
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC settles with mortgage analytics company

    Federal Issues

    On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and to ensure that third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information, in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule. As previously covered by InfoBytes, in December 2020, the FTC alleged that a vendor hired by the defendant stored the unencrypted contents of mortgage documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was improperly accessed approximately 52 times. The FTC claimed, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of its vendors.

    The settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.

    FTC Commissioner Rebecca Kelly Slaughter provided a lone dissenting statement.

    Federal Issues FTC Enforcement Settlement Mortgages Gramm-Leach-Bliley Safeguards Rule Privacy/Cyber Risk & Data Security Third-Party Vendor Management Data Breach

  • 6th Circuit affirms decision compelling arbitration in data breach case

    Courts

    On December 2, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s decision dismissing a nationwide putative class action against an e-commerce provider, holding that challenges raised to the validity of an agreement to arbitrate were for the arbitrator to decide, not the court. According to the opinion, the plaintiff class, including four minor individuals, filed suit after the defendant allegedly failed to protect millions of customers’ personal account information that was then obtained in a 2019 data breach. The opinion noted that the defendant’s Terms of Service contained an arbitration agreement, a delegation provision, a class action waiver, and instructions regarding how to opt out of the arbitration agreement. The district court granted the defendant’s motion to dismiss and compel arbitration after rejecting the plaintiffs’ arguments that the arbitration clause is “invalid” and “unenforceable” as to the minor plaintiffs under the infancy doctrine.

    On appeal, the plaintiffs argued that there was an issue of fact regarding whether four of the plaintiffs had agreed to the Terms of Service, and that the defenses of infancy and unconscionability rendered the Terms of Service invalid. According to the appellate court, though “a contract exists and . . . the delegation provision itself is valid, the arbitrator must decide in the first instance whether the defenses of infancy and unconscionability allow plaintiffs to avoid arbitrating the merits of their claims.” The appellate court further agreed with the district court that “[i]t’s not about the merits of the case. It’s not even about whether the parties have to arbitrate the merits. Instead, it’s about who should decide whether the parties have to arbitrate the merits.”

    Courts Privacy/Cyber Risk & Data Security Class Action Arbitration Data Breach Appellate Sixth Circuit

  • District Court approves e-commerce platform data breach settlement

    Courts

    On November 4, the U.S. District Court for the District of Massachusetts granted final approval to a settlement in a class action against an alcohol e-commerce platform stemming from a data breach that allegedly compromised customers’ personally identifiable information. The plaintiffs’ memorandum of law requested approval of the class action settlement, which included a settlement class of 2.5 million individuals whose information was compromised. Class members claimed that the company did not publicly report the data breach until July 2020, and that customers’ information was available for purchase on the dark web. A complaint was filed against the defendant asserting claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of several state consumer protection statutes. The defendant moved to compel arbitration, citing a provision in its terms of service, as well as a class action waiver that required customers to arbitrate their claims individually. However, the parties entered into settlement discussions and agreed to mediate their dispute. Under the terms of the settlement, which is valued between $3.35 million and $7.1 million, the defendant has agreed to pay all associated administration costs, attorneys’ fees and expenses, and incentive awards. Class members will receive individual cash payments and will also receive a pro rata portion of a pool of up to $447,750 in the form of a credit against the cost of service fees for future orders on the defendant’s platform. The defendant will also implement certain data security measures for two years.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement State Issues

  • District Court dismisses data breach claims due to lack of jurisdiction

    Courts

    On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor after determining that the court does not have jurisdiction over the companies. Plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of vendor customers. Plaintiffs contended that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach. Plaintiffs also alleged that an unauthorized third party gained access to the wallet provider’s e-commerce database and obtained the email addresses of one million customers as well as physical contact information for 9,500 customers. According to the plaintiffs, the wallet provider did not disclose that the attack on its website and the vendor’s data theft were connected, and it downplayed the seriousness of the attack. As a result, plaintiffs were allegedly subject to “phishing scams, cyber-attacks, and demands for ransom and threats.” Plaintiffs claimed that the companies failed to implement appropriate security measures to protect customer data, and brought claims against the companies for injunctive relief and other remedies under California’s unfair competition law, Georgia’s Fair Business Practices Act, and New York’s General Business Law. The defendant companies moved to dismiss, arguing that the court lacked personal jurisdiction and that plaintiffs failed to state a claim.

