
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC Cites Two Companies over Unauthorized Telemarketing Allegations

    Privacy, Cyber Risk & Data Security

    On September 11, the FCC issued citations against a Pennsylvania-based financial institution and a transportation network company (TNC), alleging that both companies engaged in unlawful business practices by infringing consumers’ rights to be free of unauthorized telemarketing robocalls to residential and wireless phones. The financial institution’s citation alleges that the bank required customers to agree to receive autodialed telemarketing texts in order to use its online banking and Apple Pay services. The TNC’s citation alleges that, although it allows consumers who sign up for its ride-sharing service to opt out of receiving autodialed or prerecorded telemarketing calls and texts, the TNC does not allow users to access the service if they exercise these opt-out rights. Both citations allege that these practices violate the FCC’s rules implementing the Telephone Consumer Protection Act (TCPA), and direct the companies to take immediate steps to come into compliance with the FCC’s rules, orders, and the TCPA prohibition against unlawful marketing and advertising calls. The FCC also warned that future violations may result in monetary forfeitures.

    TCPA FCC Enforcement

  • Treasury Deputy Secretary Raskin Delivers Remarks On Cybersecurity and Insurance

    Privacy, Cyber Risk & Data Security

    On September 10, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the Center for Strategic and International Studies Strategic Technologies Program in Washington, D.C. After summarizing threats posed to U.S. companies and strategic interests, citing to notable recent cyberattacks, Raskin laid out the roles governments, the insurance industry, and state insurance regulators can take in responding to cyberattacks.

    Raskin noted that governments can facilitate information-sharing related to cyber threats and deter incidents through law enforcement and diplomatic engagement as well as by imposing financial sanctions on wrongdoers overseas. The insurance sector can gauge the risks and costs posed by cyber incidents and provide an important risk mitigation tool by allowing policyholders to transfer some financial exposure associated with cyber events. The insurance qualification and underwriting process also encourages businesses to engage in increased cybersecurity and risk-mitigation activities. Finally, state insurance regulators can assist response by setting standards for cybersecurity and the protection of the sensitive information of policyholders at the entities that they regulate.

    Department of Treasury Cyber Insurance Privacy/Cyber Risk & Data Security

  • Pennsylvania Regulator Addresses Cybersecurity

    Privacy, Cyber Risk & Data Security

    On September 8, Pennsylvania Department of Banking and Securities’ Secretary Robin Wiessmann issued a letter to Pennsylvania state-chartered, licensed, and registered financial services institutions and companies regarding the Department’s cybersecurity efforts to “prevent and defend against cyberattacks, reduce vulnerability, minimize damage and recover times, and promote awareness and education.” The letter encourages such entities to (i) develop cybersecurity attack prevention and mitigation plans; (ii) identify their cybersecurity vulnerabilities; (iii) evaluate the means necessary to protect their networks and data; (iv) conduct regular vulnerability assessments and penetration tests of their networks; (v) encrypt customer and investor data; (vi) ensure their operating systems are up-to-date; (vii) frequently update and utilize anti-virus software; and (viii) train and evaluate their staff and vendors, as well as educate their customers, regarding cybersecurity risks. In addition to reminding the Department’s regulated financial institutions and companies of the FFIEC’s June 30 release of a self-assessment tool designed to help evaluate cybersecurity risk, the letter also urges such entities to review the SEC's April 2015 cybersecurity guidance, which identifies cybersecurity “best practices” for registered investment companies and registered investment advisers.

    In a separate September 8 press release, the Department announced the formation of a Cybersecurity Task Force. Comprised of regulatory, legal, and information technology staff, the task force is one of the first created by a state financial regulator to provide financial service companies with resources to address cybersecurity issues.

    Privacy/Cyber Risk & Data Security

  • FTC Chairwoman Ramirez Urges Start-Ups to Establish a "Culture of Security"

    Privacy, Cyber Risk & Data Security

    On September 9, FTC Chairwoman Edith Ramirez delivered remarks at the Start For Security workshop, an FTC initiative intended to provide start-ups and developers with the resources and information necessary to integrate effective data security strategies into their products. In her remarks, Ramirez advised companies to establish a “culture of security” by: (i) embedding privacy and security into the development process of apps and other products; (ii) testing the product to ensure that security defaults work properly and controls are secure; and (iii) establishing a “bug bounty” program or a contact point for when flaws, bugs, and vulnerabilities in software are discovered.

