
InfoBytes Blog

Financial Services Law Insights and Observations


  • California AG Issues Mobile Application Privacy Recommendations

    Fintech

    On January 10, California Attorney General Kamala Harris (AG) issued recommended privacy practices for mobile application developers, mobile application platform providers, mobile advertising networks, operating system developers, and mobile carriers. The AG recommends a “surprise minimization” approach, which could include measures to (i) avoid collecting personally identifiable data that are not needed for basic functionality, (ii) make an app’s general privacy policy easy to understand and available before download, and (iii) supplement a legally required general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an application’s basic functionality or that involve sensitive information.  Supplemental policies could include “special notices” delivered in context and “just-in-time,” or short privacy statements made readily available within an application and that highlight potentially unexpected practices and allow users to make privacy choices. The issuance of the recommendations is the latest action by the AG as part of a broader privacy initiative and follows the state’s first mobile application privacy suit filed last month.

    State Attorney General Mobile Commerce Privacy/Cyber Risk & Data Security

  • California Federal District Court Dismisses Privacy Class Action for Lack of Injury

    Fintech

    On December 28, the U.S. District Court for the Northern District of California dismissed a putative class action alleging that Google Inc.’s privacy policy violates the federal Wiretap Act and state consumer protection statutes. In re Google, Inc. Privacy Policy Litig., No. 12-01382, 2012 WL 6738343 (N.D. Cal. Dec. 28, 2012). The plaintiffs allege that Google’s universal privacy policy, which applies across its various products and allows Google to aggregate, store, and cross-reference certain personal information collected across those products, violates consumer privacy rights by allowing the company to collect information from one product where the consumer has an expectation of privacy, and use that information to, for example, target advertising to the consumer in other products. The court held that no precedent exists in the Ninth Circuit or any other appellate court to allow claims to proceed based on only the alleged unauthorized disclosure of personal information, let alone such disclosure of information by the defendant to itself, as is the case here. The court also held that the plaintiffs failed to support their claims under the federal Wiretap Act that a provider can intercept information when such information already is in its possession, particularly given that the Act excludes the provider’s own equipment from the definition of device. The court found that the plaintiffs had failed to plead sufficient injury to establish standing, and dismissed the plaintiffs’ claims with leave to amend.

    Privacy/Cyber Risk & Data Security

  • FDIC Supervisory Insights Focuses on Mobile Payments and High-Yield Checking

    Fintech

    On December 17, the FDIC published the Winter 2012 issue of Supervisory Insights. The two featured articles focus on mobile payments and high-yield checking. In “Mobile Payments: An Evolving Landscape,” FDIC staff (i) review mobile payment technology, (ii) provide guidance regarding understanding and managing risks, and (iii) include a chart explaining the applicability of various federal laws to mobile payments. The article states that, going forward, non-bank mobile payment providers may start to capture greater market share from financial institutions and alter bank/customer relationships. The article describes the potential for banks to gradually be pushed out of the payment transaction, and identifies potential impacts of such disintermediation, including loss of access to key customer data. A second article, “High-Yield Checking Accounts: Know the Rules,” reviews the features of high-yield checking accounts and identifies problematic disclosures that may accompany their promotion. The article identifies what examiners look for when examining high-yield account offerings and provides best practices for banks.

    FDIC Mobile Commerce Mobile Payment Systems

  • Tenth Circuit Enforces Electronic Agreement Entered Into on an Installation Technician's Laptop

