InfoBytes Blog

Financial Services Law Insights and Observations

  • Federal District Court Allows Discovery in Class Action Concerning Internet Company’s Collection of Biometric Data

    Privacy, Cyber Risk & Data Security

    In a Memorandum Opinion and Order handed down on February 27, a District Court in the Northern District of Illinois declined to dismiss a putative class action alleging that a cloud-based photographic storage service offered by an Internet company (the Company) violated the Illinois Biometric Information Privacy Act (BIPA) by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. Specifically, the Court rejected the Company’s argument that application of BIPA to facial geometry scanning by an internet service located outside of Illinois is an improper extraterritorial application of Illinois law.

    The Plaintiffs alleged that the Company failed to either (i) obtain the necessary authorization or consent to the creation and subsequent storing of “faceprints” by the photo storage service, or (ii) make publicly available a data retention and destruction schedule as required under the BIPA. In responding to these claims, the Company argued that the term “biometric identifier,” as defined in the BIPA, does not extend beyond “in-person scans of facial geometry” and does not cover photographs or information derived from photographs. The Company also sought to dismiss the case on jurisdictional grounds, arguing that under principles of federalism, pre-emption, and the extra-jurisdictional application of state law, the BIPA cannot properly regulate activity – such as the storage of data on the Company’s servers – that does not occur “primarily and substantially” within the state of Illinois.

    In analyzing the Company’s argument, the Court looked to the following two definitions set forth in the Illinois law:

    • “Biometric identifier,” which is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and explicitly “do[es] not include writing samples, written signatures, photographs. . . .”; and
    • “Biometric information,” which is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” and explicitly “does not include information derived from items or procedures excluded under the definition of biometric identifiers.” 

    Ultimately, the Court disagreed with the Company’s reading of “biometric data” because, among other reasons, “nothing in the text of [the BIPA] directly supports this interpretation.”  The Court deferred deciding on the Company’s arguments that the claims would require extraterritorial application of the statute and/or would violate the Dormant Commerce Clause by reaching beyond state boundaries, because, among other reasons, “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.”

    On March 9, the Company filed a motion seeking permission to file an interlocutory appeal to the Seventh Circuit, with a request for a stay of further proceedings pending the appellate court’s decision on the request for an appeal.  

    Privacy/Cyber Risk & Data Security Courts State Issues Biometric Data

  • OFR Director Delivers “Reducing the Regulatory Reporting Burden” Remarks at the Financial Data Summit

    Privacy, Cyber Risk & Data Security

    On March 16, the Office of Financial Research (OFR) posted remarks made by Director Richard Berner at the third annual Financial Data Summit hosted by the Data Transparency Coalition. "Reducing the Regulatory Reporting Burden" outlines OFR’s mission to identify areas of “duplication, overlap, and inefficiency in regulatory reporting,” presents steps to be undertaken in partnership with the Financial Stability Oversight Council (and its member agencies) to “improve data quality and reduce the reporting burden [by] requiring standards, including precise and agreed-on definitions, identifiers, and formats; industry-regulator agreement on essential data elements; adherence to best practices in data collection; and more data sharing among regulators,” and seeks participation and input from the private sector.

    Privacy/Cyber Risk & Data Security OFR Data Collection / Aggregation

  • FTC Enters Settlement Resolving Investigation into “Bogus Online Investment” Telemarketing Scheme

    Privacy, Cyber Risk & Data Security

    On March 13, the FTC announced a $25 million settlement with the operators of a national telemarketing scheme who allegedly stole millions of dollars from consumers in violation of the FTC Act and the Telemarketing Sales Rule. According to the complaint filed by the FTC in 2016, the defendants allegedly sold “bogus online investment opportunities” to consumers nationwide in the form of schemes such as opportunities to buy or invest in e-commerce related websites or credit card company/e-commerce website profit-sharing programs, and then pocketed the payments—some of which exceeded $20,000. The defendants did not admit or deny the facts alleged in the complaint in the stipulated final order with the FTC, which imposed a $25 million monetary judgment that was partially suspended. The order also prohibits the defendants from telemarketing, marketing investment opportunities, and selling or otherwise benefiting from consumers’ personal information.

