
InfoBytes Blog

Financial Services Law Insights and Observations


  • Security at Financial Institution Service Provider Scrutinized by Regulators

    Fintech

    Recently, Fidelity National Information Services, Inc. (FIS), a company providing payment processing and other services to banks and other financial institutions, reportedly was the subject of a critical assessment by the FDIC. The FDIC report comes in the aftermath of a 2011 security breach at the company and a subsequent examination by the FDIC, OCC, and the Federal Reserve Bank of Atlanta. According to the report, the FDIC demanded that FIS immediately address eight issues, including risk management and information security issues. The FDIC allegedly also stated that actions taken by the company to date were insufficient given the regulatory concerns and weaknesses identified by the FDIC. The NCUA received the FDIC report and forwarded it to credit unions with an advisory note to use the report in managing vendor relations with FIS. The report on FIS comes as regulators are placing enhanced scrutiny on financial institutions’ relationships with third-party service providers. In April, the CFPB issued Bulletin 2012-03, providing guidance to regulated entities on the oversight of business relationships with service providers. The CFPB bulletin states that “[t]he CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships” and lists specific minimum steps that should be a part of service provider oversight.

    FDIC CFPB Vendors Privacy/Cyber Risk & Data Security

  • Seventh Circuit Holds TCPA Prohibits Automated Calls to Cell Phones without Consent from Current Subscriber

    Courts

    On May 11, the U.S. Court of Appeals for the Seventh Circuit held that the Telephone Consumer Protection Act (TCPA) requires consent from a current cell phone subscriber to receive automated calls – even if a former subscriber to the same number had previously given consent to be contacted. Soppet v. Enhanced Recovery Company, LLC, No. 11-3819, 2012 WL 1650485 (7th Cir. May 11, 2012). The court affirmed a district court decision certifying a class of consumers who alleged that their cell phones were automatically dialed in violation of the TCPA. The defendant debt collectors argued that it was not a violation of the TCPA to call a cell phone number if a previous subscriber to that number had given the consent required by the TCPA because the previous subscriber was the “intended recipient” of the call. The court rejected this argument because, even though the TCPA does not define who the “called party” is that must consent to be contacted, its use throughout the TCPA indicates that “called party” refers to the currently subscribed cell phone user, and not to any previous user.

    Privacy/Cyber Risk & Data Security

  • FTC, CFPB, DOJ File Brief in Suit Challenging FCRA Constitutionality

    Consumer Finance

    On May 8, the FTC announced that it had joined the CFPB and the DOJ to file a brief supporting the constitutionality of the Fair Credit Reporting Act (FCRA). The brief was filed in a lawsuit in the U.S. District Court for the Eastern District of Pennsylvania in which a consumer alleged that a consumer reporting agency (CRA) violated FCRA by reporting on arrest records that were more than seven years old. Responding to these allegations, the CRA argued that the Supreme Court’s decision in Sorrell v. IMS Health, Inc., 131 S. Ct. 2653 (2011), rendered FCRA’s seven-year limitation unconstitutional under the First Amendment. The federal entities’ brief counters that Sorrell does not alter the test for commercial speech restrictions established in Central Hudson Gas and Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980). It goes on to argue that, under this test, the government has a substantial interest in protecting individuals’ privacy and that FCRA protects this interest while accommodating businesses’ competing interest in obtaining complete information about potential borrowers.

    CFPB FTC FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

  • Tenth Circuit Permits Trade Group Challenge to New Mexico Fair Credit Reporting Act

