
InfoBytes Blog

Financial Services Law Insights and Observations


  • Biden signs $1.5 trillion omnibus package

    Federal Issues

    On March 15, President Biden signed H.R. 2471, the “Consolidated Appropriations Act, 2022” (Act), into law. According to House Appropriations Committee Chair Rosa DeLauro’s press release, the Act is an omnibus spending measure that provides $1.5 trillion in discretionary resources across the 12 fiscal year 2022 appropriations bills. Among other things, the Act includes the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” which establishes requirements for reporting ransomware incidents on critical infrastructure to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Specifically, Division Y, Section 2242 establishes that covered entities must report incidents to CISA within 72 hours after the covered entity reasonably believes that a cyber incident has occurred, or within 24 hours after a ransomware payment has been made. If a company fails to meet the reporting requirements, the Act permits the CISA Director to “obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.” The Act also establishes that if CISA determines that the incident requires regulatory enforcement action or criminal prosecution, such information may be provided to the Attorney General or the appropriate regulator, who may utilize such information for a regulatory enforcement action or criminal prosecution. Within 24 months, CISA is directed to publish a notice of proposed rulemaking (NPRM) in the Federal Register to implement the Act, followed by the issuance of a final rule within 18 months of the NPRM. The final rule will outline the criteria for reporting and provide the effective dates for the reporting requirements. The Act also directs CISA to carry out an outreach and education campaign to inform covered entities about the rule’s requirements. Though the bill establishes that a court shall dismiss a cause of action against a person or entity for submitting a report, the liability protections “shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the [Sector Risk Management] Agency.”

    The Act also includes the “Adjustable Interest Rate (LIBOR) Act,” which establishes “a clear and uniform process, on a nationwide basis, for replacing LIBOR in existing contracts the terms of which do not provide for the use of a clearly defined or practicable replacement benchmark rate, without affecting the ability of parties to use any appropriate benchmark rate in new contracts,” among other things. Additionally, the Act includes rental assistance programs and climate restoration grants, which, according to a statement by HUD Secretary Marcia L. Fudge, “provides funding to improve the energy efficiency of housing and increase resilience to climate impacts.”


  • Wyoming enacts genetic data privacy provisions

    Privacy, Cyber Risk & Data Security

    On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic data, businesses must, among other things, (i) provide clear, transparent information to consumers about the collection, use, or disclosure of genetic data before collecting it (including providing a publicly available privacy notice); and (ii) obtain express consent from a consumer before collecting genetic data, and receive separate express consent for transferring or disclosing genetic data to persons “other than the company’s vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” or for retaining genetic data after the initial testing service is completed. The Act outlines additional requirements and prohibitions on the disclosure and retention of genetic data and requires businesses to implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. Additionally, the Act provides consumers with the statutory right to access and request deletion of genetic data when it is no longer being used or needed for the purpose for which it was collected and provides consumers with a private right of action to seek damages from businesses who violate the Act. Under the Act, businesses have 60 days from the date of notice to cure any alleged violations. The Wyoming attorney general also has the authority to enforce the Act and may seek penalties of up to $2,500 for each violation, as well as actual damages for harmed consumers on whose behalf the action was brought and attorneys’ fees and costs.

    Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services that collect protected health information under HIPAA are exempt from the Act’s provisions. The Act takes effect July 1.


  • California clarifies that internally generated inferences are “personal information” under the CCPA

    Privacy, Cyber Risk & Data Security

    On March 10, the California Office of the Attorney General (OAG) issued an opinion on the question of whether, under the California Consumer Privacy Act (CCPA), a consumer’s right to know the specific pieces of personal information collected by a covered business about that consumer applies to internally generated inferences that the business holds about the consumer from either internal or external information sources. According to the OAG, the answer is yes—consumers have the right to know internally generated inferences about themselves, and a business must provide such information upon request, unless a business can demonstrate an applicable CCPA statutory exception. The CCPA, which was enacted in June 2018 and became effective January 1, 2020 (covered by a Buckley Special Alert), provides California consumers with new rights of control over the personal information held about them (with certain exceptions), including the right to know what information is being collected and how a business uses and shares that information, the right to delete personal information, and the right to opt out of certain transfers and sales of their personal information. The OAG noted that while the Consumer Privacy Rights Act of 2020 will become fully operative January 1, 2023, none of the act’s amendments to the CCPA will change the conclusions presented in the opinion.

