InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC hosts forum on commercial surveillance and lax data security practices

    Federal Issues

    On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The forum featured remarks by FTC Chair Lina M. Khan, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, as well as a staff presentation, two panel discussions, and comments from the public. Chair Khan noted in her remarks that the discussion and comments at the forum will be critical in determining the evidentiary basis for proceeding with a rulemaking and whether the legal requirements needed for crafting any particular type of rule are met. However, some observers expressed concern that the FTC’s ANPR could undermine efforts to pass federal privacy legislation. Slaughter noted in her remarks that she “support[s] strong federal privacy legislation, but until there’s a law on the books, the commission has a duty to use all the tools we have to investigate and address unlawful behavior in the market.” Commissioners Slaughter and Bedoya also expressed the need for public engagement to understand commercial surveillance.

    The first panel focused on industry perspectives on commercial surveillance and data security. When asked about some of the best practices or potential business models developed by businesses to mitigate consumer harm and protect data, a panelist noted that there are many approaches underway, but the guiding principle is that the process of documentation supports transparency by prompting processes and critical thinking of each step in the machine learning lifecycle. One panelist expressed concerns about businesses tracking personal data, stating that because retailers collect information about their customers when they make purchases online and may recommend related offerings, regulators “should not interfere with these direct relationships.” Another panelist warned against treating all data collection and processes equally, stressing that the FTC should use its enforcement tools against third parties.

    The second panel featured consumer advocates discussing interests, concerns, risks, and harms related to commercial surveillance, in addition to mitigating consumer harms and protecting data. The advocates noted, among other things, that the FTC should impose heightened safeguards on sensitive data, such as precise location records and information associated with children. Additionally, the panelists advocated for establishing a regulation and broadening the FTC’s Section 5 unfairness authority that limits widescale tracking. Specifically, one panelist discussed how the FTC should approach a data minimization rule under Section 5, recommending that such a rule should ban secondary use and third-party disclosures. In regard to combating discrimination through data collection and advertising, a panelist noted that shifting data protection responsibilities from individuals onto companies could play an important part in ensuring that data-driven algorithms that deliver ads or content are not discriminating against consumers.

    Federal Issues Agency Rule-Making & Guidance Privacy, Cyber Risk & Data Security FTC Advertisement Endorsements Consumer Protection

  • 11th Circuit says plaintiff lacks standing in collection letter case

    Courts

    On September 8, the U.S. Court of Appeals for the Eleventh Circuit issued an en banc decision in Hunstein v. Preferred Collection & Management Services, dismissing the case after determining the plaintiff lacked standing to sue. The majority determined that “[b]ecause Hunstein has alleged only a legal infraction—a ‘bare procedural violation’—and not a concrete harm, we lack jurisdiction to consider his claim.” In April 2021, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” The decision revived claims that the debt collector’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. The 11th Circuit last November, however, voted sua sponte to rehear the case en banc and vacated its earlier opinion. (Covered by InfoBytes here.)

    The en banc decision relied heavily on the U.S. Supreme Court’s ruling in TransUnion v. Ramirez (covered by InfoBytes here), which clarified the type of concrete injury necessary to establish Article III standing and directed courts “to consider common-law torts as sources of information on whether a statutory violation had caused a concrete harm.” The majority pointed out that when making a common-law tort comparison, courts “do not look at tort elements in a vacuum” but rather “make the comparison between statutory causes of action and those arising under the common law with an eye toward evaluating commonalities between the harms.”

    “What harm did this alleged violation cause?” the majority questioned in its opinion, finding that no tangible injury or loss was identified in the complaint. Rather, the plaintiff analogized to the tort of public disclosure. The majority found that this comparison was inapposite, because “the disclosure alleged here lacks the fundamental element of publicity.” Because there was no public disclosure, there was no invasion of privacy and therefore no cognizable harm.   

    Four judges dissented, arguing that the plaintiff had standing to sue. They opined that the court’s job is not to determine whether the plaintiff stated a viable common-law tort claim, but rather to “compare the ‘harm’ that Congress targeted in the FDCPA and ‘harm’ that the common law sought to address” and to determine whether those harms bear a sufficiently “close relationship.” The dissenting judges found that the delivery of “intensely private information” to the vendor, as alleged by the plaintiff, is the “same sort of harm that common-law invasion-of-privacy torts—and in particular, public disclosure of private facts—aim to remedy.” The dissent also stressed that even if the disclosure alleged by the plaintiff is less extensive than the type of disclosure of private information typically at issue in a common law invasion of privacy claim, that is a question of the degree of harm and not a question of the kind of harm, and therefore should not be the basis for dismissal.

