Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform text recognition scanning on tens of thousands of mortgage documents was adequately securing consumers’ personal data. The FTC’s complaint alleges that the vendor stored the unencrypted contents of these documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. The data contained sensitive personal information, including “names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, or other personal and financial information of borrowers, as well as of family members and others whose information was included in the mortgage application.” According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was accessed approximately 52 times. The FTC claims, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of all of its vendors as required by the Safeguards Rule.
The proposed settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
As previously covered by InfoBytes, in its complaint, the FTC alleged the company’s failure to, among other things, (i) implement an organization information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, which resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The approved settlement requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the settlement requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics:
- Session 1: Privacy Policies, Disclosures, and Permissions. Five presenters discussed various aspects of privacy policies and notices to consumers. The panel discussed current trends showing that privacy notices to consumers have generally become lengthier in recent years, which helps cover the information regulators require, but often results in information overload for consumers more generally. One presenter advocated the concept of a condensed “nutrition label” for privacy, but acknowledged the challenge of distilling complicated activities into short bullets.
- Session 2: Consumer Preferences, Expectations, and Behaviors. This panel addressed research concerning consumer expectations and behaviors with regard to privacy. Among other anecdotal information, the presenters noted that many consumers are aware that personal data is tracked, but consumers are generally unaware of what data collectors ultimately do with the personal data once collected. To that end, one presenter advocated prescriptive limits on data collection in general, which would take the onus off consumers to protect themselves. Separately, with regard to the Children’s Online Privacy Protection Act (COPPA), one presenter noted that the law generally aligns with parents’ privacy expectations, but the implementing regulations and guidelines are too broad and leave too much room for implementation variations.
- Session 3: Tracking and Online Advertising. In the third session, five presenters covered various topics, including privacy implications of free versus paid-for applications to the impact of the EU’s General Data Protection Regulation (GDPR). According to the presenters, current research suggests that the measurable privacy benefits of paying for an app are “tenuous at best,” and consumers cannot be expected to make informed decisions because the necessary privacy information is not always available in the purchase program on a mobile device such as a phone. As for GDPR, the panel agreed that there are notable reductions in web use, with page views falling 9.7 percent in one study, although it is not clear whether such reduction is directly correlated to the May 25, 2018 effective date for enforcement of GDPR.
- Session 4: Vulnerabilities, Leaks, and Breach Notifications. In the final presentation, presenters discussed new research on how companies can mitigate data security vulnerabilities and improve remediation. One presenter discussed the need for proactive identification of vulnerabilities, noting that the goal should be to patch the real vulnerabilities and limit efforts related to vulnerabilities that are unlikely to be exploited. Another presenter analyzed data breach notifications to consumers, noting that all 50 states have data breach notification laws, but there is no consensus as to best practices related to the content or timing of notifications to consumers. The presenter concluded with recommendations for future notification regulations: (i) incorporate readability testing based on standardized methods; (ii) provide concrete guidelines of when customers need to be notified, what content needs to be included, and how the information should be presented; (iii) include visuals to highlight key information; and (iv) leverage the influence of templates, such as the model privacy form for the Gramm-Leach-Bliley Act.
On March 5, the FTC released proposed amendments to two rules that protect the privacy and security of customer data held by financial institutions. The agency seeks comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires financial institutions to develop, implement, and maintain comprehensive information security programs, whereas the Privacy Rule requires financial institutions to notify customers about information-sharing practices, as well as enable customers to opt out of sharing their information with certain third parties. The FTC’s proposed amendments to the Safeguards Rule would, among other things, add more detailed requirements for financial institutions, including mandatory encryption of customer data and the use of multi-factor authentication to prevent unauthorized access to customer information. The proposed amendments to the Privacy Rule would change the rule to account for statutory changes in the Dodd-Frank Act, which gave the majority of the FTC’s rulemaking authority for the Privacy Rule to the CFPB with the exception of certain motor vehicle dealers. The agency plans to remove examples of financial institutions that do not apply to motor vehicle dealers, as well as clarify when annual customer privacy notices must be provided. In addition, the FTC proposes to expand the definition of “financial institution” in both rules to include “finders,” which include persons or entities that charge a fee to introduce consumers to a lender.
On February 6, the CFPB announced a settlement with an Indiana-based payday retail lender and affiliates (companies) in seven states to resolve alleged violations of the Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), and Gramm-Leach-Bliley Act (GLBA) privacy protections. The CFPB alleges that the companies engaged in unfair acts or practices, failed to properly disclose annual percentage rates, and failed to provide consumers with required initial privacy notices.
Specifically, the Bureau alleges that the companies violated CFPA’s UDAAP provisions by, among other things, (i) failing to implement processes to prevent unauthorized charges, including those resulting from unauthorized draws on borrowers’ bank accounts; (ii) requiring loan applicants to provide contact information for their employers, supervisors, and four personal references, and then repeatedly calling employers to seek payments when borrowers became delinquent; (iii) disclosing the borrower’s financial information during those calls and, in certain instances, asking the third party to make payments on the loan; (iv) misusing personal references for marketing purposes; and (v) advertising check-cashing and telephone reconnection services they were no longer providing.
