InfoBytes Blog

Financial Services Law Insights and Observations

  • Top "Smart TV" Manufacturer Agrees to Pay $2.2M to Settle FTC Smart TV Tracking Investigation

    Privacy, Cyber Risk & Data Security

    On February 6, the Federal Trade Commission (FTC) and the New Jersey Attorney General (NJAG) announced that they had entered into a $2.2 million settlement to resolve claims that a “smart” television manufacturer secretly gathered users’ viewing data and sold it to third parties who used the data for targeted advertising purposes. The settlement, which was approved by the FTC by a unanimous 3-0 vote, includes a payment of $1.5 million to the FTC and $700,000 to the New Jersey Division of Consumer Affairs, with an additional $300,000 in penalties to New Jersey suspended. The settlement also requires that the TV maker not misrepresent its data collection and sharing practices, prominently disclose its data collection and sharing practices and obtain permission from each consumer prior to collecting viewing data, delete most of the viewing data it already collected, implement a comprehensive privacy program, and undergo biennial third-party privacy assessments.

    Notably, in a concurring statement, acting FTC Chairman Maureen K. Ohlhausen emphasized that this settlement marks “the first time the FTC has alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information.” Previously, the FTC had limited the definition of sensitive information to “financial information, health information, Social Security Numbers, information about children, and precise geolocation information.” Chairman Ohlhausen noted “the need for the FTC to examine more rigorously what constitutes ‘substantial injury’ in the context of information about consumers” and indicated her intention to “launch an effort to examine this important issue further.”

    FTC Miscellany State Attorney General Privacy/Cyber Risk & Data Security

  • NY Attorney General Announces Data Breach Settlement with Computer Manufacturer

    State Issues

    On January 29, New York Attorney General Eric T. Schneiderman announced a settlement with a foreign computer manufacturer over allegations of a data breach of customer data. The AG’s office claims the security vulnerabilities allowing for the breach lasted almost a full calendar year. In addition to a $115,000 penalty, the manufacturer is required to “maintain [both] reasonable security policies designed to protect consumer personal information. . .[and] data security standards required by the credit card industry.”

    State Issues State Attorney General Privacy/Cyber Risk & Data Security

  • President Trump Appoints Maureen Ohlhausen Acting FTC Chairman

    Federal Issues

    On January 25, the FTC announced that President Trump had appointed Maureen K. Ohlhausen to serve as Acting Chairman of the FTC by White House order. Commissioner Ohlhausen became an FTC commissioner in April 2012, and her current term is set to expire in 2018. In addition to the Acting Chairman, the FTC is headed by Commissioner Terrell McSweeny and fellow Democrat Edith Ramirez, who steps down early next month and previously served as Chairwoman. The FTC also has two commissioner vacancies. “I am deeply honored that President Trump has asked me to serve as acting chairman of the FTC and to preserve America’s true engine of prosperity: a free, honest, and competitive marketplace,” Ohlhausen said in a statement. She added that “[i]n pursuit of that mission” she “will ensure the Commission minimizes the burdens on legitimate business as we carry out this vital work.”

    Federal Issues FTC Trump Privacy/Cyber Risk & Data Security

  • European Commission Publishes Draft ePrivacy Regulation

    Federal Issues

    Commission announced the release of its Proposal for a Regulation of the European Parliament and of the Council on Privacy and Electronic Communications (Proposed Regulation), which is set to repeal Directive 2002/58/EC (ePrivacy Directive). The Proposed Regulation, as discussed previously on InfoBytes, is intended to update the current rules to keep up with technical developments and to adapt them to the General Data Protection Regulation (GDPR). Among other things, the Proposed Regulation will expand the scope of the ePrivacy rules to include internet-based voice and internet-messaging services, and to cover the content of communications, including metadata such as the time and location of a call. With regard to cookies, the Proposed Regulation does not require the consent of the user for non-privacy-intrusive cookies, which either improve the internet experience or measure the number of visitors to a specific website. The Proposed Regulation also includes an opt-in requirement for telemarketing calls, unless national laws provide the recipient with a right to object. The Proposed Regulation also contains language extending the remedies currently provided under the GDPR. Once passed, the Proposed Regulation would become effective on May 25, 2018. Related documents and information may be accessed through the following links:

    1. Proposal for a Regulation of the European Parliament and of the Council
    2. Ex-post REFIT evaluation of the ePrivacy Directive 2002/58/EC
    3. Executive summary of the ex-post REFIT evaluation
    4. Impact Assessment - part 1
    5. Impact Assessment - part 2
    6. Impact Assessment - part 3
    7. Summary of the Impact Assessment

    Federal Issues International GDPR Privacy/Cyber Risk & Data Security

  • FTC Hosts Its Second Annual PrivacyCon Event

    Securities

    On January 12, the FTC hosted its second annual “PrivacyCon”—a public forum promoted by the regulator in order to “expand collaboration among leaders from academia, research, consumer advocacy, and industry on the privacy and security implications of emerging technologies.” Throughout the day, speaker panels presented research and opened the floor to discussions addressing five major topic areas: (i) the Internet of Things (IoT) and big data; (ii) mobile privacy; (iii) consumer privacy expectations; (iv) online behavioral advertising; and (v) information security. Among other things, panelists discussed the possibility of using machine learning to automatically block or permit user tracking and information collection by applications and websites based on the user’s past practices. Many panelists also examined data “leakage” from devices and the possible privacy and security issues that are raised by such leakage.

    A full version of the agenda, including links to abstracts of the research being presented, as well as a video recording of the event, is available online. Additional research that was not presented but was submitted without a request for confidential treatment is also available here.

