
InfoBytes Blog

Financial Services Law Insights and Observations


  • Fourth Circuit Holds TCPA Disclosure Requirements Constitutional

    Consumer Finance

    On August 28, the U.S. Court of Appeals for the Fourth Circuit published an opinion, previously under seal, in which it held that provisions of the Telephone Consumer Protection Act (TCPA) requiring all automated telephone messages to disclose the entity initiating the call and its telephone number are constitutional. State of Maryland v. Universal Elections, Inc., No. 12-1791 (4th Cir. July 29, 2013). In affirming the district court’s judgment, the court identified three important government interests served by the disclosure requirements: (i) protecting residential privacy, by providing call recipients the information needed to stop future calls; (ii) promoting disclosure to avoid misleading recipients of recorded calls, by enabling call recipients to better evaluate the veracity of such messages; and (iii) promoting effective law enforcement by assisting the government in detecting violations.

    TCPA Privacy/Cyber Risk & Data Security

  • Illinois Criminalizes Electronic Vehicle Tracking With Limited Exceptions

    State Issues

    Recently, Illinois enacted HB 1199, which makes it illegal for any person or entity in Illinois to use an electronic vehicle tracking device to determine the location or movement of a person. The law provides an exception for “telematics” services that were installed by a vehicle manufacturer, or installed by or with the consent of the owner or lessee of the vehicle and to which the owner or lessee has subscribed. Telematics include, but are not limited to, automatic airbag deployment and crash notification, remote diagnostics, navigation, stolen vehicle location, remote door unlock, transmitting emergency and vehicle location information to public safety answering points, and any other service integrating vehicle location technology and wireless communications. The bill takes effect on January 1, 2014.

    Privacy/Cyber Risk & Data Security

  • Banking Trade Group Objects To CFPB Consumer Complaint Data Collection

    Consumer Finance

    Last week, the American Bankers Association submitted a letter in response to the CFPB’s notice and request for comment on certain information collection activities, namely its request for a generic clearance covering its consumer complaint and information collection system. The letter opposes the CFPB’s clearance request, maintaining that such action by the CFPB would present substantive and policy issues that “mandate a level of public engagement and accountability not available pursuant to a generic clearance process.” The comment period closed on August 26, 2013.

    CFPB Privacy/Cyber Risk & Data Security

  • White House Outlines Potential Cybersecurity Incentives

    Fintech

    On August 6, the White House released proposed incentives to drive participation in the cybersecurity program framework under development by the National Institute of Standards and Technology. Both the framework and the incentives were directed by an Executive Order (EO) issued earlier this year by President Obama. The administration notes that while some of the proposed incentives can be adopted soon after the voluntary framework is established, others will require legislative action. The policy options under consideration include, among others, (i) encouraging cybersecurity insurance, (ii) offering critical infrastructure grants, (iii) limiting liability of participating companies, (iv) streamlining regulations, and (v) providing public recognition.

    Privacy/Cyber Risk & Data Security NIST

  • Federal Privacy Stakeholder Meeting Addresses Mobile Application Transparency

    Fintech

    Recently, the multi-stakeholder process established in connection with the White House’s February 2012 privacy report met to discuss mobile application transparency, including a voluntary code of conduct for mobile application developers. The code covers mobile application short form notices intended to provide consumers enhanced transparency about data collection and sharing practices. Application developers that choose to adopt the voluntary code would employ short form notices that describe (i) the collection of certain types of data – including biometrics, browser history, phone or text log, financial information, location, and more – whether or not consumers know that it is being collected, (ii) a means of accessing a long form privacy policy, if any exists, (iii) the sharing of user-specific data, if any, with certain third parties – e.g., consumer data resellers, data analytics providers, ad networks, and government entities, and (iv) the identity of the entity providing the application. In addition to being voluntary, the code exempts common application collection and sharing activities for operational purposes.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • DOJ Announces Five Indictments in Largest Known Data Breach Case

    Fintech

    On July 25, the DOJ announced the indictment of five individuals accused of conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses. The DOJ believes the defendants and others conspired to use a “SQL injection attack” to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world. Once started, the attacks could last months while the defendants worked to steal user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders, and subsequently sell the data to end-users who used the data to make fraudulent ATM withdrawals or credit card purchases. The DOJ’s action was based on the findings of an extensive Secret Service investigation.

    DOJ Privacy/Cyber Risk & Data Security

  • Ninth Circuit Holds FAA Preempts Montana's Public Policy Against Enforcing Contracts of Adhesion

    Fintech

    On July 15, the U.S. Court of Appeals for the Ninth Circuit held that the Federal Arbitration Act (FAA) preempts Montana’s public policy invalidating adhesive agreements running contrary to the reasonable expectations of a party. Mortensen v. Bresnan Comms. LLC, No. 11-35823, 2013 WL 3491415 (9th Cir. Jul. 15, 2013). In this case, the plaintiffs filed a putative class action against an internet service provider (ISP) that participated in a trial program in which the ISP’s customers’ personal information allegedly was passed on to an advertising company in violation of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and state privacy and property laws. The ISP moved to compel arbitration, arguing that the welcome kits its service technicians delivered included mandatory arbitration provisions that required application of New York law to any disputes. The court vacated a trial court’s order declining to enforce arbitration, holding that AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740 (2011), requires that the FAA preempt Montana’s reasonable expectations/fundamental rights rule, despite the state’s interest in protecting its consumers from unfair agreements, because that rule has a disproportionate impact on arbitration agreements. As a result, the court also held that the district court erred in not applying New York law because a state’s preempted public policy was an impermissible basis on which to reject the parties’ choice-of-law selection. The court vacated the district court’s order declining to enforce the arbitration clause and choice-of-law clause and remanded with instructions to apply New York law to the arbitration agreement.

    Arbitration U.S. Supreme Court Privacy/Cyber Risk & Data Security

  • NIST Releases Draft Outline of Cybersecurity Framework

    Fintech

    On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.

    Privacy/Cyber Risk & Data Security NIST

  • California AG Releases Data Breach Report, Proposes Data Security Policy Changes

    Fintech

    On July 1, California Attorney General Kamala Harris (AG) released a report analyzing data breaches reported to her office in 2012, the first year companies were required to report to the AG any breach involving more than 500 state residents. The report identifies 131 data breach incidents that put the personal information of 2.5 million individuals at risk. The AG noted that the report is not required by the law, but provides support for the AG’s recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those policy recommendations focus on (i) data encryption, (ii) information security, (iii) notice letters, and (iv) the definition of personal information.

    Specifically, the AG claimed that the information for 1.4 million Californians would have been protected if companies had encrypted data, and urged companies to encrypt digital personal information when moving or sending it out of their secure network. The AG pledged to prioritize enforcement investigations of breaches involving unencrypted personal information. The AG’s report notes that a large percentage of breaches surveyed resulted from the failure of information security controls and references requirements under state law to protect the personal information of California residents.

    The AG also stated that companies should make their data breach notices to consumers easier to read, and that the state legislature should consider expanding breach notice requirements to cover breaches involving passwords. The AG highlighted a pending bill, SB 46, that would revise the notice requirement’s definition of personal information to require reporting of breaches involving information that would permit access to an online account: a user name or email address, in combination with a password or security question and answer. That bill has already passed the state Senate and was approved by the Assembly’s Judiciary Committee. It is scheduled to be considered by the Assembly’s Appropriations Committee on July 3, 2013.

    State Attorney General Privacy/Cyber Risk & Data Security

  • NIST Issues Mobile Device Security Guidelines

    Fintech

    On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smart phones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.

    Mobile Commerce NIST Privacy/Cyber Risk & Data Security
