InfoBytes Blog

Financial Services Law Insights and Observations

  • Key Considerations in Drafting Mobile Disclosures

    Fintech

    Recent developments at the FTC and CFPB provide some guidance on how regulators may approach disclosures on smartphones and other mobile devices.

    The recent CFPB Remittance Rule on international remittance transfers indicates some flexibility in the provision of disclosures in the remittances context via a mobile device. Additionally, the FTC’s recent report on best practices in consumer data privacy notes the difficulty in providing privacy notices on the smaller screens of mobile devices and encourages shorter, more effective privacy policies as a result.

    These developments raise a series of questions for corporate counsel to consider when advising on the drafting and delivery of mobile disclosures. Specifically, questions include:

    1. Is the length of the mobile disclosure document as brief and succinct as it can be? Does it use concrete, everyday words and the active voice? Do the disclosures avoid multiple negatives, technical jargon and ambiguous language?
    2. Are the mobile disclosures presented in a logical sequence? Are they laid out in clear, concise sentences, paragraphs and sections? Are they placed in equal prominence to each other, absent any other specific regulatory format or placement requirements? Is the content placed on a particular page appropriate for the sizing of the page on the mobile screen? If not, are textual or visual cues used to encourage scrolling?
    3. Does the mobile disclosure "call attention to itself"? Is it on a screen the mobile user must access or will likely access frequently? If not, is it behind a hyperlink on an introductory screen that is clearly labeled so as to convey the importance of the linked disclosure? Is it presented with a clear, visible heading and an easy-to-read typeface and type size?
    4. Have various technical and other applicable industry standards been consulted in the process of designing, developing and displaying mobile disclosures?


    Payment Systems Mobile Banking Privacy/Cyber Risk & Data Security

  • Federal District Court Holds Allegations of Failure to Protect Data Insufficient to Support Stored Communications Act Claim

    Fintech

    Last month, the U.S. District Court for the Northern District of Illinois held that a company’s failure to protect personal information does not violate the Stored Communications Act (SCA) because the company did not knowingly divulge the personal information. Worix v. MedAssets Inc., No. 11-8088, 2012 WL 787210 (N.D. Ill. Mar. 8, 2012). In this case, a computer hard drive belonging to the defendant, a firm that provides financial services for health care providers and as such handles the personal and confidential information of individuals, was stolen. The plaintiff, one of the individuals whose personal information was stored on the hard drive, alleged on behalf of a putative class that the defendant violated the SCA when it failed to adequately secure the protected personal information. The court held that the plaintiff could only support allegations that the defendant knowingly failed to protect the data, and that the plaintiff failed to offer the proof required by the SCA that the defendant knowingly divulged protected information. The court also dismissed the plaintiff’s common law negligence claims and statutory fraud claims, holding that the plaintiff failed to allege actual damages when claiming an increased risk of identity theft and monitoring costs.

    Privacy/Cyber Risk & Data Security

  • Washington Federal Court Allows Data Privacy Case Against IMDb to Proceed

    Fintech

    On March 28, the U.S. District Court for the Western District of Washington held that actress Huong Hoang’s lawsuit against website IMDb.com pled sufficient facts to move forward on her breach of contract and Washington Consumer Protection Act claims, based in part on the website’s privacy policy. Hoang v. Amazon.com, Inc., No. C11-1709MJP (W.D. Wash. Mar. 28, 2012). IMDb, a subsidiary of Amazon, moved to dismiss Ms. Hoang’s four claims. Although two claims were dismissed, the court found that the defendant did not show that Ms. Hoang gave IMDb permission to use the information she provided when subscribing to the website to search public records for additional information about her. Plaintiff pointed to a statement in the IMDb privacy policy that it would “carefully and sensibly” manage how information about customers is used and shared, and that “[y]ou can choose not to provide certain information….” Plaintiff alleges that IMDb used the personal information she provided, including credit card information, to locate her date of birth, among other things. Ms. Hoang alleged that IMDb then added her date of birth and age to its website, causing her to lose roles and decreasing her earnings. Defendant’s motion to dismiss the remaining claims was denied.