    The court determined that it does not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The court further held that the fact that the vendor was headquartered in California at the time the breach occurred is not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the court wrote, dismissing the case with prejudice.

    Courts Privacy/Cyber Risk & Data Security Data Breach State Issues Of Interest to Non-US Persons

  • District Court grants $5 million settlement for alleged data breach

    Courts

    On November 5, the U.S. District Court for the Northern District of California granted preliminary approval of a class action settlement resolving claims against a grocery store chain after a data breach allegedly compromised personal information in its software. According to the plaintiffs’ notice of motion and motion for preliminary approval of class action settlement, a software vendor notified its clients, including the grocery store, that its software had been breached. As a result of the breach, hackers accessed personally identifiable information (PII) of approximately 3.82 million of the grocery store’s pharmacy customers and employees. Under the preliminary settlement, claimants may choose to receive either (i) a cash payment, with an estimated value between $18 and $91 for non-California residents and between $36 and $182 for California residents; (ii) two years of credit monitoring and insurance services; or (iii) reimbursement of any documented losses of up to $5,000. The proposed settlement also contains “robust injunctive relief,” including requirements that the grocery store chain (i) confirm that class members’ sensitive PII is secured; (ii) monitor the dark web for five years for fraudulent activity related to class members' PII; and (iii) enhance its third-party vendor risk management program. The district court also noted that any class member can appear at the fairness hearing to object to any aspect of the settlement, and that class members have 75 days after being notified of the deal to file their written objections or opt out of the settlement. The proposed settlement would not resolve any claims against the software vendor. Additionally, the court issued an order denying a motion to intervene by a group of objectors finding that they failed to “identify a protectable interest that will be impaired if they are unable to intervene.”

    Courts Class Action California Privacy/Cyber Risk & Data Security Settlement Data Breach Consumer Protection

  • District Court approves CCPA class action settlement

    Courts

    On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’ personal and private information (PII) when defendants were the targets of security breach incidents in which an unauthorized user gained access to the defendants’ network and computer systems and, through that access, to PII. According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs sued after learning that the defendants were targeted by hackers in December 2020, which affected over 5.8 million customers, and again in March 2021, which affected more than 324,000 customers. This conduct, the plaintiffs contended, violated the California Consumer Privacy Act, the California Consumers Legal Remedies Act, California’s Unfair Competition Law, and various state common laws. While the defendants denied allegations of wrongdoing and liability, and asserted defenses to the individual and class claims, the parties reached a proposed settlement, in which class members (defined as “all natural persons residing in the United States who were sent notice letters notifying them that their PII was compromised in the Data Incidents announced by Defendants on or about March 16, 2021 and on or about May 25, 2021”) will be provided automatic access to 18 months of credit monitoring and financial account protection. Additionally, every class member can make a claim for up to $10,000 in reimbursement for out-of-pocket losses. The preliminarily approved settlement also provides for class counsel fees and expenses not to exceed roughly $2.5 million and class representative service awards of $1,500.

    Courts Class Action Illinois Data Breach CCPA Privacy/Cyber Risk & Data Security State Issues California

  • FTC updates Safeguards Rule for financial institutions

    Federal Issues

    On October 27, the FTC announced a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. The final rule follows a 2019 notice of proposed rulemaking (covered by InfoBytes here) and makes the following modifications to the existing rule:

    • Adds specific criteria financial institutions must undertake when conducting a risk assessment and implementing an information security program, including provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response, among others. The final rule also adds measures to ensure employee training and service provider oversight are effective.
    • Requires financial institutions to designate a single qualified individual to oversee the information security program. Periodic reports must also be made to an institution’s board of directors or governing bodies.
    • Provides an exemption from requirements related to written risk assessments, incident response plans, and annual reporting to the board of directors, for financial institutions that collect information on fewer than 5,000 consumers.
    • Expands the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e., companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule).
    • Adds several definitions and related examples into the Safeguards Rule itself instead of incorporating them through a reference from a related FTC rule.

    Provisions of the final rule under Section 314.5 are effective one year after the date of publication in the Federal Register. The remainder of the provisions are effective 30 days following publication.

