
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC orders prison contractor to fix security exposures after data breach

    Privacy, Cyber Risk & Data Security

    On November 16, the FTC issued a proposed order against an integrated technology services company finding a violation of Section 5(a) of the Federal Trade Commission Act. According to the order, the company offered various products and services to jails, prisons, and detention facilities. These products and services included means of communication between incarcerated and non-incarcerated individuals, and, among other things, allowed non-incarcerated individuals to deposit funds into the accounts of incarcerated individuals. According to the complaint, and due to the nature of its operations, the company collected individuals’ sensitive personally identifiable information, including names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information, some of which was exposed as a result of a data breach in August 2020 due to a misconfiguration in the company’s cloud storage environment.

    In its decision, the FTC ordered the company to, among other things, (i) implement a comprehensive data security program, including “change management” measures and multifactor authentication; (ii) notify users affected by the data breach, who had not yet received notice, and offer credit monitoring and identity protection products; (iii) inform consumers and facilities within 30 days of future data breaches; and (iv) notify the FTC within 10 days of reporting any security incident to local, state, or federal authorities.

    Privacy, Cyber Risk & Data Security Federal Issues FTC Data Enforcement

  • District Court reimposes $5 million restitution award in FTC action

    Courts

    On September 13, the U.S. District Court for the Northern District of Illinois reimposed a more than $5 million restitution award in an action dating back to 2018, this time under Section 19 of the FTC Act. The court originally granted the FTC’s motion for summary judgment against a credit monitoring service and its sole owner in an action filed under Section 13(b) of the FTC Act, after concluding that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge could occur without engaging in unfair or deceptive practices (covered by InfoBytes here). However, as previously covered by InfoBytes, in 2019, the U.S. Court of Appeals for the Seventh Circuit held that Section 13(b) does not grant the FTC authority to order restitution—a position that the U.S. Supreme Court ultimately agreed with when issuing its decision in AMG Capital Management, LLC v. FTC (which unanimously held that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement”—covered by InfoBytes here).   

    In its current ruling, the court agreed to reimpose the damages under the Restore Online Shopper Confidence Act (ROSCA) and Section 19. The court noted that because ROSCA incorporates all the enforcement tools of the FTC Act, the FTC could seek remedies using Section 19 of the FTC Act instead of relying on Section 18. Further, the court noted that the FTC indicated that it may seek remedies under Section 19 when it brought the action under Section 5(a) of ROSCA, which the court ultimately agreed was correct. “The FTC has the better of this dispute,” the court wrote, adding, among other things, that “the court is unmoved by [the defendant’s] claims of unfair prejudice. Aside from the particular route to an award of restitution, nothing will materially change. The FTC seeks the same remedy, for the same reasons, and for the same victims under section 5(a) via section 19 as it did under section 13(b).”

    Courts FTC Enforcement FTC Act Appellate Seventh Circuit U.S. Supreme Court

  • 7th Circuit overturns precedent, rejects restitution under Section 13(b) of FTC Act

    Courts

    On August 21, the U.S. Court of Appeals for the 7th Circuit held that Section 13(b) of the FTC Act does not give the FTC power to order restitution, overruling that court’s 1989 decision in FTC v. Amy Travel Service, Inc. As previously covered by InfoBytes, in June 2018, the U.S. District Court for the Northern District of Illinois granted the FTC’s motion for summary judgment against a credit monitoring service and its sole owner in an action filed under Section 13(b) of the FTC Act. The court concluded that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge could occur without engaging in unfair or deceptive practices. The FTC argued that the defendants’ scheme, which used the promise of a free credit report to enroll the consumers into a monthly credit monitoring program, violated the FTC Act’s ban on deceptive practices. The court agreed, holding that the ad campaign was “rife with material misrepresentations that were likely to deceive a reasonable consumer.” Additionally, the court agreed with the FTC that the defendants’ website was materially misrepresentative because it did not give “the net impression that consumers were enrolling in a monthly credit monitoring service” for $29.94 a month, as opposed to defendants’ claim that consumers were obtaining a free credit report. The court also found that the defendants’ websites failed to meet certain disclosure requirements imposed by the Restore Online Shopper Confidence Act. The court entered a permanent injunction and ordered the defendants to pay over $5 million in “equitable monetary relief” to the FTC.

