
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court granted final approval of a $63 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 7, the U.S. District Court for the District of Columbia granted final approval of a class action settlement resolving claims that a government agency and its contractor (collectively, defendants) did not detect hackers because they failed to establish reasonable safeguards that led to a data breach. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, a data breach occurred in June 2015 that compromised financial records, Social Security numbers, and other personal information of anyone who underwent a background check at the agency since 2000. The agency allegedly controlled numerous electronic systems without valid authorizations, failed to implement multi-factor authentication for accessing systems, failed to patch, segment, and continuously monitor systems, and failed to implement centralized data security protocols. According to the plaintiff’s motion, the settlement (if granted final approval) would require the U.S. government to pay $60 million of the settlement fund and the contractor to pay $3 million. The settlement agreement provides that “[e]ach valid claim will be paid at $700, except that if the actual amount of documented loss exceeds $700, the claim will be paid in that amount, up to $10,000.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • Senate Banking Committee sends letter to Yellen on consumer data activities

    Privacy, Cyber Risk & Data Security

    On June 7, Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, Senator Sherrod Brown sent a letter to Treasury Secretary Janet Yellen requesting that the Financial Stability Oversight Council conduct a review on the effect of the collection and sale of consumer data by financial institutions to determine whether such activities pose a systemic threat to U.S. financial stability and security. The letter raised concerns that such data could be used for nefarious purposes including "glean[ing] consumers’ tolerance for price hikes, or using certain people’s spending patterns to target them for blackmail or ransomware.”

    Privacy/Cyber Risk & Data Security Senate Banking Committee Consumer Finance Department of Treasury FSOC

  • District Court: Company must face data breach claims

    Courts

    On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in part and denying in part the defendant’s motion to dismiss, the court declined to dismiss several of the plaintiffs’ claims for negligence, ruling that the second amended complaint sufficiently alleged that the defendant employed inadequate data security and that the plaintiffs suffered an actual injury as a result of the data breach, because the monitoring services offered by the defendant were insufficient and offered for too short a time, causing certain plaintiffs to purchase additional identity protection products and/or services. However, other negligence claims were dismissed after the court determined that some of the plaintiffs failed to allege any actual damages or out-of-pocket expenses. Additionally, while the court allowed several state law claims to proceed, it dismissed claims brought under the California Consumer Protection Act due to the plaintiff’s failure to provide the requisite pre-suit notice within the 30-day period required by law, finding that the failure could not be cured by the passage of time. Other state law claims, involving violations of the Wisconsin Deceptive Trade Practices Act and the Pennsylvania Unfair Trade Practices and Consumer Protection Law, were also dismissed due to a failure to articulate cognizable losses.

    Courts State Issues California Privacy/Cyber Risk & Data Security Class Action Data Breach

  • California’s privacy agency posts CPRA proposal

    Privacy, Cyber Risk & Data Security

    Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.

    The draft regulations, which were introduced outside of the rulemaking process, set forth a working draft of the regulations to implement the CPRA and modify certain provisions and propose new regulations, including:

    • Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from the list of definitions, but add new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
    • Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated or incompatible with the original purpose for which the personal information was collected or processed.
    • Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
    • Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
    • Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
    • Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, location of the notices/links, and the effects of certain requests (e.g. “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”).  The draft regulations would also amend the notice of financial incentive.
    • Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
    • Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
    • Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
    • Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.

    The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.

    Privacy/Cyber Risk & Data Security State Issues California CCPA CPRA CPPA Consumer Protection

  • Maryland amends security procedures standards

    Privacy, Cyber Risk & Data Security

    On May 29, Maryland HB 962 was enacted under Article II, Section 17(c) of the Maryland Constitution as Chapter 502, which amends the Maryland Personal Information Protection Act. The bill, among other things, expands the types of businesses that are required to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized use. The bill also shortens the period within which certain businesses must provide required notifications to consumers after a data breach. Violations of the bill’s provisions are considered an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA), subject to the MCPA’s civil and criminal penalty provisions. The law is effective October 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Maryland

  • NAAG establishes cyber training center to help states understand emerging and evolving technologies

    Privacy, Cyber Risk & Data Security

    Recently, the National Association of Attorneys General (NAAG) established a new center dedicated to the development of programs and resources for supporting states’ understanding of emerging and evolving technologies. The Center on Cyber and Technology will also assist with cybercrime investigations and prosecutions and “serve as an information clearinghouse for the attorney general community on trending technology issues.” Faisal Sheikh will serve as the Center’s first director, and “will be responsible for developing programming on cybersecurity, cybercrime, and new and emerging technologies, as well as forming strategic partnerships with other government agencies, academic institutions, nonprofit organizations, and private sector entities that focus on these issues.” According to NAAG Executive Director Chris Toth, “digital evolution has highlighted the need for a sustained approach to addressing cyber and technology issues.”

