
InfoBytes Blog

Financial Services Law Insights and Observations


  • South Carolina Supreme Court Holds Web-Based Emails Not Protected Under The Stored Communications Act

    Courts

    On October 10, the South Carolina Supreme Court held that emails opened and retained by the recipient in a web-based email system are not protected under the Stored Communications Act (SCA), because they are not stored for purposes of backup protection. Jennings v. Jennings, No. 27177, 2012 WL 4808545 (S.C. Oct. 10, 2012). The plaintiff sued an individual who gained unauthorized access to the plaintiff’s web-based email account, alleging, among other things, that the intruder violated the SCA. The SCA proscribes unauthorized access to an electronic communication while it is in “electronic storage,” which in relevant part means storage by an electronic communication service for purposes of backup protection. The state supreme court noted that the plaintiff had opened the emails and retained them on the provider’s servers, but had not made any other copy of them. The court held that such emails therefore were not in “electronic storage” for purposes of “backup” protection, reasoning that the plain meaning of “backup” does not apply to the single existing copy of a communication, i.e., web-based emails that were never downloaded to a computer or stored elsewhere.

    Privacy/Cyber Risk & Data Security

  • FTC Announces Two Privacy Events

    Fintech

    On October 15, the FTC announced that it will host a workshop to examine the practices and privacy implications of comprehensive collection of consumers' online activities. On December 6, 2012, consumer protection organizations, academics, business and industry representatives, privacy professionals, and other stakeholders will review Internet data collection methods, identify the companies currently capable of comprehensive Internet data collection, consider what new legal protections are needed, and explore related topics. The workshop is one step the FTC promised to pursue in a March 2012 report that urged companies to implement certain consumer privacy protections. On October 17, the FTC announced an upcoming forum on using enforceable industry codes of conduct to protect consumers in cross-border commerce. The forum will focus on the use of systems like the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system, created earlier this year, to protect information that moves between countries with different privacy rules. The forum will bring together government officials, academics, industry members, and consumer groups to discuss the increasing use of such codes.

    FTC Privacy/Cyber Risk & Data Security

  • Federal District Court Allows Data Breach Class Action to Proceed Based On Risk Of Future Harm

    Fintech

    On October 11, the U.S. District Court for the Southern District of California held that the plaintiffs in a consolidated data breach class action have pleaded sufficient harm to satisfy Article III's injury-in-fact requirement despite not having suffered any actual harm to date. In re Sony Gaming Networks & Customer Data Security Breach Litig., No. 11-md-2258, 2012 WL 4849054 (S.D. Cal. Oct. 11, 2012). The plaintiffs allege on behalf of a putative class that Sony Computer Entertainment America and a group of related entities (collectively, Sony) failed to implement industry-standard practices to protect customers' personal information. The plaintiffs claim that as a result of Sony's failings they suffered an increased risk of future harm following a criminal theft of personal information from Sony's PlayStation network. The defendants moved to dismiss the plaintiffs' numerous claims, including on the ground that the plaintiffs have suffered no real injury and therefore lack standing to pursue the case. The court agreed with the plaintiffs that their claims are analogous to those sustained by the Ninth Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). As in Krottner, the court held that although none of the plaintiffs has suffered an actual loss, the increased threat of future injury is sufficient for standing, and that the plaintiffs sufficiently allege that the increased risk is causally connected to Sony's actions. However, the court held that the plaintiffs' allegations do not show the cognizable injury necessary to sustain a claim of negligence under California law. The court dismissed the negligence claim and certain others with leave to amend, and dismissed certain other claims with prejudice.

    Privacy/Cyber Risk & Data Security

  • GAO Urges Federal Actions to Protect Mobile Device Users' Privacy

    Fintech

    On October 11, the GAO released a report on its examination of how the mobile industry collects location data and the resulting impact on consumers. According to the report, privacy advocates expressed concern that consumers are generally unaware of how location data is used by third parties, and that consumers could face an increased risk of surveillance by law enforcement, identity theft, and threats to personal safety. The GAO examined how companies have applied practices recommended by industry associations and privacy advocates to protect consumers' privacy when using mobile location data. The report also reviews actions taken by federal agencies to provide consumer education and develop industry codes of conduct. The GAO recommends, among other things, that NTIA work with stakeholders to develop industry codes of conduct and that the FTC consider issuing guidance on the actions mobile companies should take to protect location data privacy.

    FTC Mobile Commerce Privacy/Cyber Risk & Data Security

  • FTC Settles Charges Related to Sale and Use of Consumer Mortgage Payment Data

    Consumer Finance

    On October 10, the FTC announced that a major consumer reporting agency (CRA) agreed to settle charges that it improperly sold lists of consumers who were late on their mortgage payments. The CRA will pay $393,000 to resolve allegations that it violated the FTC Act by failing to implement procedures to prevent the sale of lists of consumer information to firms that should not have received them. In a separate but related case, which the DOJ pursued under a referral from the FTC, a data reseller and its affiliates settled charges that the companies violated the FTC Act and FCRA by (i) obtaining prescreened lists without having a permissible purpose, (ii) reselling the reports without disclosing to the consumer reporting agency that provided them who the end users would be, (iii) failing to maintain reasonable procedures to ensure that prospective users had a permissible purpose to get them, (iv) to the extent that firm offers of credit were made, failing to maintain a record of the criteria used to select consumers for these offers, and (v) failing to control access to sensitive consumer financial information. The resellers agreed to pay a $1.2 million civil penalty and will be barred from using or selling prescreened lists without a permissible purpose, or in connection with solicitations for debt relief or mortgage assistance relief products or services.

    FTC FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

  • Eleventh Circuit Holds Monetary Damages Caused by Identity Theft Present a Cognizable Injury

    Fintech

    Recently, the U.S. Court of Appeals for the Eleventh Circuit, in a case of first impression, held that the named plaintiffs in a putative class action could pursue their claims for monetary loss against a health care company that allegedly failed to protect their personal information. Resnick v. AvMed Inc., No. 11-13694, 2012 WL 3833035 (11th Cir. Sep. 25, 2012). The plaintiffs allege that they became victims of identity theft several months after laptops containing their sensitive personal information were stolen from the company’s offices. The plaintiffs sued the health care company, alleging negligence, negligence per se under Florida law, breach of contract, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty. The district court dismissed all claims, holding that the complaint failed to state a cognizable injury. On appeal, the court of appeals reversed the district court on the majority of the claims. It held that because the complaint alleges financial injury, and because monetary loss is cognizable under Florida law, the plaintiffs have alleged a cognizable injury. The court found that the plaintiffs “have shown a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence” because the plaintiffs pleaded that they were careful in protecting their identities and had never before been victims of identity theft. Finding that causation was sufficiently pleaded, the court of appeals reversed the district court with regard to the counts of negligence, breach of contract, and breach of fiduciary duty. The court affirmed dismissal of the claims of negligence per se and breach of the implied covenant of good faith and fair dealing, because failure to comply with the relevant state statute cannot serve as a basis for negligence per se, and because the health care company’s actions were not shown to be conscious and deliberate, as required to support a claim of breach of the implied covenant. Finally, the court held that the plaintiffs alleged sufficient facts to sustain a claim for unjust enrichment because they claim to have paid monthly premiums to the company, a portion of which was to fund data security, while alleging that the company failed to implement sufficient data management and security measures. The case was remanded for further proceedings.

    Privacy/Cyber Risk & Data Security

  • NIST Finalizes Information Security Risk Assessment Guidelines

    Fintech

    On September 18, the National Institute of Standards and Technology released the final version of its risk assessment guidelines, Special Publication 800-30, Revision 1, which are designed to advise all types of government and private organizations—including financial institutions—on assessing information security risk to their information technology infrastructure. The Guide for Conducting Risk Assessments provides guidance on identifying (i) threats, (ii) vulnerabilities, (iii) impact to missions and business operations, and (iv) the likelihood that a threat will exploit a vulnerability in an information system or its physical environment to cause harm or other adverse consequences.

    NIST Privacy/Cyber Risk & Data Security

  • FBI Warns Financial Institutions About New Cyber Threats

    Fintech

    On September 17, the FBI, together with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), issued a fraud alert advising financial institutions of a new trend in which cyber criminals steal financial institution employee credentials and use them to conduct wire fraud. The alert identifies spam and phishing emails as the primary method by which outsiders have obtained employee credentials, and notes that small and medium-sized banks and credit unions have been the most targeted institutions to date. The fraudsters also have stolen administrative credentials to third-party services and used those credentials to circumvent financial institutions’ authentication methods. Once obtained, the credentials have been used to initiate unauthorized wire transactions. The alert notes that in some instances the unauthorized transactions were preceded by a denial of service attack against the institution’s public website, which may have served as cover for the illicit activity by distracting the personnel responsible for detecting unauthorized transactions.
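    The pattern in the alert (a flood against the public website timed to cover wires submitted with stolen employee credentials) points to one practical control: treat the DoS as a signal to raise scrutiny of wire activity, rather than only as an availability incident. The Python below is an added example and is not code from this post or from the FBI/FS-ISAC/IC3 alert; the log formats, the 10x-baseline threshold, the 30-minute cooldown, the employee profiles and every sample record are constructed for illustration. It marks a wire as suspect when it is submitted inside (or shortly after) a DoS window and departs from the initiating employee's usual source address or beneficiaries.

```python
"""Correlate a DoS against the public website with out-of-pattern wire activity.

Added example; not part of the InfoBytes post or of the FBI/FS-ISAC/IC3 alert.
The log formats, thresholds and all sample records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DosWindow:
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Flag:
    when: datetime
    employee: str
    amount: float
    reasons: tuple[str, ...]


def dos_windows(rate_log, baseline_rps, factor=10.0, cooldown=timedelta(minutes=30)):
    """rate_log lines: 'ISO-timestamp,requests_per_second' (constructed format).
    Returns merged windows in which the request rate is at least factor x the
    baseline, each extended by `cooldown` so that a wire submitted just after
    the flood subsides is still treated as suspect."""
    windows: list[DosWindow] = []
    for line in rate_log:
        ts_s, rps_s = line.strip().split(",")
        ts = datetime.fromisoformat(ts_s)
        if float(rps_s) < factor * baseline_rps:
            continue
        end = ts + cooldown
        if windows and ts <= windows[-1].end:
            # Still inside the previous window: extend it instead of opening a new one.
            windows[-1] = DosWindow(windows[-1].start, max(windows[-1].end, end))
        else:
            windows.append(DosWindow(ts, end))
    return windows


def flag_transfers(wire_log, windows, profiles):
    """wire_log lines: 'ISO-timestamp,employee,src_ip,beneficiary,amount'
    (constructed format). `profiles` maps employee -> (usual_ips, usual_beneficiaries).
    A wire is flagged when it falls inside a DoS window AND departs from the
    initiating employee's profile: phished credentials are typically replayed
    from the attacker's address and sent to a payee the employee has never used.
    In-window wires that match the profile are left alone to limit noise."""
    flags: list[Flag] = []
    for line in wire_log:
        ts_s, employee, src_ip, beneficiary, amount_s = line.strip().split(",")
        ts = datetime.fromisoformat(ts_s)
        if not any(w.start <= ts <= w.end for w in windows):
            continue
        usual_ips, usual_beneficiaries = profiles.get(employee, (set(), set()))
        reasons = []
        if src_ip not in usual_ips:
            reasons.append("unknown_source_ip")
        if beneficiary not in usual_beneficiaries:
            reasons.append("new_beneficiary")
        if reasons:
            flags.append(Flag(ts, employee, float(amount_s), tuple(reasons)))
    return flags


# Constructed sample data: a 5 rps baseline with a flood from 09:03 to 09:06.
RATE_LOG = [
    "2012-09-17T09:00:00,5", "2012-09-17T09:01:00,6", "2012-09-17T09:02:00,4",
    "2012-09-17T09:03:00,800", "2012-09-17T09:04:00,950", "2012-09-17T09:05:00,900",
    "2012-09-17T09:06:00,700", "2012-09-17T09:07:00,7", "2012-09-17T09:08:00,5",
]
WIRE_LOG = [
    "2012-09-17T08:45:00,alice,10.1.1.20,ACME Supply,12000.00",    # before the flood
    "2012-09-17T09:04:30,alice,203.0.113.7,Novus Ltd,248000.00",   # during: new IP and payee
    "2012-09-17T09:05:10,bob,10.1.1.31,Payroll Corp,56000.00",     # during, but in profile
    "2012-09-17T09:20:00,alice,203.0.113.7,ACME Supply,99000.00",  # after flood, in cooldown
]
PROFILES = {
    "alice": ({"10.1.1.20"}, {"ACME Supply"}),
    "bob": ({"10.1.1.31"}, {"Payroll Corp"}),
}


def run():
    """Return (dos_windows, flagged wires) for the constructed sample data."""
    windows = dos_windows(RATE_LOG, baseline_rps=5)
    return windows, flag_transfers(WIRE_LOG, windows, PROFILES)


if __name__ == "__main__":
    for f in run()[1]:
        print(f.when.isoformat(), f.employee, f.amount, ",".join(f.reasons))
```

    On the sample data the flood opens a single window (09:03 to 09:36 once the cooldown is applied), and two of alice's wires are flagged: the one submitted mid-flood from an unfamiliar address to a new payee, and the one submitted after the flood from the same unfamiliar address. Bob's in-window wire matches his profile and is not flagged. In a real deployment the profile would come from historical wire records and the request-rate feed from the web tier, and a flag would route the wire for callback verification rather than block it outright.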

    Privacy/Cyber Risk & Data Security

  • House Members Introduce Mobile Device Privacy Legislation

    Fintech

    On September 12, Representatives Edward Markey (D-MA) and Diana DeGette (D-CO) unveiled new legislation to establish consumer privacy protections for mobile applications. The Mobile Device Privacy Act (H.R. 6377) would direct the FTC to promulgate regulations requiring upfront disclosure of (i) the existence of any monitoring software on a device, (ii) the types of information that could be collected, (iii) the identity of those with access to the collected information, and (iv) the expected use of the information. Prior consumer consent to the collection of information, and procedures enabling consenting device owners to stop such collection, would also be required. In addition, the bill would mandate information security practices for information collected from mobile device users and establish an enforcement regime involving the FTC and the FCC, as well as state attorneys general and private suits.

    Privacy/Cyber Risk & Data Security

  • Federal Court Dismisses Consumer Privacy Action Brought Under California's Shine the Light Act

    Fintech

    On August 24, the U.S. District Court for the Northern District of California dismissed a putative class action alleging that Time magazine failed to establish procedures to comply with California’s Shine the Light Act (SLA). Murray v. Time, Inc., No. 12-00431, 2012 WL 3634387 (N.D. Cal. Aug. 24, 2012). The SLA requires businesses to disclose to California consumers, upon request, what personal information they have shared with third-party direct marketers. Alternatively, a business can adopt a policy of not sharing consumer information without first obtaining consumer consent. All covered businesses must make consumers aware of their SLA rights by (i) maintaining a disclosure on their website with contact information for consumers to request information about data shared with direct marketers, (ii) requiring customer service agents to provide the contact information upon request, or (iii) making the contact information available at every place of business in the state. The named plaintiff contended that, by the nature of its business, Time could provide the required information only on its website, and that it failed to do so. The court dismissed the case, holding that the named plaintiff suffered no economic or informational injury and therefore lacked standing to pursue his claims. The court held that the plaintiff’s general allegations about the “inherent monetary value” of consumer data were presented without any facts regarding the value of his specific personal information and therefore could not establish economic injury. With regard to informational injury, the court explained that the plaintiff did not claim he was deprived of any information in response to a request, but rather that he was deprived of the ability to make the request. Such a procedural violation of the SLA, the court held, does not equate to informational injury. The court allowed the plaintiff to re-plead additional facts in support of his claim, but he may not add other plaintiffs or defendants.

    Privacy/Cyber Risk & Data Security