    On appeal, the 7th Circuit affirmed the district court’s liability determination, and affirmed the issuance of the permanent injunction. However, the appellate court took issue with the restitution award ordered pursuant to Section 13(b) of the FTC Act. The appellate court noted that the FTC has long viewed Section 13(b) as authorizing awards of restitution, and even acknowledged that the 7th Circuit agreed with the FTC’s position in its decision in Amy Travel. However, subsequent to the Amy Travel decision, the Supreme Court, in Meghrig v. KFC W., Inc., clarified that “courts must consider whether an implied equitable remedy is compatible with a statute’s express remedial scheme.” Applying Meghrig, the 7th Circuit noted that “nothing in the text or structure of the [FTC Act] supports an implied right to restitution in section 13(b), which by its terms authorizes only injunctions.” The panel emphasized that the FTC Act has two other provisions that expressly authorize restitution if the FTC follows certain procedures, but the current reading of Section 13(b), based on Amy Travel, allows the FTC “to circumvent these elaborate enforcement provisions and seek restitution directly through an implied remedy.” Therefore, based on the Supreme Court precedent in Meghrig, the panel concluded that Section 13(b)’s grant of authority to order injunctive relief does not implicitly authorize an award of restitution, overturning its previous decision in Amy Travel and vacating the district court’s award of restitution.

    Courts Appellate Seventh Circuit FTC Act Enforcement Restitution FTC

  • Credit reporting agency agrees to multi-agency settlement over 2017 data breach

    Federal Issues

    On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. According to the complaints (see here and here) filed in the U.S. District Court for the Northern District of Georgia, the company allegedly engaged in unfair and deceptive practices by, among other things, (i) failing to provide reasonable security for the sensitive personal information stored within its network; (ii) deceiving consumers about its data security program capabilities; and (iii) failing to patch its network after being alerted in 2017 to a critical security vulnerability.

    Under the terms of the proposed settlements (see here and here), pending final court approval, the company will pay up to $425 million in monetary relief to consumers and provide credit monitoring to affected individuals, as well as six free credit reports each year for seven years to all U.S. consumers. The company must also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil money penalty to the Bureau. The $425 million fund will also compensate consumers who bought credit- or identity-monitoring services from the company and paid other expenses as a result of the breach. The company must also, among other things, implement a comprehensive information security program that will require annual assessments of security risks and safeguard measures, obtain third-party information security assessments, and acquire annual certifications from the board of directors that the company has complied with the settlements.

    Federal Issues CFPB FTC State Attorney General Settlement UDAAP Privacy/Cyber Risk & Data Security Data Breach

  • FTC finalizes rule providing free credit monitoring for servicemembers

    Agency Rule-Making & Guidance

    On June 24, the FTC finalized the “Free Electronic Credit Monitoring for Active Duty Military Rule,” which implements the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty military consumers. The proposed rule, issued in November 2018 (covered by InfoBytes here), defined the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify active duty military consumers within 24 hours of any material change. The proposal noted that CRAs may require that active duty military provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibited CRAs from requiring active duty military consumers to purchase a product in order to obtain the free service.

    In response to comments on the proposal, the final rule refers to the definition of “active duty military consumer” in the FCRA, which requires that the servicemember be assigned to service away from their usual duty station, or be a member of the National Guard, regardless of whether the National Guard member is stationed away from their normal duty station. The FTC noted that commenters requested the requirement that the servicemember be stationed away from their normal duty station be eliminated but “the statutory language limit[ed] the Commission’s discretion on [the] topic.” However, the FCRA does not apply the same duty station requirement to the National Guard. Additionally, the final rule, among other things (i) requires CRAs to provide free access to a credit file when it notifies an active duty military consumer about a material change to the file; (ii) extends the amount of time the CRAs have to notify an active duty military consumer of a material change from 24 hours to 48 hours; and (iii) prohibits CRAs from requiring that active duty military consumers agree to terms or conditions as a requirement to obtain their free credit file, unless the terms or conditions are necessary to comply with certain legal requirements. 

    While the final rule goes into effect three months after publication in the Federal Register, CRAs will be allowed to comply with certain portions of the final rule by offering existing credit monitoring services to active duty military consumers for free, for a period of up to one year from the effective date.

    Agency Rule-Making & Guidance FTC EGRRCPA Credit Reporting Agency Credit Monitoring Federal Register Military Lending

  • FTC proposes rule to implement free credit monitoring for servicemembers

    Federal Issues

    On November 1, the FTC announced a proposed rule, which would implement the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty servicemembers. The proposal defines the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify servicemembers within 24 hours of any material change. The proposal notes that CRAs may require that servicemembers provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibits CRAs from requiring servicemembers to purchase a product in order to obtain the free service or requiring the servicemember to agree to terms and conditions. Comments will be due 60 days after publication in the Federal Register.