    Securities Miscellany Privacy/Cyber Risk & Data Security

  • FTC Files Complaint Against Device Maker Concerning Alleged Failures to Reasonably Secure Routers and Internet Protocol (IP) Cameras

    Courts

    On January 5, the FTC announced that it was initiating an enforcement action against a Taiwanese computer networking equipment manufacturer and its U.S. subsidiary. In a complaint filed with the Northern District of California, the FTC charged that the device manufacturer failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. Specifically, the FTC alleged that hackers could exploit these vulnerabilities using any of several “simple methods.”

    According to its press release, the complaint is part of the FTC’s broader efforts to protect consumers’ privacy and security in the “Internet of Things” (IoT), which include cases the agency has brought against a computer hardware manufacturer and a marketer of video cameras. In a statement, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, explained that “[h]ackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information.” Accordingly, Ms. Rich explained further, “[w]hen manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.” The FTC has provided guidance to IoT companies on how to preserve privacy and security in their products while still innovating and growing IoT technology.

    Courts FTC International Privacy/Cyber Risk & Data Security

  • Special Alert: Revised NYDFS Cybersecurity Rule

    Privacy, Cyber Risk & Data Security

    On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of its cybersecurity rule for financial institutions issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to the Proposed Rule, as well as a hearing before New York State lawmakers. The Revised Proposed Rule retains the spirit of the original Proposed Rule, but offers covered entities somewhat more flexibility in implementing the requirements.

    Background

    The Proposed Rule marked the next step in a period of increased focus on cybersecurity by the agency. Between May 2014 and April 2015, DFS issued three reports relating to cybersecurity in the financial and insurance industries. In November 2015, DFS issued a letter to federal financial services regulatory agencies, which alerted the federal regulators to DFS’s proposed regulatory framework and invited comment from the regulators.

    In the September release, DFS explained that the Proposed Rule is a response to the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” As originally written, the Proposed Rule covered financial institutions operating under a charter or license issued by DFS, and set cybersecurity program, policy, training, and reporting requirements that are more stringent than the current federal requirements. The Proposed Rule gave a January 1, 2017 effective date, with a 180-day transitional period. On December 19, 2016, the New York State Assembly’s Standing Committee on Banks held a public hearing regarding cybersecurity and the Proposed Rule. Among the chief concerns expressed at the hearing and in the comment letters were the cost of compliance, especially for smaller banks, and that the Proposed Rule’s “one-size-fits-all” requirements do not consider the varying operational structures, business models, and risk profiles of financial institutions. There was also concern that the Proposed Rule diverged too far from the current federal requirements.

    Click here to read full special alert

    * * *

    We will continue to monitor the DFS rulemaking process. If you have questions about the Revised Rule or other cybersecurity issues, visit our Privacy, Cyber Risk & Data Security practice for more information, or contact a Buckley Sandler attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security NYDFS State Issues Special Alerts 23 NYCRR Part 500

  • NYDFS to Revise Proposed Cybersecurity Regulation Following Public Hearing Before State Lawmakers

    Consumer Finance

    On December 19, the New York Assembly Standing Committee on Banks held a public hearing, receiving testimony about a recently proposed regulation intended to address cybersecurity risks to entities regulated by the New York Department of Financial Services (NYDFS). Previously covered by InfoBytes upon its initial release in September 2016, the proposed regulation has since been subject to a public comment period before final issuance.

    The hearing before the NY State Assembly provided an opportunity for representatives from a variety of NYDFS-regulated entities to offer testimony and/or raise objections. Many of the witnesses cited the proposal’s “one-size-fits-all” approach as a source of concern, noting that the proposed regulation currently does not account for variations in the business models, IT system structures, or risk profiles of the institutions it affects. Other concerns raised by the witnesses included onerous reporting requirements, a lack of harmony between the proposal and federal regulations and guidance, high costs of compliance, and even reputational risk arising out of exposure through FOIA laws. An archived video of the hearing can be accessed here.

    Two days after the hearing in Albany, NYDFS indicated that it is now planning to release an updated version of the regulation on December 28, thereby pushing the effective date to March 1, 2017. InfoBytes will continue to monitor the status of the proposed regulation and will issue an update once NYDFS publishes its revised regulation.

    Banking State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

  • EU Releases First Guidance on New Privacy Regulation

    Federal Issues

    On December 16, the European Union’s (EU) data protection regulator, the Article 29 Working Party (WP29), released its first official guidance on the General Data Protection Regulation (GDPR), the EU’s new privacy regime. Composed of three sets of guidelines and FAQs, the guidance covers a range of issues, including the qualification, appointment, and personal liability of data protection officers (DPOs). Links to the six guidance documents follow:

    The WP29 also announced that it is accepting additional comments on this guidance through the end of January 2017, and that it will release guidelines on Data Protection Impact Assessments and Certifications in 2017. The GDPR is set to take effect in May 2018.

    International European Union Miscellany GDPR Privacy/Cyber Risk & Data Security

  • OCC to Consider Fintech Charter Applications; Seeks Comment

    Federal Issues

    On December 2, the OCC announced that it would move forward with considering applications from financial technology (Fintech) companies to become special-purpose national banks. In prepared remarks delivered at the Georgetown University Law Center, Comptroller of the Currency Thomas Curry explained, among other things, that “having a clear process, criteria, and standards for Fintechs to become national banks ensures regulators and companies openly vet risks and that the institutions that receive charters have a reasonable chance of success.”

    Accompanying his decision, the OCC published a paper discussing the issues and conditions that the agency will consider in granting special-purpose national bank charters. According to the paper, in order to apply for a special-purpose charter, a company must engage in fiduciary activities or in one of the three core banking functions: lending money, paying checks, or receiving deposits. The paper is available on the agency’s website at www.occ.gov, and comments may be submitted through January 15, 2017.

    Federal Issues Digital Commerce OCC Fintech Privacy/Cyber Risk & Data Security