    The OAG’s opinion defines “inference” under the CCPA to mean “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Example inferences such as “married,” “homeowner,” “online shopper,” or “likely voter,” the OAG explained, are derived from information collected by businesses such as online transactions, social network posts, or public records. OAG noted that some businesses also use proprietary methods to create inferences and “then sell or transfer the inferences to others for commercial purposes,” thus allowing, according to studies, “seemingly innocuous data points” to be combined with other data points “to deduce startlingly personal characteristics.” According to the OAG’s interpretation of the plain language of the CCPA, as well as legislative history, businesses are generally required “to disclose internally generated inferences to consumers” “regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source.”

    The OAG further explained that inferences are “personal information” for purposes of the CCPA, and therefore must be disclosed, provided two conditions exist: (i) “the inference is drawn ‘from any of the information identified’” in subdivision (o) of Civil Code section 1798.140, which includes, among other things, personal identifiers such as names, addresses, account numbers, or identification numbers, customer records, age, gender, race, or religion, as well as inferences obtained from any of the listed items; and (ii) “the inference is used to ‘create a profile about a consumer,’ or in other words to predict a salient consumer characteristic.” For the purposes of responding to a consumer’s request to know, the OAG stated that “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.” The business is required to disclose the personal information it holds to the consumer upon request. The OAG noted, however, that the CCPA does not require businesses to disclose protected trade secrets used to derive their inferences, provided the business demonstrates “that such inferences are indeed trade secrets under the applicable law.”


  • DFPI reminds financial institutions of their sanctions compliance obligations

    State Issues

    On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited from participating in financial transactions with individuals and entities listed on OFAC’s Specially Designated Nationals (SDN) List, and are encouraged to review the specific, more limited sanctions that have been placed on several Russian entities. This information can be found on OFAC’s website.

    Additionally, licensees are strongly encouraged to immediately ensure their systems, programs, and processes comply with OFAC regulations, and review and monitor all transactions (particularly trade finance transactions and funds transfers) to identify and block transactions subject to sanctions. Licensees should also follow OFAC directions related to blocked funds.

    DFPI further warned that Russia’s invasion of Ukraine increases the risk that listed individuals and entities will attempt to evade sanctions by using virtual currency transfers, and encouraged licensees to review OFAC Guidance to protect against these risks. Licensees engaged in transactions involving virtual currencies are instructed to implement policies, procedures, and processes to protect against the unique risks posed by virtual currencies and should “consider virtual currency-specific control measures including sanctions lists, geographic screening, and any other measures appropriate to the licensee’s specific risk profile.”

    Additionally, DFPI cautioned that the “Russian invasion significantly elevates the cyber risk for the U.S. financial sector,” and licensees are instructed to take measures to mitigate cybersecurity threats, including adopting core cybersecurity hygiene measures, eliminating any non-essential networking protocols, ensuring procedures are able to address a ransomware attack, and reevaluating “plans to maintain essential services, protect critical data, and preserve customer confidence considering the realistic threat of extended outages.” Licensees are encouraged to track alerts from the Cybersecurity and Infrastructure Security Agency.

    Licensees conducting business in Ukraine and/or Russia should also “take increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers,” and “segregate networks for Ukrainian or Russian offices from the global network.”

    NYDFS also recently issued similar guidance for New York state regulated entities on its cybersecurity and virtual currency regulations in response to the Russian invasion and recently imposed sanctions. (Covered by a Buckley Special Alert.)


  • CFPB investigates employer-driven debt and the sale of workers’ personal data

    Federal Issues

    On March 9, the CFPB published findings from a recent roundtable event where worker organizations and labor unions shared their members’ financial hardships and challenges. According to the Bureau’s blog post, more workers are reporting that they are responsible for paying for employer-mandated training and equipment, causing workers to owe significant debt to their employers or third-party debt collectors and making it difficult for them to change jobs. The Bureau stated it will continue to analyze information about employer-driven debt and employer/third-party collection efforts to best determine how to address consumer harm and any potential violations of federal consumer financial law, and will participate in the Truck Leasing Task Force with the Departments of Transportation and Labor to investigate predatory financial arrangements.

    Organizations also reported concerns related to surveillance technology and the sale of personal data, including how information is being “compiled and used for decision-making that may impact workers’ financial well-being far beyond their current employers.” One participant explained that workers may not be aware that tools designed to track hours worked across different platforms also have the capability to track them outside of working hours and are selling access to their data to financial institutions, insurers, and other employers. The Bureau also heard from participants about data firms that are collecting and selling workers’ data that “may not be following the appropriate protocols for privacy and transparency.” The Bureau emphasized that it will “closely monitor and better understand this emerging market along with our federal partners and assess where provisions of the Fair Credit Reporting Act and other consumer protection laws may protect workers.”