    Federal Issues FTC EGRRCPA Credit Reporting Agency Credit Monitoring Federal Register Servicemembers

  • FTC to review potential updates to federal privacy rules

    Agency Rule-Making & Guidance

    On October 17, as part of its fall 2018 rulemaking agenda, the FTC announced that it plans to review potential updates to federal privacy rules on how banks protect consumer data. The planned recommendation—scheduled to be presented to FTC commissioners at the end of November—will incorporate recommendations by staff and the public on changing the Gramm-Leach-Bliley Act Safeguard Rules (the Rule) given the potential conflict between the Rule and state, local, or other federal laws or regulations. As previously covered by InfoBytes, the FTC requested comments on the Rule in 2016, seeking feedback on several specific questions relating to the Rule’s economic impact and benefits, potential conflicts, and how technological, economic, or other industry changes will affect the Rule. 

    Among other things, the FTC’s regulatory agenda will also address (i) 2016 amendments to the Telemarketing Sales Rule; (ii) the periodic review of identity theft rules; (iii) issues related to the privacy of consumer financial information concerning vehicle disclosures; and (iv) credit monitoring for active duty military as required by the Economic Growth, Regulatory Relief, and Consumer Protection Act.

    Agency Rule-Making & Guidance FTC Rulemaking Agenda Privacy/Cyber Risk & Data Security Safeguards Rule Gramm-Leach-Bliley EGRRCPA

  • District Court agrees with FTC, enters $5 million judgment against credit monitoring scheme

    Courts

    On June 26, the U.S. District Court for the Northern District of Illinois granted the FTC’s motion for summary judgment, concluding that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge did not involve unfair or deceptive practices. The FTC argued that the defendants’ scheme, which used the promise of a free credit report to enroll the consumers into a monthly credit monitoring program, violated the FTC Act’s ban on deceptive practices. The court agreed, holding that the ad campaign was “rife with material misrepresentations that were likely to deceive a reasonable consumer.” Additionally, the court agreed with the FTC that the defendants’ website was materially misrepresentative because it did not give “the net impression that consumers were enrolling in a monthly credit monitoring service” for $29.94 a month, as opposed to defendants’ claim that consumers were obtaining a free credit report.

    The court entered a judgment ordering the defendants to pay over $5 million in equitable monetary relief to the FTC and prohibiting defendants from, among other things, charging consumers for any credit monitoring services and disclosing or using any collected consumer information. The defendants must also submit to compliance reporting and monitoring by the FTC.

    Courts FTC Act Credit Report Credit Monitoring FTC

  • FTC Settles Suit Against Credit Score Site Schemers

    Courts

    On October 26, the FTC agreed to a settlement of $760,000 with two affiliate marketers of a credit score business who allegedly committed deceptive acts to lure consumers into signing up for their monthly credit monitoring service for $30.00.

    The settlement partly resolves a suit the FTC filed in January against the credit score company, the owner, and the company’s affiliate marketers. The FTC alleged that the defendants posted fake rental ads on Craigslist and required persons responding to the ads to obtain a purportedly “free” credit report from the company’s websites before viewing the property. The defendants, however, used the credit or debit card information consumers entered to obtain the credit report and enrolled consumers for a negative option credit monitoring service with a $30.00 monthly fee.

    The order suspended the balance of the total $6.8 million judgment on the condition that the affiliate marketers pay the FTC the settled amounts. The claims against the company and the owner are ongoing.

    Courts Consumer Finance FTC Fraud Settlement Litigation

  • FTC Halts Scheme to Enroll Consumers in Credit Monitoring Service

    Courts

    On January 10, the FTC filed a complaint against an online company that owns three “free credit report” websites as well as three individuals connected to the company with claims that they illegally lured consumers to their websites. The scheme, as alleged in the complaint, made use of Craigslist ads promoting non-existent or unauthorized apartments and houses for rent as the means of encouraging consumers to request additional information, which would then prompt them to click on a link to one of the three websites owned by the company to get a “free” credit check. The consumers allegedly were then enrolled in a credit monitoring service, supposedly without their knowledge or consent. The company has purportedly accrued millions of dollars using this method. On January 11, the U.S. District Court for the Northern District of Illinois entered a temporary restraining order against the defendants.

    Courts Consumer Finance FTC Credit Reporting Agency
