
InfoBytes Blog

Financial Services Law Insights and Observations


  • Arizona governor amends data breach law, updates security freeze legislation

    Privacy, Cyber Risk & Data Security

    On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or license unencrypted and unredacted computerized data to conduct a reasonable investigation of possible breaches of personal information. Owners or licensees of personal information must then notify affected individuals within 45 days, pending the needs of law enforcement. Key amendment highlights are as follows:

    • makes revisions to definitions, which include (i) expanding “personal information” to include a combination of a user’s name, password/security question, and answer that grants access to an online account; (ii) defining the term “redact”; and (iii) clarifying that a “specified data element” now includes an individual’s unique “private key” used when authenticating or signing an electronic record;
    • adds a requirement that for breaches impacting more than 1,000 individuals, the Attorney General and the three largest consumer reporting agencies must be notified in writing;
    • amends a provision concerning “substitute notice,” which removes requirements that a notification must be sent to affected individuals via email as well as notifying major statewide media. The amendments now stipulate that an entity is required to notify the Attorney General’s office in writing to demonstrate the reasons for substitute notice in addition to posting a notice on the entity’s website for at least 45 days; and
    • clarifies a section that states entities are no longer required to notify affected individuals if an independent third-party forensic auditor or law enforcement agency “determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”

    Separately, on April 3, the governor signed SB 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password.

    Both bills are scheduled to take effect 91 days after the end of the legislative session.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

  • 9th Circuit amended opinion holds company not vicariously liable under TCPA

    Privacy, Cyber Risk & Data Security

    On April 4, the U.S. Court of Appeals for the 9th Circuit issued an amended opinion to further affirm a district court’s decision to grant summary judgment in favor of a defendant concerning allegations that it was vicariously liable for telemarketing activity in violation of the Telephone Consumer Protection Act (TCPA). The three-judge panel held that the defendant, who sells vehicle service contracts (VSCs) through automobile dealers and “marketing vendors,” was not vicariously liable under the TCPA for calls made by telemarketers employed by a company that sold VSCs for the defendant and multiple other companies. Last August, the three-judge panel determined that the company’s telemarketers acted as independent contractors, rather than as the defendant’s agents. In amending their opinion, the three-judge panel further determined that the telemarketers lacked actual authority (under express language contained within the parties’ contract) to place the unlawful calls, and that the defendant “exercised insufficient control over the manner and means of the work to establish vicarious liability under the asserted theory.”

    Privacy/Cyber Risk & Data Security Courts TCPA Appellate Ninth Circuit

  • State judge says Massachusetts can sue credit reporting agency over data breach

    Privacy, Cyber Risk & Data Security

    On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts Attorney General plausibly suggests that the company violated such regulations by knowing of certain vulnerabilities and failing to properly address them. As previously covered by InfoBytes, Massachusetts was the first state to file an action against the credit reporting agency after its September 2017 announcement of a data breach which affected over 143 million consumers.

    Privacy/Cyber Risk & Data Security Courts State Attorney General State Issues Data Breach Credit Reporting Agency

  • Alabama enacts data breach notification law

    Privacy, Cyber Risk & Data Security

    On March 28, the Alabama governor signed SB 318, The Alabama Data Breach Notification Act of 2018 (Act), which requires entities doing business in the state to (i) notify consumers within 45 days if their personal data has been compromised in a data breach; and (ii) notify the state Attorney General and consumer reporting agencies if more than 1,000 individuals have been impacted. The Act also states that third-party agents, entities that have been contracted to maintain, store, process, or otherwise access sensitive personally identifying information in connection with providing services to a covered entity, are required to notify the covered entity of a breach of security “no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.” Additionally, the Act gives the state Attorney General authority to prosecute a failure to disclose a data breach as an unlawful act or practice under the Alabama Deceptive Trade Practices Act, which can result in daily penalties of up to $5,000 per violation. However, entities that follow the notice requirements of industry-specific state or federal laws or regulations are exempt from the Alabama legislation. The law is effective June 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach State Attorney General

  • NYDFS updates cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    On March 23, the New York Department of Financial Services (NYDFS) provided a second update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017 and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in InfoBytes, as was the last update in February. The new update to the FAQs adds the following guidance:

    • An individual filing a Certificate of Compliance for his or her own individual license with no Board of Directors is acting as a Senior Officer as defined by 23 NYCRR 500 and should complete the filing process in that manner; and
    • Entity ID is defined as an entity’s state-issued unique license or charter number. Specific information is provided for insurance companies and mortgage loan originators in the FAQs.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Compliance 23 NYCRR Part 500

