
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC penalizes investment company $1 million for cyber security failings

    Privacy, Cyber Risk & Data Security

    On September 26, the SEC announced a settlement with an Iowa-based broker-dealer and investment advisory company, which agreed to pay $1 million to resolve allegations that the company violated the Safeguards Rule and the Identity Theft Red Flags Rule arising out of the company’s failure to protect confidential customer information from intrusion. This is the SEC’s first enforcement action charging violations under the Rule. According to the order, intruders were able to access the company’s system by impersonating company contractors, calling the company’s support line, and requesting that their passwords be reset. The intruders gained access to the company’s system that contained personally identifiable information for approximately 5,600 customers and obtained unauthorized access to account documents for three customers. The SEC identified weaknesses in the company’s cybersecurity procedures, including failure to terminate the intruders’ access even after the intrusion was flagged and failure to apply its procedures to the systems used by its independent contractors. The order takes into account remedial acts undertaken by the company, including blocking malicious IP addresses and issuing breach notices to affected customers, and requires the company to pay a $1 million penalty and retain an independent consultant to evaluate its compliance with the Safeguards Rule and the Identity Theft Red Flags Rule. The company neither admitted nor denied the SEC’s findings.

    Privacy/Cyber Risk & Data Security SEC Enforcement Settlement

  • Global technology companies testify before Senate Commerce Committee on need for federal consumer data privacy legislation

    Privacy, Cyber Risk & Data Security

    On September 26, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Examining Safeguards for Consumer Data Privacy” to discuss whether federal lawmakers should write a broad federal online privacy law in the wake of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, which was amended on September 23. Committee Chairman, Senator John Thune, noted that the September 26 hearing was the first in a series of hearings the Committee plans to hold to discuss consumer data privacy concerns. Testifying before the Committee were executives representing six global technology and telecommunications companies who all agreed that there is a need for federal consumer privacy safeguards that would give consumers more control over the way their data is used. The witnesses also supported the idea of engaging in further discussions with the Committee regarding the FTC’s enforcement powers under its current authority to determine whether the agency needs more resources and tools to carry out its responsibilities effectively. However, the witnesses cautioned that Congress needed to strike an appropriate balance between industry accountability and giving government agencies unchecked power. The witnesses also voiced their opposition to proposed legislation that would require businesses to notify consumers of data breaches within 72 hours of their discovery.

    Among other things, the hearing also addressed: (i) GDPR compliance burdens; (ii) the need for federal privacy laws to preempt the growing “patchwork” of inconsistent state laws; (iii) pitfalls of mandatory opt-in requirements for consumers; (iv) data use transparency and mandatory disclosures; and (v) efforts undertaken by companies to monitor violations of the Children’s Online Privacy Protection Act, particularly with respect to both in-house and third-party apps offered by several of the witnesses’ companies.

    Privacy/Cyber Risk & Data Security U.S. Senate Data

  • California amends the California Consumer Privacy Act of 2018

    Privacy, Cyber Risk & Data Security

    On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act), which was enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, most provisions of which carry an effective date of January 1, 2020, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:

    • The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
    • The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
    • The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
    • The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information, and only to the extent that the business’s failure to maintain reasonable security measures caused the breach;
    • The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
    • The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
    • The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach State Attorney General CCPA

  • New Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data

    Privacy, Cyber Risk & Data Security

    On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the defendants’ practices violate both the Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act, and pose the risk of data breaches and third-party access. Among other things, the complaint alleges that the defendants’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third parties to build “increasingly-detailed profiles of child users” in order to send highly targeted advertising. The complaint seeks injunctive relief and nominal and punitive damages.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General COPPA

  • Court approves $115 million settlement for health insurer data breach

    Privacy, Cyber Risk & Data Security

    On August 15, the U.S. District Court for the Northern District of California issued final approval for a $115 million class action settlement to resolve claims stemming from a large health insurer’s 2015 data breach. As previously covered by InfoBytes, in June 2017 the health insurer and plaintiffs reached the $115 million agreement regarding the company’s 2015 data breach, which exposed consumers’ and employees’ Social Security numbers, birthdays, and other personal data to hackers. The settlement agreement provides for (i) two years of credit monitoring; (ii) reimbursement of out-of-pocket costs related to the breach; and (iii) an alternative cash payment for credit monitoring services already obtained. While the settlement agreement was challenged after the initial deal was struck, the court noted that the objectors “ignore that the [s]ettlement provides the class with a timely, certain, and meaningful recovery.” Moreover, the court noted that the objectors do not account for the “strong message” it sends to the health insurer, stating, “a settlement does not need to provide for all possible recoverable damages to deter wrongdoing.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Settlement

