
InfoBytes Blog

Financial Services Law Insights and Observations


  • Pennsylvania amends privacy bill

    Privacy, Cyber Risk & Data Security

    On November 3, the Pennsylvania governor signed SB 696 to amend the Breach of Personal Information Notification Act. The bill, among other things, prohibits employees of the Commonwealth from using non-secured Internet connections. The bill also includes data storage policy provisions, which establish that an entity that maintains, stores, or manages computerized data on behalf of Pennsylvania that constitutes personal information must develop a policy to govern reasonably proper storage of the personal information. The bill further notes that a goal of the policy must be to reduce the risk of future breaches of the security of the system. The bill is effective 180 days after approval by the governor.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Pennsylvania Data Breach

  • OFAC sanctions individuals and entities tied to ISIS

    Financial Crimes

    On November 7, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against four members of an Islamic State of Iraq and Syria (ISIS) cell operating in South Africa, along with eight companies owned, controlled, or directed by the individuals in the ISIS cell. According to OFAC, the individuals provided technical, financial, or material support to the terrorist group. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities, and of “any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons” that are subject to U.S. jurisdiction are blocked. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to designation, OFAC warned, adding that foreign financial institutions that knowingly conduct or facilitate significant transactions to any of the sanctioned persons could also be subject to U.S. sanctions.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC Sanctions OFAC OFAC Designations SDN List ISIS

  • OFAC sanctions Haitian politicians for narcotics trafficking

    Financial Crimes

    On November 4, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), along with the Government of Canada, announced sanctions pursuant to Executive Order 14059 against two Haitian politicians for having allegedly “engaged in, or attempted to engage in, activities or transactions that have materially contributed to, or pose a significant risk of materially contributing to, the international proliferation of illicit drugs or their means of production.” OFAC said it coordinated its efforts closely with the Drug Enforcement Administration on this designation. As a result, all property, and interests in property of the designated individuals and “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC’s regulations also generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of designated or otherwise blocked persons. OFAC also warned that “persons that engage in certain transactions with the individuals designated today may themselves be exposed to sanctions or subject to an enforcement action. Furthermore, unless an exception applies, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for the individuals designated today could be subject to U.S. sanctions.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Haiti

  • Gensler says penalties should not be “seen as the cost of doing business”

    Securities

    On November 2, SEC Chair Gary Gensler delivered remarks before the Practising Law Institute’s 54th Annual Institute on Securities Regulation, warning companies they may face enforcement consequences should they engage in misconduct. Explaining that penalties should not be “seen as the cost of doing business,” Gensler cautioned that “fraud is fraud, regardless of the types of investors you have defrauded and the types of securities used in the fraud.” Reminding companies that they are in violation of federal securities laws should they fail to register a security as required or fail to register an investment company, he highlighted a $100 million action taken against a New Jersey-based financial services crypto lending platform accused of failing to register the offers and sales of its retail credit lending product as one example of a company making materially false and misleading statements about its securities. (Covered by InfoBytes here.) Gensler also warned companies that improperly trading securities on inside information is a violation of securities laws, “regardless of the ‘form’ or ‘name’ of the securities involved,” and touched upon topics related to accountability, high-impact cases, working with partners at the federal, state, and international level, and professionals who violate public trust. Gensler stressed, however, that knowing when to pursue an enforcement action is important, and said that “[i]f the facts and the law merit we do not make a case,” he is “comfortable with that.” He added that the SEC rewards good behavior and encouraged companies to promptly self-report errors and cooperate with investigations. “If you mess up—and people do mess up sometimes—come in and talk to us, cooperate with our investigation, and remediate your misconduct,” he said.

    Securities SEC Enforcement

  • 6th Circuit affirms FCRA summary judgment

    Courts

    On November 4, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s summary judgment ruling in favor of a credit reporting agency (defendant) accused of violating the FCRA. According to the opinion, a father and his son (the plaintiff) filed Chapter 7 bankruptcy petitions just over a year apart using the same attorney. Both petitions listed their similar names, an identical address, and, mistakenly, the plaintiff’s Social Security number. Although the attorney corrected the Social Security number on the father’s petition the day after it was filed, the defendant allegedly failed to catch the amendment and erroneously reported the father’s bankruptcy on the plaintiff’s credit report for nine years. When the plaintiff noticed the error, he sent the defendant a letter demanding a sum in settlement. The defendant removed the father’s bankruptcy filing from the plaintiff’s credit report. The plaintiff then sued two credit reporting agencies, alleging they violated the FCRA by failing to “follow reasonable procedures to assure maximum possible accuracy” of his reported information. One of the agencies settled with the plaintiff; the district court granted the other defendant’s motion for summary judgment, which the plaintiff appealed.