    State Issues

    On May 7, the U.S. Court of Appeals for the Tenth Circuit published an opinion that a trade group has standing to sue the Attorney General of New Mexico over that state’s credit reporting and identity theft requirements. Consumer Data Industry Assoc. v. King, No. 11-2085, 2012 WL 1573563 (10th Cir. May 7, 2012). In 2010, New Mexico enacted the Fair Credit Reporting and Identity Security Act, which, among other things, requires consumer reporting agencies (CRAs) to oblige a consumer’s request to remove credit report information resulting from identity theft until told otherwise by a court or the requesting consumer. The Consumer Data Industry Association (CDIA) challenged the law on behalf of its members, arguing that the state law is preempted by the federal Fair Credit Reporting Act (FCRA). Under FCRA, a CRA can deny a consumer request to remove information based on identity theft if the CRA reasonably determines that the request is fraudulent or erroneous. The district court held that the CDIA failed to prove redressability and therefore lacked constitutional standing to sue. The Tenth Circuit vacated the district court holding and ordered further proceedings. It found that federal courts consistently have found a case or controversy in suits between private parties subject to enforcement and the state entity responsible for enforcement, and that if a plaintiff faces a credible threat of enforcement, redressability is established. Here, the court held, the threat of enforcement faced by the CDIA members is sufficient to provide standing to sue for both injunctive and declaratory relief.

    FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

  • FTC Settles Privacy Claims Against Myspace

    Fintech

    On May 8, the FTC announced an agreement with Myspace to settle government allegations that the social networking service misrepresented the protections offered by its privacy policy. The policy promised consumers that Myspace would not share users’ personally identifiable information or use that information for purposes inconsistent with those for which the information was submitted without first giving notice to users and receiving their permission. The FTC alleged that the privacy policy was deceptive because, without user notice or consent, Myspace provided advertisers with certain user information that allowed the advertisers to identify additional personal information. Under the terms of the settlement, Myspace must (i) establish a comprehensive privacy program, (ii) obtain biennial independent privacy program assessments, and (iii) avoid misrepresenting the scope of its privacy policy protections.

    FTC Privacy/Cyber Risk & Data Security

  • Key Considerations in Drafting Mobile Disclosures

    Fintech

    Recent developments at the FTC and CFPB provide some guidance on how regulators may approach disclosures on smartphones and other mobile devices.

    The recent CFPB Remittance Rule on international remittance transfers indicates some flexibility in the provision of disclosures in the remittances context via a mobile device. Additionally, the FTC’s recent report on best practices in consumer data privacy notes the difficulty in providing privacy notices on the smaller screens of mobile devices and encourages shorter, more effective privacy policies as a result.

    These developments raise a series of questions for corporate counsel to consider when advising on the drafting and delivery of mobile disclosures. Specifically, questions include:

    1. Is the length of the mobile disclosure document as brief and succinct as it can be? Does it use concrete, everyday words and the active voice? Do the disclosures avoid multiple negatives, technical jargon and ambiguous language?
    2. Are the mobile disclosures presented in a logical sequence? Are they laid out in clear, concise sentences, paragraphs and sections? Are they placed in equal prominence to each other, absent any other specific regulatory format or placement requirements? Is the content placed on a particular page appropriate for the sizing of the page on the mobile screen? If not, are textual or visual cues used to encourage scrolling?
    3. Does the mobile disclosure "call attention to itself?" Is it on a screen the mobile user must access or will likely access frequently? If not, is it behind a hyperlink on an introductory screen that is clearly labeled so as to convey the importance of the linked disclosure? Is it presented with a clear, visible heading and an easy-to-read typeface and typesize?
    4. Have various technical and other applicable industry standards been consulted in the process of designing, developing and displaying mobile disclosures?

    Payment Systems Mobile Banking Privacy/Cyber Risk & Data Security

  • Federal District Court Holds Allegations of Failure to Protect Data Insufficient to Support Stored Communications Act Claim

    Fintech

    Last month, the U.S. District Court for the Northern District of Illinois held that a company’s failure to protect personal information does not violate the Stored Communications Act (SCA) because the company did not knowingly divulge the personal information. Worix v. MedAssets Inc., No. 11-8088, 2012 WL 787210 (N.D. Ill. Mar. 8, 2012). In this case, a computer hard drive belonging to the defendant, a firm that provides financial services for health care providers and as such handles the personal and confidential information of individuals, was stolen. The plaintiff, one of the individuals whose personal information was stored on the hard drive, alleged on behalf of a putative class that the defendant violated the SCA when it failed to adequately secure the protected personal information. The court held that the plaintiff could only support allegations that the defendant knowingly failed to protect the data, and the plaintiff failed to offer the proof required by the SCA that the defendant knowingly divulged protected information. The court also dismissed the plaintiff’s common law negligence claims and statutory fraud claims, holding that the plaintiff failed to allege actual damages when claiming an increased risk of identity theft and monitoring costs.

