On September 24, the European Court of Justice held that Europe’s “right to be forgotten” online privacy law — which allows individuals to request the deletion of personal information from online sources that the individual believes infringes on their right to privacy—can be applied only in the European Union. The decision results from a challenge by a global search engine to a 2015 order by a French regulator, Commission Nationale de l'Informatique et des Libertés (CNIL), requiring the search engine to delist certain links from all of its global domains, not just domains originating from the European Union. The search engine refused to comply with the order, and the CNIL imposed a 100,000 EUR penalty. The search engine sought annulment of the order and penalty, arguing that the “right to be forgotten” does not “necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.” Moreover, the search engine asserted that the CNIL “disregarded the principles of courtesy and non-interference recognised by public international law” and infringed on the freedoms of expression, information, and communication.
The Court of Justice agreed with the search engine. Specifically, the Court noted that while the “internet is a global network without borders” and internet users’ access outside of the EU to a referencing link to privacy-infringing personal information is “likely to have immediate and substantial effects on that person within the Union itself,” there is no obligation under current EU law for a search engine to carry out the requested deletion on all global versions of its network. The Court explained that numerous nations do not recognize “the right to be forgotten” or take an alternate approach to the right. Additionally, the Court emphasized that “the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” The Court concluded that, while the EU has struck that balance within the Union, “it has not, to date, struck such a balance as regards the scope of a de-referencing outside of the union.”
On September 18, the U.S. District Court for the Northern District of California dismissed with prejudice a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. The court stated that the plaintiffs plausibly alleged the defendants’ November 2017 announcement about the data breach was misleading because it “disclosed only a security vulnerability, rather than an actual security breach that potentially compromised” 1.6 million customers, which the plaintiffs contended was not actually disclosed until a month later when a follow-up statement was released. However, the court argued that the plaintiffs failed to show under the loss-causation theory that the defendants knew the breach affected 1.6 million customers when the company made its first statement, and contended that confidential witness statements provided by the plaintiffs from three former employees did not credibly support allegations that the defendants and its executives knew the full extent of the breach when they warned of potential vulnerabilities or “used that knowledge (or recklessly disregarded it) to deceive the market.” Furthermore, the court determined that while both parties agreed that a plaintiff can support a securities fraud claim with expert opinions, the plaintiffs in this case failed to allege that the cybersecurity expert they hired was familiar with, or had knowledge of, the defendants’ specific security setup or that he actually talked to the defendants’ employees about the breach. According to the court, the expert provided an opinion on “what likely would have happened in the event of any breach.”
On September 12, the CFTC issued an order against an Illinois-based futures commission merchant imposing a $1.5 million fine for allegedly failing to protect its systems from cybersecurity threats and not alerting its customers in a reasonable timeframe after a breach occurred. According to the order, the CFTC claims the merchant failed to adequately implement and comply with cybersecurity policies and procedures as well as a written information systems security program, and “policies and procedures related to customer disbursements by its employees.” The CFTC contends that because of these failures the merchant’s email system was breached, which allowed access to customer information and convinced the merchant’s customer service specialist to mistakenly wire $1 million in customer funds. While the merchant approved reimbursement of the funds shortly after discovery, instituted measures to prevent additional fraudulent transfers, and notified regulators the same day, the CFTC alleges it failed to disclose the breach or the fraudulent wire in a timely manner to current or prospective customers. Under the terms of the order, the merchant must pay a civil money penalty of $500,000 plus post-judgment interest, as well as restitution of $1 million. The merchant’s previous reimbursement of customer funds when the fraud was discovered was credited against the restitution amount.
Special Alert: California Legislature passes several amendments to the California Consumer Privacy Act and other privacy-related bills
Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. While the amendments, which California Governor Gavin Newsom must sign by October 13, leave the majority of the consumer’s rights intact, certain provisions were clarified — including the definition of “personal information” — while other exemptions were added or clarified regarding the collection of certain data that have a bearing on financial services companies.
This Special Alert provides an overview and status update of CCPA-related and other privacy bills that were recently considered by the California legislature.