    Consumer Finance FTC Telemarketing Sales Rule Privacy/Cyber Risk & Data Security

  • FCC, FTC Issue Joint Statement on Broadband Data Security Regulation; Senate Resolution Introduced to Repeal FCC Privacy Rules

    Privacy, Cyber Risk & Data Security

    On March 1, FCC Chairman Ajit Pai and acting FTC Chairman Maureen K. Ohlhausen issued a Joint Statement announcing an FCC Order (Stay Order) staying the enactment of certain data security provisions (§ 64.2005) adopted by the Commission late last year as part of its Broadband Privacy Order while the Commission and Congress consider an appropriate resolution of the broader Net Neutrality proceeding. Absent a stay, the rule was set to go into effect on March 2. Separate and apart from explaining the Stay Order, the Joint Statement effectively serves as a commitment by both the FCC and FTC to return “jurisdiction over broadband providers’ privacy and data security practices … to the FTC, the nation’s expert agency with respect to these important subjects.” Moreover, the statement also highlights what might be considered a guiding principle behind the new leadership at both the FCC and the FTC – namely, that “[a]ll actors . . . should be subject to the same rules” and “[t]he federal government shouldn’t favor one set of companies over another.”

    The Stay Order arose out of an October 2016 decision to amend the Broadband Privacy Order to include new “sector-specific privacy rules” that the FCC determined were “necessary to address the distinct characteristics of telecommunications services.” This final version, the Broadband Privacy Order, was published in the Federal Register (81 Fed. Reg. 87,274) on December 2, 2016.

    This amendment marked a substantial change from the original language included in the order as proposed back in March 2016, where the Commission “propose[d] to apply the traditional privacy requirements of the Communications Act to . . . broadband Internet access service (BIAS).” Then-commissioner and current FCC Chairman Pai strongly disagreed with the amendment at the time, filing a dissenting statement in which he argued that “it makes no sense” for the FCC to enact “rules that apply very different regulatory regimes based on the identity of the online actor” because, among other reasons, it will inhibit competition in the online advertising market and also “lead to consumer confusion about which online companies can and cannot use their data.” Thereafter, eleven separate timely petitions to reconsider the October 2016 Order were filed, along with a petition requesting that the Commission stay the effective date of the Order.

    The decision to delay the enactment of the new privacy regulations relied on Chairman Pai’s earlier argument that the data security rule as amended is not consistent with current FTC privacy standards, and thus found the March 2 effective date to be based on the incorrect underlying assumption that “carriers should already be largely in compliance with these requirements because the reasonableness standard adopted in [the] Order . . . resemble[] the obligation to which they were previously subject pursuant to Section 5 of the FTC Act.” As made clear by Chairman Pai in the Joint Statement, “[t]he stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rule.”

    Notably, shortly after the release of the Joint Statement, on March 7, Sen. Jeff Flake (R-Ariz), chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, introduced a joint resolution to formally provide for “congressional disapproval” of 81 Fed. Reg. 87,274, i.e., the Broadband Privacy Order referenced above, under the Congressional Review Act (CRA).  The CRA is a 1996 law that empowers Congress to repeal federal regulations.  According to a statement released by his office, Sen. Flake—who has long opposed the privacy regulations at issue—sent a letter back in January of last year to FCC Chairman Tom Wheeler expressing concerns that the FCC is “overreaching its authority” with its planned broadband regulations. The Arizona Senator thereafter, on May 11, 2016, chaired a Privacy, Technology and the Law Subcommittee hearing seeking “answers on the legality of the proposed FCC rules and the consequences for consumers and the future of the internet.” And, most recently, on March 1, Sen. Flake wrote a Wall Street Journal op-ed laying out his position on the matter.

    Privacy/Cyber Risk & Data Security FCC FTC U.S. Senate

  • FTC Issues New Top 10 Consumer Complaint Categories in Annual Summary

    Agency Rule-Making & Guidance

    On March 3, the Federal Trade Commission (FTC) issued an annual summary of consumer complaints, highlighting trends in the various categories of consumer complaints received by the Commission over the past year. The agency released its overview in the form of the Consumer Sentinel Network Data Book for January - December 2016 (2016 Data Book)—which provides category breakdowns and state specific data extrapolated from the Consumer Sentinel Network (CSN)—a secure online database of millions of consumer complaints available only to law enforcement, including, but not limited to, the FTC. In compiling the 2016 Data Book, the CSN collected more than 3.1 million consumer complaints, which the FTC sorted into 30 top complaint categories.