    Privacy/Cyber Risk & Data Security

  • Supreme Court Holds Only Pecuniary Damages Available Under Federal Privacy Act

    Courts

    On March 28, the U.S. Supreme Court ruled 5-3 that the Privacy Act of 1974, which regulates how federal agencies handle personal information, does not unequivocally authorize damages for mental or emotional distress. Cooper v. FAA, No. 10-1024, 2012 WL 1019969 (U.S. Mar. 28, 2012). In this case, an airline pilot sued the Federal Aviation Administration (FAA) and other federal agencies for impermissibly exchanging information about his HIV status in connection with a criminal investigation. The pilot claimed to suffer emotional and mental distress due to the disclosure. The U.S. Court of Appeals for the Ninth Circuit held that the term “actual damages” in the Privacy Act is not ambiguous and includes damages for mental and emotional distress. The Supreme Court reversed, holding, as the district court originally held, that the term is ambiguous and therefore does not waive the government’s sovereign immunity from liability for nonpecuniary damages. The narrow ruling only directly impacts actions under the Privacy Act, and the court notes that “actual damages” can mean different things in different contexts. As such, the holding does not invalidate prior lower court rulings that “actual damages” under other statutes, including the Fair Credit Reporting Act and the Fair Housing Act, can include damages for emotional or mental distress.

    Privacy/Cyber Risk & Data Security

  • FTC Finalizes Consumer Privacy Recommendations, Notes Mobile Issues

    Federal Issues

    On March 26, the FTC released an anticipated report on consumer privacy, calling on all companies to adopt certain practices to protect consumers’ private information. The final report outlines three basic principles: (i) “privacy by design”, (ii) simplified choice, and (iii) increased transparency. Though the report and recommended practices do not carry the force of law, the FTC encourages adoption of the recommendations to support innovation and commerce while improving consumer protection. The report also serves as a blueprint for what the FTC is seeking in federal privacy legislation. Pending congressional action, the FTC will continue to employ its existing enforcement authority to address unfair or deceptive practices, including practices that violate self-regulatory programs. Further, the FTC intends to support implementation of the framework by focusing on several substantive topics and stakeholder groups, including (i) do not track, (ii) mobile services, (iii) data brokers, (iv) large platform providers, and (v) industry codes of conduct. For example, the FTC will focus on mobile services by updating guidance about online advertising disclosures, including holding a workshop on model mobile disclosures on May 30, 2012. It also calls on mobile service providers to establish industry standards that address data collection, transfer, use, and disposal, particularly for location data.

    FTC Privacy/Cyber Risk & Data Security

  • FTC Releases Survey on Consumer Reporting Agencies and FACTA

    Consumer Finance

    On March 12, the FTC released the results of a survey conducted to gauge consumer experiences in dealing with consumer reporting agencies (CRAs) following an identity theft. While the survey indicates that the majority of consumers were satisfied with their experiences, many consumers were unaware of their rights under the Fair and Accurate Credit Transactions Act (FACTA) before contacting a CRA. In response to concerns raised by consumers in the survey, the report recommends that (i) CRAs make it easier for consumers to reach a live person and (ii) the CFPB use its examination and rulemaking authority, and the FTC employ its enforcement authority, to address CRAs’ practice of attempting to sell identity theft products to consumers reporting identity thefts.

    CFPB FTC FACTA Privacy/Cyber Risk & Data Security

  • Facebook's Forum-Selection Clause Enforceable Against Plaintiff Minors

    Fintech

    On March 8, the U.S. District Court for the Southern District of Illinois ruled that minors who used Facebook are bound by the forum-selection clause contained in the website’s terms of service, to which they agreed when they signed up for Facebook. E.K.D. v. Facebook Inc., No. 11-461 (S.D. Ill. Mar. 8, 2012). The plaintiffs, a group of minors suing Facebook for improperly using their images in advertising, argued that because they were minors when they signed up, the forum-selection clause could not be enforced. The court rejected this argument, holding that under California contract law the minor plaintiffs could not void the forum-selection clause because they continued to use and benefit from Facebook after agreeing to the terms of service. The court further held that transferring the case to the Northern District of California would not unduly burden the plaintiffs and was permitted by 28 U.S.C. § 1404.

