
InfoBytes Blog

Financial Services Law Insights and Observations


  • California’s privacy agency amends draft privacy rules ahead of meeting

    Privacy, Cyber Risk & Data Security

    In advance of an upcoming meeting of the California Privacy Protection Agency Board (CPPA) scheduled for October 28-29, the agency posted updated draft rules for implementing the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here).

    The proposed changes to the draft rules respond to comments received during the 45-day comment period, in which several businesses expressed concerns that the requirements were confusing and complying would be costly. (See also Explanation of Modified Text of Proposed Regulations.) Key clarifying modifications include:

    • Adding, amending, and striking certain definitions. The proposed changes would, among other things, revise the definition of “disproportionate effort” to clarify that it applies to service providers, contractors, and third parties as well as to businesses. The revisions also provide additional details concerning factors that should be considered when evaluating whether responding to a consumer request would require disproportionate effort. The changes also add and amend terms such as “first party,” “information practices,” “nonbusiness,” “privacy policy,” and “unstructured.”
    • Outlining restrictions on how a consumer’s personal information is collected or used. The revisions propose criteria for how a business should evaluate the “reasonable expectation” of consumers concerning the collection or processing of their personal information, including how to determine the purpose for which the personal information is collected, whether it is reasonably necessary and proportionate for achieving the stated purposes, and whether it is a “business purpose” under the CCPA/CPRA. According to the CPPA’s explanation of the modified text, the “factors consider relevant GDPR principles for harmonization while articulating the statutory requirements and intent of the CCPA.”
    • Providing disclosure and communications requirements. The proposed changes clarify that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and provide guidance on the placement of conspicuous links in a mobile environment.
    • Clarifying requirements for obtaining consumer consent. The revisions explain how different user interfaces and “choice architecture” can impair or interfere with a consumer’s ability to make a choice, and thus fail to meet the definition of consent. The revisions further address provisions related to dark patterns, explaining that “[i]f a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business’s deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.”
    • Amending requirements related to a business’s privacy notice. The revisions eliminate requirements for a business to either disclose the names or business practices of third parties that the business allows to collect personal information from the consumer in the business’s notice at collection. Additionally, a business and third party may provide a single notice at collection that outlines the required information about their collective information practices.
    • Amending the right to limit the use/disclosure of sensitive personal information. The proposed changes clarify that a business does not need to provide a notice of right to limit the use of sensitive personal information if the business only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer. Additionally, the revisions would make it optional for businesses to provide a means by which consumers can confirm their request to limit in order to simplify implementation at this time.
    • Clarifying request to delete provisions. The revisions confirm that a business’s service provider or contractor may delete collected personal information pursuant to the written contract that it has with the business. Additionally, businesses will be permitted to provide a link to a support page or other resource that explains a consumer’s data deletion options.
    • Amending requests to correct/know. The proposed changes clarify that businesses, service providers, and contractors may delay compliance with requests to correct with respect to information stored on archived or backup systems. The amendments also, among other things, clarify that consumers should make good-faith efforts to provide businesses with all relevant information available at the time of the request, provide flexibility and discretion to a business concerning whether it will provide the consumer with the name of the source from which the business received the alleged inaccurate information, and clarify that a business only needs to disclose specific pieces of personal information that it maintains and has collected about the consumer in order to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. With respect to a consumer’s right to know, the proposed changes would allow a consumer to request a specific time period for which their request to know applies.
    • Amending opt-out preference signals. The proposed changes specify that a business that does not sell or share personal information is not required to process an opt-out preference signal as a valid request to opt-out. However, for businesses that do sell or share personal information, processing the opt-out preference signal means that the business is treating it as a valid request to opt-out of sale/sharing. The revisions also address when a business can ignore an opt-out signal to allow a consumer to continue to participate in a financial incentive program, and explain that when a consumer is known to the business, the “business shall not interpret the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information.” Moreover, a business may choose to display on its website whether it has processed the consumer’s opt-out preference signal as a valid request to opt-out of sale/sharing.
    • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods: an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
    • Clarifying requests to limit use and disclosure of sensitive personal information. The revisions clarify how sensitive personal information may be used to “prevent, detect, and investigate” security incidents “even if this business purpose is not specified in the written contract required by the CCPA and these regulations.”

