Recently, a global technology corporation disclosed a €746 million (approximately $888 million USD) fine issued by the Luxembourg National Commission for Data Protection (CNPD) for alleged violations of the EU’s General Data Protection Regulation (GDPR). The corporation’s Form 10-Q for the second quarter of 2021 states that on July 16, the CNPD issued a decision against the corporation’s European headquarters, claiming its “processing of personal data did not comply with the [GDPR].” In addition to the fine, the decision also requires corresponding practice revisions, the details of which were not disclosed. The corporation noted that the decision is “without merit” and stated it intends to defend itself “vigorously” in this matter. According to sources, the decision follows an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes.
On July 21, the U.S. Court of Appeals for the Fifth Circuit reversed a lower court’s decision to grant summary judgment for a Houston-based insurer (defendant), finding that publication of material that violates a person’s right of privacy under the insurer’s policy can include making credit card information generally available. According to the opinion, a retail company (plaintiff) was sued by a branch of a national bank (bank) for alleged violations of an agreement that led to a $20 million data breach dispute. In response, the plaintiff filed a separate suit in Texas court against the defendant for breaching the insurance policy. The district court granted the defendant’s motion and dismissed all the claims. In doing so, “the district court held that the bank’s complaint did not allege a ‘publication’ of material that violated a person’s right to privacy because it asserted only that ‘[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.’” Furthermore, the district court found that the complaint also did not allege a violation of a person’s right to privacy because the bank’s suit involves the payment processor’s contract claims, not the cardholders’ privacy claims.
On appeal, the 5th Circuit adopted a broad definition of “publication” because the term was undefined in the policy, and found that the contract dispute brought by the bank against the plaintiff “plainly alleges” that hackers published the credit card information of the plaintiff’s customers in several ways. First, the bank accused the plaintiff of publishing its customers’ credit card information to hackers. Then, the hackers allegedly published the information by using it to make fraudulent purchases. The appellate court then examined whether the defendant “has a duty to defend [the plaintiff] in the [u]nderlying [bank] [l]itigation.” The appellate court applied Texas’s “eight-corners rule,” which compares the “four corners of the [p]olicy to the four corners of the [bank’s] complaint.” In doing so, the appellate court found that the bank’s “alleged injuries arise from the violations of customers' rights to keep their credit card data private,” and “[u]nder the eight-corners rule, [the defendant] must defend [the plaintiff] in the underlying [bank’s] litigation.”
On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which was preliminarily approved in January) allows class members representing consumers who used a payment card to make a purchase at an impacted point-of-sale device during the security incident to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) telecommunication charges; (iii) payday loan interest; and (iv) costs related to credit monitoring, identity theft protection, and time spent replacing credit cards and addressing fraudulent charges. Additionally, class members may be awarded up to $5,000 for “extraordinary expenses” resulting from the compromise of personal information. The grocery chain also agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” However, the court reduced the attorneys’ fees to $739,000 in the final settlement after determining the initial fee request was too high compared to the overall relief for class members.
On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone calls, including unwanted robocalls. “Electronic text messages to mobile devices have become the newest unwelcomed invasive marketing technique. Consumers should not be burdened with excessive and predatory telemarketing in any form, including text messages,” the press release stated. The act takes effect 30 days after becoming law.
District Court says retailer not an intended third-party beneficiary of a credit card arbitration provision
On July 8, the U.S. District Court for the Central District of California denied a retailer’s motion to compel arbitration in a consumer data sharing putative class action, ruling that the retailer was not an intended third-party beneficiary of an arbitration provision in a credit card agreement. The proposed class had filed an amended complaint accusing several national retailers of illegally sharing consumer transaction data in violation of the FCRA, the California Consumer Privacy Act, and California’s unfair competition law, among others. The motion at issue, filed by one of the retailers, sought to compel arbitration of a named plaintiff’s claims over her opposition. The retailer argued that as an “intended” third-party beneficiary of the contract, it had the right to enforce an arbitration clause contained in a credit card agreement purportedly signed by the plaintiff when she opened a retailer credit card account issued by an online bank.
The court disagreed, finding that the contract’s arbitration provisions specifically referred to the bank, and that the contract did not clearly “express an intention to confer a separate and distinct benefit on [the retailer].” Moreover, the court noted the contract at issue instructed the plaintiff to send any arbitration demand notices to the bank, adding that “[i]t seems unlikely that the parties would expect a demand for arbitration solely against the [retailer]—that does not involve [the bank]—to be sent to [the bank].”
