Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.
On November 8, the New York governor signed measures to help prevent robocalls and increase consumer protections. The measures build upon federal actions to combat robocalls and “will enable telecom companies to prevent these calls from coming in in the first place, as well as empower our state government to ensure that voice service providers are validating who is making these calls so enforcement action can be taken against bad actors,” Governor Kathy Hochul stated.
S.6267a requires telecommunication companies to block certain calls, including those from (i) numbers that are not valid North American numbering plan numbers; (ii) numbers that are not allocated to a provider by the North American numbering plan administrator or the pooling administrator; and (iii) unused numbers that are allocated to a provider. According to the governor’s press release, the act codifies into state law the provisions of an FCC 2017 rule that took effect in June 2021 and allows telecommunications companies to proactively block calls from certain numbers. (Covered by InfoBytes here.) These types of numbers, the release states, “are indicative of ‘spoofing’ schemes in which the true caller identity is masked behind a fake, invalid number.” The act takes effect immediately.
The second act, S.4281a, requires voice services providers to authenticate calls using the STIR/SHAKEN call authentication framework. As previously covered by InfoBytes, in 2020, the FCC, pursuant to the TRACED Act, adopted new rules requiring providers to implement the STIR/SHAKEN framework by June 2021. Under New York’s new measure, providers have up to 12 months to implement this framework or an “alternative technology that provides comparable or superior capability to verify and authenticate caller identification in the internet protocol networks of voice service providers.” Violators face a fine of up to $100,000 for each offense per day that the framework is not in place. This act is also effective immediately.
On November 8, the New York governor signed S.2628, which requires employers to notify their employees in writing upon hiring of their intention to monitor or intercept telephone or email conversations or transmissions, or monitor the use or access of other electronic devices. Employers must receive acknowledgement from the employee either in writing or electronically and are also required to post the notice of electronic monitoring in a conspicuous area where it can be viewed by employees. The act applies to any individual, corporation, partnership, firm, or association with a place of business in New York, but does not include the state or political subdivisions of the state. Also exempt are processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” The attorney general is authorized to enforce the act and fine employers found to be in violation of the provisions. The act takes effect in 180 days.
On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas Consumer Protection Act and the Wayne Owen Act by repeatedly disposing of records in unsecured trash receptacles without “rendering the personal information unreadable or undecipherable.” By engaging in these actions, the AG stated, the companies failed to comply with the requirements that companies implement and maintain reasonable policies and procedures and exercise reasonable care to protect personal information from unauthorized access and use, and take reasonable steps to destroy records containing personal information when they are no longer needed. Under the terms of the consent judgments (see here, here, and here), the companies must pay the fine, implement measures to ensure the proper disposal of documents, conduct employee training on the proper handling and disposal of personal information, and evaluate their information security programs and policies to ensure personal information is protected.
On November 4, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims that a plasma donation center (defendant) unlawfully collected and stored the fingerprints of blood plasma donors. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, the plaintiff filed the proposed class action in 2019, alleging the defendant violated the Illinois Biometric Information Privacy Act (BIPA) by collecting thousands of fingerprints through a finger-scanning donor identification system without providing proper disclosures or obtaining informed written consent. The plaintiff further alleged that the defendant required her (and thousands of Illinois blood plasma donors) to provide a fingerprint to donate plasma, which was later used for identification on subsequent visits. The plaintiff alleged that by not requiring her informed consent and by disclosing her information to a third party, the defendant’s practice violated BIPA. According to the plaintiff’s motion, the settlement (if approved) would establish a settlement class of 76,826 Illinois blood plasma donors who were required to scan their finger at the defendant’s Illinois facilities prior to donating plasma. The settlement would provide payouts of approximately $400 to $800 per class member, assuming a claims rate of 10 percent to 20 percent, and permit class counsel to file for up to 35 percent of the settlement fund for attorney fees.
On November 5, the CFPB published a notice in the Federal Register seeking public comments on recently issued orders to six large U.S. technology companies requesting information and data on their payment system business practices (covered by InfoBytes here). According to the notice, the Bureau invites comments from “any interested parties, including consumers, small businesses, advocates, financial institutions, investors, and experts in privacy, technology, and national security.” The notice is “one of many efforts within the Federal Reserve System to plan for the future of realtime payments and to ensure a fair and competitive payments system in our country.” Comments are due by December 6.