    The proposed changes also delete examples concerning notices of the right to opt-out of the sale/sharing of personal information through connected devices and augmented or virtual reality to simplify implementation at this time. Additionally, the proposed changes further clarify provisions related to requirements for service providers, contractors, and third parties, specifying, among other things, that businesses must contractually require these entities to provide the same level of privacy protection as is required of businesses by the CCPA and these regulations.

    Privacy, Cyber Risk & Data Security State Issues California CPPA CPRA CCPA Consumer Protection Agency Rule-Making & Guidance

  • OFAC sanctions drug network

    Financial Crimes

    On October 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14059 against an individual and a drug trafficking organization, two Mexican nationals and members of the designated drug trafficking organization, and three Mexico-based transportation companies. According to OFAC, the designated organization evolved into a sophisticated network that is involved in the importation and transport of multi-ton quantities of illicit drugs from Mexico to the U.S. OFAC noted that the designations are the result of OFAC’s ongoing collaboration with Homeland Security Investigations San Diego Strike Force Group, U.S. Customs and Border Protection’s National Targeting Center, and the Government of Mexico. As a result of the sanctions, all property and interests in property belonging to the sanctioned entities in the U.S. are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC also noted that “persons that engage in certain transactions with the individuals and entities designated today may themselves be exposed to sanctions or subject to an enforcement action.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury SDN List OFAC Sanctions OFAC Designations Mexico

  • OFAC sanctions Russian military technology procurement network

    Financial Crimes

    On October 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14024 against a Russian military technology procurement network for allegedly procuring military and sensitive dual-use technologies from U.S. manufacturers and supplying them to Russian end-users. The designation of the individual and his two companies is part of a joint action with the DOJ and FBI and highlights the U.S. government’s ongoing “efforts to hinder Russia’s ability to wage its war of aggression in Ukraine, including by holding accountable those who support Russia’s military by disrupting its illicit defense and technology procurement networks around the world.” The action builds upon an October 14 alert issued by OFAC, the Department of Commerce’s Bureau of Industry and Security, and the Department of State, which details the impact of international sanctions and export controls (covered by InfoBytes here). The alert followed a convening of top officials representing ministries of finance and other government agencies from 33 countries, who met to discuss the effects of international sanctions and export controls on Russia’s military-industrial complex and critical defense supply chains.

    As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.” U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.

    The same day, the DOJ (with the support of the Department’s Task Force KleptoCapture) unsealed indictments against nearly a dozen individuals and several entities, including the sanctioned Russian national and his two companies, accused of scheming to export military technologies to Russia.

    Financial Crimes Federal Issues Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List DOJ Russia Ukraine Ukraine Invasion FBI Department of Commerce

  • Treasury releases CFIUS Enforcement and Penalty Guidelines

    Financial Crimes

    On October 20, the U.S. Treasury Department released CFIUS Enforcement and Penalty Guidelines to provide the public with information on how the Committee on Foreign Investments in the United States (CFIUS) assesses violations of laws and regulations on transaction parties. The guidelines inform the public about how CFIUS—which is tasked with identifying and mitigating certain national security risks related to foreign investments—assesses whether to impose a penalty or take other enforcement action for a violation of a party’s obligation, as well as factors that CFIUS considers when making such a determination. “The vast majority of those who come before CFIUS abide by their legal obligations and work collaboratively with the Committee to mitigate any national security risks arising from the transaction; however, those who fail to comply with CFIUS mitigation agreements or other legal obligations will be held accountable,” Assistant Secretary of the Treasury for Investment Security Paul Rosen stressed. “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”

    Financial Crimes Agency Rule-Making & Guidance Of Interest to Non-US Persons Department of Treasury CFIUS Investment

  • Special Alert: Fifth Circuit finds CFPB funding unconstitutional — Now what?

    Courts

    The Fifth Circuit ruled last night in CFSA v. CFPB that the Consumer Financial Protection Bureau’s funding structure is unconstitutional, triggering a potential wave of implications discussed below.

