Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and security. The hearing entitled “Oversight of the Federal Trade Commission” heard from the Chairman of the FTC as well as the agency’s four commissioners. Ranking Member Senator Bill Nelson’s opening statement discussed the need for providing additional resources to the FTC in order to ensure the agency is able to perform its mandated duties and effectively protect U.S. consumers from unfair or deceptive acts or practices. The five witnesses agreed that enforcement remains a priority for the FTC and called for comprehensive consumer privacy legislation that would clarify the agency’s authority and the rules relating to data security and breach notification, while fostering competition and innovation to the benefit of consumers. Specifically, FTC Chairman Joseph Simons stated he would support federal data security legislation if it provided the following three items: (i) the ability to seek civil money penalties to effectively deter unlawful conduct; (ii) jurisdiction over nonprofits and common carriers; and (iii) broad rulemaking authority to issue implementing rules under the Administrative Procedures Act for consumer protection issues such as privacy and data security. Commissioner Rohit Chopra also emphasized the need for Congress to support the FTC’s authority under Section 13B of the FTC Act, which authorizes the FTC to seek preliminary and permanent injunctions against companies and individuals.
However, Senator Blumenthal argued that too often the FTC has “fallen short” on protecting consumer privacy, particularly in terms of enforcement and pressing challenges. According to Senator Blumenthal, big tech companies misuse their power and consent orders are not “vigorously and adequately enforced.” He argued that the FTC must have the tools and resources to establish meaningful penalties for first offenses that pose a credible deterrent and recognize state attorneys general to ensure violations are investigated and punished.
Among other things, the hearing also discussed topics addressing: (i) the FTC’s ongoing series of public hearings reexamining the agency’s approach to consumer privacy in light of changing technologies (see previous InfoBytes coverage here); (ii) federal preemption versus state-by-state laws and the risk of inconsistencies and compliance challenges; (iii) the potential use of the FTC’s Section 6B authority, which would allow requests to be sent to the tech industry to understand what data is collected from consumers and how that information is used, shared, and sold; (iv) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; (v) data minimization controls; and (vi) notice and comment rulemaking authority.
On November 13, the FTC submitted comments in response to the Department of Commerce’s National Telecommunications and Information Administration (NTIA) request for input on developing the Administration’s approach to consumer data privacy protections. In its comment letter, the FTC noted that it supported a balanced approach to privacy, weighing the risks of data misuse with the benefits of data to innovation and competition, and reiterated its support for data privacy legislation. Specifically, the FTC renewed its call for Congressional action that clarifies the FTC’s authority and the rules relating to data security and breach notification. According to the FTC, any such legislation should balance “consumers’ legitimate concerns about the protections afforded to the collection, use, and sharing of their data with business’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”
The FTC emphasized it is “uniquely situated” to balance consumers’ interest in privacy, innovation, and competition and argued it should continue to be the primary enforcer of the laws related to “information flows in the marketplace,” whether it’s under the existing or new privacy framework. The FTC noted, however, that the existing framework places a number of limitations on its powers, including (i) its lack of authority over non-profits and common carriers; (ii) its inability to levy civil money penalties; and (iii) its lack of broad rulemaking authority under the APA for consumer protection issues such as privacy and data security.
FTC to hold public hearings on consumer privacy and data security; focus will address data security enforcement program
On October 26, the FTC announced it will hold four days of public hearings in December 2018 and February 2019 to examine the Commission’s authority to deter unfair and deceptive conduct in data security and privacy matters as part of its broader series of hearings on “Competition and Consumer Protection in the 21st Century.” According to the FTC, these hearings (i) “will provide the first comprehensive re-examination of the FTC’s approach to consumer privacy since 2012,” and (ii) “will provide an opportunity to reexamine the Commission’s work in light of changing technologies, legal regimes, and business models.”
The FTC will continue to accept public comments through March 13, 2019, regarding items to be discussed at the February 2019 hearing. As previously covered by InfoBytes, a coalition of bipartisan state Attorneys General submitted a comment letter to the FTC last August requesting that they be included in the discussions regarding consumer protection during the Commission’s hearing process. Specifically, the letter emphasized the states’ “long history of protecting consumers from unfair and deceptive practices” under each state’s consumer protection authority, and noted consumers’ concerns over personal information and data security.
On October 25, NYDFS provided a new update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in Infobytes, as were the last updates in February, March, and August.
The new update states that when a covered entity uses an independent “Utilization Review” agent (UR agent) who receives nonpublic information, the covered entity should treat the UR agent as a third-party service provider in order to properly assess and address any potential risks to their data and systems. NYDFS emphasizes that covered entities bear the responsibility for these protections.
On October 26, the FTC announced its final approval of an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices. Specifically, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, the company failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. In April, the FTC announced it would be expanding the original settlement from August 2017 (previously covered by InfoBytes here), which covered a 2014 data breach, because it was discovered the company failed to disclose a subsequent data breach that occurred in 2016 for more than a year, despite the on-going FTC investigation of the 2014 data breach.
The expanded final settlement subjects the company to civil penalties if it fails to notify the FTC of future incidents involving unauthorized access to data. The settlement also, among other things, requires the company to implement a comprehensive privacy program, including biennial third-party privacy assessments for 20 years.
Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and what types of consumer protections should be considered in future federal legislation. Committee Chairman, Senator John Thune, opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate views from affected industry stakeholders and consumer advocates.
The consumer privacy advocate witnesses agreed there is a need for heightened consumer protections and rights, and that the time is ripe to have a debate on what a consumer data privacy law at the federal level would look like and how it would work with state level laws. However, witnesses cautioned that federal legislation should create a floor and not a ceiling for privacy that will not prevent states from passing their own privacy laws. One of the witnesses who led the effort behind the California ballot initiative that resulted in the CCPA emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify what secondary and third-party uses of data are permissible.
Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.
On September 28, the DOJ issued updated guidance originally presented the day before at a cybersecurity roundtable discussion on best practices for companies when responding to and reporting cybersecurity incidents. Officials from the DOJ, National Security Council, and the Department of Homeland Security made remarks regarding the difficulty in handling data breach investigations at the roundtable. The revised guidance, titled Best Practices for Victim Response and Reporting Cyber Incidents, addressed new issues such as creating relationships with incident response firms, cloud computing, ransomware attacks, and information-sharing with law enforcement. The DOJ further emphasized that properly assessing risk is the key to establishing effective cybersecurity priorities.
On September 26, the SEC announced a settlement with an Iowa-based broker-dealer and investment advisement company, which agreed to pay $1 million to resolve allegations that the company violated the Safeguards Rule and the Identity Theft Red Flags Rule arising out of the company’s failure to protect confidential customer information from intrusion. This is the SEC’s first enforcement action charging violations under the Rule. According to the order, intruders were able to access the company’s system by impersonating company contractors, calling the company’s support line, and requesting their passwords be reset. The intruders gained access to the company’s system that contained personally identifiable information for approximately 5,600 customers and obtained unauthorized access to account documents for three customers. The SEC identified weaknesses in the company’s cybersecurity procedures, including failure to terminate the intruders’ access even after the intrusion was flagged and failure to apply its procedures to the systems used by its independent contractors. The order takes into account remedial acts undertaken by the company, including blocking malicious IP addresses and issuing breach notices to affected customers, and requires the company to pay a $1 million penalty and retain an independent consultant to evaluate its compliance with the Safeguards Rule and the Identity Theft Red Flags Rule. The company did not admit nor deny the SEC’s findings.
Global technology companies testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On September 26, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Examining Safeguards for Consumer Data Privacy” to discuss whether federal lawmakers should write a broad federal online privacy law in the wake of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, which was amended on September 23. Committee Chairman, Senator John Thune, noted that the September 26 hearing was the first in a series of hearings the Committee plans to hold to discuss consumer data privacy concerns. Testifying before the Committee were executives representing six global technology and telecommunications companies who all agreed that there is a need for federal consumer privacy safeguards that would give consumers more control over the way their data is used. The witnesses also supported the idea of engaging in further discussions with the Committee regarding the FTC’s enforcement powers under its current authority to determine whether the agency needs more resources and tools to carry out its responsibilities effectively. However, the witnesses cautioned that Congress needed to strike an appropriate balance between industry accountability and giving government agencies unchecked power. The witnesses also voiced their opposition to proposed legislation that would require businesses to notify consumers of data breaches within 72 hours of their discovery.
Among other things, the hearing also discussed topics addressing: (i) GDPR compliance burdens; (ii) the need for federal privacy laws to preempt the growing “patchwork” of inconsistent state laws; (iii) pitfalls of mandatory opt-in requirements for consumers; (iv) data use transparency and mandatory disclosures; and (v) efforts undertaken by companies to monitor violations of the Children’s Online Privacy Protection Act, particularly with respect to both in-house and third-party apps offered by the several of the witnesses’ companies.
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:
- The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
- The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
- The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
- The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
- The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
- The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
- The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.
- Buckley Webcast: Tips for this year’s FHA annual recertification and what the shutdown means
- Jessica L. Pollet to discuss "Your career is impacting your life..." at the Ark Group Women Legal Conference
- Melissa Klimkiewicz to discuss "RESPA-compliant marketing" at NEXT
- Daniel P. Stipano to provide "Update on AML/SAR reporting and enforcement" at an Mortgage Bankers Association webinar
- Daniel P. Stipano to discuss "Dynamic customer due diligence and beneficial ownership from KYC to ongoing CDD and the new rule implementation" at the Puerto Rican Symposium of Anti-Money Laundering
- Jon David D. Langlois to discuss "Successors in interest updates" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Brandy A. Hood to discuss "Keeping your head above water in flood insurance compliance" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Melissa Klimkiewicz to discuss "Servicing super session" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Moorari K. Shah to provide "Regulatory update – California and beyond" at the National Equipment Finance Association Summit
- Daniel P. Stipano to discuss "Lessons learned from ABLV and other major cases involving inadequate compliance oversight" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "A year in the life of the CDD final rule: A first anniversary assessment" at the ACAMS International AML & Financial Crime Conference