    FTC Privacy/Cyber Risk & Data Security

  • State AGs File Amicus Brief With U.S. Supreme Court in FCRA Standing Case

    Privacy, Cyber Risk & Data Security

    On September 9, the Massachusetts Attorney General announced that her office, along with 12 other states and the District of Columbia, had filed with the U.S. Supreme Court an amicus brief supporting the plaintiff-respondent in Spokeo v. Robins. (Previous InfoBytes coverage can be seen here.) The putative class-action plaintiff in that case claimed that an online data broker published inaccurate information about him in violation of the Fair Credit Reporting Act (FCRA). Reversing the district court, the U.S. Court of Appeals for the Ninth Circuit held that the violation of a statutory right created by FCRA was, in itself, a sufficient injury to confer standing to sue under Article III of the Constitution. In their multistate amicus brief, the AGs argued that the Supreme Court should affirm this holding. The states asserted that businesses frequently rely on consumer data profiles to make important credit, employment, housing, and insurance decisions. However, “the damage done by . . . an inaccurate data profile is frequently impossible for the affected consumer to detect or quantify,” they argued. Accordingly, “Congress rightly has authorized statutory damages for a willful violation of the FCRA.” The AGs asserted that, given their limited resources, statutory damage cases and private class actions are needed to supplement their own consumer protection actions.

    FCRA U.S. Supreme Court State Attorney General Spokeo

  • FTC to Host Privacy and Security Event

    Privacy, Cyber Risk & Data Security

    On August 28, the FTC announced that it will hold a public event, PrivacyCon, to examine current research and trends in protecting consumer privacy and security. Several “whitehat” researchers, academics, industry representatives, consumer advocates, and a range of government regulators are scheduled to address, among other things, how companies can protect against new security vulnerabilities. PrivacyCon will take place in Washington, D.C. on January 14, 2016.

    FTC Privacy/Cyber Risk & Data Security

  • California Governor Signs Executive Order Aimed At Strengthening Cybersecurity Strategy

    Privacy, Cyber Risk & Data Security

    On August 31, California Governor Edmund G. Brown signed Executive Order B-34-15. A response to recent cyber-attacks, this order is intended to bolster the state’s preparedness, to improve inter-agency, cross-sector coordination, and to reduce the likelihood and severity of such attacks. Specifically, the order establishes the California Cybersecurity Integration Center (Cal-CSIC) and explains that the Cal-CSIC “will work closely with the California State Threat Assessment System and the U.S. Department of Homeland Security and will facilitate more integrated information sharing and communication with local, state and federal agencies, tribal governments, utilities and other service providers, academic institutions and non-governmental organizations.”

    Under the order, the Cal-CSIC will also establish a multi-agency Cyber Incident Response Team, which will be comprised of personnel from agencies, departments, and organizations from the Cal-CSIC. The Response Team will serve as California’s “primary unit to lead cyber threat detection, reporting, and response in coordination with public and private entities across the state.”

    Privacy/Cyber Risk & Data Security

  • Special Alert: Third Circuit Gives FTC Green Light to Continue Enforcing Corporate Data Security

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” The unanimous ruling found that “deficient cybersecurity” practices, which “fail to protect consumer data against hackers,” may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers.

    In affirming that the FTC has authority under Section 5 to pursue claims of inadequate data security, the Third Circuit explained that a company’s inadequate data security in the face of foreseeable intrusions falls within the plain meaning of “unfair.” The Third Circuit assured Wyndham that this authority does not enable the agency to dictate the type of locks on hotel room doors or the placement of guards on corporate premises. Nor does it have the authority to sue for every perceived deficiency, just as it would not have the authority to sue supermarkets simply for failing to consistently “sweep up banana peels.” However, the court pointed out that it matters how – and how many – consumers are affected by a company’s practice: “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”

    Wyndham had also argued that it lacked fair notice that the FTC had the authority to assess data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees “raising unfairness claims based on inadequate corporate cybersecurity” that put companies on notice of its enforcement authority in this space.

    The Third Circuit provided some guidance of its own on how companies can avoid FTC enforcement actions alleging unfairness in data security practices, stating that “the relevant inquiry here is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” The more sensitive consumer data a company collects, the more it must invest in sound data security safeguards.

    As a result, companies need to review their data security practices against both the standard enacted by Congress specifically to govern data security in the Gramm-Leach-Bliley Act and the much more general “unfairness” standard found in the FTC Act as well as other federal and state laws.

     


     

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • Third Circuit Affirms District Court's Decision Asserting FTC's Authority over Companies' Data Security Practices

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015). The unanimous ruling found that deficient cybersecurity practices that fail to protect consumer data against hackers may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers. Wyndham argued that it lacked fair notice that the FTC had the authority to police data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees raising unfairness claims based on inadequate cybersecurity that put companies on notice of its enforcement authority in this space.

     

    FTC Privacy/Cyber Risk & Data Security

  • FTC Commissioner Wright to Resign

    Privacy, Cyber Risk & Data Security

    On August 17, the FTC announced the resignation of Joshua D. Wright, who has served as one of the agency’s five commissioners since January 2013. Prior to being appointed as a Commissioner, Wright served at the FTC as an inaugural Scholar in Residence in the Bureau of Competition from 2007 to 2008. Wright’s term was set to expire in September 2019, but his resignation will become effective on August 24. Chairwoman Edith Ramirez noted that, “[t]he agency has benefited greatly from his perspective as a lawyer and economist.” Wright will return to his prior position as a professor at George Mason University School of Law.

    FTC
