Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On November 9, the U.S. District Court for the Northern District of California issued an order granting, among other things, a global technology company defendant’s motion to compel individual arbitration in a privacy class action and dismissing the action without prejudice. As outlined in a May order issued by the court, which granted in part and denied in part defendant’s motion to dismiss plaintiff’s first amended complaint, the plaintiff alleged that the defendant failed to disclose it was (i) monitoring and collecting Android smartphone users’ sensitive personal data while users interacted with apps not owned by the defendant; or (ii) generally collecting “sensitive personal data to obtain an unfair economic advantage.” While the court dismissed the plaintiff’s California Invasion of Privacy Act claims, it allowed claims brought under the California Consumers Legal Remedies Act (which “prohibits ‘unfair methods of competition and unfair or deceptive acts or practices’”) to proceed based on the reasoning that if the defendant had disclosed these material facts, the plaintiff would have acted differently.
The defendant moved to compel arbitration, claiming the plaintiff was using a smartphone that was bound by an arbitration provision. The plaintiff countered in both the complaint and first amended complaint, as well as in his initial disclosures, that the phone he originally purchased was never subject to an arbitration agreement. However, the court noted that account information later showed that the smartphone used by the plaintiff at the time he filed suit, as well as the smartphone he later switched to, both came with individual arbitration provisions and class waivers, subject to user opt out. The court stated that the plaintiff did not opt out of arbitration for either smartphone, and further denied the plaintiff’s motion for leave to file a second amended complaint, dismissing the action without prejudice.
On November 12, the FTC released a preliminary draft of the Strategic Plan for Fiscal Years 2022 to 2026 for public review and comment. Recognizing that protecting the public from unfair or deceptive acts or practices in the marketplace is a key FTC strategic goal, the draft Strategic Plan outlines several objectives guiding the Commission’s work in this area including (i) identifying, investigating, and taking enforcement action to deter these types of harm; (ii) providing consumers and businesses with guidance and tools to prevent harm; (iii) engaging in domestic and international collaboration efforts to enhance consumer protections, including those related to telemarketing, internet fraud, and privacy violations; and (iv) advancing measures to support underserved and marginalized communities. Recognizing that consumers cannot always identify whether unfair or deceptive practices have occurred, the FTC reports it will continue to identify consumer protection violations and collaborate with law enforcement partners to identify trends and targets and enforce consumer protection laws. These efforts will include safeguarding consumer privacy and litigating cases involving privacy risks.
Additional goals outlined within the draft Strategic Plan focus on marketplace competition, anticompetitive mergers, antitrust issues, resource management and workforce protections, and climate readiness. The draft Strategic Plan notes the importance of “cross-training staff on both consumer protection and competition issues” and of “grasping market realities” as “the economy becomes increasingly digitized.” According to the FTC, the “agency plans to be especially attentive to next-generation technologies, innovations, and nascent industries across sector.” Comments on the draft plan may be submitted through November 30.
U.S. and Israel form partnership to combat ransomware; U.S. enters cybersecurity initiative with France
On November 14, the U.S. Treasury Department announced the establishment of a bilateral partnership with the Israeli Ministry of Finance as part of the Biden Administration’s efforts to crackdown on ransomware. The partnership is part of the U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity, which was launched the same day. During the launch of the partnership, Treasury Department Deputy Secretary Wally Adeyemo and Israeli counterparts affirmed their commitment for encouraging robust fintech innovation and reinforced the importance of working together to combat cyber threats posed by nation-state and criminal actors to the global economy. The Task Force will take several measures, including immediately developing a Memorandum of Understanding that will support “(1) permissible information sharing related to the financial sector, including cybersecurity regulations and guidance, cybersecurity incidents, and cybersecurity threat intelligence; (2) staff training and study visits to promote cooperation in the area of cybersecurity and the financial system; and, (3) competency-building activities such as the conduct of cross-border cybersecurity exercises linked to global financial institutions financial and investment flows.” The Task Force also plans to launch a series of expert technical exchanges to support fintech innovation and examine ways cyber-analytics firms and fintech/regtech innovations are developing new measures to combat illicit finance risk and enhance public sector analytical and enforcement activities. According to Adeyemo, international cooperation is vital for addressing virtual currency abuses and disrupting the ransomware business model.
Separately, on November 10, Vice President Kamala Harris announced, among other initiatives, an international cybersecurity initiative with France to combat cyber threats. Harris stated that the U.S. will support the Paris Call for Trust and Security in Cyberspace, which the White House described as “a voluntary commitment to work with the international community to advance cybersecurity and preserve the open, interoperable, secure, and reliable internet.” According to the announcement, the U.S. “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.” Harris’ announcement builds on recent counter-ransomware actions taken to increase international cooperation to combat cybercrime. (Covered previously by InfoBytes here.)