  • SEC proposes amendments to cybersecurity risk management

    Securities

    On March 9, the SEC announced proposed amendments to its rules that would standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, “current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.” Specifically, firms would be required to describe their policies and procedures for the identification and management of cyber risks, provide information about the board’s oversight of and management’s role in cybersecurity risk, and disclose whether a member of the board has expertise in cybersecurity. According to the SEC, “[t]he proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” Comments are due 60 days after publication in the Federal Register.

    The same day, the SEC published a fact sheet clarifying, among other things, how the amendments are applied and what is required. SEC Chair Gary Gensler issued a statement stating he was “pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” According to a dissenting statement issued by SEC Commissioner Hester M. Peirce, the proposed amendments “flirt[] with casting us as the nation’s cybersecurity command center, a role Congress did not give us,” and argued that the “precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.”


  • Biden calls for coordinated approach to digital asset innovation

    Federal Issues

    On March 9, President Biden issued an Executive Order (E.O.) on digital assets outlining the first “whole-of-government” strategy to coordinate a comprehensive approach for ensuring responsible innovation in digital assets policy. (See also the accompanying White House fact sheet.) The White House highlighted that “non-state issued digital assets reached a combined market capitalization of $3 trillion” last November (up from $14 billion five years ago) and noted that many countries are currently exploring, or in certain cases introducing, central bank digital currencies (CBDC). The Executive Order on Ensuring Responsible Development of Digital Assets stressed that “we must take strong steps to reduce the risks that digital assets could pose to consumers, investors, and business protections,” and mitigate “illicit finance and national security risks posed by misuse of digital assets,” including money laundering, cybercrime and ransomware, terrorism and proliferation financing, and sanctions evasion. The E.O. cautioned that future digital asset systems must also promote high standards for transparency, privacy, and security.

    The E.O. outlined several principal policy objectives, including that:

    • Federal agencies are directed to coordinate policy recommendations to address the growth in the digital asset sector.
    • Federal agencies are directed to explore the need for a potential U.S. CBDC. Treasury, along with heads of other relevant agencies, are ordered to submit “a report on the future of money and payment systems, including the conditions that drive broad adoption of digital assets; the extent to which technological innovation may influence these outcomes; and the implications for the United States financial system, the modernization of and changes to payment systems, economic growth, financial inclusion, and national security.” The Federal Reserve Board is also encouraged to continue researching, developing, and assessing efforts for a CBDC, including developing a broad government action plan for a potential launch. The E.O. also directed an assessment of whether legislative changes would be necessary in order to issue a CBDC.
    • The Secretary of the Treasury will work with relevant agencies to produce a report on the future of money and payment systems, which will include implications for economic growth, financial growth and inclusion, national security, and the extent to which technological innovation may influence these areas. The approach to digital asset innovation must also address the risk of disparate impact, the E.O. stressed, adding that any approach should ensure equitable access to safe and affordable financial services.
    • The Attorney General, FTC, and CFPB are “encouraged to consider what, if any, effects the growth of digital assets could have on competition policy.” The agencies are also “encouraged to consider the extent to which privacy or consumer protection measures within their respective jurisdictions may be used to protect users of digital assets and whether additional measures may be needed.” Additional federal agencies are also encouraged to consider the need for investor and market protections.
    • The Financial Stability Oversight Council and Treasury are directed to identify and mitigate systemic financial risks posed by digital assets and develop policy recommendations to fill any regulatory gaps.
    • Federal agencies are directed to work with allies and partners to ensure international frameworks, capabilities, and partnerships are aligned and responsive to risks posed by the illicit use of digital assets. Agencies should also explore “the extent to which technological innovation may impact such activities,” and explore “opportunities to mitigate these risks through regulation, supervision, public‑private engagement, oversight, and law enforcement.”
    • Federal agencies are directed to establish a framework for interagency international engagement with foreign counterparts to adopt global principles and standards for how digital assets are used and transacted, and to promote digital asset and CBDC technology development.