If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
On September 18, the CFPB published a notice in the Federal Register seeking comments on the use of Tech Sprints—forums which gather “regulators, technologists, financial institutions, and subject matter experts from key stakeholders for several days to work together to develop innovative solutions to clearly-identified challenges”—as a means to encourage regulatory innovation and collaborate with stakeholders on forming solutions to regulatory compliance challenges. The Bureau notes that Tech Sprints have been successfully used by the U.K.’s Financial Conduct Authority, which has organized seven Tech Sprints since 2016, resulting in a pilot project on digital regulatory reporting. The Bureau is interested in using Tech Sprints to, among other things: (i) leverage cloud solutions and other developments that may reduce or modify the need for regulated entities to transfer data to the Bureau; (ii) continue to innovate the HMDA data submission process; (iii) identify new technologies and approaches that can be used by the Bureau to provide more cost-effective oversight of supervised entities; and (iv) reduce other unwarranted regulatory compliance burdens. Comments must be received by November 8.
On September 6, the National Institute of Standards and Technology (NIST) released a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to help organizations assess and reduce risks. The draft framework is designed to align with NIST’s Cybersecurity Framework (previously covered by InfoBytes here), which provides guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. The draft framework establishes three components to reinforce privacy risk management: (i) the “Core” describes a set of privacy activities and outcomes used to manage risks that arise from data processing or are associated with privacy breaches; (ii) “Profiles” cover an organization’s current privacy activities or desired outcomes that have been prioritized to manage privacy risk; and (iii) “Implementation Tiers” address how organizations see privacy risk, and whether they have sufficient processes and resources in place to manage that risk. According to NIST, “Finding ways to continue to derive benefits from data while simultaneously protecting individuals’ privacy is challenging, and not well-suited to one-size-fits-all solutions.” Public comments will be accepted through October 24.
On September 6, the Illinois Appellate Court, 5th District, vacated a circuit court’s $4.3 million settlement in a class action brought against a merchant for allegedly violating the Fair and Accurate Credit Transaction Act (FACTA) when it printed the first six and last four digits of customers’ 16-digit credit card account numbers on receipts. The appeals court held, among other things, that the “record is devoid of facts that would have permitted a reasoned judgment that the class settlement was fair, reasonable and in the best interests of all affected.” Under FACTA, merchants are prohibited from printing on a receipt more than the last five digits of a consumer’s credit card number, or the card’s expiration date. A class action suit claiming the merchant violated the restriction was originally filed in New York federal court, but the preliminarily approved settlement was later dismissed after objectors argued that the plaintiffs lacked standing. The named plaintiff requested dismissal of the federal action and immediately filed suit in Illinois state court, asking the court to adopt a settlement agreement identical to the one that had been preliminarily approved by the federal court. The objector appealed once again, challenging, among other things, (i) the named plaintiff’s ability to adequately represent the settlement class; (ii) the original class notice, which she argued was insufficient to cover the state court settlement; and (iii) the “fairness, reasonableness, and adequacy of the ‘coupon settlement,’” in which class members received $12 merchant gift cards, while the named plaintiff received $4,000 and class counsel was awarded $500,000.
On appeal, the appeals court disagreed with the objector’s contention that the named plaintiff lacked standing to represent the class because he kept his receipt and therefore had not been injured under FACTA, but found “a number of red flags” regarding the sub-class of more than 350,000 members of the merchant’s loyalty program, questioning whether the named plaintiff was an adequate representative for those class members since there was nothing in the record indicating whether he was a member of the program. Moreover, the appeals court agreed with the objector that the original class notice provided under the federal settlement did not sufficiently protect the due process rights of the settlement class, and that “due process requires the giving of notice anew of the pending state court settlement to absent class members so that they have the opportunity to protect their own interests.” The appeals court remanded the case to allow the trial court to more carefully scrutinize the terms of the settlement, stating that “we are unable to determine whether the trial court evaluated the merits of the cause of action, the prospects and problems of litigating the cause or the fairness of the terms of compromise.” The appeals court also ordered the trial court to further explain its findings that the $500,000 attorneys’ fee award and $4,000 lead plaintiff award are reasonable given the possibility that not every class member will use the coupon.
District Court allows majority of privacy invasion class action claims to proceed against social media company
On September 9, the U.S. District Court for the Northern District of California granted in part and denied in part a social media company’s motion to dismiss a multidistrict class action alleging the company failed to prevent third parties from accessing and misusing private data of its users, in violation of the Stored Communications Act (SCA), the Video Privacy Protection Act (VPPA), and various state laws. In the consolidated action, the plaintiffs allege that the company (i) made sensitive user information—including basic facts such as gender, age, and address; and substantive content such as photos, videos, and religious and political views—available to third parties without user consent; and (ii) failed to prevent those same third parties from selling or otherwise misusing the information. The company moved to dismiss the action, arguing, among other things, that “people have no legitimate privacy interest in any information they make available to their friends on social media.”
