On February 5, the House Homeland Security Committee unanimously approved H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (the NCCIP). The NCCIP builds on many of the ideas set forth in the February 2013 Presidential Executive Order on cybersecurity. The bill seeks to enhance cybersecurity readiness in governmental and private institutions, in part, by facilitating information sharing and a “public-private collaboration” between government agencies and “critical infrastructure owners” and by promoting “cross-sector coordination and sharing of threat information” through NIST. The bill directs NIST to develop voluntary best practices that include individual privacy and civil liberty protections. The NCCIP also amends the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) to provide liability protections for those selling or providing agency-approved cybersecurity technology to customers.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. 
Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On February 3, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) again expanded his investigation of data brokers when he asked six brokers for information on the compilation and sale of products that identify consumers based on their financial vulnerability or health status. The issue was raised recently in a majority staff report, which was released in connection with a December 2013 committee hearing. The Chairman cited “serious concerns regarding the sale and dissemination of lists identifying a consumer’s fragile health or financial circumstances without the consumer’s knowledge or permission,” which Mr. Rockefeller believes can be used by businesses seeking to target vulnerable customers for financially risky lending products or fraud schemes. The Chairman seeks a broad range of information about the companies’ data collection and sales practices conducted over a five-year period. The letters are the latest in an ongoing review by the Committee, which previously expanded the scope of the review in September 2013.
On January 24, the California Attorney General (AG) sued a health care company over its alleged failure to timely submit notice of a 2011 data breach. According to the complaint, the company learned of the breach at the end of September 2011, completed a preliminary investigation in December 2011, and subsequently continued the investigation through mid-February 2012. The company allegedly did not begin mailing notice letters to affected individuals until mid-March. The complaint alleges the company failed to provide such notice in the most expedient time possible, which the AG alleges could have commenced in December 2011. The complaint also includes allegations regarding the actual breach at issue. The AG is seeking statutory penalties of $2500 per violation. Among other things, the suit demonstrates the AG’s inclination to take privacy and data security actions beyond the California Online Privacy Protection Act.
On January 28, the CFPB issued a consumer advisory in response to recent reports of data breaches at several large retailers. In addition to providing tips for consumers in the wake of a retail breach, the advisory encourages card holders to submit complaints about debit and credit card issuers’ inadequate responses to consumer charge disputes related to data breaches.
The advisory is the first public response from the CFPB on data breach issues. It follows a request last month from Senator Chuck Schumer (D-NY), a member of the Senate Banking Committee, that the CFPB conduct an investigation of the data breach and issue a “full report on the findings of its investigation -- informing the public of how this breach occurred, how consumers can protect themselves from similar attacks, and any further recommendations the CFPB may have for retailers to minimize the occurrence of similar breaches.” Schumer also asked Director Cordray to “take a closer look at whether retailers systems should be required to transfer credit and debit card information as encrypted data. . . . The CFPB must ensure that necessary rules and standards for retailers are in place to validate consumers’ trust in the transaction process.”
Numerous congressional committees share jurisdiction over data breach issues. The Senate Banking Committee will be among the first to act with a hearing scheduled for February 3, 2014 that will feature governmental witnesses, as well as the views of the retailer and banking industries.
On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
On January 15, NIST updated the status of its efforts to finalize the voluntary Cybersecurity Framework directed by President Obama’s Executive Order 13636. According to the update, NIST expects to publish the final framework on February 13, 2014, but the initial final version will not include an appendix with specific privacy standards. Citing insufficient support from stakeholders, NIST instead will include an alternative methodology that it believes will better allow organizations to incorporate general privacy principles when implementing a cybersecurity program.
Recently, the California Court of Appeals, Second District, held that a plaintiff must have suffered a statutory injury to have standing to pursue a cause of action under the state’s “Shine the Light Act” (SLA). Boorstein v. CBS Interactive, Inc., No. B247472, 2013 WL 6680796 (Cal. Ct. App. Dec. 19, 2013). The SLA requires businesses that collect California residents’ personal data and then share that data for marketing purposes to disclose or allow consumers to opt out of that sharing. Specifically, all businesses must make consumers aware of their SLA rights by (i) maintaining a disclosure on their website and providing contact information for consumers to make a request about information shared with direct marketers; (ii) requiring customer service agents to provide the contact information upon request; or (iii) making the contact information available at every place of business in the state. In recent years, consumers filed a series of class actions, including the instant case, alleging that companies failed to properly disclose their contact information on their websites. The class plaintiffs did not, however, allege that they had sought SLA disclosures or would have done so had contact information been available. Consistent with federal district courts that have considered these claims, the state appeals court here determined that a failure to timely, accurately, or completely respond to a disclosure request is a discrete event upon which a court could calculate a civil penalty for each violation, whereas a failure to post information on a website is a continuing event that cannot readily be quantified. The court held that such a continuing violation, without more, is not an actionable violation. 
The court rejected the plaintiff’s claim that he suffered an “informational injury” because he did not receive information to which he was statutorily entitled, and upheld the trial court’s holding that the alleged failure was merely a procedural injury insufficient to establish standing.
On December 17, Italy’s highest court, the Italian Supreme Court of Cassation, issued a landmark ruling upholding the acquittal of three Google senior executives by the Milan Court of Appeals. Initially, an Italian trial court convicted the executives of criminal violations of Italy’s privacy laws for allegedly allowing a controversial video to be uploaded to the precursor to YouTube by a user of the service without first screening the video. The Milan Court of Appeals rejected prosecutors’ contention that the company should be responsible for prescreening user-provided content, and agreed with the executives that requiring prescreening for such content would not only infringe on users’ freedom of expression, but would undermine websites’ functionality. The Court of Cassation will issue a written statement of its reasoning early next year. BuckleySandler attorneys Samuel Buffone and Ann Wiles represented two of the three Google executives.