InfoBytes Blog

Financial Services Law Insights and Observations

  • Healthcare clearinghouse settles for $1.4M over data breach

    Privacy, Cyber Risk & Data Security

    On October 17, a healthcare clearinghouse reached a $1.4 million settlement with a coalition of 33 state attorneys general for allegedly exposing the protected health information of approximately 1.5 million consumers. As a health care clearinghouse, the company facilitates transactions between health care providers and insurers. The states began investigating the company in 2019, when the U.S. Department of Health and Human Services discovered that personal health information maintained by the company was available through search engines, which appeared to be the result of a coding error by the company. According to the states, after the company was alerted to the breach, it delayed notification to impacted customers for over three months and sent notices to impacted consumers that were vague and confusing. Under the settlement, in addition to the $1.4 million payment, the company agreed to overhaul its data security and breach notification practices. The multistate coalition was led by the Indiana Attorney General’s Office.

    Privacy, Cyber Risk & Data Security Data Breach State Attorney General Settlement Indiana

  • CFPB proposes rule to accelerate a shift toward open banking

    Agency Rule-Making & Guidance

    On October 19, the CFPB announced a proposed rule that it said would accelerate a shift toward open banking, would give consumers more control over their financial data, and would offer new protections against companies misusing consumer data. The proposed Personal Financial Data Rights rule activates a dormant provision of law enacted by Congress more than a decade ago, Section 1033 of the Consumer Financial Protection Act. According to the CFPB, the rule would “jumpstart competition” by prohibiting financial institutions from “hoarding” a person’s data and requiring companies to share data with other companies at the consumer’s direction about their use of checking and prepaid accounts, credit cards, and digital wallets. This would allow consumers to access competing products and services while ensuring that their data would be used only for their own preferred purpose. Among other things, the proposed rule would ensure that consumers: (i) can obtain their personal financial data at no cost; (ii) have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts; and (iii) can walk away from bad service. Comments on the proposed rule must be received on or before December 29, 2023.

    Agency Rule-Making & Guidance Federal Issues CFPB Consumer Protection Privacy, Cyber Risk & Data Security Open Banking

  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose new regulations on data brokers by allowing consumers to request the deletion of the personal data collected about them. The Act directs the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism,” a streamlined method for consumers to delete their collected information, which must be available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during their yearly registration, including: (i) whether they collect the personal information of minors; (ii) whether they collect consumers’ precise geolocation; (iii) whether they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on their website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to honor a deletion request face a penalty of $200 per day for each day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.


    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • California enacts two privacy bills AB 1194 and AB 947

    State Issues

    On October 8, the California governor signed two bills: AB 947, amending the California Consumer Privacy Act of 2018, and AB 1194, amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” businesses are obligated to comply with the CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. The CPRA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business’s obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person’s life or physical well-being.

    AB 947 is effective January 1, 2024, and AB 1194 is effective July 1, 2024.

    State Issues Privacy, Cyber Risk & Data Security State Legislation CPRA CCPA Consumer Protection

  • Software provider settles allegations related to data breach

    Privacy, Cyber Risk & Data Security

    On October 5, a software provider serving nonprofit fundraising entities agreed to pay almost $50 million to settle claims with 49 states and the District of Columbia alleging that the provider maintained insufficient data security measures and responded inadequately to a 2020 data breach. Specifically, the settlement resolved claims that the software provider violated state consumer protection laws, breach-notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).

    According to the allegations, the data breach exposed donor information, including Social Security numbers and financial records, of over 13,000 nonprofit groups and organizations, and the provider waited two months before informing these clients of the breach.

    The settlement requires the provider to improve its cybersecurity protections and breach notification procedures.

    Earlier this year, the software provider also settled claims with the SEC for $3 million to address allegations of misleading disclosures relating to the same 2020 data breach.


    Privacy, Cyber Risk & Data Security SEC Data Breach HIPAA Consumer Protection Settlement

  • OCC releases bank supervision operating plan for FY 2024

    On September 28, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2024. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) asset and liability management; (ii) credit; (iii) allowances for credit losses; (iv) cybersecurity; (v) operations; (vi) digital ledger technology activities; (vii) change in management; (viii) payments; (ix) Bank Secrecy Act/AML compliance; (x) consumer compliance; (xi) Community Reinvestment Act; (xii) fair lending; and (xiii) climate-related financial risks.

    Two of the top areas of focus are asset and liability management and credit risk. In its operating plan the OCC says that “Examiners should determine whether banks are managing interest rate and liquidity risks through use of effective asset and liability risk management policies and practices, including stress testing across a sufficient range of scenarios, sensitivity analyses of key model assumptions and liquidity sources, and appropriate contingency planning.” With respect to credit risk, the OCC says that “Examiners should evaluate banks’ stress testing of adverse economic scenarios and potential implications to capital” and “focus on concentrations risk management, including for vulnerable commercial real estate and other higher-risk portfolios, risk rating accuracy, portfolios of highest growth, and new products.”

    The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.

    The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.