    Courts Appellate Privacy, Cyber Risk & Data Security Eleventh Circuit Debt Collection Hunstein FDCPA Disclosures U.S. Supreme Court

  • Senate Democrats urge CFPB for guidance on P2P apps

    Federal Issues

    On September 1, five Senate Democrats sent a letter to CFPB Director Rohit Chopra urging the Bureau to issue guidance to provide better tools to protect older Americans and their families from the increased prevalence of P2P fraud. The letter discussed that, according to the FTC, P2P apps are used by scammers because “the ease with which consumers may make payments to individuals they have never met on P2P platforms facilitates quick purchasing decisions.” The FTC also found that older adults are increasingly using payment apps or services, noting that P2P-related complaints received by the FTC tripled from 2019 to 2020, and older adults reported $10 million in losses associated with complaints related to payment apps and services in 2020 alone. The letter concluded that the CFPB should “move forward with the guidance under consideration, keeping in mind the disproportionate effect that frauds and scams have on communities of color and people with Limited English Proficiency.”

    Federal Issues U.S. Senate CFPB Elder Financial Exploitation Peer-to-Peer Electronic Payments Consumer Finance

  • CFPB reports on nursing home debt collection

    Federal Issues

    On September 8, the CFPB released an Issue Spotlight on nursing home debt collection, which focuses on the risk of financial harm that nursing homes and their debt collectors cause by attempting to collect invalid debts. The report, conducted by the Bureau’s Office of Financial Protection for Older Americans, analyzes consumer complaints, nursing home admission contracts, and debt collection lawsuits to assess risks to nursing home residents and their caregivers. In particular, the report found that many facilities include clauses in admission contracts that require caregivers to be a “responsible party” for the resident’s costs of care, or that otherwise subject the caregiver to financial liability should the admitted resident incur a debt. The report also found that nursing home residents stay for significant amounts of time, the average nursing home stay among residents being 1 year and 4 months, and that most older adults are not insured against the costs of long-term care. According to a statement by CFPB Director Rohit Chopra, he expects the "Office for Older Americans will emerge as a key pillar within the policymaking and law enforcement community on financial issues faced by older adults and their caregivers."

    The same day, the CFPB released Circular 2022-05, which asks the question: “Can debt collection and consumer reporting practices relating to nursing home debts that are invalid under the Nursing Home Reform Act [(NHRA)] violate the Fair Debt Collection Practices Act (FDCPA) and Fair Credit Reporting Act (FCRA)?” The Circular explained, though the Bureau does not enforce the NHRA, that the NHRA prohibits a nursing facility from conditioning a resident’s admission or continued stay on receiving a guarantee of payment from a third party, such as a relative or friend. The Circular also highlighted certain practices related to the collection of nursing home debts that are invalid under the NHRA and its implementing regulation that also violate the FDCPA and FCRA. The Bureau also issued a joint letter with the Centers for Medicare & Medicaid Services to nursing facilities and debt collectors reminding them of their responsibilities under the NHRA, FDCPA, and FCRA.

    Federal Issues Elder Financial Exploitation Debt Collection CFPB Consumer Finance FCRA FDCPA

  • OCC issues expectations for protecting non-public information

    On September 7, the OCC issued Bulletin 2022-21, Information Security: Expectations for Protecting Non-public OCC Information on Institution- or Other Non-OCC-Owned or Managed Video Teleconferencing Services, outlining its expectations for protecting non-public OCC information shared on video teleconferencing services that are operated or managed by an institution or any other party. The OCC reiterated that banks and other parties in possession of such information are prohibited from disclosure without the agency’s prior approval, except under certain limited circumstances. Further, the prohibition extends to the disclosure of information displayed, processed, stored, or transmitted by information systems, including video teleconferencing services. The Bulletin states that non-public OCC information is the property of the OCC and includes, among other things: (i) “OCC reports of examination, including ratings such as CAMELS and the Uniform Rating System for Information Technology ratings”; (ii) “supervisory correspondence”; (iii) “institution responses to supervisory correspondence”; (iv) “investigatory files”; and (v) “certain enforcement-related information, including matters requiring attention.” The OCC also listed several security expectations for any videoconference in which non-public OCC information will be communicated, which include using an encrypted connection, moderating the meetings, making no recordings or transcriptions, and ensuring the videoconference service is securely configured and routinely patched to protect against cyber intrusion and data loss.

