In the last three months, five class action cases filed in California under the state’s “Shine a Light” statute have alleged that online businesses, including Microsoft Corp., CBS Interactive Inc., and Time Inc., failed to properly label links to their privacy policies. The five suits, all filed by a single firm, claim $3,000 per violation plus additional damages (Boorstein v. CBS Interactive Inc., Cal. Super. Ct., No. 476015, complaint filed 12/28/11; Boorstein v. Men's Journal LLC, Cal. Super. Ct., No. 475697, complaint filed 12/22/11; Miller v. Hearst Communications, C.D. Cal., No. 12-733, complaint filed 1/27/12; Murray v. Time Inc., N.D. Cal., No. 12-431, notice of removal filed 1/26/12; Smith v. Microsoft Corp., Cal. Super. Ct., No. 476413, complaint filed 1/9/12). The “Shine a Light” statute, in effect since 2005, requires businesses that collect California residents’ personal data and then share that data for marketing purposes either to disclose that sharing or to allow consumers to opt out of it. Each defendant company allegedly mislabeled links to its online privacy policy or otherwise failed to meet the statute’s requirements.
On February 22, California Attorney General Kamala Harris announced an agreement with six leading mobile platform companies to ensure that apps on those platforms have privacy policies. Privacy policies are already required under the California Online Privacy Protection Act, which governs commercial websites and online services that collect personal data from California residents. The new agreement also includes commitments from the six companies - Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion - to educate app developers about user privacy obligations.
On February 23, the White House released a report on consumer privacy, setting out a Consumer Privacy Bill of Rights. The proposed Bill of Rights consists of seven broad principles, including individual control, security, and transparency of data use. The report asks Congress to codify the recommendations as a statute enforceable by the Federal Trade Commission, and identifies FTC enforcement as critical to ensuring privacy protections. Pending or absent congressional action, the report promises that the administration will work with the private sector to adopt new protections on a voluntary basis. The administration will hold stakeholder forums to develop legally enforceable codes of conduct. Finally, the report addresses the need for international interoperability and coordination of enforcement.
NIST Publishes Recommendations for Establishing Governance Structure for Implementation of National Trusted Identities Strategy
On February 7, the National Institute of Standards and Technology (NIST) published a report with recommendations for developing a governance system to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC directs the federal government to work with private sector stakeholders to establish and maintain an identity ecosystem for internet transactions aimed at promoting trust, privacy, and security. The report summarizes comments received in response to a June 2011 Notice of Inquiry (NOI) that sought public input regarding the establishment and structure of a private sector-led steering group to implement the NSTIC. Based on those comments, stakeholder workshops, and best practices from similar governance efforts, the report presents recommendations in four areas: (i) steering group initiation, (ii) steering group structure, (iii) stakeholder representation, and (iv) international coordination. The report also includes a recommended charter to establish the steering group and notes that, subject to public comment and finalization of the approach outlined in the report, NIST intends to initiate a competitive grant program to fund a secretariat responsible for convening the initial steering group.
On January 25, the European Union Commission officially released a proposed Regulation designed to update and replace the 1995 Data Protection Directive and the national laws issued under that directive. The proposal is designed as a regulation rather than a directive, allowing it to take effect without national implementing legislation. The proposal will instead be submitted to the European Parliament and member states for adoption and would become effective two years after adoption. Notably, the proposed Regulation contains a “right to be forgotten” provision, which gives individuals the right, under certain circumstances, to seek the erasure of personal data and a halt to further dissemination of such data. Other provisions of the Regulation would (i) require explicit data subject consent for processing, where previously consent could be inferred in some cases; (ii) require data breaches to be reported to the national supervisory authority and, in certain cases, to the data subject; and (iii) provide data subjects the right to file complaints with national data protection authorities and seek judicial remedies, including damages, for violations of the Regulation. An earlier unofficial draft of this regulation was reported in InfoBytes, December 23, 2011. The two proposals are substantially similar, though the officially released version does lower the limits for penalties under the Regulation.
On January 26, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 12-05, notifying institutions of an increase in reports of customer funds being stolen through improper access to customer email accounts and unauthorized electronic instructions to transfer or withdraw funds. FINRA urged firms to review policies and procedures to ensure protection of customer funds, particularly in cases where the request for funds and transmittal are handled electronically. FINRA recommends that policies and procedures include methods for confirming the identity of the requestor, as well as a system to identify and respond to “red flags.” Concurrent with the regulatory notice, FINRA issued an alert to investors warning about the increased account breach activity and providing tips for protecting account information and funds.