    Florida, Georgia and Michigan were (again) the top three states for fraud and other complaints, while Michigan, Florida and Delaware were the top three states for identity theft complaints. The 2016 Data Book also reveals that debt-collection complaints remained the top category, comprising 28 percent of all complaints. The Commission attributes this “high number of reported debt collection complaints” to, among other things, “complaints submitted by a data contributor who collects complaints via a mobile app.” The Commission also identifies “imposter scams” as a “serious and growing problem.” In response to this trend, Acting Director of the FTC’s Bureau of Consumer Protection, Thomas Pahl, indicates that the agency “will use all the tools at its disposal to address it,” including “law enforcement actions against scammers and consumer education to help consumers avoid losing money.”  

    Another category that saw some movement was identity theft. While overall complaints in this category declined from 16 percent to 13 percent, 29 percent were consumers reporting that their data was used to commit tax fraud. Furthermore, there was a jump in those who reported “that their stolen data was used for credit card fraud. . .[a number that] rose from nearly 16 percent in 2015 to more than 32 percent in 2016.” And, rounding out the “Top Ten” consumer complaints for 2016 after debt-collection, imposter scams, and identity theft, were: telephone and mobile services, banks and lenders, prizes/sweepstakes/lotteries, shop-at-home/catalog sales, auto-related complaints, credit bureaus/information furnishers/report users, and television and electronic media complaints.

    More information about the Consumer Sentinel Network and Data Book is available through www.FTC.gov/sentinel.

    Agency Rule-Making & Guidance Consumer Finance Debt Collection Fraud FTC Privacy/Cyber Risk & Data Security

  • Industry Groups Submit Letters in Response to CFPB’s Request for Input on Comment Letter

    Consumer Finance

    As previously covered in InfoBytes, on November 17 the CFPB launched an inquiry into the benefits and risks associated with consumers authorizing third-parties to access their financial and account information held by financial service providers. In response to the Bureau’s Request for Information (Dkt No. CFPB-2016-0048), consumer and industry groups have offered their thoughts and positions concerning the issue. A summary of several comment letters is included below:

    American Bankers Association (ABA). The ABA submitted a comment letter in which it noted that “technology is fundamentally changing the way financial services are being delivered,” but urged the CFPB, subject to certain enumerated regulatory limitations, to “fairly address[] both the opportunities and risks” in order to “give consumers innovative services that they can trust.” Among other things, the ABA discussed the need for the Bureau to clarify data aggregator responsibility for maintaining the privacy and security of consumer financial data. Specifically, the ABA recommended that the CFPB: (i) impose breach notification obligations; (ii) confirm liability assignments under Regulation E; (iii) subject larger data aggregators to supervisory oversight; and (iv) educate consumers about the choices, responsibilities, and risks presented.

    Financial Services Roundtable (FSR). FSR and its technology policy division responded with a letter highlighting the importance of innovation and collaboration and outlining five core elements the group believes should be considered in assessing this "evolving ecosystem." These elements are: (i) security and privacy; (ii) data access and use transparency; (iii) clarity of liability; (iv) customer choice and control; and (v) technology neutrality. FSR also encouraged the CFPB to avoid unnecessary rulemaking or standard-setting that would “blunt innovation.”

    Independent Community Bankers of America (ICBA). The ICBA urged the CFPB, subject to certain enumerated regulatory limitations, to carefully consider the privacy, regulatory burden, data security, and legal implications posed by third-party account access. Among other things, the ICBA expressed concern that “non-bank entities” do not take the same care in protecting consumer privacy and data as community banks and stated that community banks “must be able to protect customer data without having to meet new regulatory mandates which increase the risk of breach and/or consumer loss.” ICBA’s letter also stated that consumers’ rights to have access to their own information should be balanced with ensuring that consumer privacy is not needlessly threatened.

    Americans for Financial Reform (AFR). AFR and a coalition of consumer groups set forth the organizations’ position that “the digital economy should ensure consumers can access and use records about themselves, and that consumers can choose to authorize third-parties to access such data on their behalf to support their financial health and facilitate competition among financial services providers.” Among other things, the letter stressed the need for “standards to enforce compliance with Section 1033 to benefit consumers who utilize online data aggregation and other applications.” Additionally, the letter urged the CFPB to confirm that consumers “retain their legal protections vis-a-vis account-holding institutions if unauthorized charges are made to their accounts when they use data aggregation services.”

