Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On March 31, the FCC adopted new rules that will require phone companies in the U.S. to deploy STIR/SHAKEN caller ID authentication framework by June 30, 2021. As previously covered by InfoBytes, the STIR/SHAKEN framework addresses “unlawful spoofing by confirming that a call actually comes from the number indicated in the Caller ID, or at least that the call entered the US network through a particular voice service provider or gateway.” FCC Chairman Ajit Pai endorsed the value of widespread implementation, stating the framework will “reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify—and even block—calls with illegal spoofed caller ID information before those calls reach their subscribers.” The new rules also contain a further notice of proposed rulemaking, which seeks comments on additional efforts to promote caller ID authentication and implement certain sections of the TRACED Act. Among other things, the TRACED Act—signed into law last December (covered by InfoBytes here)—mandated compliance with STIR/SHAKEN for all voice service providers.
FINRA provides cybersecurity alert containing measures firms should consider in adjusting to Covid-19
On March 26, FINRA released a cybersecurity alert providing FINRA firms and associated persons with measures they can take to help strengthen their cybersecurity controls in areas where risks may increase in the current environment. The alert contains recommendations concerning the security of office and home networks, computers, and mobile devices. It also addresses common methods of scams and attacks during Covid-19. The alert recommends that firms provide staff with training regarding cybersecurity.
On March 19, the FDIC issued FIL-18-2020, which highlights frequently asked questions for bank customers and banks affected by Covid-19. The FAQs, are available on the FDIC’s Covid-19 webpage. Bank customer FAQs cover questions regarding (i) deposit insurance; (ii) customer access to money; (iii) tips for avoiding scams; and (iv) identity theft, among other things. The FAQs for financial institutions cover topics including working with borrowers affected by Covid-19 through payment accommodations, reporting delinquent loans, and operational issues affecting institutions.
On March 5, the Vermont governor signed SB 110 to expand data privacy and consumer protection measures in the state. Among other things, SB 110 (i) expands the definition of personally identifiable information (PII) subject to the Security Breach Notice Act to also include taxpayer identification numbers, passport numbers, military identification card numbers, other government-originated identification numbers “commonly used to verify identity for a commercial transaction,” unique biometric data, and health records; (ii) provides that if a data breach is limited to the unauthorized acquisition of login credentials, data collectors are only required to provide notice to the state attorney general or the Department of Financial Regulation “if the login credentials were acquired directly from the data collector or its agent”; (iii) establishes requirements to ensure consumers are provided notice of a data breach; (iv) adopts online privacy protections for students, including prohibitions on the use of targeted advertising and the sale or rent of student information, as well as responsibilities for operators of online services or mobile applications; and (v) requires that consumer contracts clearly disclose any automatic renewal provisions and allow consumers to easily terminate contracts. SB 110 takes effect July 1.
On March 18, the Maine Bureau of Consumer Credit Protection provided interim guidance to MLOs, allowing employees to work from home as long as data security provisions are in place, and physical business records are stored only at the licensed main office. The guidance will be effective through May 1, 2020.
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”
Key modifications are as follows:
- Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
- Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
- “Opt-Out Button” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
- Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
- Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of it services, it may not build or modify household or consumer profiles to use in providing services to another business.
- Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
- Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
- Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.
Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.
On February 25, California Attorney General Xavier Becerra sent a letter to the chairmen and ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, asking lawmakers to not preempt state laws as they draft federal privacy legislation. While Becerra expressed his appreciation for Congress’ efforts to address consumer privacy issues through legislation, he stated, “I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents.” To emphasize his position, Becerra provided an update on the California Consumer Privacy Act (CCPA), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. The CCPA took effect January 1 but will not be enforced until July 1 following promulgation of the attorney general’s CCPA regulations. (See continuing InfoBytes coverage on the CCPA here.)
Becerra outlined several criteria for Congress to consider when drafting privacy legislation, encouraging Congress to “develop a final bill that builds on the rights afforded by [the] CCPA” as well as the additional guidance within the proposed regulations. These include the right for consumers to (i) “access, correct, and delete personal information that has been collected”; (ii) “minimize data collection, processing, and retention”; (iii) “data portability among services”; and (iv) “know what data is collected and processed and for what reasons.” In addition, Becerra stated that Congress should make clear that state attorneys general have “parallel enforcement authority” and that consumers are granted a private right of action to protect their rights.
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- A $5 billion penalty—the largest consumer privacy penalty to date—against a global social media company to resolve allegations that the company violated its 2012 FTC privacy order and mishandled users’ personal information. (Covered by InfoBytes here.)
- A $170 million penalty against a global online search engine and its video-sharing subsidiary to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA). (Covered by InfoBytes here.)
- A proposed settlement in the FTC’s first case against developers of “stalking” apps that monitor consumers’ mobile devices and allegedly compromise consumer privacy in violation of the FTC’s Act prohibition against unfair and deceptive practices and COPPA.
- A global settlement of up to $700 million issued in conjunction with the CFPB, 48 states, the District of Columbia and Puerto Rico, to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. (Covered by InfoBytes here.)
The report also discusses the FTC’s enforcement of the EU-U.S. Privacy Shield framework, provides links to FTC congressional testimony on privacy and data security, and offers a list of relevant rulemaking, including rules currently under review. In addition, the report highlights recent privacy-related events, including (i) an FTC hearing examining consumer privacy as part of its Hearings on Competition and Consumer Protection in the 21st Century; (ii) the fourth annual PrivacyCon event, which hosted research presentations on consumer privacy and security issues (covered by InfoBytes here); (iii) a workshop examining possible updates to COPPA; and (iv) a public workshop that examined issues affecting consumer reporting accuracy.
On February 21, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss multidistrict litigation resulting from its 2018 data breach. As previously covered by InfoBytes, the court also recently denied the company’s motion to dismiss in a suit brought by the city of Chicago as well as in a suit brought by a group of banks, both based on the same data breach of the company. The plaintiffs in this instance filed suit following the data breach, which exposed personal information including passport numbers and payment card numbers. The company argued, however, that the plaintiffs lacked standing and that they did not state a claim for which relief could be granted.
In the opinion, the court determined that the plaintiffs had successfully established injury-in-fact by claiming, among other things, that (i) plaintiffs’ personal information was targeted in the data breach and some plaintiffs were victims of identity theft, which “makes the threatened injury sufficiently imminent”; (ii) plaintiffs had spent time and money to mitigate harm from the data breach; and (iii) plaintiffs’ personal information lost value. The court also found that the company’s failure to properly secure the plaintiffs’ personal data could be traced to fraudulent accounts opened in certain plaintiffs’ names. In addition, the court denied the company’s motion to dismiss state negligence claims, contract claims, tort claims, and statutory claims in California, Florida, Georgia, Maryland, Michigan, New York, and Oregon. The court did, however, dismiss the plaintiffs’ negligence claims under Illinois law.
On February 14, four trade groups filed suit against Maine in the U.S. District Court for the District of Maine, alleging that a recently enacted state privacy law (covered by InfoBytes here) infringes the rights of Internet Service Providers (ISPs). The complaint claims that L.D. 946 “imposes unprecedented and unduly burdensome restrictions on ISPs’, and only ISPs’, protected speech,” and is “not remotely tailored to protecting consumer privacy.” Among other things, the trade groups claim that because the law only stifles the use of consumer data by ISPs and not by other similarly situated companies, it violates their First Amendment protected speech rights. The groups also argue that the Maine law is much stricter to ISPs than other state privacy laws which “provide opt-out rights for most consumer data and reserve opt-in consent for a narrow subset of sensitive personal information,” whereas L.D. 946 uses an opt-in system. L.D. 946 also restricts the ISPs’ use of non-sensitive information that is not personally identifying and prohibits the ISPs from providing customer discounts or rewards programs to consumers who opt-in to sharing information.
- Daniel R. Alonso to discuss "The international compliance situation and new challenges" at the World Compliance Association Covid Compliance Conference
- Benjamin W. Hutten to discuss "Understanding OFAC sanctions" at a NAFCU webinar
- Garylene D. Javier to discuss "Navigating workplace culture in 2020" at the DC Bar Conference