InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach
On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot seek claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach.
House Financial Services Committee holds hearing on data security, breach notifications
On March 7, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime” to discuss data security and breach notification rules and cybersecurity supervision and examination standards for reporting agencies. Subcommittee Chairman Blaine Luetkemeyer, R-Mo., opened the hearing by stating that “[f]orty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted differing laws requiring private companies to notify individuals of breaches of personal information,” and emphasized the need for a “national solution” to create data security safeguards and responsible notification processes.
Legislation. The hearing discussed two legislative proposals sponsored by Representatives Luetkemeyer and Patrick McHenry, R-NC, respectively: the “Data Acquisition and Technology Accountability and Security Act” (DATAS Act) and the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017” (PROTECT Act). The DATAS Act would, among other things, (i) establish broad standards for data protection across industries; (ii) create new federal post-data breach notification requirements; and (iii) establish steps that covered entities must take to notify regulators, law enforcement, and victims after certain types of data breaches. Included within the PROTECT Act are provisions that would (i) subject large consumer reporting agencies to cybersecurity supervision and examination measures; (ii) amend the FCRA to allow consumers to request security freezes be placed, removed, or temporarily lifted on their credit reports; (iii) provide provisions for fees and exceptions from such fees; and (iv) prohibit consumer reporting agencies from including a consumer’s Social Security number in a credit report or being used as a method to identify a consumer.
Hearing Testimony. The hearing’s four witnesses provided testimony related to current issues with data beaches and protecting consumer information, and commented on the inconsistencies in data breach laws. Among the issues discussed were (i) the challenges of creating a “universal, unique identifier” separate from a Social Security number; (ii) efforts to establish streamlined, uniform, national data breach notification, security, and credit freeze standards; and (iii) the need for U.S. businesses that handle sensitive financial information to implement measures to protect the data and maintain consumers’ trust. Massachusetts Assistant Attorney General and Director of Data Privacy & Security for the Attorney General’s Consumer Protection Division, Sara Cable, stated in her written testimony and during the hearing that the proposed DATAS Act’s consumer notice provisions would “leave consumers in a worse position than the status quo.” She also expressed concern that the bill “allows entities to push the cost of the data security crisis onto consumers without providing any meaningful remedy, strips the state Attorneys General of the authority they are presently and actively using to protect their consumers from breaches, and hamstrings efforts of the States to enact laws in response to future risks in an era of increasing and rapidly evolving technology.”
Nebraska, South Dakota enact legislation relating to security breaches and credit freezes
On March 1, the governor of South Dakota signed House Bill 1078 to revise certain provisions addressing the removal of credit security freezes. The amended act states that a security freeze will remain in place until a consumer requests the removal from the consumer reporting agency. The consumer reporting agency is then required to remove the freeze within three business days. Separately, on February 27, the governor signed House Bill 1127 (HB 1127) to revise certain provisions concerning fees charged for security freezes. Among other things, HB 1127 prohibits consumer reporting agencies from charging a fee for placing or removing a security freeze, and stipulates that a consumer reporting agency may advise a third party that a consumer’s credit report has been frozen.
On February 28, the governor of Nebraska approved Legislative Bill 757 strengthening certain provisions of the state’s Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006. Among other things, the amendments state that (i) any individual or commercial entity in the state that possesses computerized data containing personal information of Nebraska residents must maintain reasonable security and disposal procedures and practices; (ii) nonaffiliated third-parties with access to personal information must also maintain reasonable security and disposal procedures; and (iii) consumer reporting agencies must provide services free-of-charge for the placement or removal of a credit security freeze. The legislation also outlines additional violations under which the Nebraska Attorney General can enforce protection of consumer privacy in the event of a data breach.
Online payments system company settles FTC privacy, security, and money transfer allegations
On February 23, the FTC announced a proposed settlement with a global online payments system company (company) to resolve a complaint filed in 2016 concerning allegations that its payment and social networking service (service) violated the FTC Act when it, among other things, failed to adequately disclose to consumers that transfers to external bank accounts were subject to review and that funds could be frozen or removed based on a review of the underlying transaction. According to FTC allegations, many consumers who relied on notifications from the service that funds were available for transfer found themselves unable to pay rent or other bills. In some instances, the service reversed transactions after initially notifying consumers the funds were available. Additionally, the service allegedly violated the Gramm-Leach-Bliley Act’s Privacy and Safeguard Rules (GLBA Rules) by misleading consumers about protections for their accounts when it claimed to use “bank-grade security systems” and failed to have a written security program or implement basic security safeguards. As a result, the FTC claims unauthorized users were able to, in certain cases, withdraw funds from consumer accounts or change passwords and/or associated email addresses without consumers being notified.
Under the proposed settlement, the company—which did not admit or deny liability and is not required to pay a fine—has agreed that it will not misrepresent any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which it “implements or adheres to a particular level of security.” The company will also, among other things, make certain disclosures to consumers about its transaction and privacy practices, obtain biennial third-party assessments of its compliance with these rules for 10 years, and refrain from violating any provisions of the GLBA Rules.