    Additionally, the FTC issued a supplemental notice of proposed rulemaking seeking comments on a proposal to further amend the Safeguards Rule to require financial institutions to report security events to the Commission where a determination has been made that consumer information has been misused, or is reasonably likely to be misused, in an event affecting at least 1,000 consumers. Comments are due 60 days after publication in the Federal Register.

    The FTC also announced a final rule adopting largely technical changes to its authority under the Privacy of Consumer Financial Information Rule (Privacy Rule) under the Gramm-Leach-Bliley Act, which requires financial institutions to inform consumers about their information-sharing practices and allow consumers the ability to opt out of having their information shared with certain third parties. The Privacy Rule is amended to revise the rule’s scope, modify the definitions of “financial institution” and “federal functional regulator,” and update requirements pertaining to annual customer privacy notices. The FTC noted that these changes align the Privacy Rule with changes made under Dodd-Frank and the FAST Act.

    Federal Issues FTC Privacy/Cyber Risk & Data Security Consumer Protection Data Breach Nonbank Safeguards Rule Agency Rule-Making & Guidance Gramm-Leach-Bliley Dodd-Frank

  • District Court partially denies company’s motion to dismiss in data breach class action

    Courts

    On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.

    The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiff failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because plaintiffs failed to allege facts to show that they conferred a benefit on defendant to support a claim for unjust enrichment.

    Courts Class Action Ransomware Negligence Data Breach State Issues Privacy/Cyber Risk & Data Security

  • Financial Stability Board calls for uniformity in cyber-breach reporting

    Privacy, Cyber Risk & Data Security

    On October 19, the Financial Stability Board (FSB) released a report calling for a convergence in the reporting of cyber incidents given the digitalization of financial services and the growing use of third-party service providers. According to FSB’s report, Cyber Incident Reporting: Existing Approaches and Next Steps for Broader Convergence, financial institutions operating across borders or sectors are subjected to multiple reporting requirements for one cyber incident. Pointing out that “fragmentation exists across sectors and jurisdictions in the scope of what should be reported for a cyber incident; methodologies to measure severity and impact of an incident; timeframes for reporting cyber incidents; and how cyber incident information is used,” FSB cautioned that the lack of a common method for reporting cyber incidents “could undermine a financial institution's response and recovery actions.” FSB also warned that the dissemination of “heterogeneous information” concerning a cyber incident “underscores a need to address constraints in information-sharing among financial authorities and financial institutions.” Harmonizing regulatory reporting would promote financial stability by ensuring there is a common method for monitoring cyberattacks in the sector, supporting effective supervision of cyber-risks at financial institutions, and helping authorities share information between jurisdictions. FSB stated it plans to create a detailed plan by the end of the year to (i) develop best practices for authorities to consider when developing their cyber incident reporting regime; (ii) identify key types of information that should be shared across the financial sector; and (iii) create a common terminology for cyber-incident reporting.

    Privacy/Cyber Risk & Data Security Data Breach Financial Stability Board Third-Party

  • New Jersey settles CFA and HIPAA matter with fertility clinic

    State Issues

    On October 12, the New Jersey attorney general and the Division of Consumer Affairs announced an action against a healthcare provider alleging that the defendant violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the HIPAA Security Rule by removing administrative and technological safeguards for protected health information (PHI) and electronic PHI (ePHI). The settlement resolves allegations that the defendant’s data breach allowed instances, between August 2016 and January 2017, of unauthorized access to the defendant’s network, which permitted at least one intruder to access consumer ePHI. Among other things, the defendant’s alleged violations include failing to: (i) ensure the confidentiality, integrity, and availability of ePHI; (ii) implement a mechanism to encrypt ePHI; (iii) review and modify security measures; (iv) implement proper procedures for creating, changing, and safeguarding passwords; and (v) implement verification procedures. According to the consent order, the defendant must pay $412,300 in civil penalties and $82,700 in investigative costs and attorney fees. The defendant is also required to implement extensive reforms to its data security system and encryption protocols to protect clients' PHI and prevent future breaches.

    State Issues New Jersey Privacy/Cyber Risk & Data Security State Attorney General Data Breach Consumer Protection
