On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial institutions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified through data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.
On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of Illinois users, would resolve consolidated class claims that alleged the social media company’s face scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). As previously covered by InfoBytes, last August the U.S. Court of Appeals for the 9th Circuit affirmed class certification and held that the class’s claims met the standing requirement described in Spokeo, Inc. v. Robins because the social media company’s alleged development of a face template that used facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. According to the motion for preliminary approval, the settlement would be the largest BIPA class action settlement ever and would provide “cash relief that far outstrips what class members typically receive in privacy settlements, even in cases in which substantial statutory damages are involved.” If approved, the social media company must also provide “forward-looking relief” to ensure it secures users’ informed, written consent as required under BIPA.
On May 1, the FCC issued an order announcing the Commission will no longer send entities outside its jurisdiction warnings prior to commencing an enforcement action related to TCPA robocall violations. Specifically, the order, as mandated under Section 3 of the TRACED Act (covered by InfoBytes here), (i) removes provisions that previously required the FCC to issue a warning prior to imposing penalties for making robocalls; (ii) increases the maximum fine that the FCC can assess for robocall violations to $10,000 per intentional unlawful call, in addition to a forfeiture penalty amount; and (iii) extends the statute of limitations to four years for the FCC to investigate and take enforcement action against an entity that violates the TCPA. The order takes effect 30 days after publication in the Federal Register.
On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and sound use of cloud computing services, along with safeguards for protecting customers’ sensitive information from risks that may cause potential consumer harm. Among other things, the statement stresses that management should understand the division of responsibilities between a financial institution and a cloud service provider in order to assess and implement appropriate controls over operations to prevent the increased risk of operational failures or security breaches. The FFIEC also addresses the importance of protecting customer-sensitive information from unsafe or unsound practices by implementing “an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment.” The statement provides a list of government and industry resources and references to assist financial institutions when using cloud computing services.
On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC. The settlement, first announced last July (covered by InfoBytes here), requires the company to take a series of remedial steps, including (i) ceasing misrepresentations concerning its collection and disclosure of users’ personal information, as well as its privacy and security measures; (ii) clearly disclosing when it will share data with third parties and obtaining user express consent if the sharing goes beyond a user’s privacy setting restrictions; (iii) deleting or de-identifying a user’s personal information within a reasonable time frame if an account is closed; (iv) creating a more robust privacy program with safeguards applicable to third parties with access to a user’s personal information; (v) creating a new privacy committee and designating a dedicated corporate officer in charge of monitoring the effectiveness of the privacy program; (vi) alerting the FTC when more than 500 users’ personal information has been compromised; and (vii) undertaking reporting and recordkeeping obligations, and commissioning regular, independent privacy assessments. The order “resolves all consumer-protection claims known by the FTC prior to June 12, 2019, that [the company], its officers, and directors violated Section 5 of the FTC Act.” While the court acknowledged concerns raised by several amici opposing the settlement, the court concluded that the settlement and the proposed remedies were reasonable and in the public interest. On April 28, the FTC announced the formal approval of amendments to its 2012 privacy order to incorporate updated provisions included in the 2019 settlement.
On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017 complaint (covered by InfoBytes here), the CRA ignored cybersecurity vulnerabilities for months before the breach occurred and failed to take measures to implement and maintain reasonable safeguards. Under the terms of the proposed settlement, pending final court approval, the CRA will pay Massachusetts $18.2 million and is required to take significant measures to strengthen its security practices to ensure compliance with Massachusetts law. These measures include (i) implementing a comprehensive information security program; (ii) minimizing the collection of sensitive personal information; (iii) managing and implementing specific technical safeguards and controls; (iv) providing consumer-related relief, such as credit monitoring services and security freezes; and (v) allowing third-party assessments of its data safeguards.