On January 24, the U.S. Court of Appeals for the Third Circuit affirmed a district court holding that printing partial expiration dates does constitute a Fair and Accurate Credit Transactions Act (FACTA) violation, but held that the merchant in this case did not willfully violate FACTA by printing a portion of credit card expiration dates on customer receipts. Long v. Tommy Hilfiger U.S.A., Inc., No. 11-1554, 2012 WL 180874 (3d Cir. Jan. 24, 2012). The consumer alleged, on behalf of a putative nationwide class, that the merchant’s practice of printing receipts that included the expiration month, but not the year, willfully violated FACTA’s prohibition against printing “more than the last five digits of a credit card number or the expiration date upon any receipt provided” at the time of a transaction. On appeal, the court considered two questions: (i) whether the consumer properly alleged a FACTA violation, and (ii) whether the merchant’s alleged conduct constituted a willful violation of FACTA. The court held that FACTA prohibits the printing of partial expiration dates, and that the plaintiff therefore did properly allege a FACTA violation. The court explained that “expiration date” is not defined in the law, and found that “the most natural reading of the phrase” prohibits merchants from printing any of the numbers that appear in the expiration date field on a credit or debit card. If Congress had intended to allow partial expiration dates, the court stated, it would have used language similar to that used with regard to partial credit card numbers. However, the court held that the consumer could not recover statutory damages of $100 to $1,000 per violation, punitive damages, and attorneys’ fees, because the merchant’s action was not willful. Relying on the standard set in Safeco Insurance Company of America v. Burr, 551 U.S. 47 (2007), the court held that the merchant’s interpretation that the statute permits partial expiration dates was not “objectively unreasonable,” because the statute does not provide a definition for “expiration date” and the interpretation has some foundation in the statutory text. According to the court, although the merchant’s interpretation of FACTA was wrong, it did not constitute a willful violation of the law.
On January 20, the U.S. District Court for the Eastern District of California dismissed a putative class action brought on behalf of California residents against a company that lost multiple server drives containing personal and medical information. Whitaker v. Health Net of Cal., Inc., No. 11-910, 2012 WL 174961 (E.D. Cal. Jan. 20, 2012). The named plaintiff alleged that the loss of the drives and personal information violated California’s Confidentiality of Medical Information Act. Relying on the Ninth Circuit decisions in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and Ruiz v. Gap Inc., No. 09-15971, 380 F. Appx. 689 (9th Cir. May 28, 2010), the plaintiff argued that a threat of harm naturally stems from the loss of data alone. The court held, however, that there is a difference between theft and loss of data. Unlike those prior cases, in which personal data was obtained by hacking or a data breach, the loss of data does not present any actual or immediate harm, only conjectural or hypothetical harm. The court held that the plaintiff lacked standing and dismissed the case with leave to amend, because the mere possibility of harm is not sufficient to meet the constitutional injury-in-fact standard.
On January 6, the U.S. District Court for the District of Massachusetts found that a retailer’s collection of ZIP codes during a credit card transaction can constitute a violation of Mass. Gen. Laws ch. 93, §105(a) (the Act), but held that a plaintiff must allege actual harm. Tyler v. Michaels Stores, Inc., No. 11-10920, 2012 WL 32208 (D. Mass. Jan. 6, 2012). The complaint, filed on behalf of a putative class, alleged that a retailer’s request for customer ZIP codes when processing credit card transactions violates the Act because ZIP codes constitute protected personal identification information (PII). Noting that the plaintiff alleged only that she had received unwanted mail, not that the information was sold or otherwise exposed her to an increased risk of fraud, the court agreed with the retailer and held that the plaintiff failed to allege actual injury. However, the court found that ZIP codes are PII under the Act, and that plaintiff had alleged a per se statutory violation. The court warned that "[s]ince retailers so routinely request a customer's ZIP code at the point-of-sale in a credit card transaction, they ought note here that this Court holds [the retailer] potentially to have violated [the Act] if such request was made during a transaction in which the credit card issuer did not require such disclosure.” The court’s decision also distinguished the Act as "much narrower in scope” than California’s Song-Beverly Act, which is intended not only to prevent fraud like the Act, but also to "prevent retailers from directly or indirectly obtaining personal identification information for marketing purposes," which was the subject of the California Supreme Court’s holding in Pineda v. Williams Sonoma, Inc., 246 P.3d 612 (Cal. Sup. Ct. 2011). On January 13, plaintiff moved the court to certify the question of law at issue in this case to the Massachusetts Supreme Court.
On January 5, the FTC announced that Upromise had agreed to settle charges that its collection of consumers’ personal information was deceptive and an unfair practice, and that the collection violated federal law. Upromise’s website offered consumers a “TurboSaver Toolbar” download with a “Personalized Offers” feature to tailor savings opportunities to the consumer. The FTC alleged that the feature collected and transmitted, without encryption, the names of websites consumers visited, which links they clicked on, and information entered into webpages such as search terms, user names, and passwords. According to the FTC, the information collected also included credit card and financial account numbers, security codes and expiration dates, and Social Security numbers. Upromise’s privacy statement, however, stated that (i) the toolbar would only infrequently and inadvertently collect personal identifying information, (ii) personal information would be removed before the data was transmitted, and (iii) Upromise automatically encrypts users’ sensitive information. The proposed settlement requires in part that Upromise (i) destroy data collected, (ii) update its disclosures, (iii) notify consumers regarding the type of information collected and how to disable the toolbar, and (iv) obtain a biennial independent audit for the next twenty years. The proposed settlement is open for public comment through February 6.