On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming that a business’ failure to “implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.” The defense is available when an action is brought under Connecticut law or in Connecticut state court and where a business’ cybersecurity program conforms to an “industry recognized cybersecurity framework,” including the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and the Payment Card Industry Data Security Standard. A business can also take advantage of the defense if it is regulated by the state or federal government and is subject to, and conforms its cybersecurity program to, current versions of the following federal laws: (i) HIPAA; (ii) Title V of the Gramm-Leach-Bliley Act; (iii) the Federal Information Security Modernization Act; or (iv) the Health Information Technology for Economic and Clinical Health Act. Additionally, should one of the identified frameworks or listed laws be amended, a business has six months after publication of the revision to conform to it. The act requires a business’ cybersecurity program to, among other things, protect both “restricted information” and “personal information,” and to be scaled to the business’ size and complexity, the nature and scope of its activities, the sensitivity of the protected information, and the cost and availability of tools to improve information security measures and reduce vulnerabilities. The defense will not apply if a business’ “failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.” The act takes effect October 1.
On July 9, President Biden issued a broad Executive Order (E.O.) that includes provisions related to the financial services industry.
- CFPB. The E.O. encourages the CFPB director to issue rules under Section 1033 of Dodd-Frank “to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” As previously covered by InfoBytes, last October the Bureau issued an advance notice of proposed rulemaking on Section 1033, seeking comments on questions related to consumers’ access to their financial records. The E.O. also instructs the Bureau to enforce Section 1031 of Dodd-Frank, which prohibits unfair, deceptive, or abusive acts or practices in consumer financial products or services, “to ensure that actors engaged in unlawful activities do not distort the proper functioning of the competitive process or obtain an unfair advantage over competitors who follow the law.”
- Treasury Department. The E.O. calls on Treasury to submit a report within 270 days on the effects on competition of large technology and other non-bank companies’ entry into the financial services space.
- FTC. The E.O. tasks the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” The FTC already commenced that process on July 1, when it approved changes to its Rules of Practice to amend and simplify the agency’s procedures for initiating rulemaking proceedings. According to Commissioner Rebecca Kelly Slaughter, “[s]treamlined procedures for Section 18 rulemaking means that the Commission will have the ability to issue timely rules on issues ranging from data abuses to dark patterns to other unfair and deceptive practices widespread in our economy.”
- Bank Mergers. The E.O. encourages the Attorney General, in consultation with the Federal Reserve Board, FDIC, and OCC, to “review current practices and adopt a plan, not later than 180 days after the date of this order, for the revitalization of merger oversight under the Bank Merger Act and the Bank Holding Company Act of 1956.”
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact a comprehensive consumer privacy law. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and in March of this year Virginia enacted the Consumer Data Protection Act (covered by InfoBytes).
Highlights of the CPA include:
On July 1, the FTC announced a settlement with the operators of a coloring book app (collectively, “defendants”) for allegedly engaging in unfair or deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). The DOJ, on behalf of the FTC, filed a complaint claiming that the defendants, among other things, violated COPPA by collecting and disclosing personal information about children who utilized the app without notifying their parents and obtaining their consent. The FTC claimed that some children, including those under 13, were able to register for accounts and use the app’s social media features. The defendants allegedly received numerous complaints that children were using the app’s social media features, such as posting “selfies” on the app’s “gallery” for public viewing and interacting with other users, including adults. Under the terms of the proposed stipulated final order, the defendants must complete several steps to remedy the alleged violations, including deleting all personal information collected from children under the age of 13 within 60 days, unless parental consent is obtained. The defendants must also offer current paid subscribers a refund if they were under the age of 18 when they registered for the app. In addition, the defendants agreed to notify users about the alleged COPPA violations and the steps that users can take in response to the settlement. The proposed order provides for a $3 million civil money penalty that is suspended upon payment of $100,000 due to the defendants’ inability to pay the full amount. If the defendants sell the app within a year following the order, they are required to remit the net proceeds from the sale to the FTC after debts and other related expenses are paid.
On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) using multi-factor authentication and strong passwords; (iv) using monitoring and response capabilities to detect intruders; and (v) having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”