  • Coalition of state Attorneys General urges Congress to oppose data breach bill

    Privacy, Cyber Risk & Data Security

    On March 19, the Illinois Attorney General, along with 30 other state Attorneys General and the Executive Director of the Hawaii Office of Consumer Protection, issued a letter to selected members of Congress opposing the Data Acquisition and Technology Accountability and Security Act (the DATAS Act), which would establish broad standards for data protection across industries and create federal notification requirements for covered entities after certain types of data breaches. (See previous InfoBytes coverage here.) According to the Illinois Attorney General’s letter, the DATAS Act would preempt state data breach and data security laws. The letter also stated that “States have proven themselves to be active, agile, and experienced enforcers of their consumers’ data security and privacy. With the increasing threat and ever-evolving nature of data security risks, the state consumer protection laws that our Offices enforce provide vital flexibility and a vehicle by which the States can rapidly and effectively respond to protect their consumers.” Serious potential concerns arising from the DATAS Act raised in the letter include (i) reduced transparency to consumers; (ii) delayed notification to consumers affected by data breaches; and (iii) an overly narrow focus on large-scale data breaches “affecting 5,000 or more consumers” which “prevent[s] attorneys general from learning of or addressing breaches that happen on a smaller national scale.”

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Data Breach Security Freeze

  • States enact data breach notification laws; Oregon prohibits fees for security freezes

    Privacy, Cyber Risk & Data Security

    On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.

    A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:

    • Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
    • Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach Credit Reporting Agency Security Freeze State Legislation

  • FTC reaches $45.5 million settlement with companies over illegal telemarketing calls

    Privacy, Cyber Risk & Data Security

    On March 16, the FTC and three Utah-based movie companies (defendants) agreed to a proposed stipulated final order settling charges that they violated the FTC Act and the Telemarketing Sales Rule (TSR). In 2011, the DOJ filed a complaint on behalf of the FTC, which alleged defendants engaged in abusive telemarketing practices by making more than 117 million deceptive and unlawful calls to consumers to pitch movies and induce DVD sales in violation of the TSR, including 99 million calls to numbers on the Do Not Call Registry. In 2016, a federal court jury found the defendants guilty of six TSR violations and collectively responsible for the more than 117 million unlawful calls alleged in the complaint. The jury additionally found that the defendants had “actual or implied knowledge of the TSR violations,” meaning that the court was allowed to assess civil penalties under the FTC Act. According to the FTC’s press release, this was the first-ever jury verdict in an action to enforce the TSR and DNC Registry rules.

    The proposed stipulated final order bans the defendants from engaging in the alleged misconduct, orders the defendants to train and monitor their solicitors to ensure compliance with the TSR, and imposes a $45.5 million civil money penalty, of which $487,735 is suspended unless it is determined that the financial statements the defendants submitted to the FTC contain any inaccuracies.

    Privacy/Cyber Risk & Data Security FTC DOJ FTC Act Telemarketing Sales Rule Settlement

  • Washington governor enacts amendment relating to security freeze fees

    Privacy, Cyber Risk & Data Security

    On March 13, the Washington governor signed Senate Bill 6018, which amends sections of the state’s Fair Credit Reporting Act addressing the removal of security freezes. Among other things, the amended act prohibits credit reporting agencies (CRAs) from charging a fee for placing, temporarily lifting, or removing a security freeze, or when assigning consumers unique personal identification numbers. Additionally, the offices of cybersecurity and privacy and data protection and the Attorney General’s office are instructed to work with stakeholders to evaluate the amendment’s impact on consumers and CRAs. A findings report must be submitted by December 1, 2020, and include data breach trends and recommendations by federal and state agencies. The amendment takes effect June 7.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

  • NYDFS issues cybersecurity compliance certificate reminder

    Privacy, Cyber Risk & Data Security

    On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15 and notices recently were sent to regulated entities. Among other things, the FAQs state that a separate Certification of Compliance must be filed for each license an entity holds, and that entities who have failed to submit a Certification of Compliance must do so “as soon as possible.” Entities that received a reminder to certify their compliance but filed for an exemption under Section 500.19 are still required to file the Certificate of Compliance to “confirm that they are in compliance with those provisions of the regulation that apply.”

    Find continuing InfoBytes coverage on NYDFS’s cybersecurity regulation here.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Compliance 23 NYCRR Part 500
