On November 19, the U.S. Chamber of Commerce sent FOIA requests to the FTC seeking, among other things, communications on consumer data privacy policies the FTC has discussed or considered in response to President Biden’s broad July 9 executive order, which tasked the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” (Covered by InfoBytes here.) The Chamber is seeking all communications between FTC Chair and Commissioner Lina Khan and former commissioner Rohit Chopra related to the FTC’s Penalty Offense Authority and/or enforcement policy statements addressing privacy-related topics, as well as communications with the Center on Privacy and Technology at Georgetown Law. As previously covered by InfoBytes, the Center’s founder, Alvaro Bedoya, was nominated in September by President Biden to serve as an FTC commissioner. With respect to the requests for records related to the FTC’s Penalty Offense Authority, over the past few months the FTC has issued several warnings under that authority related to false money-making claims, misleading online endorsements, and unlawful for-profit education institution practices. (Covered by InfoBytes here, here, and here.) Among other things, the FOIA letters also request all records related to artificial intelligence, including communications between the FTC and the White House Office of Science and Technology Policy and/or the CFPB.
On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated its opinion in Hunstein v. Preferred Collection & Management Services and ordered an en banc rehearing of the case. The vacated decision had revived claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated the privacy protections of the FDCPA. As previously covered by InfoBytes, in April the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because doing so is a communication with a third party “in connection with the collection of any debt.” According to the order, which the 11th Circuit issued sua sponte, the full court will convene at a later date to rehear the case.
On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to notify its primary federal regulator of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that such an incident has occurred. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade: (i) the banking organization’s ability to carry out its operations or deliver banking products and services to a material portion of its customer base; (ii) business lines whose failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations whose failure or discontinuance would threaten the financial stability of the United States. Additionally, the final rule requires a bank service provider to notify each affected banking organization customer as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to that banking organization for four or more hours. The agencies explain that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” and those third parties may themselves experience computer-security incidents that affect the services they provide to banking organizations. The rule is effective April 1, 2022, and banking organizations and bank service providers are expected to comply by May 1, 2022.
On November 4, the U.S. District Court for the District of Massachusetts granted final approval to a settlement in a class action against an alcohol e-commerce platform stemming from a data breach that allegedly compromised customers’ personally identifiable information. The plaintiffs’ memorandum of law requested approval of the class action settlement, which included a settlement class of 2.5 million individuals whose information was compromised. Class members claimed that the company did not publicly report the data breach until July 2020, and that customers’ information was available for purchase on the dark web. A complaint was filed against the defendant asserting claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of several state consumer protection statutes. The defendant moved to compel arbitration, citing a provision in its terms of service, as well as a class action waiver that required customers to arbitrate their claims individually. However, the parties entered into settlement discussions and agreed to mediate their dispute. Under the terms of the settlement, which is valued between $3.35 million and $7.1 million, the defendant has agreed to pay all associated administration costs, attorneys’ fees and expenses, and incentive awards. Class members will receive individual cash payments and will also receive a pro rata portion of a pool of up to $447,750 in the form of a credit against the cost of service fees for future orders on the defendant’s platform. The defendant will also implement certain data security measures for two years.
On November 9, the U.S. District Court for the Northern District of California issued an order granting, among other things, a global technology company defendant’s motion to compel individual arbitration in a privacy class action and dismissing the action without prejudice. As outlined in a May order issued by the court, which granted in part and denied in part the defendant’s motion to dismiss the plaintiff’s first amended complaint, the plaintiff alleged that the defendant failed to disclose that it was (i) monitoring and collecting Android smartphone users’ sensitive personal data while users interacted with apps not owned by the defendant; and (ii) generally collecting “sensitive personal data to obtain an unfair economic advantage.” While the court dismissed the plaintiff’s California Invasion of Privacy Act claims, it allowed claims brought under the California Consumers Legal Remedies Act (which “prohibits ‘unfair methods of competition and unfair or deceptive acts or practices’”) to proceed, reasoning that the plaintiff would have acted differently had the defendant disclosed these material facts.
The defendant moved to compel arbitration, claiming the plaintiff was using a smartphone that was bound by an arbitration provision. The plaintiff countered in both the complaint and the first amended complaint, as well as in his initial disclosures, that the phone he originally purchased was never subject to an arbitration agreement. However, the court noted that account information later showed that the smartphone the plaintiff was using when he filed suit, as well as the smartphone he later switched to, both came with individual arbitration provisions and class waivers, subject to user opt-out. The court found that the plaintiff had not opted out of arbitration for either smartphone, denied the plaintiff’s motion for leave to file a second amended complaint, and dismissed the action without prejudice.
On November 12, the FTC released a preliminary draft of the Strategic Plan for Fiscal Years 2022 to 2026 for public review and comment. Recognizing that protecting the public from unfair or deceptive acts or practices in the marketplace is a key FTC strategic goal, the draft Strategic Plan outlines several objectives guiding the Commission’s work in this area including (i) identifying, investigating, and taking enforcement action to deter these types of harm; (ii) providing consumers and businesses with guidance and tools to prevent harm; (iii) engaging in domestic and international collaboration efforts to enhance consumer protections, including those related to telemarketing, internet fraud, and privacy violations; and (iv) advancing measures to support underserved and marginalized communities. Recognizing that consumers cannot always identify whether unfair or deceptive practices have occurred, the FTC reports it will continue to identify consumer protection violations and collaborate with law enforcement partners to identify trends and targets and enforce consumer protection laws. These efforts will include safeguarding consumer privacy and litigating cases involving privacy risks.