    Bank Regulatory Federal Issues OCC Agency Rule-Making & Guidance Supervision Privacy, Cyber Risk & Data Security

  • Fed vice chair for supervision outlines future priorities

    On September 7, Federal Reserve Board Vice Chair for Supervision Michael Barr laid out his goals for making the financial system safer and fairer during a speech at the Brookings Institution, highlighting priorities related to risk-focused capital frameworks and bank resiliency, mergers and acquisitions, digital assets and stablecoins, climate-related financial risks, innovation, and Community Reinvestment Act modernization plans. Addressing issues related to resolvability, Barr signaled that the Fed would begin “looking at the resolvability of some of the other largest banks [in addition to globally systemically important banks] as they grow and as their significance in the financial system increases.” With respect to bank mergers, Barr commented that “the advantages that firms seek to gain through mergers must be weighed against the risks that mergers can pose to competition, consumers and financial stability.” He said he plans to work with Fed staff to assess how the agency performs merger analysis and whether there are areas for improvement. Barr also discussed financial stability risks posed by new forms of private money created through stablecoins and stressed that Congress should work quickly to enact legislation for bringing stablecoins (especially those intended to serve as a means of payment) within the prudential regulatory perimeter. He added that the Fed plans to make sure that the crypto activity of supervised banks “is subject to the necessary safeguards that protect the safety of the banking system as well as bank customers,” and said “[b]anks engaged in crypto-related activities need to have appropriate measures in place to manage novel risks associated with those activities and to ensure compliance with all relevant laws, including those related to money laundering.” 

    Bank Regulatory Federal Issues Digital Assets Federal Reserve Bank Mergers Fintech Climate-Related Financial Risks CRA Financial Crimes Anti-Money Laundering Of Interest to Non-US Persons Supervision

  • 11th Circuit affirms denial of title company’s cyber fraud claim

    Courts

    On September 6, the U.S. Court of Appeals for the Eleventh Circuit upheld a district court’s decision to deny insurance coverage to a Florida title company under its Cyber Protection Insurance Policy after it was allegedly “fraudulently induced—by an unknown actor impersonating a mortgage lender—to wire funds to an incorrect account.” The insurance company denied coverage on the basis that the title company did not meet the policy’s requirements. The title company submitted a claim under the cybercrime endorsement of its insurance policy, which includes a deceptive transfer fraud insurance clause that grants coverage provided certain criteria are met, including that the loss resulted from intentionally misleading actions, was done by a person purporting to be an employee, customer, client or vendor, and the authenticity of the wire transfer instructions was verified according to the title company’s internal procedures. The insurance company denied coverage, claiming that: (i) the mortgage lender for whom the funds were intended was not an employee, customer, client or vendor of the title company; and (ii) the title company failed to verify the transfer request according to its procedures. The district court granted summary judgment in favor of the insurance company, agreeing that coverage did not exist under the plain language of the policy.

    On appeal, the 11th Circuit determined that the mortgage lender was not listed as an entity under the plain language of the policy. It further disagreed with the title company’s position that under Florida law, insurance coverage clauses must “be construed as broadly as possible to provide the greatest amount of coverage,” and that the deceptive transfer fraud clause should also include “persons and entities involved in the real estate transaction.” The appellate court noted that “[a]s attractive as that proposition may be, it is simply not what the clause provides,” adding that because the clause “limits coverage to misleading communications ‘sent by a person purporting to be an employee, customer, client or vendor’” it must interpret these terms according to their plain meaning and may not “alter[] the terms bargained to by parties to a contract.”