    On appeal, the 6th Circuit stated that the plaintiff “has standing to bring this action, but also agree that he cannot establish that [defendant’s] procedures were unreasonable as a matter of law.” The appellate court found that, because the defendant gathered information from reliable sources and because someone “with at least some legal training” would have had to manually review the bankruptcy docket to notice that the Social Security number had been updated, the defendant did not violate the FCRA. The appellate court wrote that the defendant’s “processes strike the right balance between ensuring accuracy and avoiding ‘an enormous burden’ on consumer credit reporting agencies.” Furthermore, the 6th Circuit stated that, “[g]iven the sheer amount of data maintained by these companies, we know that consumers are ‘in a better position . . . to detect errors’ in their credit reports and inquire about a fix.”

    Courts Credit Reporting Agency Appellate Sixth Circuit FCRA Bankruptcy Consumer Finance

  • CPPA says comments on modified draft privacy rules due November 21

    Privacy, Cyber Risk & Data Security

    On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA Board meeting held at the end of October (see previous InfoBytes coverage here for a detailed breakdown of the proposed changes). A few notable changes between the versions include:

    • A requirement that a business must treat an opt-out preference signal as a valid request to opt out of sale/sharing for not only that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
    • A requirement that if a business does not ask a consumer to affirm their intent with regard to a financial incentive program, “the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device.” However, if a consumer submits an opt-out of sale/sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program.
    • The addition of the following provision: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”

    Comments on the amended draft rules are due November 21 by 8 am PT.

    Privacy, Cyber Risk & Data Security State Issues CPPA CCPA CPRA Agency Rule-Making & Guidance Consumer Protection

  • OFAC sanctions oil shipping network connected to IRGC-QF and Hizballah

    Financial Crimes

    On November 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against members of an international oil smuggling network for allegedly facilitating oil trades and generating revenue for Hizballah and the Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF). Included are “several key individuals and numerous front companies and vessels involved in blending oil to conceal the Iranian origins of the shipments and exporting it around the world in support of Hizballah and the IRGC-QF.” According to Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson, the responsible individuals “use a web of shell companies and fraudulent tactics including document falsification to obfuscate the origins of Iranian oil, sell it on the international market, and evade sanctions” in order to generate revenue to enable Hizballah and IRGC-QF terrorist activities. The sanctions follow the designation of another Iranian oil smuggling network earlier in May (covered by InfoBytes here). As a result, all property, and interests in property of the designated persons, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” Unless authorized by general or specific OFAC licenses or otherwise exempt, OFAC regulations generally prohibit all transactions by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of designated individuals. OFAC further warned that “engaging in certain transactions with the individuals and entities designated today entails risk of secondary sanctions.” Additionally, OFAC warned that a foreign financial institution that knowingly conducts or facilitates a significant transaction on behalf of a Specially Designated Global Terrorist could be subject to U.S. correspondent or payable-through account sanctions.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Hizballah

  • FTC’s annual PrivacyCon focuses on consumer privacy and security issues

    Privacy, Cyber Risk & Data Security

    On November 1, the FTC held its annual PrivacyCon event, which hosted research presentations on a wide range of consumer privacy and security issues. Opening the event, FTC Chair Lina Khan stressed the importance of hearing from the academic community on topics related to a range of privacy issues that the FTC and other government bodies may miss. Khan emphasized that regulators cannot wait until new technologies fully emerge to think of ways to implement new laws for safeguarding consumers. “The FTC needs to be on top of this emerging industry now, before problematic business models have time to solidify,” Khan said, adding that the FTC is consistently working on privacy matters and is “prioritizing the use of creative ideas from academia in [its] bread-and-butter work” to craft better remedies to reflect what is actually happening. She highlighted a recent enforcement action taken against an online alcohol marketplace and its CEO for failing to take reasonable steps to prevent two major data breaches (covered by InfoBytes here). Khan noted that while the settlement’s requirements, such as imposing multi-factor authentication requirements and destroying unneeded user data, may not sound “very cutting-edge,” they serve as a big step forward for government enforcers. Chief Technology Officer Stephanie Nguyen, who is responsible for leading the charge to integrate technologists across the FTC’s various lines of work, including consumer privacy, discussed the work of these technologists (including AI and security experts, software engineers, designers, and data scientists) to help develop remedies in data security-related enforcement actions and to push companies to not just do the minimum to remediate areas like unreasonable data security but to model best practices for the industry. “We want to see bad actors face real consequences,” Nguyen said, adding that the FTC wants to hold corporate leadership accountable as it did in the enforcement action Khan cited. Nguyen further stressed that there is also a need to address systemic risk by making companies delete illegally collected data and destroy any algorithms derived from the data.