Additional goals outlined within the draft Strategic Plan focus on marketplace competition, anticompetitive mergers, antitrust issues, resource management and workforce protections, and climate readiness. The draft Strategic Plan notes the importance of “cross-training staff on both consumer protection and competition issues” and of “grasping market realities” as “the economy becomes increasingly digitized.” According to the FTC, the “agency plans to be especially attentive to next-generation technologies, innovations, and nascent industries across sectors.” Comments on the draft plan may be submitted through November 30.
U.S. and Israel form partnership to combat ransomware; U.S. enters cybersecurity initiative with France
On November 14, the U.S. Treasury Department announced the establishment of a bilateral partnership with the Israeli Ministry of Finance as part of the Biden Administration’s efforts to crack down on ransomware. The partnership is part of the U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity, which was launched the same day. During the launch, Treasury Department Deputy Secretary Wally Adeyemo and his Israeli counterparts affirmed their commitment to encouraging robust fintech innovation and reinforced the importance of working together to combat cyber threats that nation-state and criminal actors pose to the global economy. The Task Force will take several measures, including immediately developing a Memorandum of Understanding that will support “(1) permissible information sharing related to the financial sector, including cybersecurity regulations and guidance, cybersecurity incidents, and cybersecurity threat intelligence; (2) staff training and study visits to promote cooperation in the area of cybersecurity and the financial system; and, (3) competency-building activities such as the conduct of cross-border cybersecurity exercises linked to global financial institutions financial and investment flows.” The Task Force also plans to launch a series of expert technical exchanges to support fintech innovation and to examine how cyber-analytics firms and fintech/regtech innovations are developing new measures to combat illicit finance risk and enhance public sector analytical and enforcement activities. According to Adeyemo, international cooperation is vital for addressing virtual currency abuses and disrupting the ransomware business model.
Separately, on November 10, Vice President Kamala Harris announced, among other initiatives, an international cybersecurity initiative with France to combat cyber threats. Harris stated that the U.S. will support the Paris Call for Trust and Security in Cyberspace, which the White House described as “a voluntary commitment to work with the international community to advance cybersecurity and preserve the open, interoperable, secure, and reliable internet.” According to the announcement, the U.S. “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.” Harris’ announcement builds on recent counter-ransomware actions taken to increase international cooperation to combat cybercrime. (Covered previously by InfoBytes here.)
On November 10, the Maryland governor announced the appointments of a new chief privacy officer and chief data officer, both newly created roles, as part of the state’s commitment to cybersecurity and data privacy. The chief privacy officer will lead state initiatives with respect to data privacy and will assume responsibility for “monitoring program compliance, investigation and tracking of incidents and potential breaches, and ensuring citizens’ rights.” The chief data officer will spearhead Maryland’s data governance program and will promote the use of technology and data analytics. “Public officials have no higher responsibility than keeping the American people safe, and there is no greater threat to their safety than the cyber vulnerabilities of the systems that support our daily lives,” Governor Hogan said in the statement.
On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency hardware wallet provider and its e-commerce vendor after determining that the court lacks personal jurisdiction over the companies. Plaintiffs, customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020, alleged violations of state consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of the vendor’s customers. Plaintiffs contended that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved. Plaintiffs also alleged that an unauthorized third party gained access to the wallet provider’s e-commerce database and obtained the email addresses of one million customers as well as physical contact information for 9,500 customers. According to the plaintiffs, the wallet provider did not disclose that the attack on its website and the theft of the vendor’s data were connected, and it downplayed the seriousness of the attack. As a result, plaintiffs were allegedly subjected to “phishing scams, cyber-attacks, and demands for ransom and threats.” Plaintiffs claimed that the companies failed to implement appropriate security measures to protect customer data, and sought injunctive relief and other remedies under California’s unfair competition law, Georgia’s Fair Business Practices Act, and New York’s General Business Law. The defendant companies moved to dismiss, arguing that the court lacked personal jurisdiction and that plaintiffs failed to state a claim.
The court determined that it lacks jurisdiction over the French wallet provider, ruling, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities at California in a way that would support specific jurisdiction, and that the provider “did not cause harm in California that it knew was likely to be suffered there.” The court further held that the vendor’s headquarters being in California at the time of the breach is not sufficient to establish general jurisdiction because the vendor had moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the court wrote, dismissing the case with prejudice.
On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates CMMC 1.0 (see DoD guidance here) by streamlining compliance rules, strengthening cyber protection standards for companies operating in the defense industrial base, and encouraging a collaborative culture of cybersecurity and cyber resilience. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, stated. Among other things, CMMC 2.0: (i) simplifies CMMC standards and provides further clarity on cybersecurity regulatory, policy, and contracting requirements; (ii) focuses the most advanced cybersecurity standards and third-party assessment requirements on companies that support the highest priority programs; and (iii) “increas[es] DoD oversight of professional and ethical standards in the assessment ecosystem.” Changes reflected in CMMC 2.0 will be implemented through future rulemaking, and companies are not required to comply with CMMC requirements until the forthcoming rules take effect. DoD will also suspend the current CMMC pilot program and “will not approve inclusion of a CMMC requirement in any DoD solicitation” during this period.