
InfoBytes Blog

Financial Services Law Insights and Observations


  • California Attorney General Files Suit Over Untimely Data Breach Notice

    Privacy, Cyber Risk & Data Security

    On January 24, the California Attorney General (AG) sued a health care company over its alleged failure to timely submit notice of a 2011 data breach. According to the complaint, the company learned of the breach at the end of September 2011, completed a preliminary investigation in December 2011, and subsequently continued the investigation through mid-February 2012. The company allegedly did not begin mailing notice letters to affected individuals until mid-March. The complaint alleges the company failed to provide such notice in the most expedient time possible, which the AG alleges could have commenced in December 2011. The complaint also includes allegations regarding the actual breach at issue. The AG is seeking statutory penalties of $2500 per violation. Among other things, the suit demonstrates the AG’s inclination to take privacy and data security actions beyond the California Online Privacy Protection Act.

    State Attorney General Enforcement Privacy/Cyber Risk & Data Security

  • CFPB Issues Advisory Regarding Recent Retailer Data Breaches; Congressional Activity Increases

    Privacy, Cyber Risk & Data Security

    On January 28, the CFPB issued a consumer advisory in response to recent reports of data breaches at several large retailers. In addition to providing tips for consumers in the wake of a retail breach, the advisory encourages card holders to submit complaints about debit and credit card issuers’ inadequate responses to consumer charge disputes related to data breaches.

    The advisory is the first public response from the CFPB on data breach issues. It follows a request last month from Senator Chuck Schumer (D-NY), a member of the Senate Banking Committee, that the CFPB conduct an investigation of the data breach and issue a “full report on the findings of its investigation -- informing the public of how this breach occurred, how consumers can protect themselves from similar attacks, and any further recommendations the CFPB may have for retailers to minimize the occurrence of similar breaches.” Schumer also asked Director Cordray to “take a closer look at whether retailers systems should be required to transfer credit and debit card information as encrypted data. . . . The CFPB must ensure that necessary rules and standards for retailers are in place to validate consumers’ trust in the transaction process.”

    Numerous congressional committees share jurisdiction over data breach issues. The Senate Banking Committee will be among the first to act with a hearing scheduled for February 3, 2014 that will feature governmental witnesses, as well as the views of the retailer and banking industries.

    CFPB Consumer Complaints U.S. Senate Privacy/Cyber Risk & Data Security

  • FTC Actions Allege Violations Of International Safe Harbor Privacy Framework

    Privacy, Cyber Risk & Data Security

    On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • NIST Cybersecurity Framework Will Not Include Privacy Standards Appendix

    Privacy, Cyber Risk & Data Security

    On January 15, NIST updated the status of its efforts to finalize the voluntary Cybersecurity Framework directed by President Obama’s Executive Order 13636. According to the update, NIST expects to publish the final framework on February 13, 2014, but the initial final version will not include an appendix with specific privacy standards. Citing insufficient support from stakeholders, NIST instead will include an alternative methodology that it believes will better allow organizations to incorporate general privacy principles when implementing a cybersecurity program.

    Privacy/Cyber Risk & Data Security NIST

  • California Appeals Court Holds Injury Required For Standing Under State Shine The Light Law

    Privacy, Cyber Risk & Data Security

    Recently, the California Court of Appeals, Second District, held that a plaintiff must have suffered a statutory injury to have standing to pursue a cause of action under the state’s “Shine the Light Act” (SLA). Boorstein v. CBS Interactive, Inc., No. B247472, 2013 WL 6680796 (Cal. Ct. App. Dec. 19, 2013). The SLA requires businesses that collect California residents’ personal data and then share that data for marketing purposes to disclose or allow consumers to opt out of that sharing. Specifically, all businesses must make consumers aware of their SLA rights by (i) maintaining a disclosure on their website and providing contact information for consumers to make a request about information shared with direct marketers; (ii) requiring customer service agents to provide the contact information upon request; or (iii) making the contact information available at every place of business in the state. In recent years, consumers filed a series of class actions, including the instant case, alleging that companies failed to properly disclose their contact information on their websites. The class plaintiffs did not, however, allege that they had sought SLA disclosures or would have done so had contact information been available. Consistent with federal district courts that have considered these claims, the state appeals court here determined that a failure to timely, accurately, or completely respond to a disclosure request is a discrete event upon which a court could calculate a civil penalty for each violation, whereas a failure to post information on a website is a continuing event that cannot readily be quantified. The court held that such a continuing violation, without more, is not an actionable violation. The court rejected the plaintiff’s claim that he suffered an “informational injury” because he did not receive information to which he was statutorily entitled, and upheld the trial court’s holding that the alleged failure was merely a procedural injury insufficient to establish standing.