    Fintech

    On December 11, the U.S. Court of Appeals for the Tenth Circuit affirmed dismissal of plaintiffs’ claims concerning AT&T’s U-Verse services, based on forum selection and arbitration clauses in the agreements between the parties. Hancock v. Am. Tel. & Tel. Co., Inc., 11-6233, 2012 WL 6132070 (10th Cir. Dec. 11, 2012). In support of the motion to dismiss, AT&T offered declarations from its employees concerning its standard practices for entering into agreements with customers obtaining U-Verse services. Under those practices, customers purchasing U-Verse TV and Voice services agreed to terms of service (TV Terms) that included a forum selection clause. The TV Terms were provided to customers in writing by the installation technician at the time the services were installed. The customers agreed to the TV Terms by clicking on an acknowledgement and acceptance box on the technician’s laptop after being given the printed terms – the acknowledgement and acceptance stated that the customer had received and reviewed the TV Terms. Details of each acceptance were captured and stored on AT&T’s servers at the time of acceptance. Also under AT&T’s standard practices, customers purchasing U-Verse Internet Services agreed to separate terms of service (Internet Terms) during the online registration process – to complete registration, customers had to click on an “I Agree” button underneath the Internet Terms. For two of the plaintiffs, the Internet Terms included a mandatory arbitration clause at the time of registration. For another plaintiff, the mandatory arbitration clause was added after a notice of amendment, describing the new arbitration clause, was provided to the plaintiff via email. On appeal, the court held that the declarations concerning AT&T’s standard practices were admissible in evidence, and since they were not contradicted by the plaintiffs’ affidavits, the district court did not abuse its discretion by accepting the declarations as true. 
    The court went on to hold that under AT&T’s standard practices both the TV Terms and the Internet Terms were clearly presented, and that enforceable contracts were formed between the plaintiffs and AT&T. The court also concluded that the e-mail notification process used to add the arbitration clause to the Internet Terms was sufficient to make the amendment effective.

    Arbitration Electronic Signatures Tenth Circuit

  • FTC Report Urges Mobile Application Developers to Improve Disclosures, Announces Multiple COPPA Investigations

    Fintech

    On December 10, the FTC issued a staff report on the privacy disclosures and practices of mobile applications offered for children in certain online application stores. The report provides the results of an FTC survey of the disclosures and links on the promotion page in the application store, on the application developer’s website, and within the application, for hundreds of applications for children. According to the report, most mobile applications failed to give parents any information needed to determine what data is being collected from their children, how it is being shared, and with whom it is being shared. Further, the FTC states that many applications shared certain information with third parties without disclosing that fact to parents, and a number of applications contained interactive features – such as advertising, the ability to make in-application purchases, and links to social media – without disclosing these features to parents prior to download. The report also states that FTC staff is launching multiple nonpublic investigations of certain entities that may have violated the Children’s Online Privacy Protection Act (COPPA) or engaged in unfair or deceptive trade practices in violation of the FTC Act, and the FTC “strongly urges” the mobile application industry to develop and implement best practices to protect privacy, including those recommended in an FTC privacy report issued earlier this year. In a related development, on December 11, the Center for Digital Democracy filed a complaint with the FTC seeking an investigation of one firm for allegedly offering and operating a mobile application in violation of COPPA.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • California AG Files First Mobile Application Privacy Suit

    Fintech

    On December 6, California Attorney General Kamala Harris (AG) announced an enforcement action against Delta Airlines for allegedly failing to comply with the state’s Online Privacy Protection Act. This is the first action brought by the AG’s office under this law and follows other efforts by the AG’s office to require enhanced mobile privacy disclosures. In October, the AG’s office sent letters to 30 companies, including Delta, advising those entities that their mobile applications failed to comply with the state privacy law and providing them 30 days to remedy the alleged failure. The complaint alleges that since at least 2010, Delta has operated a mobile application that may be used to, for example, check in online for an airplane flight, view reservations for air travel, or rebook cancelled or missed flights. The AG claims that the Delta application collects substantial personally identifiable information but does not have a privacy policy. The suit seeks to enjoin Delta from distributing its application without a privacy policy and penalties of up to $2,500 for each violation.

    State Attorney General Mobile Commerce Privacy/Cyber Risk & Data Security

  • President, Congress Extend Cross-Border Fraud Enforcement Law

    Fintech

    On December 4, President Obama signed a bill, H.R. 6131, that extends through December 2020 a law that enhances the FTC’s ability to address cross-border fraud, and particularly to fight spam, spyware, and Internet fraud and deception. Originally passed in December 2006 and set to expire in December 2013, the U.S. SAFE WEB Act amended the FTC Act to include within the definition of "unfair or deceptive acts or practices" certain acts or practices involving foreign commerce. Further, the law authorizes the FTC to (i) disclose certain privileged or confidential information to foreign law enforcement agencies, and (ii) provide investigative assistance to a foreign law enforcement agency pursuing violations of laws prohibiting fraudulent or deceptive commercial practices or other practices substantially similar to practices prohibited by laws administered by the FTC without requiring that the conduct identified constitute a violation of U.S. laws.