    Bank Regulatory Federal Issues OCC Supervision Digital Assets Fintech Privacy, Cyber Risk & Data Security UDAP UDAAP Bank Secrecy Act Anti-Money Laundering Climate-Related Financial Risks Fair Lending Third-Party Risk Management Risk Management

  • SEC adopts truth-in-advertising rule enhancements for funds

    Securities

    On September 20, the SEC adopted amendments (as set forth in the final rule and as discussed in the fact sheet) to the Investment Companies Act rule that requires investment companies whose names suggest a focus in a particular type of investment to adopt a policy to invest not less than 80 percent of the value of their assets in those investments (the “Names Rule”). The agency said the amendments to the Names Rule will enhance its protections by addressing gaps in the current requirements and will “help ensure that a fund’s portfolio aligns with a fund’s name.”

    The Names Rule promotes truth-in-advertising by requiring that a fund whose name suggests a focus on a particular type of investment adopt a policy to put 80 percent of its assets toward the focus suggested by its name (the “80 percent investment policy”).

    The SEC said, “the amendments will enhance the rule’s protections by requiring more funds to adopt an 80 percent investment policy, including funds with names suggesting a focus in investments with particular characteristics, for example, terms such as ‘growth’ or ‘value,’ or certain terms that reference a thematic investment focus, such as the incorporation of one or more Environmental, Social, or Governance factors.”

    The amendments will expand the requirement to adopt an 80 percent investment policy to more funds, including those with names suggesting a focus in investments with particular characteristics (e.g., “growth” or “value”), or certain terms that reference the incorporation of one or more ESG factors. The amendments will also (i) require that a fund conduct a quarterly review of its portfolio assets’ treatment under its 80 percent investment policy; (ii) establish deadlines for getting back into compliance if a fund departs from its 80 percent investment policy; and (iii) enhance prospectus disclosure requirements by requiring that terminology used in fund names that suggests an investment focus be consistent with the plain English meaning or established industry use of such terms.

    The amendments will become effective 60 days after publication in the Federal Register. Fund groups with more than $1 billion in assets under management will have two years to comply with the rule; funds that manage less than $1 billion will be given 30 months to comply.

    Securities Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance SEC

  • SEC approves final Privacy Act rules

    Securities

    On September 20, the SEC announced the approval of its revised Privacy Act rules, which govern the handling of personal information in the federal government. Among other things, the final rule will update, clarify, and streamline the SEC’s Privacy Act regulations by (i) clarifying the purpose and scope of the regulations; (ii) updating definitions to plainly describe regulation processes; (iii) allowing for electronic methods to verify requesters’ identities and to submit Privacy Act requests; and (iv) providing for a shorter response time to Privacy Act requests. The final rule will also update fee provisions and eliminate unnecessary provisions. The SEC last updated its Privacy Act rules in 2011, and because of the extent of the changes, the final rule will replace the commission’s current Privacy Act regulations entirely.

    The revised rule will take effect 30 days after publication in the Federal Register.

    Securities Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance SEC

  • UK-U.S. data bridge adequacy regulations to come into effect October 12

    Privacy, Cyber Risk & Data Security

    The EU-US Data Privacy Framework (the “Framework”) sets forth a set of principles and requirements that US organizations can comply with in order to, following certification, join the Framework. On October 12, the UK extension to the Framework will come into effect following the UK digital minister’s submission of regulations and the US Attorney General’s designation of the UK as a “qualifying state.”

    This data bridge and the associated Framework ensure that the level of protection for UK individuals’ personal data, as provided for under the UK GDPR, is maintained when data is transferred. The FTC and the U.S. Department of Transportation are the independent supervisory authorities for the UK extension, which is administered by the U.S. Department of Commerce.


    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons UK EU-US Data Privacy Framework GDPR

  • Tech giant to pay $62M in smartphone location tracking suit

    Courts

    On September 14, 2023, in the U.S. District Court for the Northern District of California, San Jose Division, plaintiffs filed a motion for preliminary approval of a proposed Class Action Settlement Agreement and Release under which a tech giant will pay $62 million to resolve claims that it illegally tracked and stored users’ private location information even after users opted out. According to the filing, the proposed settlement “would be used to pay for the costs of Notice and Settlement administration, any Court-awarded attorneys’ fees and expenses and Class Representative Service Awards,” with the balance being “distributed to one or more Court-approved cy pres recipients,” each of which must be “independent 501(c)(3) organizations with a track record of addressing privacy concerns on the Internet.”

    The company also agreed to injunctive relief for a period of at least three years, requiring it to, among other things: (i) “maintain a policy whereby (a) Location Information stored through Location History (‘LH’) and Web & App Activity (‘WAA’) is automatically deleted by default after a period of at least 18 months when users opt into these settings for the first time, and (b) users can set their own auto-delete periods;” (ii) provide users with instructions on how to disable each data collection setting, delete the data collected, and set retention limits; and (iii) confirm that the company “does not now share users’ precise Location Information collected in LH or WAA with third parties (except for valid legal reasons).” The settlement class includes as many as 247 million smartphone users whose location information the company stored “while ‘Location History’ was disabled” from January 1, 2014, through the notice date.

    In a statement on September 15, a spokesperson for the company said “[c]onsistent with improvements we’ve made in recent years, we have settled this matter, which was based on outdated product policies that we changed years ago.”

    Courts Privacy, Cyber Risk & Data Security Consumer Protection Settlement