    Internet Commerce Privacy/Cyber Risk & Data Security

  • Italy's High Court Upholds Acquittal of Google Executives In Video Privacy Case

    Privacy, Cyber Risk & Data Security

    On December 17, Italy’s highest court, the Italian Supreme Court of Cassation, issued a landmark ruling upholding the acquittal of three Google senior executives by the Milan Court of Appeals. Initially, an Italian trial court convicted the executives of criminal violations of Italy’s privacy laws for allegedly allowing a controversial video to be uploaded to the precursor to YouTube by a user of the service without first screening the video. The Milan Court of Appeals rejected prosecutors’ contention that the company should be responsible for prescreening user-provided content, and agreed with the executives that requiring prescreening for such content would not only infringe on users’ freedom of expression, but would undermine websites’ functionality. The Court of Cassation will issue a written statement of its reasoning early next year. BuckleySandler attorneys Samuel Buffone and Ann Wiles represented two of the three Google executives.

    Privacy/Cyber Risk & Data Security

  • Seventh Circuit Holds TCPA Does Not Preempt State Law Banning Robocalls

    Privacy, Cyber Risk & Data Security

    On November 21, the U.S. Court of Appeals for the Seventh Circuit held that the federal Telephone Consumer Protection Act (TCPA) does not preempt an Indiana statute that bans most robocalls without exempting calls that are not made for a commercial purpose. Patriotic Veterans, Inc. v. State of Indiana, No. 11-3265, 2013 WL 6114836 (7th Cir. Nov. 21, 2013). A not-for-profit Illinois corporation seeking to use automatically dialed interstate phone calls to deliver political messages to Indiana residents sought a declaration that the Indiana Automated Dialing Machine Statute (IADMS) violates the First Amendment, at least as it applies to political messages, and also is preempted by the TCPA, which expressly exempts non-commercial calls such as political calls from the TCPA’s regulation of autodialers. Overturning the district court’s decision, the Seventh Circuit found that the Indiana statute is not expressly preempted by the TCPA because the plain language of the TCPA’s savings clause states that the federal law does not preempt any state law that prohibits the use of automatic telephone dialing systems and, even if the IADMS is considered a regulation of, rather than a prohibition on, the use of autodialers, the savings clause does not at all address state laws that impose interstate regulations on their use. The court further found that the IADMS is not impliedly preempted by the TCPA because it is possible to comply with the state statute without violating the TCPA, the state statute furthers the TCPA’s purpose of protecting the privacy interests of residential telephone subscribers, and Congress did not intend to create field preemption when it enacted the TCPA. The court, however, remanded the case to the district court to consider whether the statute violates the First Amendment.

    TCPA Privacy/Cyber Risk & Data Security Appellate Seventh Circuit Autodialer

  • FTC To Host Consumer Privacy Seminars

    Privacy, Cyber Risk & Data Security

    On December 2, the FTC announced a series of seminars to be held in 2014 dedicated to the privacy implications of: (i) mobile device tracking—tracking consumers in retail and other businesses using signals from their mobile devices; (ii) alternative scoring products—using predictive scoring to determine consumers’ access to products and offers; and (iii) consumer-generated and controlled health data—information provided by consumers to non-HIPAA covered websites, health applications, and devices. The first two topics will be examined in forums held in Washington, DC on February 19, 2014 and March 19, 2014, respectively. Details for the third event have not been finalized.

    FTC Privacy/Cyber Risk & Data Security

  • Payment Card Group Refines Data Security Standards

    Privacy, Cyber Risk & Data Security

    On November 7, the PCI Security Standards Council (PCI SSC), an organization that develops standards for payment card security, released updated data security standards. One standard applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. The other standard applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. PCI SSC updates the standards every three years. This most recent update includes, among other things, requirements that payment card processors: (i) evaluate evolving malware threats for any systems not considered to be commonly affected; (ii) control physical access to sensitive areas for onsite personnel, including a process to authorize access and to revoke access immediately upon termination; (iii) protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution; (iv) implement a methodology for penetration testing; (v) implement a process to respond to any alerts generated by the change-detection mechanism; and (vi) maintain information about which security requirements are managed by each service provider and which are managed by the entity.

    Payment Systems Privacy/Cyber Risk & Data Security

  • Senate Commerce Committee Continues Data Broker Inquiries

    Privacy, Cyber Risk & Data Security

    Recently, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) continued his committee’s examination of the way data brokers collect and share personal information. The Senator sent a letter to one data broker seeking additional information about the broker’s customer vetting practices and how it shares consumer information with those customers. As the basis for the letter, Senator Rockefeller cited news reports alleging that a company acquired in March 2012 by the data broker receiving the letter had sold data to an identity theft scheme. At least one report suggested that the alleged activity continued after the broker conducted its due diligence and completed the acquisition. The Senator’s letter also poses follow-up questions based on the broker’s response to the Senator’s original October 2012 request to numerous data brokers, which the Senator expanded to include other industry participants in September 2013.

    Consumer Reporting U.S. Senate Privacy/Cyber Risk & Data Security