    The holdings

    A panel of three Fifth Circuit judges unanimously held that the CFPB funding structure created by Congress violated the Appropriations Clause of the Constitution, which provides that “no money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law.” It ruled that, although the CFPB spends money pursuant to a validly enacted statute, the structure violates the Appropriations Clause because the CFPB obtains its funds from the Federal Reserve (not the Treasury), the CFPB maintains funds in a separate account, the Appropriations Committees do not have authority to review the agency’s expenditures, and the bureau exercises broad authority over the economy. The court rejected the bureau’s arguments that the funding structure was necessarily constitutional because it was created by and subject to Congress, and distinguished other agencies that are funded outside of the annual appropriations process.

    Courts CFPB Special Alerts Appellate Fifth Circuit Constitution Enforcement Payday Rule Funding Structure

  • New Jersey reaches $495 million RMBS settlement with Swiss bank

    Securities

    On October 17, the New Jersey attorney general’s office announced it had reached a $495 million agreement in principle with a Swiss bank to resolve allegations related to its residential mortgage-backed securities (RMBS) practices leading up to the 2008 financial crisis. The AG stated that if finalized, the settlement will be one of the state’s largest civil monetary recoveries in history. According to the AG, the bank violated New Jersey’s securities laws by making material misrepresentations about the risks of the RMBS in offering documents, including by purportedly failing to disclose to investors material defects about the underlying mortgages. The announcement further stated that the bank allegedly sold the RMBS through registration statements, prospectuses, and other offering materials that contained fraudulent representations about the quality of the underlying loans, and allegedly “failed to disclose to investors the wholesale abandonment of underwriting guidelines designed to ensure that the mortgage loans underlying its securities trusts were made in accordance with appropriate lending guidelines; that numerous loan originators had poor track records of defaults and delinquencies; and that some loan originators had even been suspended from doing business with [the bank].” While neither admitting nor denying the allegations, the bank agreed to pay a $100 million civil monetary penalty and will provide approximately $300 million in restitution for affected investors. The bank is also permanently enjoined from future violations of state securities laws.

    Securities State Issues Enforcement New Jersey State Attorney General Settlement RMBS Mortgages Of Interest to Non-US Persons

  • OFAC issues finding of violation to entity for sanctions violations

    Financial Crimes

    On October 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced the issuance of a Finding of Violation to an international financial entity in Puerto Rico for violations of the Venezuelan Sanctions Regulations (VSR) and the Reporting, Penalties and Procedures Regulations (RPPR). According to the web notice, OFAC claimed that the entity engaged in three transactions totaling approximately $50,000 in violation of the VSR, failed to maintain full and accurate records related to the handling of the blocked accounts in violation of the RPPR, and failed to report the blocked accounts accurately. In determining the Finding of Violation, OFAC considered aggravating factors, including that the entity failed to exercise a minimal degree of caution or care when it (i) engaged in transactions involving blocked property without obtaining an OFAC license, even though senior managers at the bank were aware an OFAC license was needed; and (ii) failed to maintain relevant records associated with the bank’s handling of the blocked property, which may have impaired its ability to provide full and accurate information to OFAC. OFAC also considered various mitigating factors, including that the entity had not received a penalty notice from OFAC in the preceding five years, voluntarily self-disclosed the alleged violations, and has taken numerous remedial measures.

    Financial Crimes Enforcement Venezuela OFAC Department of Treasury Of Interest to Non-US Persons OFAC Sanctions OFAC Designations Puerto Rico

  • NYDFS reaches $4.5 million settlement over cybersecurity violations

    State Issues

    On October 18, NYDFS announced a $4.5 million settlement with a licensed health insurance company for alleged violations of the Department’s Cybersecurity Regulation (23 NYCRR Part 500), which contributed to the exposure of consumers’ sensitive non-public information (NPI). According to NYDFS, a bad actor gained access to a shared email mailbox in 2020 via a phishing attack. This mailbox, NYDFS said, allegedly contained more than six years’ worth of consumer NPI. An NYDFS investigation found that the company allegedly, among other things, failed to implement multi-factor authentication throughout its email environment, did not limit user access privileges (thus allowing nine employees to share login credentials to the compromised mailbox), and failed to implement sufficient data retention and disposal procedures. NYDFS asserted that the cybersecurity event may have been avoided or limited in scope if these security controls had been implemented. Furthermore, the company’s alleged failure to conduct an adequate risk assessment, as required by 23 NYCRR Part 500, prevented it from identifying the user access privilege and data disposal risks associated with the mailbox that was impacted by the phishing attack. Consequently, the company’s cybersecurity certifications for calendar years 2018 - 2021 were improper, NYDFS said.

