On June 16, the U.S. Court of Appeals for the Ninth Circuit partially revived a securities fraud action brought by the state of Rhode Island on behalf of its employees’ retirement system against a California-based technology company, its holding company, and several individuals (collectively, “defendants”), reversing a district court’s dismissal. In 2018, investors sued the defendants after the technology company discovered a security glitch that same year on its now-defunct social network site that exposed hundreds of thousands of users’ private data. The suits were consolidated, with the state of Rhode Island as lead plaintiff, alleging the defendants deceived investors and caused the company’s shares to be traded at artificially inflated prices between the discovery of the software glitch and its disclosure. According to the plaintiffs, the defendants omitted material facts on Form 10-Qs filed with the SEC in 2018 by including statements such as “[t]here have been no material changes to our risk factors since our Annual Report on Form 10-K for the year ended December 31, 2017.” The defendants moved to dismiss for failure to state a claim, which the district court granted, stating, among other things, that the plaintiffs failed to adequately allege “falsity, materiality, and scienter” in statements made by the defendants in their April 2018 and July 2018 10-Qs.
On appeal, the 9th Circuit reviewed the challenged statements, concluded that two statements made by the parent company in its 10-Qs were materially misleading or had omitted facts regarding the software issues, and vacated the dismissal of the plaintiffs’ falsity, materiality, and scienter claims. The appellate court also found that the defendants’ claim that the software problem had been patched by the time the challenged statements were made in their 10-Qs was not enough. “Given that [the company’s] business model is based on trust, the material implications of a bug that improperly exposed user data for three years were not eliminated merely by plugging the hole in [the social network site’s] security,” the appellate court wrote, further concluding that “[t]he market reaction, increased regulatory and governmental scrutiny, both in the United States and abroad, and media coverage alleged by the complaint to have occurred after disclosure all support the materiality of the misleading omission.” The 9th Circuit also referenced a so-called “Privacy Bug Memo” that was supposedly circulated among some of the defendants’ leadership team, which warned that disclosing these security issues “would likely trigger ‘immediate regulatory interest’ and result in the defendants ‘coming into the spotlight[.]’”
Concerning the remaining 10-Q statements identified in the complaint, the 9th Circuit affirmed the district court’s dismissal of claims based on these statements after concluding that the plaintiffs did not plausibly allege that they were “misleading material misrepresentations.”
On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection personal identification numbers; (iii) passport and military identification numbers, as well as other government-issued identification numbers; (iv) medical information; (v) health insurance policy numbers or other identifiers used by health insurers; (vi) biometric information; and (vii) user names or email addresses combined with passwords or security questions and answers used to access an individual’s online account.
The act also requires businesses to notify residents whose personal information was breached or reasonably believed to have been breached within 60 days instead of 90 days after the discovery of the breach. Should a business identify additional affected residents after 60 days, it is required to provide notice as expediently as possible. Additionally, in the event that a resident’s login credentials are breached, a business may provide notice in electronic form (or another form) that directs the individual to take appropriate measures to protect the affected online account and all other online accounts. Businesses that furnish email accounts are also required to either verify that the affected individual received the data breach notice or provide notification through another method. The act also adds provisions related to compliance with privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and specifies that information provided in response to an investigative demand connected to a data breach will be exempt from public disclosure, but the attorney general may make the information available to third parties in furtherance of the investigation. The act takes effect October 1.
On June 22, the FTC issued a decision and order against a company operating a fertility-tracking mobile app. The order resolved claims that the company shared users’ sensitive health data with various marketing and analytics service providers. The FTC filed a complaint in January claiming, among other things, that the company repeatedly promised to protect users’ personal health data but instead disclosed the data to third parties for years and did not contractually limit how those third parties could use the data. These actions, the FTC claimed, violated the FTC Act as well as the frameworks under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, in which the company represented to users that it participated, and which require companies to provide notice, choice, and accountability for the transfer of personal data to third parties. Under the terms of the decision and order, the company is required to provide notice to users about the disclosure of their health data, obtain users’ affirmative express consent to share the information, and instruct any third party that received users’ health information to destroy the data. Additionally, the company is prohibited from misrepresenting: (i) the purposes for which it (or any entity to whom it discloses personal data) collects, maintains, uses, or discloses the data; (ii) the extent to which consumers can control the use of the data; (iii) its adherence to any privacy, security, or compliance program; and (iv) the extent to which it “collects, maintains, uses, discloses, deletes, or permits or denies access to any” users’ personal information. The FTC further noted in its announcement that it is “currently undertaking a review of the Health Breach Notification Rule and is actively considering public comments regarding the application of the Rule to mobile applications and other direct-to-consumer technologies that handle consumers’ sensitive health information.”