  • FTC seeks comments on possible adjustments to privacy and data security rulemaking authority

    Privacy, Cyber Risk & Data Security

    On August 6, the FTC published a request for comments in the Federal Register—in advance of a series of 15 to 20 public hearings scheduled to start this September—on whether the agency should make adjustments to competition and consumer protection law, enforcement priorities, and policy in light of evolving technologies and market developments. The hearings will cover a range of consumer-related issues, including the agency’s “remedial authority to deter unfair and deceptive conduct in privacy and data security matters” and the “interpretation and harmonization of state and federal statutes and regulations that prohibit [such conduct].” According to testimony presented by FTC Chairman Joseph Simons at a July 18 House Subcommittee on Digital Commerce and Consumer Protection hearing, there exists a need for expanded rulemaking and civil penalty authority. Specifically, Simons discussed Section 5 of the FTC Act, which he stated is too limited to address all of the privacy and security concerns in the marketplace and does not provide for civil penalties. Comments on the hearing topics must be received by August 20.

    Privacy/Cyber Risk & Data Security FTC Federal Register FTC Act

  • FTC announces settlement with California company over EU-U.S. Privacy Shield false certification claims

    Privacy, Cyber Risk & Data Security

    On July 2, the FTC announced it had reached a settlement with a California-based company over allegations that it falsely claimed participation in the European Union-U.S. Privacy Shield framework (EU-U.S. Privacy Shield). According to the FTC, the company’s false claim that it was in the process of certification is a violation of the FTC Act’s prohibition against deceptive acts or practices. The settlement prohibits the company from misrepresenting its participation in “any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization” and requires the submission of timely compliance notices. This action marks the fourth FTC EU-U.S. Privacy Shield enforcement action since the EU’s finalization and adoption in July 2016 (see previous InfoBytes coverage here) of the EU-U.S. Privacy Shield, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations.

    Privacy/Cyber Risk & Data Security FTC Enforcement Settlement

  • Buckley Special Alert: California governor signs significant data privacy bill into law

    Privacy, Cyber Risk & Data Security

    On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of signatures to appear on the November 2018 ballot in the state. Both the Act and the Ballot Initiative were a reaction to high-profile news stories involving large-scale consumer data collection and sharing by online companies, often done without notice to or consent from consumers.

    The Ballot Initiative, driven and funded by a coalition of privacy advocates, proposed both expanding consumer privacy rights under existing state laws such as the California Online Privacy Protection Act and the “Shine the Light” law, and giving consumers new rights with regard to information sharing. The Ballot Initiative, which was withdrawn in response to the enactment of the Act, would have provided state residents with increased rights regarding the types of information online companies possess about them, the purposes for which the information is used, and the entities with which the information is shared. Consumers would also have been given the right to stop certain sharing of their personal information. Critics asserted that the Ballot Initiative was poorly crafted and would stifle innovation in data services. Last-minute revisions to the language of the Act, which generally follows the requirements of the Ballot Initiative, sought to address some of these concerns, and several industry groups that had opposed the Ballot Initiative did not lobby against the quick passage of the Act.

    * * *

    Click here to read the full special alert.

    If you have questions about the act or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security State Issues Special Alerts CCPA

  • Credit reporting agency agrees to cybersecurity corrective action with eight state regulators

    Privacy, Cyber Risk & Data Security

    On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.

    The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS

  • Rhode Island and New Hampshire prohibit security freeze fees

    Privacy, Cyber Risk & Data Security

    On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in connection with issuing or reissuing a personal identification number that is used by a consumer to authorize the use of his or her credit or to remove the freeze. Previously, Rhode Island allowed credit reporting agencies to charge a fee of up to $10 for security freeze services and $5 for reissuances of personal identification numbers, although customers were entitled to a free initial reissuance of their personal identification numbers. The law is effective September 1.

    Similarly, on June 8, the governor of New Hampshire signed HB1700, which prohibits a consumer reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also prohibits a consumer reporting agency from charging a fee to issue or replace a consumer’s personal identification number used in connection with the security freeze. The law requires consumer reporting agencies to place the freeze within three business days after receiving a consumer request if the consumer makes the request via mail, and within 24 hours after receiving a consumer request if it is made electronically or by telephone. The law is effective January 1, 2019.

    Privacy/Cyber Risk & Data Security Security Freeze State Issues State Legislation Credit Reporting Agency