Earlier, on April 14, the Indiana attorney general also announced that the CRA will pay the state $19.5 million to resolve allegations that it failed to protect Indiana residents whose personal information was exposed in the 2017 data breach. Under the terms of the final judgment and consent decree, in addition to paying $19.5 million in restitution, the CRA must take measures similar to those outlined in the Massachusetts settlement.
Massachusetts and Indiana were the only two states that chose not to participate in the 2017 multi-agency settlement that resolved federal and state investigations into the data breach and required the company to pay up to $700 million (covered by InfoBytes here).
Separately, on April 7, the City of Chicago announced a $1.5 million settlement to resolve allegations that the CRA’s failure to employ adequate data-security measures led to the breach.
On April 17, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s access-device fraud and aggravated identity theft convictions, finding that there was sufficient evidence to support the court’s factual findings on both charges. According to the opinion, the defendant applied for a debit card for his great-grandfather’s bank account without authorization and used the card to pay for his own expenses. The defendant was also seen multiple times on bank security cameras withdrawing money from an ATM using this card. The district court also heard testimony that the defendant opened accounts and applied for loans under his own name but used his great-grandfather’s social security number. The district court convicted the defendant on one count of access-device fraud and two counts of aggravated identity theft. The defendant appealed, arguing that the district court failed to make adequate findings of fact and that the government failed to present sufficient evidence to support the charges for which he was convicted.
On appeal, the 6th Circuit reviewed the factual findings underlying the convictions, and first concluded that, with respect to the count of access-device fraud, the government proved each element: that the defendant (i) knowingly used an access device assigned to another individual; (ii) possessed an intent to defraud; (iii) obtained a thing or things with an aggregate value of $1,000 or more within a year using the access device; and (iv) affected interstate or foreign commerce in using the access device. The appellate court explained that there was ample circumstantial evidence to support lack of authorization from the proper owners of the accounts at issue, and that the card was issued in Kentucky and the bank issuing the card was headquartered in Minnesota. The appellate court next considered whether evidence supported the district court’s finding that the defendant committed aggravated identity theft under the bank-fraud statute by opening a checking account and applying for a loan using his great-grandfather’s social security number. The appellate court held that the defendant’s use of his great-grandfather’s social security number properly supported the district court’s finding that the defendant knowingly used, without lawful authority, another person’s means of identification and that the defendant committed a predicate felony under the bank-fraud statute.
On April 21, according to reports, the Small Business Association (SBA) acknowledged that it notified almost 8,000 applicants of the Economic Injury Disaster Loan (EIDL) program that their information may have been exposed as part of a data breach. Specifically, the agency stated that on March 25, the personal information of business owners applying for the EIDL program was potentially exposed to other applicants on the SBA’s website. The information exposed included names, social security numbers, birth dates, certain financial information, email addresses, and phone numbers. According to the SBA, there is no evidence that the exposed information has been misused. Notably, the breach only affected applicants to the EIDL program, not the Paycheck Protection Program, which did not begin accepting applications until April 3.
On April 16, the Missouri Department of Health extended the duration of a prior “Stay Home Missouri” order to May 3, 2020, unless extended or modified. Relying on the Cybersecurity and Infrastructure Security Agency (CISA) advisory memorandum, the order treats financial services as essential.
- Jeffrey P. Naimon to provide a "Washington update" at the Mortgage Bankers Association Live: Legal Issues and Regulatory Compliance Conference
- Brandy A. Hood to discuss "Ongoing challenges of TRID compliance" at the Mortgage Bankers Association Live: Legal Issues and Regulatory Compliance Conference
- Daniel R. Alonso to discuss "Resisting temptation in a crisis: How to make sure ethics and compliance don't get diluted under financial strain" at a New York City Bar webcast
- Daniel P. Stipano to discuss "BSA for BSA seasoned officers" at an NAFCU webinar
- Jon David D. Langlois to discuss "LIBOR transition: Preparations for legal professionals" at a Mortgage Bankers Association webinar
- Garylene D. Javier to discuss "Navigating workplace culture in 2020" at the DC Bar Conference