
InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC Announces Settlement of More Than $104 Million with Company for Selling Sensitive Financial Information

    Privacy, Cyber Risk & Data Security

    On July 5, the FTC issued a press release announcing a settlement of more than $104 million with a lead generation company for allegedly misleading loan applicants with promises of matching consumers with lenders that could offer the best loan terms. Actually, the FTC asserts, defendants were selling the applications, including sensitive personal information such as Social Security numbers and bank account numbers, to anyone who would pay for them “without regard for how the information would be used or whether it would remain secure.”

    The proposed order accompanying the settlement states that defendants used deceptive and unfair acts or practices in the course of their lead generation activities, and permanently prohibits defendants from misrepresenting financial products or services to consumers. It also enjoins defendants from selling or transferring a consumer’s personal information unless the consumer has provided consent and provides that defendants may not benefit from any consumer information collected before the entry of the order. Further, defendants must destroy all personal consumer information in any form within 30 days after the order.

    In addition to the above settlement terms, the defendants agreed to (i) compliance monitoring, (ii) creating certain records for ten years after the date of entry of the order, and (iii) compliance reporting.

    Although defendants have filed for bankruptcy, they agreed that the amount owed to the FTC in the settlement will not be dischargeable.

    Privacy/Cyber Risk & Data Security Courts Consumer Lending Internet Lending FTC

  • Data Breach Lawsuit Settled for $115 Million

    Privacy, Cyber Risk & Data Security

    On June 23, one of the nation’s largest health insurers agreed to pay $115 million to settle a data breach class action suit pending in the U.S. District Court for the Northern District of California. In 2015, the insurer announced that it had been hacked and that customer information had been compromised. On June 23, Plaintiffs submitted to the court a memorandum in support of the settlement. The settlement, if approved by the court, will provide almost 80,000 proposed class members with extended credit monitoring for at least two years. Additionally, the settlement will require the insurer to “implement or maintain meaningful, specific changes to its data security practices that directly address the security elements that Plaintiffs believe contributed to the breach,” including hiring independent consultants to perform annual IT risk assessments and compliance reviews, and providing the results of those audits to Plaintiffs’ counsel.

    Privacy/Cyber Risk & Data Security Fintech Data Breach Consumer Finance

  • FTC Releases Updates to COPPA Compliance Plan

    Agency Rule-Making & Guidance

    On June 21, the FTC released updated guidance designed to assist businesses when complying with the Children’s Online Privacy Protection Rule (COPPA), which regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. Specifically, the updates address the following issues: (i) the method by which companies monitor the collection of personal data as technology evolves in order to stay compliant; (ii) the ways COPPA impacts the “Internet of Things” as new “connected devices” continue to expand beyond websites and mobile apps; and (iii) new methods such as “knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID” to obtain parental consent. Additionally, the FTC revised its Six-Step Compliance Plan for Your Business to help companies determine whether they are covered by COPPA and how to comply with the rule.

    Agency Rule-Making & Guidance FTC Privacy/Cyber Risk & Data Security Compliance Internet of Things

  • Bipartisan Coalition of State Attorneys General File Petition to the FCC Seeking Broadband Consumer Protections

    Agency Rule-Making & Guidance

    On June 19, New York Attorney General Eric T. Schneiderman announced a petition filed on behalf of a bipartisan coalition of 35 state attorneys general to jointly oppose a cable and telecommunications industry petition, which is intended to stop state and local authorities from enforcing state consumer protection laws and leave the regulating of broadband disclosure requirements to the authority of the FCC. In seeking a declaratory ruling from the FCC, the industry groups request confirmation and clarification on federal regulatory requirements governing broadband speed disclosures, and further assert that “national, uniform rules [are] particularly important” once the FCC launches procedures to implement a “national ‘light-touch framework.’” In response to the petition, the FCC filed a public notice for comment on May 17. The state attorneys general, in responding to the request, claim the petition “asks the FCC to convert a limited safe harbor from FCC’s own enforcement, into blanket federal and state immunity for fixed and wireless broadband companies from liability for false statements contained in advertisements and marketing.” Furthermore, they assert that the industry groups are seeking a ruling that exceeds the FCC’s authority, is “procedurally improper,” and would “upend the longstanding dual federal-state regulation of deceptive practices in the telecommunications industry—which would leave consumers across the country without the basic state protections from unfair and deceptive business practices.”

    Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security State Attorney General Disclosures

  • FCC Proposes $120 Million Fine for Spoofed Robocalls

    Privacy, Cyber Risk & Data Security

    On June 22, the Federal Communications Commission (FCC) announced a proposed fine of $120 million against a telemarketer for violating the Truth in Caller ID Act. The agency claims that the individual made nearly 100 million calls in which he falsified caller ID information in order to display incorrectly the same area code and first three digits as the consumer he was calling. “Neighbor spoofing,” according to the FCC, is an illegal technique used to appear to be calling from the recipient’s own area. If the recipient answered the call, the caller would then offer travel packages falsely claiming to represent well-known hotel and travel companies. The citation and order provides the telemarketer with 30 days to respond to the FCC.

    Privacy/Cyber Risk & Data Security FCC

  • OCC to Host Operational Risk Workshop, Will Hold Innovation "Office Hours"

    Agency Rule-Making & Guidance

    On July 25, the OCC will host an operational risk workshop in Charleston, WV for directors of national community banks and federal savings associations supervised by the OCC. The workshop will focus on the key components of operational risk, governance, third-party risk, vendor management, and cybersecurity.

    Additionally, from July 24 through 26, the OCC’s Office of Innovation will hold “Office Hours” in New York City for national banks, federal savings associations, and fintech companies to provide an opportunity for attendees to discuss matters related to financial technology, new products and services, bank or fintech partnerships, as well as other items related to financial innovation. Meeting requests are due by July 5.

    Agency Rule-Making & Guidance OCC Risk Management Vendor Management Privacy/Cyber Risk & Data Security

  • 15 State Attorneys General Clarify Data Breach Notification Laws

    Privacy, Cyber Risk & Data Security

    On June 5, 15 state attorneys general issued a joint letter to an e-commerce hosting company refuting the company’s assertion in its FAQ provided to online retailers that they are not obligated to notify customers of a data breach in situations where credit card CVV numbers were not disclosed. According to claims made by the attorneys general, the company erroneously stated that, pursuant to the identified states’ data breach notification laws, “there is no obligation to notify in those states . . . if your customers’ CVV data was not exposed.” The attorneys general argued that this is incorrect and stated, “[t]he CVV number does not have to be disclosed to trigger our states’ notification obligations.” The letter cited as an example New York General Business Law § 899-aa(1)(b)(3), which stipulates that companies must provide notification of a data breach to affected customers when a credit or debit card number plus “any required security code, access code, or password” that would permit access to the account is obtained by an unauthorized party. The attorneys general stated that a CVV code is not a required access code because the card can be used without it. The company is required to provide clarification regarding its FAQ to affected client retailers.

    Privacy/Cyber Risk & Data Security State Attorney General Data Breach Credit Cards Consumer Finance

  • BAFT Announces 2017 Global Payments Symposium; Will Highlight Advances in Payments Innovation, Blockchain, and Artificial Intelligence

    Fintech

    On July 19 and 20, the Bankers Association for Finance and Trade (BAFT) will host its 2017 Global Payments Symposium in New York City. The symposium will help bankers and payments professionals understand the latest innovation trends affecting compliance, payments, blockchain, fintech, cybercrime, and artificial intelligence, among others. BAFT will also discuss methods to integrate innovations into the business lines and how global challenges and best practices impact the U.S.

    Fintech Digital Assets BAFT Blockchain Privacy/Cyber Risk & Data Security Payments Distributed Ledger

  • Filipino National Sentenced for Running $9 Million Cybercrime Ring

    Financial Crimes

    On June 8, a U.S. District Court Judge sentenced a Filipino national to over five years in prison and two years of supervised release after the defendant pleaded guilty to conspiracy to commit bank fraud last year. The defendant operated a $9 million international cybercrime operation that utilized stolen credit and debit accounts to process unauthorized financial transactions, according to an investigation led by the District of New Jersey U.S. Attorney’s Office. To obtain credit and debit card account information, the defendant engaged in computer hacking and ATM skimming, whereby millions of dollars were “monetized” through a “global network of ‘cashers’” who encoded the data onto counterfeit cards and then used the cards to withdraw money and make purchases.

    Financial Crimes Privacy/Cyber Risk & Data Security Litigation Credit Cards Debit Cards Anti-Money Laundering Fraud ATM

  • FTC Announces Settlement with Operators of Tech Support Scam

    Privacy, Cyber Risk & Data Security

    On June 7, the FTC announced two settlements in a pending action brought against defendants who allegedly used pop-up internet ads to deceive consumers into believing their computers were infected and then sold unnecessary technical support services to fix the issues. Under the terms of the settlements (available here and here), the defendants (i) will relinquish assets worth a combined total of nearly $6 million to provide restitution to victims, and (ii) are banned from marketing, promoting, or misrepresenting technical support products or services in the future. The settlement is part of the FTC’s ongoing efforts to pursue tech support scams through its Operation Tech Trap initiative. (See previous InfoBytes coverage here.)

    Privacy/Cyber Risk & Data Security FTC Enforcement Settlement Securities Litigation
