On August 5, the FTC Commissioners testified before the Senate Committee on Commerce, Science, and Transportation and discussed, among other things, the agency’s continued enforcement of the EU-U.S. Privacy Shield, despite the recent Court of Justice of the European Union (CJEU) invalidation of the framework, and their interest in federal data privacy legislation. As previously covered by InfoBytes, in July, the CJEU determined that because the requirements of U.S. national security, public interest and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU General Data Protection Regulation, and thus, declared the EU-U.S. Privacy Shield invalid.
In his opening remarks, Commissioner Simons emphasized that the FTC will “continue to hold companies accountable for their privacy commitments, including privacy promises made under the Privacy Shield,” a position the FTC has also posted on its website. Additionally, Simons urged Congress to enact federal privacy and data security legislation that would be enforced by the FTC and give the agency, among other things, the “ability to seek civil penalties” and “targeted [Administrative Procedure Act] rulemaking authority to ensure that the law keeps pace with changes and technology in the market.” Moreover, Commissioner Wilson agreed with a senator’s proposition that the enactment of a preemptive federal privacy framework would make “achieving a future adequacy determination by the E.U. easier.”
On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’ sensitive information stemming from multiple data breaches. The settlement approval follows a fairness hearing, as the court originally denied preliminary approval due to several identified deficiencies (covered by InfoBytes here), including that the settlement inadequately disclosed the sizes of the settlement fund and class, as well as the scope of non-monetary relief, and “appear[ed] likely to result in an improper reverter of attorneys’ fees.” Last July, the court preliminarily signed off on a revised settlement, conditionally certifying a class of U.S. and Israeli residents and small businesses with accounts between 2012 and 2016 that were affected by the breaches. These class members have been certified in the final approved settlement, which requires the company to provide class members with either two years of credit monitoring services or alternative compensation for members who already have credit monitoring. Among other things, the company will allocate at least $66 million each year to its information security budget until 2022, will increase the number of full-time security employees from current levels, and will “align its information security program with the National Institute of Standards and Technology Cybersecurity Framework” and “undertake annual third-party assessments to ensure compliance” with the framework.
On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’ cybersecurity regulation (23 NYCRR Part 500), which took effect in March 2017 and established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The charges allege that a “known vulnerability” in the company’s online document storage platform went unfixed, allowing unauthorized users to access restricted documents from roughly 2014 through 2019 simply by changing the ImageDocumentID number in the URL. In other words, the platform honored a sequential document identifier without checking that the requester was entitled to that document, the access-control failure commonly called an insecure direct object reference. Although an internal penetration test (i.e., an authorized simulated cyberattack) found the vulnerability in December 2018, NYDFS claims that the company did not take corrective action until six months later, when a well-known journalist publicized the problem.
The company allegedly violated six provisions of 23 NYCRR Part 500, including failing to (i) conduct risk assessments for sensitive data stored or transmitted within its information systems; (ii) maintain appropriate, risk-based policies governing access controls to sensitive data; (iii) limit user-access privileges to information systems providing access to sensitive data, or periodically review those access privileges; (iv) implement a risk assessment system sufficient to identify the availability and effectiveness of controls for protecting sensitive data and the company’s information systems; (v) provide adequate data security training for employees and affiliated title agents responsible for handling sensitive data; and (vi) encrypt sensitive documents or implement suitable compensating controls to protect sensitive data. Additionally, NYDFS maintains that, among other things, the company misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, failed to investigate the vulnerability within the timeframe dictated by the company’s own cybersecurity policies, and did not conduct a reasonable investigation into the exposure or follow the recommendations made by its internal cybersecurity team.
A hearing is scheduled for October 26 to determine whether violations occurred for the company’s alleged failure to safeguard consumer information.
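The access-control failure described in the NYDFS charges above, as an added illustration that is not part of the original post and not the insurer’s code: an in-memory document store stands in for the storage platform, an integer `doc_id` plays the role of the ImageDocumentID URL parameter, and the user names, document contents and the `ACCESS_LOG` list are all constructed for the example. The vulnerable lookup consults only the ID; the hardened lookup scopes the query to the requesting account and returns the same error for unknown and foreign IDs. A small detection routine over the constructed request log shows the telemetry signal a penetration test or a monitoring team would look for: one session touching an unusually wide range of distinct document IDs.

```python
"""Insecure direct object reference (IDOR) via a guessable document ID.

Constructed example. DOCUMENTS, ACCESS_LOG and the account names are
invented for illustration; nothing here is the insurer's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # customer account the document belongs to
    content: bytes


# Constructed sample store: sequential IDs, two customers.
DOCUMENTS = {
    1001: Document(1001, "alice", b"mortgage application, acct 4111-xxxx"),
    1002: Document(1002, "bob", b"tax transcript"),
    1003: Document(1003, "alice", b"recorded deed"),
}

# Every request is appended here so the detector below can replay it.
ACCESS_LOG = []  # (session_user, doc_id, outcome)


class NotFound(Exception):
    pass


def fetch_document_vulnerable(session_user: str, doc_id: int) -> bytes:
    """The flawed pattern: the record is looked up purely by the ID taken
    from the URL. The requester's identity is available but never consulted,
    so anyone who can reach the endpoint can walk the ID space."""
    doc = DOCUMENTS.get(doc_id)
    ACCESS_LOG.append((session_user, doc_id, "ok" if doc else "missing"))
    if doc is None:
        raise NotFound(doc_id)
    return doc.content


def fetch_document_hardened(session_user: str, doc_id: int) -> bytes:
    """Object-level authorization: the lookup is scoped to the requester.
    Unknown and foreign IDs produce the same error so the response does not
    confirm that a document exists."""
    doc = DOCUMENTS.get(doc_id)
    authorized = doc is not None and doc.owner == session_user
    ACCESS_LOG.append((session_user, doc_id, "ok" if authorized else "denied"))
    if not authorized:
        raise NotFound(doc_id)
    return doc.content


def enumerate_ids(fetch, session_user: str, start: int, stop: int) -> dict:
    """Simulate the attack: walk a contiguous ID range against `fetch` and
    keep whatever the endpoint hands back."""
    exposed = {}
    for doc_id in range(start, stop):
        try:
            exposed[doc_id] = fetch(session_user, doc_id)
        except NotFound:
            pass
    return exposed


def sessions_walking_ids(log, threshold: int) -> list:
    """Detection: sessions that requested at least `threshold` distinct
    document IDs. Legitimate customers touch a handful of their own
    documents; an enumerator touches a contiguous run of IDs."""
    distinct = {}
    for session_user, doc_id, _outcome in log:
        distinct.setdefault(session_user, set()).add(doc_id)
    return sorted(s for s, ids in distinct.items() if len(ids) >= threshold)


if __name__ == "__main__":
    ACCESS_LOG.clear()
    print("vulnerable:", sorted(enumerate_ids(fetch_document_vulnerable, "mallory", 1000, 1010)))
    print("hardened:  ", sorted(enumerate_ids(fetch_document_hardened, "mallory", 1000, 1010)))
    fetch_document_hardened("alice", 1001)
    fetch_document_hardened("alice", 1003)
    print("suspicious sessions:", sessions_walking_ids(ACCESS_LOG, 5))
```

The authorization check belongs in the data-access layer, not in the URL handler, so that every path to a document (download, preview, search result) passes through it. Replacing sequential IDs with random or HMAC-bound handles makes enumeration harder but is not a substitute for the ownership check, since a leaked handle would still be honored.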
On July 16, the FCC issued an order adopting rules to further encourage phone companies to block illegal and unwanted robocalls and to continue the Commission’s implementation of the TRACED Act (covered by InfoBytes here). The rule establishes two safe harbors from liability for the unintended or inadvertent blocking of wanted calls: (i) terminating voice service providers will not be held liable under the Communications Act or FCC rules for blocking calls, provided that “reasonable analytics,” which may include caller ID authentication information, are used to identify and block illegal or unwanted calls; and (ii) voice service providers will not be held liable for blocking calls from “bad-actor upstream voice service providers that continue to allow unwanted calls to traverse their networks.” The FCC’s order also includes a Further Notice of Proposed Rulemaking seeking comments on, among other things, “whether to obligate originating and intermediate providers to better police their networks against illegal calls,” whether the “reasonable analytics” safe harbor should be expanded “to include network-based blocking without consumer opt-out,” and whether the Commission should adopt more extensive redress requirements and require terminating providers to give consumers information about blocked calls.
Court of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its opinion in the Schrems II case (Case C-311/18). In its opinion, the CJEU concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. The ruling cannot be appealed.
In 2015, a privacy campaigner named Max Schrems filed a complaint with Ireland’s Data Protection Commissioner challenging a global social media company’s transfers of data from servers in Ireland to servers in the U.S. Schrems argued that U.S. law did not offer sufficient protection of EU customer data, that EU customer data might be at risk of being accessed and processed by the U.S. government once transferred, and that there was no remedy available to EU individuals to ensure protection of their personal data after transfer to the U.S. Schrems sought the suspension or prohibition of future data transfers, which the company carried out under standard data protection contractual clauses (a mechanism approved by the European Commission in 2010 in Decision 2010/87). The social media company had relied on these standard contractual clauses after the CJEU invalidated the U.S.-EU Safe Harbor Framework in 2015.
Following the complaint, Ireland’s Data Protection Commissioner brought proceedings against the social media company in the Irish High Court, which referred numerous questions to the CJEU for a preliminary ruling, including questions addressing the validity of the standard contractual clauses and the EU-U.S. Privacy Shield.
CJEU Opinion – Standard Contractual Clauses (Decision 2010/87)
Upon review of the recommendations from the CJEU’s Advocate General published on December 19, 2019, the CJEU found the Decision approving the use of contractual clauses to transfer personal data valid.
The CJEU noted that the GDPR applies to the transfer of personal data for commercial purposes by a company operating in an EU member state to another company outside of the EU, notwithstanding the third-party country’s processing of the data under its own security laws. Moreover, the CJEU explained that data protection contractual clauses between an EU company and a company operating in a third-party country must afford a level of protection “essentially equivalent to that which is guaranteed within the European Union” under the GDPR. According to the CJEU, the level of protection must take into consideration not only the contractual clauses executed by the companies, but the “relevant aspects of the legal system of that third country.”
As for Decision 2010/87, the CJEU determined that it provides effective mechanisms to ensure, in practice, that contractual clauses governing data transfers comply with the level of protection required by the GDPR, and that it appropriately requires the suspension or prohibition of transfers in the event the clauses are breached or cannot be honored. The CJEU specifically highlighted the obligation on the EU data exporter and the recipient in the third country to verify, prior to any transfer, (i) the level of data protection in that third country; and (ii) their ability to comply with the data protection clauses.
CJEU Opinion - EU-U.S. Privacy Shield, (Decision 2016/1250)
The CJEU decided to examine and rule on the validity of the EU – U.S. Privacy Shield. The CJEU determined that because the requirements of U.S. national security, public interest and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under the EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.” Moreover, the CJEU rejected the argument that the Ombudsperson mechanism satisfies the GDPR’s right to judicial protection, stating that it “does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by [the GDPR],” and the Ombudsperson “cannot be regarded as a tribunal.” Thus, on those grounds, the CJEU declared the EU-U.S. Privacy Shield invalid.
On July 8, the U.S. District Court for the Eastern District of New York allowed a consumer’s claim under New York’s consumer protection law (N.Y. G.B.L. § 349) to proceed against a national credit reporting agency (CRA) for grievances stemming from a 2017 data breach that compromised the consumer’s personal information. According to the opinion, the consumer alleged that the CRA, among other things, failed to “implement security and privacy measures to safeguard plaintiff’s sensitive information and misrepresented to him that his personal data would be protected from outside threats.” The CRA had previously entered into a class action settlement concerning the data breach and resolved hundreds of data breach cases brought against the company; however, the consumer opted out of that nationwide class action. The CRA moved to dismiss the consumer’s action, arguing, among other things, that data breach claims are not actionable under N.Y. G.B.L. § 349. While the court granted the CRA’s motion as to the consumer’s FCRA claim, the court denied the CRA’s request to dismiss the consumer’s claim under N.Y. G.B.L. § 349. Specifically, the court concluded that the consumer plausibly alleged the CRA misrepresented its ability to protect the consumer’s personal information, which “resulted in actual and pecuniary harm after [the consumer]’s identity was stolen and numerous unauthorized accounts were opened under his name.” The court distinguished this claim from the consumer’s FCRA claim, which asserted the CRA failed to “shield” the consumer’s information from the hackers, whereas the N.Y. G.B.L. § 349 claim rests on the CRA’s representations of protection.
The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. Final proposed regulations were submitted by the AG last month as required under the CCPA’s July 1 statutory deadline (covered by InfoBytes here), and are currently with the California Office of Administrative Law for review. The FAQs—which will be updated periodically and do not serve as legal advice, regulatory guidance, or as an opinion of the AG—are intended to provide consumers guidance on exercising their rights under the CCPA.
- General CCPA information. The FAQs address consumer rights under the CCPA and reiterate that these rights apply only to California residents. This section also clarifies the definition of “personal information,” outlines businesses’ compliance thresholds, and states that the CCPA does not apply to nonprofit organizations and government agencies. The FAQs also remind consumers of their limited ability to sue businesses for CCPA violations and details the conditions that must be met before a consumer may sue a business for a data breach. The FAQs remind consumers that if they believe a business has violated the CCPA, they may file a complaint with the AG’s office.
- Right to opt-out of sale. The FAQs answer common questions related to consumers’ requests that businesses not sell their personal information. The FAQs describe the steps for submitting opt-out requests, as well as the reasons a business may deny an opt-out request. They also address circumstances in which a consumer receives a response from a service provider saying that it is not required to act on an opt-out request.
- Right to know. The FAQs discuss a consumer’s right to know what personal information is collected, used, shared, or sold, and clarify what consumers should do to submit requests to know, how long a business may take to respond, and what steps should be taken if a business requests more information, denies a request to know, or claims to be a service provider that is not required to respond.
- Request to delete. The FAQs address several questions related to consumers’ right to delete personal information, including how to submit a request to delete, businesses’ responses to and denials of requests to delete, and why a debt collector may make an attempt to collect a debt or a credit reporting agency may provide credit information even after a request to delete has been made.
- Right to non-discrimination. Consumers are reminded that a business “cannot deny goods or services, charge . . . a different price, or provide a different level or quality of goods or services just because [a consumer] exercised [his or her] rights under the CCPA.”
- Data brokers. The FAQs set forth the definition of a data broker under California law and outline steps for consumers interested in finding data brokers that collect and sell personal information, as well as measures consumers can take to opt-out of the sale of certain personal information.
On June 30, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here, here, and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in order for the department to take no action with respect to employees conducting activities that would otherwise require licensure of their homes. The revised guidance also provides that the department will expedite and waive fees for change of address applications in the event that a licensed location is compromised by Covid-19 or is undergoing decontamination. The guidance was extended through September 30, 2020.
On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California County Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative was drafted by Alastair Mactaggart, the Founder and Chair of Californians for Consumer Privacy, and would amend the CCPA in several significant ways. Notably, Mactaggart also drafted the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA). The ballot initiative would, among other things:
- Provide consumers with the right to require a business to correct inaccurate personal information;
- Revise the definition of “business” to: (i) clarify that the time period for calculating annual gross revenues is based on the prior calendar year; (ii) provide that an entity meets the definition of a “business” if the entity, in relevant part, alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; (iii) include a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest; and (iv) include a person who does not otherwise qualify as a “business” but voluntarily certifies to the California Privacy Protection Agency (described below) that it is in compliance with, and agrees to be bound by, the CPRA;
- Create the California Privacy Protection Agency, which would have the authority to implement and enforce the CCPA (powers that are currently vested in the attorney general). The agency would be governed by a five-member board, including a single Chair, with members being appointed by the governor, the attorney general, and the leaders of the senate and assembly; and
- Expand on the CCPA’s opt-out provisions and prohibit businesses from selling a consumer’s “sensitive personal information,” a new term introduced by the initiative, without affirmative authorization.
Additional details regarding the proposed changes are available in the September 2019 InfoBytes post announcing the initiative. Since originally filing the initiative in September 2019, Mactaggart has amended the initiative several times, without significant change.
On June 10, the FTC announced a settlement to resolve Fair Credit Reporting Act (FCRA) allegations against a Wisconsin-based retailer for failing to provide the required transaction records to identity theft victims. According to the FTC, this is the first time the Commission has used its authority under Section 609(e) of the FCRA, which requires companies to provide identity theft victims with “‘application and business transaction records’ evidencing any transactions that the victim alleges to be the ‘result of identity theft’” within 30 days of the request. The FTC’s complaint alleged that from February 2017 through March 2019, the retailer made several changes to its policy that limited the information identity theft victims could obtain. The retailer also allegedly refused to provide victims directly with detailed order information, stating that it would share the information only if the request came directly from law enforcement. Moreover, the FTC claimed that the retailer did not provide the information it did supply within the 30-day window required by the FCRA and, on several occasions, failed to issue a denial of a victim’s request within 30 days. These actions, the FTC alleged, violated the FTC Act and the FCRA, and ended only six months after the retailer received a civil investigative demand from the FTC. Under the terms of the settlement, the retailer has agreed to pay a $220,000 civil penalty and must provide identity theft victims, within 30 days of receiving valid verification of their identity and of the identity theft, the business transaction records related to the theft. The retailer must also post a notice on its website informing identity theft victims how to obtain application and business records, and certify that it has provided all such records to victims who were previously denied access.