Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Global tech corporation fined $888 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    Recently, a global technology corporation disclosed a $746 million euro (approximately $888 million USD) fine issued by the Luxembourg National Commission for Data Protection (CNPD) for alleged violations of the EU’s General Data Protection Regulations (GDPR). The corporation’s Form 10-Q for second quarter 2021 states that on July 16, the CNPD issued a decision against the corporation’s European headquarters, claiming its “processing of personal data did not comply with the [GDPR].” In addition to the fine, the decision also requires corresponding practice revisions, the details of which were not disclosed. The corporation noted that the decision is “without merit” and stated it intends to defend itself “vigorously” in this matter. According to sources, the decision follows an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes.

    Privacy/Cyber Risk & Data Security EU Data Protection GDPR Of Interest to Non-US Persons

    Share page with AddThis
  • 5th Circuit overturns ruling that insurer must defend data breach

    Courts

    On July 21, the U.S. Court of Appeals for the Fifth Circuit reversed a lower court’s decision to grant summary judgement for a Houston-based insurer (defendant), finding that publication of material that violates a person’s right of privacy under the insurer’s policy can include making credit card information generally available. According to the opinion, a retail company (plaintiff) was sued by a branch of a national bank (bank) for alleged violations of an agreement that led to a $20 million data breach dispute. In response, the plaintiff filed a separate suit in Texas court against the defendant for breaching the insurance policy. The district court granted the defendant’s motion and dismissed all the claims. In doing so, “the district court held that the bank’s complaint did not allege a ‘publication’ of material that violated a person’s right to privacy because it asserted only that ‘[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.’” Furthermore, the district court found that the complaint also did not allege a violation of a person’s right to privacy because the bank involves the payment processor’s contract claims, not the cardholders’ privacy claims.

    On appeal, the 5th Circuit adopted a broad definition of “publication” because such term was undefined, and found that the contract dispute brought by the bank against the plaintiff “plainly alleges” that hackers published the credit card information of the plaintiff customers in several ways. First, the bank accused the plaintiff of publishing its customers’ credit cards to hackers. Then, the hackers allegedly published the information by using it to make fraudulent purchases. The appellate court then examined whether the defendant “has a duty to defend [the plaintiff] in the [u]nderlying [bank] [l]itigation.” The appellate court applied Texas’s “eight-corners rule,” which compares the “four corners of the [p]olicy to the four corners of the [bank’s] complaint.” In doing so, the appellate court found that the bank’s “alleged injuries arise from the violations of customers' rights to keep their credit card data private,” and “[u]nder the eight-corners rule, [the defendant] must defend [the plaintiff] in the underlying [bank’s] litigation.”

    Courts Data Breach Appellate Fifth Circuit Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • District Court grants final approval to grocery chain data breach settlement

    Courts

    On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which was preliminarily approved in January) allows class members representing consumers who used a payment card to make a purchase at an impacted point-of-sale device during the security incident to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) telecommunication charges; (iii) payday loan interest; and (iv) costs related to credit monitoring, identity theft protection, and time spent replacing credit cards and addressing fraudulent charges. Additionally, class members may be awarded up to $5,000 for “extraordinary expenses” resulting from the compromise of personal information. The grocery chain also agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” However, the court reduced the attorneys’ fees to $739,000 in the final settlement after determining the initial fee request was too high compared to the overall relief for class members.

    Courts Class Action Settlement Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis
  • New York expands definition of telemarketing to include text messages

    State Issues

    On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone calls, including unwanted robocalls. “Electronic text messages to [] mobile devices have become the newest unwelcomed invasive marketing technique. Consumers should not be burdened with excessive and predatory telemarketing in any form, including text messages,” the press release stated. The act takes effect 30 days after becoming law.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Robocalls Consumer Protection Telemarketing

    Share page with AddThis
  • District Court says retailer not an intended third-party beneficiary of a credit card arbitration provision

    Courts

    On July 8, the U.S. District Court for the Central District of California denied a retailer’s motion to compel arbitration in a consumer data sharing putative class action, ruling that the retailer was not an intended third-party beneficiary of an arbitration provision in a credit card agreement. The proposed class had filed an amended complaint accusing several national retailers of illegally sharing consumer transaction data in violation of the FCRA, the California Consumer Privacy Act, and California’s unfair competition law, among others. The motion at issue, filed by one of the retailers, addresses a named plaintiff’s opposition to compel arbitration. The retailer argued that as an “intended” third-party beneficiary of the contract, it had the right to enforce an arbitration clause contained in a credit card agreement purportedly signed by the plaintiff when she opened a retailer credit card account issued by an online bank.

    The court disagreed, finding that the contract’s arbitration provisions specifically referred to the bank, and that the contract did not clearly “express an intention to confer a separate and distinct benefit on [the retailer].” Moreover, the court noted the contract at issue instructed the plaintiff to send any arbitration demand notices to the bank, adding that “[i]t seems unlikely that the parties would expect a demand for arbitration solely against the [retailer]—that does not involve [the bank]—to be sent to [the bank].”

    Courts Arbitration Third-Party Credit Cards Class Action State Issues CCPA FCRA Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Connecticut incentivizes businesses to adopt cybersecurity standards

    State Issues

    On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming a business’ failure to “implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The defense is available when an action is brought under Connecticut law or in Connecticut state court and where a business’ cybersecurity program conforms to an “industry recognized cybersecurity framework,” including the National Institute for Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and the Payment Card Industry Data Security Standard. A business can also take advantage of the defense if it is regulated by the state or federal government and is subject to, and conforms its cybersecurity program to, current versions of the following federal laws: (i) HIPAA; (ii) Title V of the Gramm-Leach-Bliley Act; (iii) the Federal Information Security Modernization Act; or (iv) the Health Information Technology for Economic and Clinical Health Act. Additionally, should one of the identified frameworks or provided laws be amended, a business has six months after publication to conform to the revisions. The act requires a business’ cybersecurity program to, among other things, protect both “restricted information” and “personal information,” and be based on a business’ size and complexity, the nature and scope of its conducted activities, the sensitivity of the protected information, and the cost and availability of tools to improve information security measures and reduce vulnerabilities. The defense will not apply if a business’ “failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.” The act takes effect October 1.

     

     

    State Issues State Legislation Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Biden orders federal agencies to evaluate banking, consumer protections

    Federal Issues

    On July 9, President Biden issued a broad Executive Order (E.O.) that includes provisions related to the financial services industry.

    • CFPB. The E.O. encourages the CFPB director to issue rules under Section 1033 of Dodd-Frank “to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” As previously covered by InfoBytes, last October, the Bureau issued an advanced notice of proposed rulemaking on Section 1033, seeking comments on questions related to consumers’ access to their financial records. The E.O. also instructs the Bureau to enforce Section 1031 of Dodd-Frank, which prohibits unfair, deceptive, or abusive acts or practices in consumer financial products or services, “to ensure that actors engaged in unlawful activities do not distort the proper functioning of the competitive process or obtain an unfair advantage over competitors who follow the law.”
    • Treasury Department. The E.O. calls on Treasury to submit a report within 270 days on the effects on competition of large technology and other non-bank companies’ entry into the financial services space.
    • FTC. The E.O. tasks the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” The FTC already commenced that process on July 1, when it approved changes to its Rules of Practice to amend and simplify the agency’s procedures for initiating rulemaking proceedings. According to Commissioner Rebecca Kelly Slaughter, “[s]treamlined procedures for Section 18 rulemaking means that the Commission will have the ability to issue timely rules on issues ranging from data abuses to dark patterns to other unfair and deceptive practices widespread in our economy.”
    • Bank Mergers. The E.O. encourages the Attorney General, in consultation with the Federal Reserve Board, FDIC, and OCC, to “review current practices and adopt a plan, not later than 180 days after the date of this order, for the revitalization of merger oversight under the Bank Merger Act and the Bank Holding Company Act of 1956.”

    Federal Issues Biden CFPB FTC Dodd-Frank UDAAP Privacy/Cyber Risk & Data Security Consumer Finance Department of Treasury Federal Reserve FDIC OCC Agency Rule-Making & Guidance

    Share page with AddThis
  • Special Alert: Colorado enacts comprehensive consumer privacy law

    Privacy, Cyber Risk & Data Security

    On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).

    Highlights of the CPA include:

    Privacy/Cyber Risk & Data Security State Issues State Legislation Colorado Consumer Protection Special Alerts

    Share page with AddThis
  • FTC settles with app for violating COPPA

    Federal Issues

    On July 1, the FTC announced a settlement with the operators of a coloring book app (collectively, “defendants”) for allegedly engaging in unfair or deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). The DOJ, on behalf of the FTC, filed a complaint claiming that the defendants, among other things, violated COPPA by collecting and disclosing personal information about children who utilized the app without notifying their parents and obtaining their consent. The FTC claimed that some children, including those under 13, were able to register for accounts and use the app’s social media features. The defendants allegedly received numerous complaints that children were using the app’s social media features, such as posting “selfies” on the app’s “gallery” for public viewing and interacting with other users, including adults. Under the terms of the proposed stipulated final order, the defendants must complete several steps to remedy the alleged violations, including deleting all personal information collected from children under the age of 13 within 60 days, unless parental consent is obtained. The defendants must also offer current paid subscribers a refund if they were under the age of 18 when they registered for the app. In addition, the defendants agreed to notify users about the alleged COPPA violations and the steps that users can take in response to the settlement. The proposed order provides for a $3 million civil money penalty that is suspended upon payment of $100,000 due to the defendants’ inability to pay the full amount. If the defendants sell the app within a year following the order, they are required to remit the net proceeds from the sale to the FTC after debts and other related expenses are paid.

    Federal Issues DOJ FTC COPPA Enforcement Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • NYDFS issues ransomware guidance

    Agency Rule-Making & Guidance

    On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) utilizing multi-factor authentications and strong passwords; (iv) using monitoring and response to detect intruders; (v) and having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”

    Agency Rule-Making & Guidance NYDFS Ransomware Privacy/Cyber Risk & Data Security State Issues State Regulators

    Share page with AddThis

Pages

Upcoming Events