and competition and argued it should continue to be the primary enforcer of the laws related to “information flows in the marketplace,” whether it’s under the existing or new privacy framework. The FTC noted, however, that the existing framework places a number of limitations on its powers, including (i) its lack of authority over non-profits and common carriers; (ii) its inability to levy civil money penalties; and (iii) its lack of broad rulemaking authority under the APA for consumer protection issues such as privacy and data security.
FTC to hold public hearings on consumer privacy and data security; focus will address data security enforcement program
On October 26, the FTC announced it will hold four days of public hearings in December 2018 and February 2019 to examine the Commission’s authority to deter unfair and deceptive conduct in data security and privacy matters as part of its broader series of hearings on “Competition and Consumer Protection in the 21st Century.” According to the FTC, these hearings (i) “will provide the first comprehensive re-examination of the FTC’s approach to consumer privacy since 2012,” and (ii) “will provide an opportunity to reexamine the Commission’s work in light of changing technologies, legal regimes, and business models.”
The FTC will continue to accept public comments through March 13, 2019, regarding items to be discussed at the February 2019 hearing. As previously covered by InfoBytes, a coalition of bipartisan state Attorneys General submitted a comment letter to the FTC last August requesting that they be included in the discussions regarding consumer protection during the Commission’s hearing process. Specifically, the letter emphasized the states’ “long history of protecting consumers from unfair and deceptive practices” under each state’s consumer protection authority, and noted consumers’ concerns over personal information and data security.
On October 25, NYDFS provided a new update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in Infobytes, as were the last updates in February, March, and August.
The new update states that when a covered entity uses an independent “Utilization Review” agent (UR agent) who receives nonpublic information, the covered entity should treat the UR agent as a third-party service provider in order to properly assess and address any potential risks to their data and systems. NYDFS emphasizes that covered entities bear the responsibility for these protections.
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Daniel P. Stipano to discuss "The state of the BSA 2019: What’s working, what’s not, and how to improve it" at the West Coast Anti Money-Laundering Forum
- Buckley Webcast: The future of the Community Reinvestment Act
- Hank Asbill to discuss "Creative character evidence in criminal and civil trials" at the Litigation Counsel of America Spring Conference & Celebration of Fellows
- Buckley Webcast: Amendments to the CFPB's proposed debt collection
- Brandy A. Hood to discuss "Flood NFIP in the age of extreme weather events" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "UDAAP compliance" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Major state law developments" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Leveraging big data responsibly" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "State examination/enforcement trends" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Benjamin K. Olson to discuss "LO compensation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- APPROVED Webcast: State and SAFE Act licensing requirements for banks
- John C. Redding to discuss "TCPA compliance in the era of mobile" at the Auto Finance Risk Summit
- Buckley Webcast: The next consumer litigation frontier? Assessing the consumer privacy litigation and enforcement landscape in 2019 and beyond
- Buckley Webcast: Data breach litigation and biometric legislation
- Buckley Webcast: Trends in e-discovery technology and case law
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Douglas F. Gansler to discuss "Role of state AGs in consumer protection" at a George Mason University Law & Economics Center symposium