NYDFS releases new updates to cybersecurity regulation FAQs
On February 21, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500, which was last updated in December 2017. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. This week’s updates to the FAQs add the following guidance:
- Due to increasing cybersecurity risks facing financial institutions, NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500”;
- Not-for-profit mortgage brokers are Covered Entities under the cybersecurity regulation;
- Covered Entities, when acquiring or merging with a new company, must conduct a factual analysis of how the cybersecurity regulation applies to the acquisition or merger. In addition, NYDFS emphasized that Covered Entities must have in place serious due diligence processes and ensure cybersecurity is a priority; and
- Health Maintenance Organizations and continuing-care retirement communities are Covered Entities and must comply with the cybersecurity regulation requirements.
As previously covered in InfoBytes, on January 22, NYDFS issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance was February 15.
SEC issues new cybersecurity reporting guidance
On February 21, the SEC released Cybersecurity Interpretive Guidance designed to provide assistance to public companies when preparing disclosures about cybersecurity risks and incidents. According to a press release, the commissioners voted unanimously on February 20 to approve the guidance, which reinforces and expands guidance previously issued in 2011. The guidance, which addresses the “grave threats” cybersecurity risks pose to investors, the capital market, and the United States, states the SEC’s expectations that companies should, among other things, (i) provide disclosures tailored to a particular company’s cybersecurity risks rather than using “boilerplate language or static requirements,” and (ii) adopt policies that will restrict executive trading in a firm’s securities while possessing nonpublic information related to cybersecurity risks or attacks. In connection with the release of the guidance, SEC Chairman Jay Clayton released a statement urging public companies to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” The statement also stressed the federal securities law disclosure requirements that companies “must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents.”
Attorney General Sessions announces plans to create Cyber-Digital Task Force
On February 20, U.S. Attorney General Jeff Session announced plans to create a Cyber-Digital Task Force (Task Force) designed to combat global cyber threats. According to the DOJ’s press release, Attorney General Sessions stated that the Task Force will “advise me on the most effective ways that this Department can confront these threats and keep the American people safe.” His February 16 memorandum identified certain cyber-related issues as particularly “pressing,” including: (i) the use of the internet to spread violent ideologies; (ii) the theft of corporate, governmental, and private information on a large scale; (iii) the use of technology to evade or frustrate law enforcement; and (iv) the weaponization of consumer devices, including computers and other consumer devices, to attack U.S. citizens and businesses. The Task Force will issue a report by June 30, 2018 outlining the DOJ’s current cyber-related activities and offering recommendations.
House Financial Services Committee holds hearing on current data security regulatory regime
On February 14, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Examining the Current Data Security and Breach Notification Regulatory Regime” to discuss opportunities to reform data security regulations at the federal and state level in order to close gaps in the regulations and reduce vulnerabilities in the system. Subcommittee Chairman Blaine Luetkemeyer (R-Mo.) opened the hearing by stating that (1) technological advancements are paired with increasingly sophisticated threats to data security; and (2) data breaches seem to be increasing in number and severity. Luetkemeyer emphasized that the time has come to consider regulatory reform to address these complex issues.
The hearing’s five witnesses offered numerous insights related to the current issues with data security. Among the issues discussed included highlighting the significance of the global data threats the U.S. faces today and the cost they have on the public’s trust in technology. Several witnesses commented on the inconsistencies in state data breach laws and offered suggestions for future regulatory reform, such as federal legislation that (i) requires companies to maintain reasonable data security policies; (ii) implements prompt consumer notification requirements of suspected breaches; and (iii) contains a safe harbor for compliance with federal data security standards. The hearing also had significant discussion regarding whether a new federal law should preempt current state laws in their entirety. The discussion recognized the challenges of pursuing a preemption approach. On one hand, partial preemption would not solve the inconsistencies that exist today, but total preemption may override state laws that currently provide strong protections with a weaker national standard.
District Court dismisses First Amendment challenge to Montana’s statute banning robocalls
On February 9, a federal judge for the U.S. District Court for the District of Montana denied a plaintiff’s motion for summary judgment, which sought to overturn the State of Montana’s statutory restrictions on robocalls. Among other things, the plaintiff—a Michigan-based political consulting firm that relies on automated calls to gather data—claimed the 1991 Montana statute violated its right to free speech under the First and Fourteenth Amendments of the United States Constitution by prohibiting automated sales and political campaign calls. However, the court ruled that the Montana statute is sufficiently narrowly tailored and is intended to preserve and protect residents’ “control over [their] property and personal choices regarding receipt of communications.” Exemptions to the ban, the court explained, can occur “if the permission of the called party is obtained by a live operator before the recorded message is delivered.” The narrow tailoring leaves “ample alternative (including all of the more traditional) channels of communication for the protected political speech.”
Massachusetts attorney general launches data breach reporting portal
On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, which is available through the agency’s Security Breaches site. Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the Massachusetts Data Breach Notification Law (law), M.G.L. c. 93H. According to the announcement, the law requires any entity that “owns or licenses a consumer’s personal information” to notify the attorney general’s office, among others, “any time personal information is accidentally or intentionally compromised.” The announcement notes that organizations are not required to use the online portal and may still send written notice to the attorney general’s office through the mail.
The online portal announcement follows other recent actions by Healey in response to consumer data breaches. In September, Healey filed the first enforcement action in the nation against a major credit reporting agency after its significant data breach announcement (previously covered by InfoBytes here) and introduced proposed legislation, SB 130/HB 134, which, among other things, would eliminate fees for credit freezes and mandate encryption of personal information in credit reports.