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Enforcement National Association of Attorneys General

  • Brainard discusses central bank digital currency at House hearing

    Federal Issues

    On May 25, Fed Governor Lael Brainard spoke before the U.S. House Financial Services Committee in a virtual hearing titled “Digital Assets and the Future of Finance: Examining the Benefits and Risks of a U.S. Central Bank Digital Currency.” According to the Committee’s memorandum regarding the hearing, the Fed defines a central bank digital currency (CBDC) as a “digital liability of a central bank that is widely available to the general public,” and though definitions vary, “understanding what distinguishes cryptocurrency from fiat government-issued currency is fundamental.” The memorandum also discussed the Fed’s publication of a discussion paper in January, Money and Payments: The U.S. Dollar in the Age of Digital Transformation, which calls for public comments on questions related to the possibility of a U.S. CBDC (covered by InfoBytes here). In Brainard’s prepared statement, she noted that the “rapid ongoing evolution” of digital assets “should lead us to frame the question not as to whether there is a need for a central bank-issued digital dollar today, but rather whether there may be conditions in the future that may give rise to such a need.” Brainard also stated that “there are risks of not acting, just as there are risks of acting.” While there has not been a decision on creating a U.S. CBDC, Brainard stated that “it is important to undertake the necessary work to inform any such decision and to be ready to move forward should the need arise.” Additionally, Brainard pointed to recent pressure on two widely used stablecoins and resulting market turmoil that “underscore the need for clear regulatory guardrails to provide consumer and investor protection, protect financial stability, and ensure a level playing field for competition and innovation across the financial system.” Brainard further stated that a U.S. CBDC could be a potential “way to ensure that people around the world who use the dollar can continue to rely on the strength and safety of the U.S. currency to transact and conduct business in the digital financial system.”

    Federal Issues House Financial Services Committee Privacy/Cyber Risk & Data Security Digital Assets Cryptocurrency Federal Reserve Bank Regulatory CBDC Fintech

  • Social media company to pay $150 million to settle FTC, DOJ data security probe

    Federal Issues

    On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant deceived users about the extent to which it maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, from May 2013 to September 2019, the defendant asked users to provide either a phone number or an email address to improve account security. The defendant, however, allegedly failed to inform the more than 140 million users who provided phone numbers or email addresses that their information would also be used for targeted advertising. The FTC claimed the defendant used the collected information to allow advertisers to target specific ads to specific users by matching the phone numbers or email addresses with data they already had or obtained from data brokers. DOJ’s complaint alleged that the defendant’s conduct violated the FTC Act and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which require participating countries to adhere to certain privacy principles in order to legally transfer data from EU countries and Switzerland. This conduct also allegedly violated a 2011 FTC consent order with the defendant stemming from claims that the defendant deceived users and put their privacy at risk by failing to safeguard their personal information. According to DOJ’s complaint, the 2011 order “specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information.”

    Under the terms of the proposed order, the defendant would be required to pay a $150 million civil penalty and implement robust compliance measures to improve its data privacy practices. According to the FTC and DOJ announcements, these measures would (i) “allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers”; (ii) require the defendant to “notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about [its] privacy and security controls”; (iii) require the defendant to implement and maintain a comprehensive privacy and information security program, including conducting “a privacy review with a written report prior to implementing any new product or service that collects users’ private information,” regularly testing its data privacy safeguards, and obtaining regular independent assessments of its data privacy program; (iv) limit employee access to users’ personal data; and (v) require the defendant to notify the FTC should it experience a data breach, and provide reports after any data privacy incident affecting 250 or more users. Additionally, the defendant would be banned from profiting from deceptively collected data.

    Federal Issues Privacy/Cyber Risk & Data Security FTC DOJ Enforcement UDAP Deceptive FTC Act EU-US Privacy Shield Swiss-U.S. Privacy Shield Settlement

  • Hsu is self-described “crypto skeptic”

    On May 24, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the 2022 DC Blockchain Summit focusing on the vulnerabilities in the cryptocurrency framework and recent volatility with stablecoins. In his remarks, Hsu described that he has “been a crypto skeptic,” and that it has become clear to him that the crypto economy depends on “hype” to “generate the interest and investment that are key to creating the ‘flywheel’ of growth that crypto projects seem to need to get off the ground.” In his speech, he discussed his three high-level observations surrounding recent events from the perspective of a bank regulator. First, Hsu described “deep vulnerabilities in the crypto system,” noting that “[c]rypto is highly fragmented and prone to hacks,” and that “[c]ontagion risks are real.” He also argued that ownership rights are underdeveloped for the size, scope, and ambitions of the industry, explaining that “[f]or a technology and industry so focused on promoting an ‘ownership society,’ the lack of clarity on ownership rights, modes of ownership, and custody of digital assets seems like a fundamental problem that needs to be solved.” Second, Hsu observed that “recent events have shown the value of the OCC’s ‘careful and cautious’ approach to banks seeking to engage in crypto activities.” Hsu explained that there has been no contagion from cryptocurrencies to traditional banking and finance, stating that “[n]o banks are under stress or even rumored to be under stress due to crypto exposure.” Lastly, he warned “that hype is not harmless.” Hsu noted that a hype-driven economy has challenges for individuals interested in truly productive innovation and in protecting consumers. He recognized the possibility “for positive and transformative change with digital assets,” but warned that “the hype and the associated vulnerabilities noted above make the crypto space very dangerous for investors of modest means.” Hsu stated that while he remains “a crypto skeptic,” he sees “its potential and understand[s] why there is excitement around it.” He also stated that the agency “will continue to take a careful and cautious approach to crypto in order to ensure that the national banking system is safe, sound, and fair.”

    Bank Regulatory Federal Issues Digital Assets OCC Privacy/Cyber Risk & Data Security Cryptocurrency Fintech

  • FTC addresses importance of effective incident response and breach disclosure

    Privacy, Cyber Risk & Data Security

    On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The post noted that the FTC Act creates a de facto data breach notification requirement, because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) give an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (iv) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms such as identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC FTC Act Data Breach Consumer Protection