    CFPB Director Rohit Chopra and Treasury Secretary Janet Yellen issued statements following Biden’s announcement. “Today’s Executive Order recognizes that the dramatic growth in digital asset markets has created profound implications for financial stability, consumer protection, national security, and energy demand,” Chopra said. “The [CFPB] is committed to working to promote competition and innovation, while also reducing the risks that digital assets could pose to our safety and security. We must make sure Americans in all financial markets are protected against errors, theft, or fraud.” Yellen stated that in addition to partnering with interagency colleagues to produce a report on the future of money and payment systems, Treasury will also work with international partners to promote robust cross-border standards and a level playing field. “As we take on this important work, we’ll be guided by consumer and investor protection groups, market participants, and other leading experts. Treasury will work to promote a fairer, more inclusive, and more efficient financial system, while building on our ongoing work to counter illicit finance, and prevent risks to financial stability and national security,” she said.

    Treasury also recently announced that the Financial Literacy and Education Commission (led by Yellen and Chopra and comprised of the heads of 21 federal agencies and entities, including the OCC, Fed, FDIC, SEC, FTC, and HUD, among others) is forming a new subgroup on digital asset financial education to analyze the impact of digital assets on consumer and investor protections. “History has shown that, without adequate safeguards, forms of private money have the potential to pose risks to consumers and the financial system,” U.S. Under Secretary of the Treasury for Domestic Finance Nellie Liang said.


  • CARU orders app company to correct violations of children’s privacy rules

    Privacy, Cyber Risk & Data Security

    On March 8, the Children’s Advertising Review Unit (CARU) announced that a smart watch phone operator has agreed to take actions to correct alleged violations of the Children’s Online Privacy Protection Act (COPPA) and CARU’s Self-Regulatory Guidelines for Children’s Online Privacy Protection. According to the press release, CARU is the nation’s first FTC-approved COPPA Safe Harbor Program and is tasked with monitoring online services for compliance with COPPA and CARU’s privacy guidelines to make sure the collection of children’s data is handled responsibly. CARU examined the company’s data handling and sharing practices and found that the company, among other things, “failed to provide clear and complete, and non-confusing, notice of its children’s information collection practices in its privacy policy and failed to provide any notice that would constitute a direct notice to parents as required by COPPA.” The company also failed to offer a method for parents to provide verifiable consent to its data gathering practices prior to its collection of information from children, CARU stated, adding that the company’s privacy policy, terms of service, and other online disclosures also included “inconsistent, confusing and/or contradictory statements about its collection, use, or disclosure of children's personal information.”

    CARU noted that the company submitted a “detailed plan” outlining measures to remedy the concerns and agreed to correct the violations in order to comply with CARU’s privacy guidelines and COPPA. The company will also update its privacy policy to include information on how parents can prohibit the use of their child’s data or have it deleted and will obtain verifiable parental consent prior to completing the registration process. CARU also recommended that the company revise its website and app to provide parents with “direct notice of what personal information the operator can collect from children through their use of the service, both passively and actively, and how such personal information can be used and disclosed, together with a clear and prominent link to its privacy policy.”


  • District Court preliminarily approves $4.75 million data breach settlement

    Courts

    On March 3, the U.S. District Court for the Western District of Texas preliminarily approved a $4.75 million class action settlement resolving claims between a pharmacy benefits manager and consumers in six different proposed class actions filed in Texas and California. The court also conditionally certified a nationwide settlement class and a California settlement subclass. According to the memorandum in support of the plaintiffs’ motion for preliminary approval of the settlement, plaintiffs claimed the company acted negligently by failing to implement reasonable safeguards for protecting customers’ personally identifiable information and preventing a 2021 data breach, which exposed their sensitive, protected health information. The plaintiffs also alleged that the company breached California privacy and consumer protection laws. If the settlement is granted final approval, the company will be required to create a $4.75 million settlement fund, and to “develop, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality” of customers’ personal data. The company may also be responsible for a portion of attorneys’ fees, costs, and service awards.


  • Virginia passes additional VCDPA amendments

    Privacy, Cyber Risk & Data Security

    On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain tax-exempt 501(c)(4) organizations, thus exempting them from the VCDPA’s provisions. The bill also abolishes the Consumer Privacy Fund and provides that all civil penalties, expenses, and attorney fees collected from enforcement of the VCDPA shall be deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. Under Section 59.1-584, the attorney general has exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation should a controller or processor of consumer personal data continue to violate the VCDPA following a 30-day cure period, or breach an express written statement provided to the attorney general that the alleged violations have been cured.

    As previously covered by InfoBytes, the VCDPA was enacted last year to establish a framework for controlling and processing consumers’ personal data in the Commonwealth. The VCDPA, which explicitly prohibits a private right of action, allows consumers to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill now heads to the governor, and if enacted, will take effect January 1, 2023.