While the companies have not admitted to the allegations, they have agreed to pay a $100,000 civil money penalty and are prohibited from continuing the illegal behavior.
On October 17, as part of its fall 2018 rulemaking agenda, the FTC announced that it plans to review potential updates to federal privacy rules on how banks protect consumer data. The planned recommendation—scheduled to be presented to FTC commissioners at the end of November—will incorporate recommendations by staff and the public on changing the Gramm-Leach-Bliley Act Safeguard Rules (the Rule) given the potential conflict between the Rule and state, local, or other federal laws or regulations. As previously covered by InfoBytes, the FTC requested comments on the Rule in 2016, seeking feedback on several specific questions relating to the Rule’s economic impact and benefits, potential conflicts, and how technological, economic, or other industry changes will affect the Rule.
Among other things, the FTC’s regulatory agenda will also address (i) 2016 amendments to the Telemarking Sales Rule; (ii) the periodic review of identity theft rules; (iii) issues related to the privacy of consumer financial information concerning vehicle disclosures; and (iv) credit monitoring for active duty military as required by the Economic Growth, Regulatory Relief, and Consumer Protection Act.
On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally proposed in July 2016 (as previously covered in InfoBytes here)—implements a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act,” which permits certain exemptions provided a qualifying financial institution (i) has not changed its privacy notice from the one previously delivered to its customer, and (ii) limits its sharing of a customer’s nonpublic personal information with nonaffiliated third parties so that a customer does not have the right to opt out, as otherwise afforded under the statute and Regulation P. The final rule will not affect the collection or use of a customer’s nonpublic personal information, and all financial institutions are still required to deliver initial privacy notices to customers. Moreover, the final rule establishes requirements for alternative delivery methods and provides deadlines for financial institutions that lose the exception and are required to resume delivery of annual privacy notices.
The amendments to Regulation P will take effect 30 days after publication in the Federal Register.
On February 23, the FTC announced a proposed settlement with a global online payments system company (company) to resolve a complaint filed in 2016 concerning allegations that its payment and social networking service (service) violated the FTC Act when it, among other things, failed to adequately disclose to consumers that transfers to external bank accounts were subject to review and that funds could be frozen or removed based on a review of the underlying transaction. According to FTC allegations, many consumers who relied on notifications from the service that funds were available for transfer found themselves unable to pay rent or other bills. In some instances, the service reversed transactions after initially notifying consumers the funds were available. Additionally, the service allegedly violated the Gramm-Leach-Bliley Act’s Privacy and Safeguard Rules (GLBA Rules) by misleading consumers about protections for their accounts when it claimed to use “bank-grade security systems” and failed to have a written security program or implement basic security safeguards. As a result, the FTC claims unauthorized users were able to, in certain cases, withdraw funds from consumer accounts or change passwords and/or associated email addresses without consumers being notified.
Under the proposed settlement, the company—which did not admit or deny liability and is not required to pay a fine—has agreed that it will not misrepresent any material restrictions on the use of its service, the extent of control provided by any privacy settings, and the extent to which it “implements or adheres to a particular level of security.” The company will also, among other things, make certain disclosures to consumers about its transaction and privacy practices, obtain biennial third-party assessments of its compliance with these rules for 10 years, and refrain from violating any provisions of the GLBA Rules.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
On August 29, the FTC announced that it is requesting public comment on its Standards for Safeguarding Customer Information Rule (the Safeguards Rule). As required by the Gramm-Leach-Bliley Act, the Commission promulgated the Safeguards Rule to require all “financial institutions” over which the FTC maintains authority to “develop, implement and maintain a comprehensive information security program for handling customer information” (emphasis added). The FTC seeks comments on several specific questions relating to (i) the Safeguards Rule’s economic impact and benefits; (ii) potential conflict between the Safeguards Rule and state, local, or other federal laws or regulations; and (iii) how technological, economic, or other industry changes will affect the Safeguards Rule. Comments are due by November 7, 2016.
- Jonice Gray Tucker to join CFPB panel at CBA’s Washington Forum
- Jonice Gray Tucker to moderate “Pandemic relief response and lasting impacts on access, credit, banking, and equality” at the American Bar Association Business Law Section Spring Meeting
- Jeffrey P. Naimon to discuss "Post-pandemic CFPB exam preparation" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Making fair lending work for you" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Reading the tea leaves of President Biden’s initial financial appointees" at LendIt Fintech
- Moorari K. Shah to discuss “CA, NY, federal licensing and disclosure” at the Equipment Leasing & Finance Association Legal Forum
- Jonice Gray Tucker to discuss "Compliance under Biden" at the WSJ Risk & Compliance Forum
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference