InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
First Circuit Upholds Dismissal of Claims Against Third-Party for Failure to Protect Personal Information
On February 28, the U.S. Court of Appeals for the First Circuit upheld the dismissal of a putative class action brought against a securities clearing company for alleged failures to protect certain personal information. Katz v. Pershing, LLC, No. 11-1983, 2012 WL 612793 (1st Cir. Feb. 28, 2012). In this case, the plaintiff was the customer of a brokerage firm that used defendant Pershing LLC’s online clearing system, but the customer had no direct relationship with the defendant. The plaintiff alleged that Pershing had contractual and statutory obligations to encrypt and protect the personal information of brokerage firm customers. Specifically, the plaintiff alleged various contract claims, including one that Pershing’s failures constituted a breach of its contract with the brokerage. She also claimed that Pershing violated Massachusetts consumer protection laws. The First Circuit upheld the district court’s dismissal, holding that the agreement between the brokerage and the defendant clearing firm did not confer any benefits on the plaintiff – the brokerage’s customer. The court stated that the separate contractual agreements between the plaintiff and her brokerage on the one hand, and between the brokerage and the defendant clearing firm on the other, could not be mixed and matched. The court also held, with regard to claims that Pershing violated the state data protection law, that plaintiff’s claims of potential harm from unprotected data were purely theoretical and “simply do[] not rise to the level of a reasonably impending threat.” As such plaintiff lacked standing to bring the statutory claims. Because the court found that the plaintiff lacked standing, it did not reach the issue of whether the Massachusetts data privacy law provides a private right of action.
California Class Action Suits Allege Mislabeled Privacy Policy Links
In the last three months, five class action cases filed in California under the state’s “Shine a Light” statute have alleged that online businesses, including Microsoft Corp., CBS Interactive Inc., and Time Inc., failed to properly label links to their privacy policies. The five suits, all filed by a single firm, claim $3,000 per violation plus additional damages (Boorstein v. CBS Interactive Inc., Cal. Super. Ct., No. 476015, complaint filed 12/28/11; Boorstein v. Men's Journal LLC, Cal. Super. Ct., No. 475697, complaint filed 12/22/11; Miller v. Hearst Communications, C.D. Cal., No. 12-733, complaint filed 1/27/12; Murray v. Time Inc., N.D. Cal., No. 12–431, notice of removal filed 1/26/12; Smith v. Microsoft Corp., Cal. Super. Ct., No. 476413, complaint filed 1/9/12). The "Shine a Light" statute, in effect since 2005, requires businesses that collect California residents’ personal data and then share that data for marketing purposes to disclose or allow consumers to opt out of that sharing. Each defendant company allegedly mislabeled links to their online privacy policies or otherwise failed to meet the statute’s requirements.
California AG and Mobile Platforms Agree to Require Privacy Policies for Apps
On February 22, California Attorney General Kamala Harris announced an agreement with six leading mobile platform companies to ensure that apps on those platforms have privacy policies. Privacy policies are already required under the California Online Privacy Protection Act, which governs commercial websites and online services that collect personal data from California residents. The new agreement also includes commitments from the six companies - Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion - to educate app developers about user privacy obligations.
White House Privacy Report Pushes for New Laws and Industry Self-Regulation
On February 23, the White House released a report on consumer privacy, setting out a Consumer Privacy Bill of Rights. The proposed Bill of Rights consists of seven broad principles, including individual control, security, and transparency of data use. The report asks Congress to codify the recommendations as a statute enforceable by the Federal Trade Commission, and identifies FTC enforcement as critical to ensuring privacy protections. Pending or absent congressional action, the report promises that the administration will work with the private sector to adopt new protections on voluntary basis. The administration will hold stakeholder forums to develop legally enforceable codes of conduct. Finally, the report addresses the need for international interoperability and coordination of enforcement.
NIST Publishes Recommendations for Establishing Governance Structure for Implementation of National Trusted Identities Strategy
On February 7, the National Institute of Standards and Technology (NIST) published a report with recommendations for developing a governance system to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC directs the federal government to work with private sector stakeholders to establish and maintain an identity ecosystem for internet transactions aimed at promoting trust, privacy, and security. The report summarizes comments received in response to a June 2011 Notice of Inquiry (NOI) that sought public input regarding the establishment and structure of a private sector-led steering group to implement the NSTIC. Based on those comments, stakeholder workshops, and best practices from similar governance efforts, the report presents recommendations in four areas: (i) steering group initiation, (ii) steering group structure, (iii) stakeholder representation, and (iv) international coordination. The report also includes a recommended charter to establish the steering group and notes that, subject to public comment and finalization of the approach outlined in the report, NIST intends to initiate a competitive grant program to fund a secretariat responsible for convening the initial steering group.