On November 3, the House Financial Services Subcommittee on Consumer Protection and Financial Institutions held a hearing titled “Cyber Threats, Consumer Data, and the Financial System.” The hearing examined cybersecurity and consumer data protection challenges for financial institutions, discussed agencies efforts to strengthen cyber defenses for financial institutions, and reviewed the current legal framework governing data security. According to a committee memorandum, cyberattacks on banks are increasing in number. In the first half of 2021, banks and credit unions saw a 1,318 percent increase in ransomware attacks. In written testimony, one of the witnesses expressed his concern regarding the technological disparity between minority depository institutions (MDI) and large banks, observing that “cultural shifts inside the financial services industry, including the core processors and regulators, are necessary to help MDIs better orient themselves to meet new customer demands.” Another witness discussed in his written testimony support for the NCUA to obtain data security and privacy authority over third-party vendors, which is an authority currently given to other federal agencies. Among other things, the hearing addressed several bills on cybersecurity and consumer protection: (i) Safeguarding Non-bank Consumer Information Act; (ii) Strengthening Cybersecurity for the Financial Sector; and (iii) Enhancing Cybersecurity of Nationwide Consumer Reporting Agencies Act. Specifically, one of the witnesses in his written testimony recommended that Congress revise the definition of “data aggregators” in the Safeguarding Non-bank Consumer Information Act to ensure that it covers non-financial institution entities and individuals.
Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring it cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500. At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.
On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’ personal and private information when defendants were the targets of security breach incidents where an unauthorized user’s access to the defendants’ network and computer systems resulted in unauthorized access of personal, private information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs sued after learning that the defendants were targeted by hackers in December 2020, which affected over 5.8 million customers, and again in March 2021, which affected more than 324,000 customers. This conduct, the plaintiffs contended, violated the California Consumer Privacy Act, the California Consumers Legal Remedies Act, California’s Unfair Competition Law, and various state common laws. While the defendants denied allegations of wrongdoing and liability, and asserted defenses to the individual and class claims, the parties reached a proposed settlement, in which class members (defined as “all natural persons residing in the United States who were sent notice letters notifying them that their PII was compromised in the Data Incidents announced by Defendants on or about March 16, 2021 and on or about May 25, 2021”) will be provided automatic access to 18 months of credit monitoring and financial account protection. Additionally, every class member can make a claim for up to $10,000 in reimbursement for out-of-pocket losses. The preliminarily approved settlement also provides for class counsel fees and expenses not to exceed roughly $2.5 million and class representative service awards of $1,500.
On October 28, the U.S. District Court for the Northern District of Illinois denied a Delaware-based technology management service defendant’s motion to dismiss a putative class action that alleged it stored and collected biometric data from employees of companies that utilized the defendant’s timekeeping services. The court also granted the plaintiff’s motion to remand two of her three claims to state court because the plaintiff had not alleged an injury in fact sufficient to establish Article III standing in federal court for those claims.
The plaintiff alleged that the defendant violated the Illinois’ Biometric Information Privacy Act (BIPA) by selling time and attendance solutions to Illinois employers, including biometric-enabled hardware such as fingerprint and facial recognition scanners that collected and stored employee biometrics data. The plaintiff alleged that the defendant violated Section 15(a) of BIPA by failing to publish a retention schedule for the biometric data, violated Section 15(b) of BIPA by obtaining the plaintiff’s biometric data without first providing written disclosures and obtaining written consent, and violated section 15(c) of BIPA, by participating in the dissemination of her biometric data among servers. According to the district court, the plaintiff lacked standing regarding the Section 15(a) claim because the harm resulting from the defendant’s failure to publish a retention policy was not sufficiently particularized and the plaintiff had not otherwise alleged a concrete injury resulting from the violation. The district court concluded that the plaintiff’s Section 15(c) claim also lacked standing because, though she alleged that the defendant profits off its biometric data collection practices by marketing its biometric time clocks that utilize the software as “superior options” and “gains a competitive advantage”, the “complaint doesn't allege an injury in fact stemming from [the defendant’s] profiting off of [the plaintiff’s] biometric data.”
With regard to the Section 15(b) claim, the district court rejected the defendant’s argument that the requirement to inform clients regarding its biometric data collection and receiving written consent did not apply, noting that the defendant is right that it “doesn’t penalize mere possession of biometric information.” However, that does not help the defendant “because the complaint alleges that defendant did more than possess [the plaintiff’s] biometric information: it says that [the defendant] collected and obtained it.” Additionally, the district court rejected the defendant’s argument that it is not liable as a third-party vendor who lacks the power to obtain the required written releases from its clients’ employees. The district court stated that “while it’s probably true that [the defendant] wasn’t in a position to impose a condition of employment on its clients’ employees, the statutory definition of a written waiver doesn’t excuse vendors like [the defendant] from securing their own waivers before obtaining a person’s data.”
- Jeffrey P. Naimon to discuss “Section 1071: Small business data collection & fair lending” at the American Bar Association Consumer Financial Services Winter Meeting 2022
- Jonice Gray Tucker to discuss “Getting your company ready: Managing fair lending for IMBs” at the Mortgage Bankers Association Independent Mortgage Bankers Conference
- Jonice Gray Tucker to discuss “Be Your Compliance Best in 2022” at the California Mortgage Bankers Association webinar
- Lauren R. Randell to discuss “Significant legal developments in the Northeast” at the 37th Annual National Institute on White Collar Crime
- Jonice Gray Tucker to discuss “Small business & regulation: How fair lending has evolved & where it is heading?” at the Consumer Bankers Association Live program