    Under the terms of the consent order, the company is required to pay a $4.5 million civil money penalty and must conduct a comprehensive cybersecurity risk assessment of its information systems. NYDFS recognized the company’s cooperation throughout the investigation and commended its ongoing and completed remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program” and making “changes to its policies, procedures, systems, and governance structures.”

    State Issues Bank Regulatory NYDFS New York Enforcement Privacy, Cyber Risk & Data Security 23 NYCRR Part 500

  • District Court rules FCRA allegation filed before expiration of 30-day investigation period is not ripe

    Courts

    On October 14, the U.S. District Court for the District of South Carolina adopted a magistrate judge’s report and recommendation to grant summary judgment in favor of a defendant accused of violating the FCRA. According to the plaintiff’s amended complaint, the plaintiff opened a loan with the defendant and later entered into a modified agreement that reduced his monthly payments and the future projected balance. He later noticed that his credit report showed (i) the reported balance for his account to be higher than it should have been under the terms of the modified agreement, and (ii) three months of late payments. The plaintiff filed a dispute with the credit reporting agency (CRA) arguing, among other things, that the balance was being misstated. The plaintiff filed another dispute with the CRA regarding the late payments. The plaintiff filed the instant action before the end of the 30-day investigation period for the dispute regarding the late payments. The magistrate judge recommended that summary judgment be granted to the defendant on the claims alleging violation of Section 1681s-2(b), both (i) the claim predicated on the restated balance, and (ii) the claim predicated on the late payments, but for different reasons. The “late payment” claim “was not ripe when the action was filed” because the 30-day investigation period had not yet expired when the plaintiff filed his amended complaint. For the “restated balance” claim, the magistrate judge’s report found that the parties had a genuine legal dispute over their interpretations of the modified agreement (whether the balance due should be reduced at the time of the modification agreement or at the end of the modification term), which was not a factual inaccuracy: “the Report found violations of 15 U.S.C. 1681a-2(b) must be based on factual inaccuracies, not legal disputes, and as Plaintiff bases his claim on a legal dispute, he cannot prevail on his FCRA claim.” The district court agreed, noting that the plaintiff did not appear to object to the legal determination that “as a matter of a law a violation of a §1681s-2(b) could not be based on a legal dispute over the terms of a contract[.]” The report also noted that the plaintiff failed to demonstrate that he is entitled to actual damages, a requirement for a negligent violation of the FCRA, nor did he show that the defendant willfully violated the FCRA so as to be entitled to statutory or punitive damages. The district court agreed with the report and recommendation and dismissed the case with prejudice.

    Courts FCRA Dispute Resolution Consumer Reporting Agency Consumer Finance Credit Report

  • FDIC proposes amendments to its guide on supervisory appeals process

    On October 18, the FDIC Board of Directors announced it is soliciting further public comments on proposed amendments to its Guidelines for Appeals of Material Supervisory Determinations. The notice follows an action taken by the Board earlier in May, which restored the Supervision Appeals Review Committee (SARC) as the final level of review in the agency’s supervisory appeals process (covered by InfoBytes here). While the revised guidelines took effect immediately, the FDIC solicited comments on the changes. In response to comments received, the proposed amendments would add the agency’s ombudsman to the SARC as a non-voting member, and the ombudsman would be responsible for monitoring the supervision process after a financial institution submits an appeal. The proposed amendments would also require that materials considered by the SARC be shared with both parties to the appeal (subject to applicable legal limitations on disclosure), and allow financial institutions to request a stay of a material supervisory determination while an appeal is pending. Additionally, the division director would be given the discretion to grant a stay, or to grant a stay subject to certain conditions. Comments on the proposed amendments are due within 30 days of publication in the Federal Register.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC Supervision