FTC Enhances Confidentiality of Investigations and Proposes Rule to Expedite Investigatory Processes
On January 13, by a vote of 5-0, the FTC adopted a new rule of practice (Rule 2.17) that streamlines internal procedures for staff seeking a court order to prevent investigation targets from learning about subpoenas and civil investigative demands issued by the FTC. The rule allows individual FTC Commissioners or the FTC’s general counsel to authorize the filing of a court action to delay notification to individuals required under the Right to Financial Privacy Act and the Electronic Communications Privacy Act when the FTC is seeking records from financial institutions or service providers.
Also on January 13, the FTC proposed additional changes to Parts 2 and 4 of its Rules of Practice to expedite Commission investigations and ensure that the FTC’s investigatory processes keep pace with electronic discovery advances. Among the proposed changes is a requirement for an accelerated meet-and-confer schedule to resolve electronic discovery disputes, as well as a proposal to relieve parties of their obligations to preserve documents after a year passes with no written communication from the FTC. The public can comment on the proposed rule changes through March 23, 2012.
Upromise Settles with FTC Over Collection of Consumers' Personal Information
On January 5, the FTC announced that Upromise had agreed to settle charges that its collection of consumers’ personal information was deceptive and an unfair practice, and that the collection violated federal law. Upromise’s website offered consumers a “TurboSaver Toolbar” download with a “Personalized Offers” feature to tailor savings opportunities to the consumer. The FTC alleged that the feature collected and transmitted, without encryption, the names of websites consumers visited, which links they clicked on, and information entered into webpages such as search terms, user names, and passwords. According to the FTC, the information collected also included credit card and financial account numbers, security codes and expiration dates, and Social Security numbers. Upromise’s privacy statement, however, stated that (i) the toolbar would only infrequently and inadvertently collect personal identifying information, (ii) personal information would be removed before the data was transmitted, and (iii) Upromise automatically encrypts users’ sensitive information. The proposed settlement requires in part that Upromise (i) destroy data collected, (ii) update its disclosures, (iii) notify consumers regarding the type of information collected and how to disable the toolbar, and (iv) obtain a biennial independent audit for the next twenty years. The proposed settlement is open for public comment through February 6.
CFPB Releases Mortgage Origination Exam Procedures
On January 11, the CFPB took its first action to implement its nonbank supervision program by releasing the procedures it will use in examining all bank and nonbank mortgage originators. The Mortgage Origination Examination Procedures describe the types of information examiners will collect to (i) evaluate policies and procedures, (ii) assess compliance with applicable consumer financial services law, and (iii) identify risks to consumers throughout the mortgage origination process. CFPB mortgage origination exams will focus on specific products and will cover one or more of the following modules: (i) company business model; (ii) advertising and marketing; (iii) loan disclosures and terms; (iv) underwriting, appraisals, and originator compensation; (v) closing; (vi) fair lending; and (vii) privacy. These newly released procedures are an extension of the Supervision and Examination Manual the CFPB released in October 2011 (see BuckleySandler Special Alert, October 17, 2011).
California Federal Court Dismisses Lawsuit After Finding Adequate Disclosures Regarding Online Discount Program
On April 11, the U.S. District Court for the Southern District of California dismissed claims against an online discount program and online movie ticketing website that the defendants deceptively enrolled the plaintiff into a costly program. Berry v. Webloyalty.com, Inc., et al., No. 10-1358, 2011 WL 1375665 (S.D. Cal. Apr. 11, 2011). Plaintiff alleged that, while purchasing movie tickets online, he clicked on an advertisement promising discounted movie tickets and, after later providing his email address, unwittingly enrolled in a "savings club" that began charging a monthly fee. The court dismissed plaintiff’s claims of misrepresentation, unfair competition, false advertising, and invasion of privacy on the ground that multiple disclosures in the advertisement (which plaintiff did not read) adequately disclosed the terms and conditions of membership in the savings club, including the monthly fee.
New Hampshire Enacts Bills Relating to Health Data Privacy
On August 7, New Hampshire Governor John Lynch signed into law H.B. 542, which primarily addresses health privacy issues. The new law (i) authorizes health care providers to disclose an individual’s protected health information to health information exchanges, and (ii) allows individuals to opt out of sharing their protected health care information through health information exchanges. The operative provisions of the new law become effective January 1, 2010.