On February 26, the U.S. District Court for the Northern District of California granted final approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. The settlement resolves consolidated class action claims that the social media company violated the Illinois Biometric Information Privacy Act (BIPA) by allegedly developing a face template that used facial-recognition technology without users’ consent. A lesser $550 million settlement deal filed in May (covered by InfoBytes here) was rejected by the court in August due to “concerns about an unduly steep discount on statutory damages under the BIPA, a conduct remedy that did not appear to require any meaningful changes by [the social media company], over-broad releases by the class, and the sufficiency of notice to class members.” (See InfoBytes coverage here.) The final settlement requires the social media company to pay $650 million into a settlement fund, plus $97.5 million for attorneys’ fees and expenses and $5,000 service awards to each of the three named plaintiffs. The social media company is also required to provide nonmonetary injunctive relief by setting all default face recognition user settings to “off” and by deleting all existing and stored face templates for class members unless class members provide their express consent after receiving a separate disclosure on how the face template will be used. Face templates for class members who have not had any activity on the social media platform will also be deleted. The court called the settlement a “landmark result,” noting it is one of the largest settlements ever for a privacy violation, and will provide each claimant at least $345.
On February 19, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Eastern District of Pennsylvania to resolve data security incident claims. Class members—comprised of a nationwide group of consumers whose credit and debit card information was compromised in a 2019 data security incident affecting a nationwide convenience store chain—alleged that “despite the foreseeability of a data breach” the convenience store chain, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” The claims also alleged that certain class members continued to experience fraudulent transactions on their payment cards, and that many class members spent time responding to the data security incident, spent money on protective measures, and may experience a heightened risk of future misuse of their payment card information.
Following mediation, the parties agreed to the preliminary settlement terms, which will provide monetary relief to class members through a three-tier system totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The convenience store chain is also required to take additional measures for a period of two years to prevent future unauthorized intrusions, including (i) retaining a qualified security assessor; (ii) conducting annual tests of its cybersecurity protocols; (iii) operating payment systems that encrypt payment card information and comply with credit card issuers’ security procedures, including systems at point-of-sale fuel pump terminals; and (iv) maintaining information security programs, policies, and procedures.
On February 24, during the Nationwide Multistate Licensing System Annual Conference, the Conference of State Bank Supervisors (CSBS) released an updated cybersecurity examination tool designed for nonbank financial company supervision. The tool is intended for state regulators to use during examinations, and CSBS encourages companies to use it to monitor their cybersecurity health between examinations. The tool is the newest addition to state regulators’ ongoing efforts to help nonbank companies—including fintech and payment companies, money transmitters, and mortgage companies—protect against, mitigate, and respond to cyber threats. While the current tool is “considered a baseline assessment for less complex and lower risk institutions,” CSBS notes that an additional tool is currently under development for release in Q2 2021 for more complex institutions.
NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data
On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’ consent or knowledge. In 2019, the governor directed NYDFS to investigate the company’s collection of sensitive personal data from smartphone apps after a media report emerged claiming that app developers regularly sent sensitive data to the company. According to the NYDFS press release, the report’s findings conclude, among other things, that inadequate controls at the company allowed sensitive data to be wrongfully shared, and that the company “did little to track whether app developers were violating its policies” and to date has taken “no real action against developers” that transmit the data. The report outlines various remedial measures the company has undertaken as a result of the investigation, including (i) building and implementing a screening system to identify and block sensitive information before it enters the company’s systems; (ii) enhancing app developer education to better inform developers that they are obligated to avoid transmitting sensitive data; and (iii) taking measures to give users more control over data that is collected about them, including from off-company activity. The report also includes recommendations for the company to implement to better protect consumer privacy and ensure app developers “are fully aware of the prohibition” on transmitting sensitive data. These steps include that the company should “do more to prevent developers from transmitting sensitive data in the first place rather than simply relying so heavily on a back-end screening system.” The report also urges the company to “undertake significant additional steps to police its own rules” by putting in place appropriate consequences for developers that violate them.
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include:
- Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal information (“or is the entity on behalf of which such information is collected”), and (i) have global annual gross revenues exceeding $25 million; (ii) annually buy, receive, sell, or share for commercial purposes, personal information of at least 50,000 consumers, households, or devices; or (iii) derive 50 percent or more of its gross revenue from the sale of personal information. Notably, data governed by certain federal regulations and specified protected health information are exempt from coverage.
- Consumer rights. Under the bill consumers will be able to, among other things, access their personal data; have available at least two methods for requesting personal information free of charge within a certain timeframe; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of third-party disclosure of their personal information collected by businesses. Businesses will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances, and will be prohibited from taking certain discriminatory actions against consumers who exercise certain rights. Additionally, the bill will provide that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
- Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information. The definition of “personal information” will also be revised “to include additional specified information to data breach reporting requirements.”
- Private cause of action. The bill will provide “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access,” and will allow consumers to bring a civil action for injunctive or declaratory relief, as well as damages that must be at least $100 but not more than $750 per consumer per incident or actual damages, whichever is greater. The Department of Legal Affairs is also authorized to seek civil penalties of no more than $2,500 for each unintentional violation or $7,500 for each intentional violation. However, fines may be tripled if a violation involves consumers 16 years of age or younger.
- Right to cure. Upon notification of any alleged violation of the law, businesses have 30 days to cure the alleged violation.
