InfoBytes Blog

Financial Services Law Insights and Observations

  • New York Investigates Insurance Companies' Cyber Security

    Fintech

    On May 28, New York Governor Andrew Cuomo announced an inquiry into the measures employed by insurance companies to protect their customers and the companies themselves from cyber threats. The state’s Department of Financial Services sent letters to 31 insurers seeking an array of information, including information about (i) any cyber attacks the company has been subject to in the past three years; (ii) the cyber security safeguards the company has put in place; (iii) the company’s information technology management policies; (iv) the amount of funds and other resources dedicated to cyber security at the company; and (v) the company’s governance and internal control policies related to cyber security. The governor explained that the state is already focused on ensuring that banks have appropriate protections in place, but that insurers should also be scrutinized because the “extraordinarily sensitive health, personal, and financial information that New Yorkers entrust to their insurance companies is a virtual treasure trove for hackers.”

    Privacy/Cyber Risk & Data Security

  • FTC Releases Agenda for Mobile Security Forum

    Fintech

    On May 24, the FTC released the agenda for its June 4, 2013 forum on mobile security issues. The forum will address mobile malware, how it spreads, its impact on U.S. consumers, and the role of mobile platforms and others in the mobile ecosystem – from chipmakers to app developers – in securing mobile devices and data.

    FTC, Privacy/Cyber Risk & Data Security

  • Digital Advertising Group Revises Code of Conduct for Interest-Based Advertising

    Fintech

    On May 16, the Network Advertising Initiative (NAI), a self-regulatory body governing over 90 third-party digital advertising companies, released a revised Code of Conduct designed to (i) ensure that NAI member companies continue to implement, honor, and maintain strong standards with respect to the collection and use of data for online advertising, (ii) adapt the code to accommodate all companies in the advertising technology field, and (iii) incorporate changes in the regulatory and self-regulatory landscape, including principles of the FTC's Self-Regulatory Principles for Online Behavioral Advertising, the FTC's final privacy report, and the White House privacy report.

    FTC, Privacy/Cyber Risk & Data Security

  • FTC Sends COPPA Update Educational Letters

    Fintech

    On May 15, the FTC announced that it sent letters to businesses to help them comply with new requirements under the revised Children’s Online Privacy Protection Act (COPPA) rule. The letters went to 90 businesses whose online services or mobile applications appear to collect personal information from children under 13, as defined by the revised rule. The letters differ depending on whether the business is domestic or foreign, and whether the business collects images or sounds of children, or collects persistent identifiers.

    Mobile Commerce, Privacy/Cyber Risk & Data Security

  • Court Dismisses California AG's First Suit Against Mobile Application Provider Under Online Privacy Protection Act

    State Issues

    On May 9, the Superior Court of California dismissed California Attorney General Kamala Harris’ first suit against a company for allegedly failing to comply with the state’s Online Privacy Protection Act. California v. Delta Air Lines Inc., No. 12-526741, Order (Cal. Sup. Ct. May 9, 2013). The state alleged that since at least 2010, Delta Air Lines had operated a mobile application that allows customers to, for example, check in online for a flight, view air travel reservations, or rebook cancelled or missed flights. The AG claimed that the Delta application collects substantial personally identifiable information without providing a privacy policy. The suit sought an injunction and penalties of up to $2,500 for each violation. Reportedly, the court determined that the suit was preempted by the federal Airline Deregulation Act, which prohibits states from regulating certain airline functions, including, according to Delta and the court, the mobile application at issue in this case. The suit against Delta was filed after the AG sent letters to Delta and numerous other mobile application developers and providers advising those entities of their alleged noncompliance with state privacy law, and forms part of a broader enforcement effort by the AG with regard to online and mobile privacy.

    Mobile Commerce, Privacy/Cyber Risk & Data Security

  • State Attorneys General Look Into Recent Data Breach Incident

    State Issues

    On May 1, the Connecticut Attorney General, George Jepsen, and the Maryland Attorney General and NAAG President, Douglas Gansler, sent a letter to representatives of a “daily deals” website that recently disclosed a data security incident, seeking additional information about the event. The company publicly reported the incident and stated that no financial information was obtained by the hackers. Nevertheless, the AGs presented numerous information requests, including requests for (i) a detailed timeline of the incident, (ii) the number of individuals affected in each state, (iii) the categories and types of compromised information, (iv) a description of how the company determined that no financial information was compromised, and (v) information about how the company stores, connects, protects, and monitors the various customer data in its possession. Although those experiencing a security breach are often required under state laws to provide this type of information to a state AG, the public release of an AG information request and the joint issuance of a request by multiple state AGs have been less common.