    The one-day conference featured several panel sessions covering a number of topics related to consumer surveillance, automated decision-making systems, children’s privacy, devices that listen to users, augmented/virtual reality, interfaces and dark patterns, and advertising technology. Topics addressed during the panels included (i) requiring data brokers to provide accurate information; (ii) understanding how data inaccuracies can disproportionately affect minorities and those living in poverty, and why relying on this data can lead to discriminatory practices; (iii) examining bias and discrimination risks when engaging in emotional artificial intelligence; (iv) understanding automated decision-making systems and how the quality of these systems impacts the populations they are meant to represent; (v) recognizing the lack of transparency related to children’s data collection and use, and the impact various privacy laws, including the Children’s Online Privacy Protection Rule, the General Data Protection Regulation, and the California Consumer Privacy Act, have on the collection/use/sharing of personal data; (vi) recognizing challenges related to cookie-consent interfaces and dark patterns; and (vii) examining how targeted online advertising both in the U.S. and abroad affects consumers.

    Privacy, Cyber Risk & Data Security FTC Consumer Protection Artificial Intelligence Dark Patterns Enforcement

  • 4th Circuit says website does not qualify for Section 230 immunity

    Courts

    On November 3, the U.S. Court of Appeals for the Fourth Circuit reversed and remanded a district court’s summary judgment ruling that a public records website, its founder, and two affiliated entities (collectively, “defendants”) could use Section 230 liability protections under the Communications Decency Act (CDA) to shield themselves from credit reporting violations. As previously covered by InfoBytes, plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency (CRA) under the FCRA, and as such, must follow the process-oriented requirements that the FCRA imposes on CRAs. However, the district court determined that the immunity afforded by Section 230 of the CDA applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.

    On appeal, the 4th Circuit reviewed whether a consumer lawsuit alleging violations of the FCRA’s procedural and disclosure requirements and seeking to hold the defendants liable as the publisher or speaker of information provided by a third party is thereby preempted by Section 230. The appellate court agreed with an amicus brief filed in 2021 by the FTC, CFPB, and the North Carolina Department of Justice, which urged the appellate court to overturn the district court ruling on the basis that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by extending immunity to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the amicus brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when preparing reports, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes.

    The 4th Circuit held that Section 230(c)(1) of the CDA “extends only to bar certain claims, in specific circumstances, against particular types of parties,” and that the four claims raised in this case were not subject to those protections. “Section 230(c)(1) provides protection to interactive computer services,” the appellate court wrote, “[b]ut it does not insulate a company from liability for all conduct that happens to be transmitted through the internet.” Specifically, the appellate court said two of the counts—which allege that the defendants failed to give consumers a copy of their own report when requested and did not follow FCRA requirements when providing reports for employment purposes—do not seek to hold the defendants liable as a speaker or publisher, and therefore fall outside Section 230 protections. As for the remaining two counts related to claims that the defendant failed to ensure records for employment purposes were complete and up-to-date, or adopt procedures to assure maximum possible accuracy when preparing reports, the 4th Circuit concluded that the defendants “made substantive changes to the records’ content that materially contributed to the records’ unlawfulness. That makes [defendants] an information content provider, under the allegations, for the information relevant to Counts Two and Four, meaning that it is not entitled to § 230(c)(1) protection for those claims.”

    Courts Appellate Fourth Circuit FCRA Communications Decency Act Consumer Reporting Agency

  • Plaintiff wins $148,000 in data breach suit

    Courts

    On November 3, the U.S. District Court for the District of Minnesota granted a technical consulting and software development company’s (plaintiff) motion for summary judgment in a data breach suit. According to the order, an unknown bad actor gained unauthorized access to the email account of one of the plaintiff’s employees and created multiple “rules” that interfered with the proper receipt of incoming emails. The bad actor sent emails to and from the account, at times impersonating the employee and at times impersonating clients. The plaintiff issued two invoices to a particular client while these rules were in place: one invoice was for $137,000 for the plaintiff’s services, and the other invoice was for an additional $39,962. The bad actor emailed the client, posing as the employee, and wrote that it had “recently changed banks and our previous account . . . has been closed, hence, all payments effective immediately will be made directly to our new bank account in compliance with the policy of the company.” The bad actor requested confirmation as to when the client would pay the first invoice “so we can forward our new bank account details.” The client sent the payment to an account controlled by the bad actor. After discovering the bad actor’s conduct, the plaintiff recovered some of that money with the help of the U.S. Secret Service but sought insurance coverage for nearly $148,000, court records show. The defendant had insured the plaintiff under a technology professional liability (TPL) policy that incorporated a Data Breach Coverage Form, which included a “Cyber Business Interruption and Extra Expense” clause. The plaintiff submitted a claim to the defendant seeking coverage under the policy for the money lost to the bad actor. The defendant denied the plaintiff’s claim for coverage. The plaintiff sued, alleging that the defendant’s denial of coverage breached the TPL policy. The court found that using “‘impairment’ rather than ‘interruption’ in the Clause itself demonstrates that the TPL policy specifically grants coverage when a business suffers something less than a total suspension of operations.” The court further noted that the policy covers the loss, granted summary judgment to the plaintiff on its claim that the defendant breached the policy by denying coverage, and awarded the plaintiff nearly $148,000 in damages.

    Courts Privacy, Cyber Risk & Data Security Data Breach Cyber Insurance