    Privacy/Cyber Risk & Data Security

  • First Circuit Upholds Dismissal of Claims Against Third-Party for Failure to Protect Personal Information

    Fintech

    On February 28, the U.S. Court of Appeals for the First Circuit upheld the dismissal of a putative class action brought against a securities clearing company for alleged failures to protect certain personal information. Katz v. Pershing, LLC, No. 11-1983, 2012 WL 612793 (1st Cir. Feb. 28, 2012). In this case, the plaintiff was the customer of a brokerage firm that used defendant Pershing LLC’s online clearing system, but the customer had no direct relationship with the defendant. The plaintiff alleged that Pershing had contractual and statutory obligations to encrypt and protect the personal information of brokerage firm customers. Specifically, the plaintiff alleged various contract claims, including one that Pershing’s failures constituted a breach of its contract with the brokerage. She also claimed that Pershing violated Massachusetts consumer protection laws. The First Circuit upheld the district court’s dismissal, holding that the agreement between the brokerage and the defendant clearing firm did not confer any benefits on the plaintiff, the brokerage’s customer. The court stated that the separate contractual agreements between the plaintiff and her brokerage on the one hand, and between the brokerage and the defendant clearing firm on the other, could not be mixed and matched. The court also held, with regard to claims that Pershing violated the state data protection law, that plaintiff’s claims of potential harm from unprotected data were purely theoretical and “simply do[] not rise to the level of a reasonably impending threat.” As such, plaintiff lacked standing to bring the statutory claims. Because the court found that the plaintiff lacked standing, it did not reach the issue of whether the Massachusetts data privacy law provides a private right of action.

    Class Action Privacy/Cyber Risk & Data Security

  • SEC and CFTC Propose Rules Regarding Detecting Identity Theft

    Fintech

    On February 28, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC, together with the SEC, the Commissions) jointly issued proposed rules that would require entities subject to the Commissions’ jurisdiction to address identity theft in two ways: (i) financial institutions and creditors would be required to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts, and (ii) credit and debit card issuers subject to the Commissions’ jurisdiction would be required to assess the validity of change-of-address notifications under certain circumstances. Section 1088 of the Dodd-Frank Act transferred authority over certain parts of the Fair Credit Reporting Act from the Federal Trade Commission to the Commissions for entities they regulate. The Commissions’ proposed rules are substantially similar to rules adopted in 2007 by the FTC and other federal financial regulatory agencies that previously were required to adopt such rules. The proposed rules set out the four elements that regulated entities would be required to include in their identity theft prevention programs: (i) identify relevant red flags, (ii) detect the occurrence of red flags, (iii) respond appropriately to the detected red flags, and (iv) periodically update the program to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft. The Commissions issued jointly proposed guidelines in an appendix to the proposed rules to assist regulated entities in formulating and maintaining a program that would satisfy the proposed rule requirements. The Commissions are accepting comments on the proposal through May 7, 2012.

    Dodd-Frank FCRA Privacy/Cyber Risk & Data Security

  • European Banking Authority Expresses Concerns Regarding New Financial Sector Domain Names

    Federal Issues

    On February 23, the European Banking Authority (EBA) released a letter it sent to the ICANN Board of Directors expressing concerns about ICANN’s June 2011 approval of a new program to allow additional generic top-level domains, including “.bank” and “.fin”. The new domain names are expected to be available for use later this year. As the European umbrella organization comprised of the heads of each member state’s consumer credit regulator, the EBA is broadly tasked with European consumer financial protection. From that standpoint, the letter and an attached comment document ask ICANN to halt the use of the new domain names because they have the potential to increase consumer fraud and decrease data security. Further, the new names may require financial institutions to implement costly and complex legal and commercial initiatives to protect their trademarks from fraud. The EBA does not believe that ICANN’s proposals to mitigate these concerns, including a proposed new registration system for the domain names, are sufficient.

    Privacy/Cyber Risk & Data Security