If enacted in its current form, the bill would take effect January 1, 2022. Florida is just one of several states that have recently introduced or advanced privacy legislation (continuing InfoBytes coverage available here).
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDFS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).
On February 8, the U.S. District Court for the District of Minnesota granted defendant’s motion for summary judgment, ruling that an insurance company is not obligated to indemnify a national retailer (plaintiff) for settlements paid to multiple banks to resolve claims over the costs of canceling and reissuing customers’ compromised credit and debit cards after a 2013 data breach. After the data breach, the banks sued the plaintiff for the costs associated with cancelling and reissuing the cards (payment card claims). The plaintiff notified the defendant of its potential liability for payment card costs associated with the data breach, claiming that the payment card claims were covered under the defendant’s commercial general liability policies. The defendant denied coverage under the policies, and the plaintiff filed a breach-of-contract action seeking both declaratory judgment that its liability for the payment-card claims was covered under the policies, as well as judgment against the defendant for the settlement payments related to the payment card claims. In granting the defendant’s motion for summary judgment, the court determined, among other things, that the plaintiff failed to “establish a connection between the damages incurred for settling claims related to replacing the payment cards and the value of the use of those cards, either to the payment-card holders or issuers.” As such, “the connection between the damages claimed and the loss of use of the payment cards is insufficiently direct and, therefore, the damages claimed are not loss-of-use damages covered under the policies,” the court stated, noting that the defendant’s policies only allowed for indemnification when the plaintiff had a legal obligation to pay damages because of a “loss of use” of “tangible property that is not physically injured.”
On February 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed dismissal of a class action complaint, which raised several claims against a restaurant following a data breach that exposed customers’ financial information, for the named plaintiff’s lack of standing. According to the opinion, a restaurant chain suffered a data breach when hackers gained access to customers’ credit and debit card information through an outside vendor’s remote connection tool. The restaurant chain provided notice to customers that their information “‘may’ have been accessed.” A consumer, who made two purchases during the data breach period, cancelled the credit cards he used and filed a class action two weeks after the announcement of the breach, alleging the company was negligent in failing to safeguard the credit card data, and violated the Florida Unfair and Deceptive Trade Practices Act (FUDTPA), among others. The district court dismissed the action for lack of standing, concluding that the consumer failed to identify a “single specific, concrete injury in fact that he or anyone else suffered as a result of any misuse of customer credit card information.”
On appeal, the 11th Circuit affirmed the district court’s holding. The appellate court rejected the consumer’s theories of standing, which were predicated on (i) a threatened “future injury” of identity theft, and (ii) the consumer’s alleged suffering of “mitigation injuries” (i.e., lost time, lost rewards points, and loss of access to accounts). The appellate court explained that in data breach cases like this, to have Article III standing the consumer must show a “substantial risk” of harm or that harm (e.g., identity theft) is “certainly impending.” The appellate court noted that despite the consumer still carrying “some risk of future harm involving identity theft,” that risk “is not substantial and is, at best, speculative” because the consumer “immediately cancelled his credit cards following disclosure [of the breach], effectively eliminating the risk of credit card fraud in the future.” Moreover, according to the appellate court, the consumer did not sufficiently allege an actual, present injury by “inflicting injuries on himself to avoid an insubstantial, non-imminent risk of identity theft.” The appellate court reasoned that “[t]o hold otherwise would allow an enterprising plaintiff to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S. regulator on this topic. In recognizing the growing risk and the challenges insurers face when trying to manage that risk, NYDFS advised insurers to “establish a formal strategy for measuring cyber insurance risk that is directed and approved by its board or other governing entity[.]” According to the guidance, the insurer’s strategy should be proportionate to the insurer’s risk and take into account “the insurer’s size, resources, geographic distribution, and other factors.” NYDFS also advised insurers to:
- Eliminate exposure to “silent” cyber insurance risk resulting from a cyber incident that an insurer is obligated to cover even though its policy “does not explicitly mention cyber incidents.”
- Evaluate systemic risk, including how catastrophic cyber events impact third-party vendors.
- Measure and assess potential cybersecurity gaps and vulnerabilities through a data-driven approach.
- Educate insureds and insurance producers on the value of cybersecurity measures, as well as the uses and limitations of cyber insurance.
- Recruit and hire employees with cybersecurity experience.
- Include a requirement in cyber insurance policies that victim-insureds notify law enforcement when a cyber attack occurs.
Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include:
- Applicability. The bill will apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Notably, financial institutions, data governed by federal regulations, nonprofit organizations, and certain protected health information are exempt from coverage.
- Consumers’ rights. Under the bill, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
- Controllers’ responsibilities. Data controllers under the bill will be responsible for (i) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (ii) not processing data for reasons incompatible with the specified purpose; (iii) securing personal data from unauthorized access; (iv) not processing data in violation of state or federal anti-discrimination laws; (v) obtaining consumer consent in order to process sensitive data; (vi) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (vii) providing clear and meaningful privacy notices.
- Data processing agreements/data protection assessments. The bill requires controllers to enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. Controllers must also conduct data protection assessments for all processing activities that involve targeted advertising, the sale of personal data, certain profiling activities, sensitive data, and any processing activities that present a heightened risk of harm to consumers.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
- Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the data controller written notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit.
The two bills next move to a reconciliation process, and if passed and signed into law, the bill will take effect January 1, 2023.