On November 10, the Maryland governor announced the appointments of a new chief privacy officer and chief data officer, both of which are newly-created roles, as part of the state’s commitment to cybersecurity and data privacy. The chief privacy officer will lead state initiatives with respect to data privacy and will assume responsibility for “monitoring program compliance, investigation and tracking of incidents and potential breaches, and ensuring citizens’ rights.” The chief data officer will spearhead Maryland’s data governance program and will promote the use of technology and data analytics. “Public officials have no higher responsibility than keeping the American people safe, and there is no greater threat to their safety than the cyber vulnerabilities of the systems that support our daily lives,” Governor Hogan said in the statement.
On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor after determining that the court does not have jurisdiction over the companies. Plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of vendor customers. Plaintiffs contended that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach. Plaintiffs also alleged that an unauthorized third party gained access to the wallet provider’s e-commerce database and obtained the email addresses of one million customers as well as physical contact information for 9,500 customers. According to the plaintiffs, the wallet provider did not disclose that the attack on its website and the vendor’s data theft were connected, and it downplayed the seriousness of the attack. As a result, plaintiffs were allegedly subject to “phishing scams, cyber-attacks, and demands for ransom and threats.” Plaintiffs claimed that the companies failed to implement appropriate security measures to protect customer data, and brought claims against the companies for injunctive relief and other remedies under California’s unfair competition law, Georgia’s Fair Business Practices Act, and New York’s General Business Law. The defendant companies moved to dismiss, arguing that the court lacked personal jurisdiction and that plaintiffs failed to state a claim.
The court determined that it does not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The court further held that the fact that the vendor was headquartered in California at the time the breach occurred is not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the court wrote, dismissing the case with prejudice.
On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates CMMC 1.0 (see DoD guidance here) by streamlining compliance rules, strengthening cyber protection standards for companies operating in the defense industrial base, and encouraging a collaborative culture of cybersecurity and cyber resilience. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, stated. Among other things, CMMC 2.0: (i) simplifies CMMC standards and provides further clarity on cybersecurity regulatory, policy, and contracting requirements; (ii) focuses the most advanced cybersecurity standards and third-party assessment requirements on companies that support the highest priority programs; and (iii) “increase[es] DoD oversight of professional and ethical standards in the assessment ecosystem.” Changes reflected in CMMC 2.0 will be implemented through future rulemaking, and companies are not required to comply with CMMC requirements until the forthcoming rules take effect. DoD will also suspend a current CMMC pilot program and “will not approve inclusion of a CMMC requirement in any DoD solicitation” during this period.
On November 10, the UK Supreme Court issued a judgment in an appeal addressing whether a claimant can bring data privacy claims in a representative capacity against a global technology company in a class action suit. The claimant sought compensation on behalf of a class under section 13 of the Data Protection Act 1998 (DPA 1998) for damages suffered when the tech company allegedly tracked millions of iPhone users’ internet activity in England and Wales over a period of several months between 2011 and 2012, and used the collected data without users’ knowledge or consent for commercial purposes. The DPA 1998 was replaced by the UK General Data Protection Regulation and the Data Protection Act 2018 but was in force at the time of the alleged breaches and is applicable to this claim, the Court explained in a press summary. The Court also noted that, except in antitrust cases, UK legislation does not allow class actions and Parliament has not yet legislated to establish a class action regime related to data protection claims. The Court noted that the claimant sought to use “same interest” precedent, which allows a claim to be brought “by or against one or more persons who have the same interest as representatives of any other persons who have that interest.”
The Court reasoned that the case was “doomed to fail” because “the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by [the tech company] of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by [the tech company].” The Court added that users’ “loss of control” over personal data did not constitute “damage” under section 13 of the DPA 1998 because the users were not shown to have lost money or suffer distress. If the case had been allowed to proceed, the tech company could have faced a £3 billion damages award.
On November 8, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a private Israeli company’s motion to dismiss claims based on foreign sovereign immunity. The Israeli company (defendant) designs and licenses surveillance technology to governments and government agencies for national security and law enforcement purposes. According to the opinion, the defendant markets and licenses a product that allows law enforcement and intelligence agencies to covertly intercept messages, take screenshots, or extract information such as a mobile device’s contacts or history. The plaintiffs (a messaging company and global social media company) sued the defendant claiming it sent malware through the messaging company’s server system to approximately 1,400 mobile devices to gather users’ information in violation of state and federal law, including the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act. The defendant moved to dismiss, claiming foreign sovereign immunity protected it from the suit. The defendant further contended that even if the plaintiffs’ allegations were true, it was “acting as an agent of a foreign state, entitling it to ‘conduct-based immunity’—a common-law doctrine that protects foreign officials acting in their official capacity.” The district court disagreed, ruling that common-law foreign official immunity does not protect the defendant in this case because the defendant “failed to show that exercising jurisdiction over [the defendant] would serve to enforce a rule of law against a foreign state.”