    Courts Privacy, Cyber Risk & Data Security Appellate Eleventh Circuit Insurance Fraud Mortgages

  • CARU orders app company to correct violations of children’s privacy rules

    Privacy, Cyber Risk & Data Security

    On September 7, the Children’s Advertising Review Unit (CARU) announced that the owner of a cartoon-themed app company has agreed to correct alleged violations of the Children’s Online Privacy Protection Act (COPPA) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online Privacy Protection. CARU found that the company served multiple automated ads that could not be stopped—which included interactive features that mimicked the app's gameplay—until users downloaded the advertised app or watched the entire ad. CARU found that these “ads unduly interfered with gameplay, encouraged excessive ad viewing by children through deceptive door openers and other manipulative design techniques, required children to download and install unnecessary apps, and often provided unclear and inconspicuous methods for children to exit the ad and return to the game.” CARU further noted that while its Advertising Guidelines do not require in-app ads to provide an exit method, “they specify that where one is offered it must be clear and conspicuous.” CARU also said that the app “failed to use simple, clear, and conspicuous language to let children know when they were selecting a button that would force them to watch or engage with an ad, and instead used small disclosures in tiny, inconspicuous text.” The company also displayed some ads that were unsafe and inappropriate for children in violation of CARU's Advertising Guidelines. 

    CARU noted that the company did take proactive steps to address each of CARU's concerns regarding its advertising and privacy practices. Specifically, the company will, among other things, “[u]pdate its age screening mechanism to allow users to freely enter the month and year of their birth and, use technical measures to prevent a child from entering a different age once they initially submit their age,” and “[u]pdate its privacy policy to align with COPPA and better reflect its data practices as a mixed-audience site.” In particular, the app company has already voluntarily updated its age screen to direct users to two different versions of the app, with one directed towards users under age 13 and a separate version for those age 13 and up.

    Privacy, Cyber Risk & Data Security Enforcement COPPA CARU

  • Treasury discusses combating corruption

    Financial Crimes

    On September 7, U.S. Treasury Department Assistant Secretary for Terrorist Financing and Financial Crimes Elizabeth Rosenberg spoke at the Brookings Institution as part of a series of discussions regarding corruption and the Department’s efforts to strengthen global beneficial ownership standards against corruption. During her remarks, she discussed Treasury’s focus on three efforts to counter corruption: (i) analyzing the risks associated with corruption; (ii) putting in place an effective legal framework to prevent corruption in our financial system; and (iii) implementing targeted measures, such as sanctions, to expose and hold accountable corrupt individuals and their facilitators. She noted that her office’s 2022 Money Laundering Risk Assessment “described the persistent themes of corrupt individuals engaging in fraud, embezzlement, bribery, extortion, and the misuse of companies and other legal entities.” (Covered by InfoBytes here.) Rosenberg also discussed strengthening global beneficial ownership standards at the intergovernmental Financial Action Task Force “to focus the body’s efforts on the effective implementation of the UN Convention on Corruption, on the misuse of citizenship-by-investment programs by corrupt individuals and their families, and on financial gatekeepers that get rich helping senior officials steal from their citizens.” She further described Treasury efforts, both public and non-public, to expose corrupt officials. She closed her prepared remarks by committing to continue both defensive and offensive strategies to counter corruption and to advance rules that are designed to “make our financial system more resilient and bring forward new analysis on vulnerabilities to corruption in our economy.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury FATF Anti-Money Laundering

  • SEC warns Chinese companies against switching auditors to avoid compliance

    Securities

    On September 6, SEC acting Chief Accountant Paul Munter issued a warning to Chinese companies that they may face enforcement actions if, to remain listed in the U.S., they switch to auditing firms that do not follow applicable standards. Munter pointed to instances of foreign issuers, especially those located in China or Hong Kong, “changing their lead auditor from a local registered public accounting firm to a registered public accounting firm located either in the U.S. or elsewhere, generally within the same network.” According to Munter, these types of arrangements create “special challenges that raise questions about whether the newly engaged registered public accounting firms—whether located in the U.S. or elsewhere—will be able to satisfy their responsibilities to serve as the lead auditor.” Munter noted that the U.S. Public Company Accounting Oversight Board (PCAOB), the China Securities Regulatory Commission, and the Ministry of Finance of the People’s Republic of China recently signed a Statement of Protocol governing inspections and investigations of audit firms based in China or Hong Kong. He said, however, that certain issuers based in China and Hong Kong have started structuring audits with registered public accounting firms located either in the U.S. or elsewhere “to avoid the potential of consecutive PCAOB [Holding Foreign Companies Accountable Act] determinations and a potential resultant trading prohibition.” Issuers and firms looking to avoid compliance could face investigations and enforcement actions by the PCAOB, the SEC, or both.

    Securities Agency Rule-Making & Guidance Financial Crimes China Audit