District Court: Applying Michigan law is contrary to California’s interest in protecting citizens in data breach case
On June 15, the U.S. District Court for the Eastern District of Michigan denied an e-commerce company’s request to compel arbitration after reviewing whether Michigan or California state law applied to class claims concerning a 2019 data breach. After four actions against the company were consolidated and transferred from a California court to Michigan, a separate putative class action was filed in the U.S. District Court for the Northern District of California related to the data breach. Members of this putative class brought claims against the company for allegedly failing to protect California residents’ confidential and personal information from the 2019 data breach. The class sought public injunctive relief under California’s Consumer Records Act (CRA) and Unfair Competition Law, arguing, among other things, that the potential for “future injury to the general public” remains because the company has not changed its practices.
On June 15, the SEC announced charges against a real estate settlement services company for allegedly failing to maintain disclosure controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent cybersecurity journalist warned the company in May 2019 of a vulnerability in its system for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, the company issued a press release for inclusion in the cybersecurity journalist’s report published in May 2019 and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, the company’s senior executives responsible for these kinds of releases “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” Specifically, the order states that senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, in January 2019, but had failed to remediate it in accordance with the company’s policies. The order finds that the company “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.” The SEC charged the company with violating Rule 13a-15(a) of the Exchange Act and ordered the company, which agreed to a cease-and-desist order, to pay a $487,616 penalty.
On June 2, the Nevada governor signed SB 260, which revises certain provisions under the state’s existing privacy law. Among other things, the act (i) adds “data broker” to the existing privacy framework; (ii) exempts certain persons and information collected about a consumer in the state from requirements imposed on operators, data brokers, and covered information, including consumer reporting agencies, personally identifying information regulated by the FCRA or the federal Driver’s Privacy Protection Act, information collected for the purposes of fraud information, publicly available information, and financial institutions; (iii) prohibits a data broker from selling covered information collected about a consumer in the state if so directed by the consumer, and revises provisions related to the sale of certain covered information about a consumer; (iv) requires data brokers to respond to a consumer’s verified request within 60 days after receipt (a data broker may extend this period by no more than 30 days if an extension is determined to be reasonably necessary); (v) provides data brokers and operators 30 days to remedy violations of the opt-out requirement (provided they have not previously failed to comply with the opt-out requirements); and (vi) updates the definition of “sale” to include “the exchange of covered information for monetary consideration by an operator or data broker to another person.” While existing law already provides the Nevada attorney general with the authority to seek injunctive relief and impose civil penalties of no more than $5,000 per violation, the act extends this authority to cover data brokers. Additionally, the act explicitly does not provide for a private right of action against operators. The act takes effect October 1.
On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a data breach of the CRA. (Covered by InfoBytes here.) The 11th Circuit’s opinion resolves challenges brought by objectors to the settlement who argued that plaintiffs lacked Article III standing because they did not have their identities stolen, and challenged, among other things, certain procedural requirements, the appropriateness of class certification given the possibility that some class members may have been able to recover state statutory damages, and the district court’s adoption of an approval order “ghostwritten” by plaintiffs’ counsel. The objectors also argued that the settlement was inadequate given the “unique risks associated with stolen social security numbers,” and disagreed with the award of $77.5 million in attorneys’ fees, as well as the district court’s decision to impose appeal bonds of $2,000 on each objector.
On appeal, the 11th Circuit rejected almost all of the objectors’ arguments after determining that class members—even if they were not victims of identity theft—faced a material risk of harm. The appellate court also held that the procedural requirements were not particularly burdensome given the roughly 147 million class members involved. Moreover, the appellate court concluded that the fact that class members in a couple of states could have argued for statutory damages did not make the named plaintiffs inadequate class representatives. Furthermore, the appellate court noted that (i) the settlement addressed the seriousness of the stolen social security numbers; (ii) attorneys’ fees (equal to 20.36 percent of the common fund) were within the reasonable range; (iii) objectors failed to show any “practice of uncritically adopting counsel’s proposed orders”; and (iv) the district court did not “abuse its discretion when it imposed the appeal bonds based on its finding that there was a ‘substantial risk that the costs of appeal will not be paid unless a bond is required.’” Moreover, the 11th Circuit noted that “[a]bsent the settlement, the class action could have faced serious hurdles to recovery, and now the class is entitled to significant settlement benefits that may not have even been achieved at trial,” adding that the FTC, CFPB, and state attorneys general for 48 states, the District of Columbia, and Puerto Rico all support the settlement.