    Privacy/Cyber Risk & Data Security

  • Washington Federal Court Allows Data Privacy Case Against IMDb to Proceed

    Fintech

    On March 28, the U.S. District Court for the Western District of Washington held that actress Huong Hoang’s lawsuit against website IMDb.com pled sufficient facts to move forward on her breach of contract and Washington Consumer Protection Act claims, based in part on the website’s privacy policy. Hoang v. Amazon.com, Inc., No. C11-1709MJP (W.D. Wash. Mar. 28, 2012). IMDb, a subsidiary of Amazon, moved to dismiss Ms. Hoang’s four claims. Although two claims were dismissed, the court found that the defendant did not show that Ms. Hoang gave IMDb permission to use the information she provided when subscribing to the website to search public records for additional information about her. Plaintiff pointed to a statement in the IMDb privacy policy that it would “carefully and sensibly” manage how information about customers is used and shared, and that “[y]ou can choose not to provide certain information….” Plaintiff alleges that IMDb used the personal information she provided, including credit card information, to locate her date of birth, among other things. Ms. Hoang alleged that IMDb then added her date of birth and age to its website, causing her to lose roles and decrease her earnings. Defendant’s motion to dismiss the remaining claims was denied.

    Privacy/Cyber Risk & Data Security

  • Supreme Court Holds Only Pecuniary Damages Available Under Federal Privacy Act

    Courts

    On March 28, the U.S. Supreme Court ruled 5-3 that the Privacy Act of 1974, which regulates how federal agencies handle personal information, does not unequivocally authorize damages for mental or emotional distress. Cooper v. FAA, No. 10-1024, 2012 WL 1019969 (U.S. Mar. 28, 2012). In this case, an airline pilot sued the Federal Aviation Administration (FAA) and other federal agencies for impermissibly exchanging information about his HIV status in connection with a criminal investigation. The pilot claimed to suffer emotional and mental distress due to the disclosure. The U.S. Court of Appeals for the Ninth Circuit held that the term “actual damages” in the Privacy Act is not ambiguous and includes damages for mental and emotional distress. The Supreme Court reversed, holding, as the district court originally held, that the term is ambiguous and therefore does not waive the government’s sovereign immunity from liability for nonpecuniary damages. The narrow ruling only directly impacts actions under the Privacy Act, and the court notes that “actual damages” can mean different things in different contexts. As such, the holding does not invalidate prior lower court rulings that “actual damages” under other statutes, including the Fair Credit Reporting Act and the Fair Housing Act, can include damages for emotional or mental distress.

    Privacy/Cyber Risk & Data Security

  • FTC Finalizes Consumer Privacy Recommendations, Notes Mobile Issues

    Federal Issues

    On March 26, the FTC released an anticipated report on consumer privacy, calling on all companies to adopt certain practices to protect consumers’ private information. The final report outlines three basic principles: (i) “privacy by design”, (ii) simplified choice, and (iii) increased transparency. Though the report and recommended practices do not carry the force of law, the FTC encourages adoption of the recommendations to support innovation and commerce while improving consumer protection. The report also serves as a blueprint for what the FTC is seeking in federal privacy legislation. Pending congressional action, the FTC will continue to employ its existing enforcement authority to address unfair or deceptive practices, including practices that violate self-regulatory programs. Further, the FTC intends to support implementation of the framework by focusing on several substantive topics and stakeholder groups, including (i) do not track, (ii) mobile services, (iii) data brokers, (iv) large platform providers, and (v) industry codes of conduct. For example, the FTC will focus on mobile services by updating guidance about online advertising disclosures, including holding a workshop on model mobile disclosures on May 30, 2012. It also calls on mobile service providers to establish industry standards that address data collection, transfer, use, and disposal, particularly for location data.

    FTC Privacy/Cyber Risk & Data Security