Although the 9th Circuit agreed with the district court that the defendant, as a private company, is not entitled to immunity, the panel affirmed on separate grounds. The 9th Circuit based its determination instead on the fact that “the Foreign Sovereign Immunity Act (FSIA or Act) occupies the field of foreign sovereign immunity as applied to entities and categorically forecloses extending immunity to any entity that falls outside the FSIA’s broad definition of ‘foreign state.’” Among other things, the 9th Circuit rejected the defendant’s claim that because governments use its technology it is entitled to the immunity extended to sovereigns. “Whatever [the defendant’s] government customers do with its technology and services does not render [the defendant] an ‘agency or instrumentality of a foreign state,’ as Congress has defined that term,” the appellate court wrote. In contrast to the district court, the 9th Circuit rejected the defendant’s argument that it could claim foreign sovereign immunity under common-law immunity doctrines that apply to foreign officials (i.e., natural persons), finding that “Congress [had] displaced common-law sovereign immunity doctrine as it relates to entities.”
On November 5, the U.S. District Court for the Northern District of California granted preliminary approval of a class action settlement resolving claims against a grocery store chain after a data breach allegedly compromised personal information in its software. According to the plaintiffs’ notice of motion and motion for preliminary approval of class action settlement, a software vendor notified its clients, including the grocery store, that its software had been breached. As a result of the breach, hackers accessed personally identifiable information (PII) of approximately 3.82 million of the grocery store’s pharmacy customers and employees. Under the preliminary settlement, claimants may choose to receive either (i) a cash payment, with an estimated value between $18 and $91 for non-California residents and between $36 and $182 for California residents; (ii) two years of credit monitoring and insurance services; or (iii) reimbursement of any documented losses of up to $5,000. The proposed settlement also contains “robust injunctive relief,” including requirements that the grocery store chain (i) confirm that class members’ sensitive PII is secured; (ii) monitor the dark web for five years for fraudulent activity related to class members' PII; and (iii) enhance its third-party vendor risk management program. The district court also noted that any class member can appear at the fairness hearing to object to any aspect of the settlement, and that class members have 75 days after being notified of the deal to file their written objections or opt out of the settlement. The proposed settlement would not resolve any claims against the software vendor. Additionally, the court issued an order denying a motion to intervene by a group of objectors finding that they failed to “identify a protectable interest that will be impaired if they are unable to intervene.”
Treasury and DOJ announce sanctions and charges in ransomware attacks, FinCEN updates ransomware guidance
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 as amended against two ransomware operators and a virtual currency exchange network. According to OFAC, the virtual currency exchange, and its associated support network, are being designated for allegedly facilitating financial transactions for ransomware actors. OFAC is also designating two individuals allegedly associated with perpetuating ransomware incidents against the U.S., and who are part of a cybercriminal group that has engaged in ransomware activities and has received over $200 million in ransom payments. As a result of the sanctions, “all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them” and “any entities 50 percent or more owned by one or more designated persons are also blocked.” According to OFAC, the sanctions are a part of a set of actions focused on disrupting criminal ransomware actors and virtual currency exchanges that launder the proceeds of ransomware, which “advance the Biden Administration’s counter-ransomware efforts to disrupt ransomware infrastructure and actors and address abuse of the virtual currency ecosystem to launder ransom payments.” Additionally, the DOJ announced charges against the sanctioned individuals under OFACs designations, seizing approximately $6.1 million in alleged ransomware payments.
The same day, FinCEN issued an advisory, which updated and replaced its October 1, 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (covered by InfoBytes here). The updated advisory is in response to the recent increase in ransomware attacks against critical U.S. infrastructure. The updated advisory also reflects information released by FinCEN in its Financial Trend Analysis Report, which discusses ransomware trends and includes information on current trends and typologies of ransomware and associated payments as well as recent examples of ransomware incidents. Additionally, the updated advisory describes financial red flag indicators of ransomware-related illicit activity to assist financial institutions in identifying and reporting suspicious transactions related to ransomware payments, consistent with obligations under the Bank Secrecy Act.
- Jeffrey P. Naimon to discuss “Section 1071: Small business data collection & fair lending” at the American Bar Association Consumer Financial Services Winter Meeting 2022
- Jonice Gray Tucker to discuss “Getting your company ready: Managing fair lending for IMBs” at the Mortgage Bankers Association Independent Mortgage Bankers Conference
- Jonice Gray Tucker to discuss “Be Your Compliance Best in 2022” at the California Mortgage Bankers Association webinar
- Lauren R. Randell to discuss “Significant legal developments in the Northeast” at the 37th Annual National Institute on White Collar Crime
- Jonice Gray Tucker to discuss “Small business & regulation: How fair lending has evolved & where it is heading?” at the Consumer Bankers Association Live program