    State Attorney General, Privacy/Cyber Risk & Data Security

  • FTC Approves Order Settling Data Breach Charges

    Federal Issues

    On May 3, the FTC approved a final order settling charges against a California-based cord blood bank firm alleged to have violated the FTC Act by failing to use reasonable and appropriate procedures for handling customers’ personal information, despite its privacy policy claims to the contrary. Further, the FTC alleged that the firm created unnecessary risks to personal information by transporting portable data storage devices containing personal information in a manner that made the information vulnerable to theft, and failed to prevent, detect, and investigate unauthorized access to its computer networks. According to the FTC, these practices resulted in a data breach in which certain portable devices were stolen from an employee’s personal vehicle and the personal information of nearly 300,000 customers was compromised. The settlement requires the company to establish a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years, and prohibits the company from misrepresenting the privacy and security of information collected from consumers.

    FTC, Privacy/Cyber Risk & Data Security

  • FTC Sharpens Focus on Data Brokers

    Federal Issues

    On May 7, the FTC released letters it sent to 10 data brokers warning that certain of the brokers’ practices could violate FCRA privacy protections. The announcement states that data broker companies that collect, distribute, or sell information about consumers’ creditworthiness, eligibility for insurance, or suitability for employment are subject to FCRA and, as such, have an obligation to reasonably verify the identities of their customers and make sure that customers have a legitimate purpose for receiving consumer information. The letters were issued following an FTC “test-shopping” operation conducted as part of an international privacy practice transparency sweep by the Global Privacy Enforcement Network. The operation and subsequent warning letters are the latest move by the FTC to address data broker compliance with FCRA. Last year, the FTC ordered certain data brokers to produce information about their collection and use of consumer data and announced at least one settlement with a data broker regarding FCRA compliance. However, the letters do not constitute official notice that the companies are subject to FCRA, nor do they act as formal complaints; rather, they “remind” the companies to review their practices to determine whether they are consumer reporting agencies subject to FCRA.

    FTC, FCRA, Privacy/Cyber Risk & Data Security

  • California Federal Court Holds Online Purchase Transactions for Shipped Merchandise Not Covered by Song-Beverly Credit Card Act

    Fintech

    On April 30, the U.S. District Court for the Central District of California held that Section 1747.08 of the Song-Beverly Credit Card Act, which prohibits retailers from requiring personal information as a condition of completing credit card transactions, does not apply to online purchase transactions in which the merchandise is shipped or delivered to the customer. Ambers v. Buy.com, No. 13-196, slip op. (C.D. Cal. Apr. 30, 2013). The ruling extends a recent holding by the California Supreme Court in Apple Inc. v. Sup. Ct. Los Angeles, which held that the Song-Beverly provisions do not apply when the item purchased is downloaded via the Internet. In this case, the customer, on behalf of a putative class whose claims could total $500 million, claimed that Apple created a standard under which the Song-Beverly protections apply whenever the retailer has “some mechanism” to verify the customer’s identity. The plaintiff argued that the retailer’s request, as part of the purchase transaction, for a phone number in addition to the shipping address violated the statutory privacy protection. The court reasoned that, as explained in Apple, the state legislature intended to allow retailers to verify that a person making a card purchase is authorized to do so, and stated that the shipping address alone would not work as an anti-fraud mechanism because a person who buys merchandise online may direct shipments to addresses unrelated to the credit card billing address. As such, the court held that the Song-Beverly privacy protection does not apply to online purchases where the merchandise is shipped or delivered, and granted the retailer’s motion to dismiss.

    Credit Cards, Song-Beverly Credit Card Act, Privacy/Cyber Risk & Data Security

  • CFPB, FTC Announce Roundtable on Data Integrity in Debt Collection

    Fintech

    On May 1, the FTC and the CFPB announced a roundtable to “examine the flow of consumer data throughout the debt collection process” and discuss (i) the amount of documentation and other information currently available to different types of collectors and at different points in the debt collection process, (ii) the information needed to verify and substantiate debts, (iii) the costs and benefits of providing consumers with additional disclosures about their debts and debt-related rights, and (iv) information issues relating to pleading and judgment in debt collection litigation. The event will be held on June 6, 2013, in Washington, DC, and is open to the public.

    CFPB, FTC, Debt Collection, Data Collection / Aggregation, Privacy/Cyber Risk & Data Security