    Financial Innovation Now (FIN). FIN expressed the organization’s belief that regulation of permissioned access to consumer financial account data is “not necessary at this time.” Rather, FIN argued for “standards for permissioned access to consumer financial account data,” which could be “developed by industry, regularly reviewed and updated.” Ultimately, FIN pushed for consumer access to consumer financial account data “securely and easily, using whatever secure application or technology they wish, without charges or restrictions that unreasonably favor any one application or technology over another.”

    Consumer Finance Privacy/Cyber Risk & Data Security CFPB

  • NYDFS Landmark Cybersecurity Rule Set to Take Effect on March 1

    State Issues

    On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1. As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases prescriptive, data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead[] the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”

    Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued an updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, the revised proposed regulation provided for somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.

    The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:

    • Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
    • Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
    • The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
    • Further clarification on the exemptions for companies regulated under New York’s Insurance Law.

    With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.

    InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.

    State Issues Agency Rule-Making & Guidance Bank Regulatory NYDFS Privacy/Cyber Risk & Data Security Vendor Management 23 NYCRR Part 500

  • U.S. Companies Settle FTC Charges that They Deceived Consumers About International Privacy Program Participation

    Courts

    On February 22, the FTC announced that it had reached settlements with three U.S. companies over charges that the companies falsely represented their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system in their online privacy policies. Participation requires an official review and certification, a process none of the three companies underwent according to the three complaints. The complaints alleged violations of the FTC Act due to deceptive statements made by the companies that they participated in the APEC CBPR system. The settlement terms bar the defendants from “misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”

    Courts Privacy/Cyber Risk & Data Security FTC APEC CBPR

  • FDIC Releases 2016 Annual Report; Separately, FDIC’s OIG Issues Report Critical of Bank Service Provider Contracts

    Privacy, Cyber Risk & Data Security

    On February 15, the FDIC released its 2016 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results and other aspects of FDIC operations.

    Separately, on the same day, the FDIC’s Office of Inspector General (OIG) released an Audit Report (EVAL-17-004) on the adequacy of a small but random sample of contracts between FDIC-supervised institutions and their technology service providers (TSPs), in light of federal law and banking agency guidance on customer privacy-protection and how to properly manage third-party relationships. All sampled contracts had been designated as “critical” or “high” risk to the supervised institutions’ operations. The OIG specifically evaluated, and generally found insufficient, the clarity of contract provisions on TSP obligations regarding: (i) business continuity planning; and (ii) responding to and reporting on cybersecurity incidents. Despite the insufficiencies noted, the OIG acknowledged that because many contracts were negotiated before some of the relevant guidance was issued, “more time is needed to allow FDIC and FFIEC efforts to have a demonstrable” impact on contractual language.

    As a result of these findings, the OIG recommended—and FDIC management agreed—that the agency, after allowing appropriate time for current guidance to be implemented, conduct a “full horizontal review to assess” any continued presence of the contractual insufficiencies noted in the report. The FDIC will “prepare” that horizontal review in 2018.

    Privacy/Cyber Risk & Data Security FDIC FFIEC OIG Vendor Management

  • Federal Judge Sentences Hacker to Eight Years for Cyber Heists that Caused More than $55 Million in Losses

    Courts

    On February 10, the United States Attorney for the Eastern District of New York announced that the Honorable Kiyo A. Matsumoto levied an eight-year prison sentence against a Turkish citizen charged with organizing and carrying out three cyber-attacks on global financial institutions between 2011 and 2013 which resulted in more than $55 million in losses. Last March, the defendant pleaded guilty to “computer intrusion conspiracy, access device fraud conspiracy, and effecting transactions with unauthorized access devices.” Specifically, the defendant and his associates were alleged to have repeatedly hacked into debit card processing systems, manipulated account balances, stolen customers’ PINs, and transferred that information to associates who then encoded debit cards with the stolen data in order to make fraudulent ATM withdrawals. The DOJ further alleged that the hackers targeted databases companies maintained for prepaid debit cards and effectively eliminated the card accounts’ withdrawal limits in what are called “unlimited operations.” The defendant was also ordered to pay $55,080,226.14 in restitution as part of his sentence.

    Courts Privacy/Cyber Risk & Data Security Financial Crimes