The appellate court, however, did reverse the district court’s award of incentive payments to the class representatives and remanded the case solely for the purpose of vacating those awards.
FTC alleges subscription service failed to provide access to paid-for services or secure personal data
On June 7, the FTC announced a complaint and proposed consent order against the operators of a movie subscription service to settle allegations that the respondents denied subscribers access to paid-for services and failed to secure subscribers’ personal information. The FTC alleges in its complaint that the respondents violated the FTC Act by employing multiple tactics to prevent subscribers from using the advertised services, including by (i) invalidating subscribers’ passwords while deceptively claiming to have “detected suspicious activity or potential fraud” on the subscribers’ accounts; (ii) imposing a deceptive ticket verification program, which required subscribers to submit photos of physical movie ticket stubs within a certain timeframe in order to view future movies or risk having their subscriptions cancelled; and (iii) using undisclosed financial thresholds known as “trip wires” to block certain subscribers after they reached certain viewing thresholds based on their monthly cost to the company. The FTC also alleged that the respondents violated the Restore Online Shoppers’ Confidence Act by failing to (i) disclose all material terms before obtaining consumers’ billing information; or (ii) obtain consumers’ express informed consent before charging them. Furthermore, the respondents allegedly failed to take reasonable measures to protect subscribers’ personal information, including by storing personal data such as financial information and email addresses in unencrypted form and failing to restrict who could access the data, which led to a data breach in 2019.
An analysis of the FTC’s proposed consent order notes that the respondents are prohibited from misrepresenting their services and must establish a comprehensive information security program that requires them (and any businesses controlled by the respondents) to implement, annually test, and monitor safeguards and to take steps to address security risks. The respondents must also obtain biennial third-party assessments of their information security program, notify the FTC of any future data breaches, and annually certify that they are complying with the order’s data security requirements. The FTC noted that because certain respondents have filed for bankruptcy, the order does not include monetary relief.
On May 26, the Financial Crimes Enforcement Network (FinCEN) announced it will host a special Innovations Hours Program in September “focusing on the important role of privacy-preserving principles in developing technical solutions that enhance financial services innovation while countering illicit activity and national security risks that undermine the integrity and opportunity of the U.S. financial system.” Fintech and regulatory technology (regtech) companies, venture capital firms, and financial institutions interested in providing a demonstration should highlight how their innovative solutions work and how these solutions “may support private- and public-sector efforts to enhance financial integrity, while protecting national security and personal privacy.” Interested companies should submit requests here no later than July 23. As previously covered by InfoBytes, the Innovation Hours Program was announced in 2019 to provide opportunities for fintech/regtech companies and financial institutions to showcase new and emerging approaches to combating money laundering and terrorist financing and to demonstrate how financial institutions could use such technologies.
On May 18, the New York attorney general announced an agreement with an online water filtration retailer to resolve an investigation into a 2019 data breach that allegedly compromised the sensitive personal information of roughly 324,000 customers. According to the AG, the data breach affected the retailer’s website for nearly a year and compromised information including credit card holders’ names, billing addresses, card expiration dates, and security codes. The data breach occurred after attackers exploited a known vulnerability in the retailer’s online checkout process that the retailer had not patched. After a credit card payment system management company notified the retailer of suspicious activity, the retailer conducted an internal investigation that “erroneously concluded” that no breach had occurred. After additional reports of compromise, a credit card company asked the retailer to hire a forensic investigator to review the retailer’s systems, and it was this forensic investigation that ultimately discovered “conclusive evidence” of the breach.
Under the terms of the assurance of discontinuance, the retailer is required to pay a $200,000 fine, half of which is suspended unless the retailer is found to have “materially misstated its financial condition.” In addition, the retailer is required to adopt several security measures, including (i) creating a comprehensive information security program; (ii) designing an incident response and data breach notification plan to encompass “preparation, detection and analysis, containment, eradication, and recovery”; (iii) incorporating personal information safeguards and controls, “including encryption, segmentation, penetration testing, logging and monitoring, virus protection policy, custom application code change reviews, authentication policy and procedures, management of service providers, and patch management”; and (iv) agreeing to conduct third-party security assessments over the next five years.