The district court disagreed, concluding that most of the plaintiffs’ claims should survive, and that the company “could not be more wrong” in its argument that its users lose all privacy interest in the information they share with their friends on social media. The court asserted that when a user shares information with a limited audience, they “retain privacy rights and can sue someone for violating them.” The court also rejected the company’s argument that the plaintiffs did not have standing to sue in federal court because they could not show “tangible negative consequences from the dissemination of [the] information.” The court noted that privacy invasion is a redressable injury in itself and does not need a secondary economic injury to confer standing. Additionally, while the court recognized that the company’s argument that the users consented to this practice has “some legal force,” it cannot “defeat the lawsuit entirely, at least at the pleading stage.” Therefore, the court denied the motion as to the VPPA and narrowed certain claims under the SCA and California state laws, mostly with regard to claims on behalf of users who signed up for the service after 2009, who purportedly authorized the company to share information through their friends with app developers.
On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
As previously covered by InfoBytes, in its complaint the FTC alleged that the company failed to, among other things, (i) implement an organizational information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, which resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The approved settlement requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the settlement requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
On September 4, the FTC and the New York Attorney General announced (see here and here) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the complaint, the video-sharing site allegedly collected personal information in the form of “persistent identifiers” from viewers of child-directed channels without first obtaining verifiable parental consent. The persistent identifiers allegedly generated millions of dollars in revenue by delivering targeted ads to viewers. The FTC and New York AG allege, among other things, that the defendants knew the video-sharing site hosted numerous child-directed channels but told advertisers that the video-sharing site contains general audience content, even informing one advertising company that it did not have users younger than 13 on its platform and therefore channels on its platform did not need to comply with COPPA.
Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13—including through the use of persistent identifiers for targeted advertising purposes—unless the company has explicit parental consent. Furthermore, third parties—such as advertising networks—must also comply with COPPA where they have actual knowledge that personal information is being collected directly from users of child-directed websites and online services.
While neither admitting nor denying the allegations, except as specifically stated within the settlement, the defendants will, among other things, (i) pay a $136 million penalty to the FTC and a $34 million penalty to New York; (ii) change their business practices to comply with COPPA; (iii) maintain a system for channel owners to designate their child-directed content on the video-sharing site; and (iv) disclose their data collection practices and obtain verifiable parental consent prior to collecting personal information from children. According to the FTC, the $136 million penalty is “by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”
- Melissa Klimkiewicz to discuss "Private flood insurance updates" at the Mortgage Bankers Association Servicing Solutions Conference & Expo
- Jonice Gray Tucker and H Joshua Kotin to discuss regulatory compliance issues in the fintech industry at Protiviti's Risk & Compliance Innovation Roundtable
- APPROVED Checkpoint Webcast: CFL overview
- Amanda R. Lawrence and Sherry-Maria Safchuk to discuss "California privacy rule" on an NAFCU webinar
- Sasha Leonhardt to discuss "MLA & SCRA" on a NAFCU webinar
- Daniel P. Stipano to discuss "Pathway of the SARs: Tracking trajectories of suspicious activity reports from alerts to prosecution" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Which bud’s for you? A deep-dive into evolving marijuana laws" at the ACAMS International AML & Financial Crime Conference
- Brandy A. Hood to discuss "RESPA 8 (TRID applied compliance)" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- John P. Kromer to discuss "Navigating the multi-state fintech regulatory regime" at the American Conference Institute Legal, Regulatory and Compliance Forum on Fintech & Emerging Payment Systems
- Jonice Gray Tucker to discuss "Leveraging big data responsibly" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Hank Asbill to discuss "Critique of direct examination; Questions and answers" at the American Bar Association Section of Litigation Anatomy of a Trial: Murder Trial of Ziang Sung Wan
- Hank Asbill to discuss "What judges want from trial lawyers" at the American Bar Association Section of Litigation Anatomy of a Trial: Murder Trial of Ziang Sung Wan
- Steven R. vonBerg to speak at the "Conference super session" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference