InfoBytes Blog

Financial Services Law Insights and Observations

  • Sixth Circuit Holds Computer Hacking Losses Covered by Insurance

    Consumer Finance

    Last month, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court holding that the computer fraud rider to a retailer’s Crime Policy covered losses resulting from the theft of customers’ financial information by computer hackers. Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., No. 10-4576/4608, 2012 WL 3608432 (6th Cir. Aug. 23, 2012). The retailer incurred millions of dollars in expenses and attorney fees related to a data breach in which computer hackers stole customers’ credit card and bank account information. The retailer submitted a claim for the losses under the computer fraud rider to its Blanket Crime Policy, which the insurer denied because the policy excluded third-party theft of “proprietary” or “confidential information.” The retailer filed suit and prevailed on summary judgment. On appeal, the court upheld the district court’s application of a proximate cause standard to determine that the losses were covered as losses sustained as a direct result of the theft. The court also rejected the insurer’s argument that the losses were excluded as losses of “proprietary or confidential information” because the retailer did not “own or hold single or sole right” to the stolen information and the information did not relate to the manner in which the business operated.

    Privacy/Cyber Risk & Data Security

  • Privacy Challenge to Bank's Overseas Call Centers Dismissed

    Fintech

    On August 28, the U.S. District Court for the District of Columbia dismissed a putative class action that claimed that a bank’s use of overseas call centers subjects private financial records to U.S. government review in violation of the Right to Financial Privacy Act (RFPA). The RFPA generally prohibits financial institutions from providing customer information to a government authority. Stein v. Bank of Am. Corp., No. 11-1400, 2012 WL 3671009 (D.D.C. Aug. 28, 2012). The bank customer plaintiffs claim that because foreign states and foreign nationals are not subject to U.S. privacy laws, including the RFPA, the bank’s transmission of account and other customer data to an overseas call center risks making that data available for potential review by federal national security authorities. The bank moved to dismiss for lack of subject matter jurisdiction and failure to state a claim. The court granted the bank’s motion, finding that the plaintiffs failed to allege a cognizable injury sufficient to establish standing. The court held that the bank customers do not allege that the bank actually provided any records to a government entity and therefore, the customers do not adequately plead “a concrete and particularized injury, free of conjecture or speculation.”

    Privacy/Cyber Risk & Data Security

  • FTC Extends Comment Period for Children's Privacy Rule

    Fintech

    On August 27, the FTC extended through September 24, 2012 the time period for comments on proposed changes to the Children’s Online Privacy Protection Rule. The comment period originally was due to close on September 10, 2012.

    FTC Privacy/Cyber Risk & Data Security

  • State Law Update: New York Bans Yield Spread Premiums, Expands Consumer Privacy Protections

    Fintech

    On August 17, New York Governor Andrew Cuomo signed Senate Bill 886, which prohibits any compensation paid to a mortgage broker or lender that is based on the terms of a mortgage, except for compensation linked to the principal balance of the loan. This prohibition of so-called yield spread premiums is a change from existing state law that prohibited “abusive” yield spread premiums in connection with high-cost mortgages.

    On August 14, New York enhanced consumer privacy protections when it enacted Assembly Bill 8992. Just as the Federal Privacy Act of 1974 applies to federal, state, and local government agencies, this bill prohibits private businesses from conditioning the provision of services on a consumer’s willingness to disclose his or her Social Security number upon request. The law provides several exceptions, including when the collection of the Social Security Number is (i) otherwise required by law, (ii) requested in connection with the opening of a deposit account or a credit transaction initiated by the consumer, or (iii) required for any business function allowed under the Gramm Leach Bliley Act.

    Mortgage Origination Yield Spread Premium Privacy/Cyber Risk & Data Security

  • FTC Finalizes Privacy Settlement with Facebook

    Fintech

    On August 10, the FTC approved a final settlement to resolve charges that Facebook deceived customers by failing to meet stated privacy protections. The FTC alleged, among other things, that Facebook shared personal information with advertisers despite assurances that it would not do so. The agreement does not include any monetary penalty, but Facebook is prohibited from making any deceptive privacy claim, and it must obtain consumers' approval before changing the way it shares their data. For the next twenty years, Facebook also must obtain periodic assessments of its privacy practices by independent auditors. One Commissioner objected, stating that because the agreement includes a denial of the allegations, the Commission does not have sufficient grounds under the FTC Act to accept the consent agreement. Further, the dissenting Commissioner stated that the settlement is insufficient because it does not clearly extend to all representations made in the Facebook environment and specifically may not cover third-party applications.

    FTC Privacy/Cyber Risk & Data Security

  • FTC Announces Settlement With Google Over Privacy Violations

    Fintech

    On August 9, the FTC announced that it obtained from Google a $22.5 million civil penalty to resolve allegations that the company misrepresented certain privacy protections to consumers. According to the FTC, Google violated a previous FTC settlement and order when it placed advertising tracking cookies on the computers of Apple’s Safari Internet browser users, despite Google specifically telling users that they would be opted out of such tracking by default. The FTC states that the penalty is the largest it has ever obtained for violation of a previous order.

    FTC Privacy/Cyber Risk & Data Security

  • FTC Considers Additional Revisions to Children's Online Privacy Protection Rule

    Fintech

    On August 1, the FTC announced that it is seeking public comment on additional proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule). In September 2011, the FTC sought comments on certain proposed changes to its COPPA Rule. In response to the hundreds of comments received, as well as subsequent efforts to enforce the rule, the FTC now is proposing to modify certain definitions to enhance protections related to the online collection, use, or disclosure of children’s personal information. The revised definitions include: (i) “operator”, (ii) “website or online service directed to children”, and (iii) “personal information.” For example, with regard to “personal information”, the definition would be altered to include a persistent identifier where it can be used to recognize a user over time or across different websites. The FTC is accepting comments on the proposal through September 10, 2012.

    FTC Privacy/Cyber Risk & Data Security

  • House Members Seek Information from Data Brokers

    Fintech

    On July 24, a bipartisan group of members of the House of Representatives, led by Representatives Barton (R-TX) and Markey (D-MA), sent letters to nine firms the members identified as “major data brokerage companies.” The letters ask each firm to provide information about how it collects, assembles, and sells consumer information.  Among the series of specific inquiries, the letters seek information about collection processes and sources, data security measures, and consumer fees and notices. The House members asked each company to respond by August 15, 2012.

    Consumer Reporting Privacy/Cyber Risk & Data Security

  • State Law Update: Hawaii and California Take Actions on Mortgages and Privacy

    Fintech

    California AG Announces Privacy Enforcement Unit. On July 19, California Attorney General Kamala Harris announced the creation of the Privacy Enforcement and Protection Unit. The unit will combine the various existing privacy functions of the California Department of Justice to centrally enforce and protect consumer privacy. The unit will pursue civil prosecution of state and federal privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. These include laws relating to cyber privacy, financial privacy, identity theft, and data breaches, among others.  The new unit will reside within the eCrime Unit, which was created in December 2011 to identify and prosecute identity theft crimes, cyber-crimes and other crimes involving the use of technology.

    California Expands Servicemember Protections. On July 13, California enacted AB 2476, which expands the period of time during which servicemembers are protected from high interest rates. Under current law, a creditor cannot charge, during a servicemember’s period of military service, an interest rate in excess of 6% on any obligation or liability incurred by a servicemember before that person’s entry into service. The bill expands the interest rate protections to prevent an increase in any such rate on a mortgage, trust deed, or other security in the nature of a mortgage for one year after the period of military service.

    Hawaii Enacts Multiple Mortgage-Related Bills and Legislation to Protect Personal Information. Recently, Hawaii enacted a set of bills related to mortgage origination and servicing. With regard to mortgage origination, S.B. 2763 amends the state SAFE Act to reflect changes to the federal law and to adjust originator registration fees. With regard to mortgage servicers, H.B. 2502 allows the Commissioner of Financial Institutions to require registration with the NMLS and makes it unlawful for a servicer to provide loan modifications without first complying with certain licensing requirements. Another bill, H.B. 1875 makes numerous changes to the state’s foreclosure laws, largely implementing recommendations from the Mortgage Foreclosure Task Force created by the state legislature in 2010. Finally, with regard to mortgages, H.B. 2375 establishes criminal penalties for certain violations of the state’s Mortgage Rescue Fraud Prevention Act. Hawaii also recently enacted S.B. 2419, which prohibits businesses from scanning a customer’s identification card or driver’s license with an electronic device capable of obtaining information electronically encoded on that identification card, except for specific purposes.

    Mortgage Licensing Mortgage Servicing Servicemembers State Attorney General Privacy/Cyber Risk & Data Security Mortgage Origination

  • First Circuit Holds Bank May Be Liable For Customer Losses from Cyber Attacks

    Consumer Finance

    On July 3, the U.S. Court of Appeals for the First Circuit became the first federal appellate court to address the issue of bank liability for the loss of customer funds resulting from a breach of a bank’s cyber security, reversing a district court’s holding that the bank was not liable for such losses because its security protections were commercially reasonable. Patco Const. Co., Inc. v. People’s United Bank, No. 11-2031, 2012 WL 2543057 (1st Cir. Jul. 3, 2012). Patco Construction Company, a commercial banking customer, suffered losses when cyber attackers gained electronic access to its account and made a series of unauthorized withdrawals. The customer sued the bank to recover the lost funds. The district court granted summary judgment in favor of the bank, holding that the customer should bear the loss from the fraudulent transfers because the bank’s cyber security protections were commercially reasonable, and the customer agreed that the procedures were reasonable when it signed the contract to add its electronic account. On appeal, the customer argued that the procedures were not commercially reasonable, that it did not agree to the procedures, and that the bank did not comply with its own procedures. Specifically, the customer argued that the bank increased the risk of compromised security when it decided to lower the threshold that triggered account verification questions from $100,000 to $1, essentially requiring that the verification questions be answered for every transaction without considering the circumstances of the customer and the transaction. The First Circuit agreed. It found that the procedure change increased the risk of fraud through unauthorized use of compromised security answers. Moreover, after it had warning that fraud was likely occurring, the bank did not monitor the transaction or provide notice to the customer. The court held that the bank’s collective security failures, when compared to the security measures employed by other financial institutions and the bank’s capacity to implement more robust protections, rendered its security procedures commercially unreasonable. The court reversed the district court’s ruling in favor of the bank and remanded for further proceedings.

    Privacy/Cyber Risk & Data Security