    Fraud FTC

  • IRS Ready to Accept Electronic Signatures on the 4506-T

    Fintech

    Recently, the Internal Revenue Service issued Electronic Signature Requirements that will allow applicants to electronically sign and submit IRS Forms 4506-T and 4506T-EZ (4506-T) beginning January 7, 2013. IRS regulations permit taxpayers to order a tax transcript using a form 4506-T through the IRS Income Verification Express Services (IVES). Under the Requirements, IVES participants may accept and submit an electronically signed 4506-T if the electronic signature process includes: (i) a structure that places creation of the signature under the signer’s sole control; (ii) a signature technology that permits the signature to be verified, either through the use of software algorithms or forensic analysis;  (iii) the ability to establish that the signature was created by a specific individual; (iv) a signature block on the document with a symbol, logically associated with the 4506-T, that allows validation of the signer’s name against the name listed on the 4506-T; (v) a process flow or communication with the signer establishing the intent to sign and the purpose of the signature; and (vi) application of the signature in a tamper-evident manner. In addition, the process used to present and sign the 4506-T must include each of the following: (i) authentication, (ii) consent, (iii) tamper-proofing, and (iv) an audit log. Each IVES participant accepting electronically signed 4506-Ts must determine that the electronic signature process adheres to the Requirements, and must also retain a copy of each signed 4506-T and accompanying audit log for at least two years. Such participants also must implement a third-party audit program and comply with specific monthly and annual third-party audit and reporting requirements. BuckleySandler’s Electronic Signatures and Records Team has substantial experience assisting entities seeking to comply with electronic signature requirements.

    IRS Electronic Signatures

  • District Court Declines to Find Implied Contract to Adhere to Payment Industry Standards

    Fintech

    On November 20, the U.S. District Court for the Northern District of California dismissed a putative class action that claimed, among other allegations, that Google violated an implied contract to handle certain users’ credit card information in accordance with the Payment Card Industry Security Standards. Frezza v. Google, Inc., Case No. 12-CV-00237-RMW, 2012 WL 5877587 (N.D. Cal. Nov. 20, 2012). The named plaintiffs alleged that they submitted credit card information when they bought Google Tags, which display advertisements in search results as part of a promotion. The plaintiffs claim that entering their credit card information into Google’s billing system established an implied contract requiring that Google handle such information responsibly, which the plaintiffs allege is in accordance with the Data Security Standards promulgated by the Payment Card Industry Security Standards Council. The court found that Google did not make any indication that it adopted the DSS recommendations when dealing with plaintiffs, and that Google had not violated any implied contract to handle its customers’ credit card information responsibly when it retained credit card data after the plaintiffs cancelled their subscriptions to Google Tags. The court also dismissed the plaintiffs’ breach of contract claims and other claims made under California statutes.

    Credit Cards

  • Eleventh Circuit Holds Bank Security Procedure Insufficient to Provide Safe Harbor from Liability for Fraudulent Wire Transfer

    Fintech

    On November 27, the U.S. Court of Appeals for the Eleventh Circuit held that a bank may be liable for an allegedly fraudulent in-person wire transfer because it failed to implement a commercially reasonable security procedure to verify the authenticity of the wire transfer order and to detect transmission or content errors. Chavez v. Mercantil Commercebank N.A., No. 11-15804, 2012 WL 5907151 (11th Cir. Nov. 27, 2012). The plaintiff, a Venezuelan resident who opened an account at a Florida bank, elected a security procedure under the account’s Funds Transfer Agreement that provided only that the bank require written authorization by him in order to process any orders for the account. The plaintiff sued the bank for lost funds, claiming that the bank allowed an unauthorized individual to initiate a fraudulent in-person wire transfer of funds out of the account. The district court granted summary judgment in favor of the bank, holding that state law creates a safe harbor that relieves banks of liability for fraudulent payment orders if the bank and the customer agree to a commercially reasonable security procedure and the bank follows that procedure in good faith. The appellate court held that the agreed-upon security procedure was not in fact a security procedure as defined by statute. The court explained that state law disavows security procedures that require only a comparison of a signature on a payment order with an authorized specimen signature of the customer. In this case, the security procedure required written authorization, but was silent as to how the bank was to verify that authorization, i.e., it did not even require that the signature be compared to one on file. The court held that because the bank and the account holder did not agree to a security procedure, the bank could not seek safe harbor protection and reversed the district court’s order. 
    One judge dissented from the majority opinion and argued that the Funds Transfer Agreement encompassed both the required and discretionary security procedures, which, taken together, were commercially reasonable and followed in good faith, therefore affording the bank safe harbor protection.

    Fraud Remittance
