InfoBytes Blog

House Financial Services Committee holds hearing on data security, breach notifications

On March 7, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime” to discuss data security and breach notification rules and cybersecurity supervision and examination standards for reporting agencies. Subcommittee Chairman Blaine Luetkemeyer, R-Mo., opened the hearing by stating that “[f]orty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted differing laws requiring private companies to notify individuals of breaches of personal information,” and emphasized the need for a “national solution” to create data security safeguards and responsible notification processes.

Legislation. The hearing discussed two legislative proposals sponsored by Representatives Luetkemeyer and Patrick McHenry, R-NC, respectively: the “Data Acquisition and Technology Accountability and Security Act” (DATAS Act) and the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017” (PROTECT Act). The DATAS Act would, among other things, (i) establish broad standards for data protection across industries; (ii) create new federal post-data breach notification requirements; and (iii) establish steps that covered entities must take to notify regulators, law enforcement, and victims after certain types of data breaches. Included within the PROTECT Act are provisions that would (i) subject large consumer reporting agencies to cybersecurity supervision and examination measures; (ii) amend the FCRA to allow consumers to request security freezes be placed, removed, or temporarily lifted on their credit reports; (iii) provide provisions for fees and exceptions from such fees; and (iv) prohibit consumer reporting agencies from including a consumer’s Social Security number in a credit report or being used as a method to identify a consumer.

Hearing Testimony. The hearing’s four witnesses provided testimony related to current issues with data beaches and protecting consumer information, and commented on the inconsistencies in data breach laws. Among the issues discussed were (i) the challenges of creating a “universal, unique identifier” separate from a Social Security number; (ii) efforts to establish streamlined, uniform, national data breach notification, security, and credit freeze standards; and (iii) the need for U.S. businesses that handle sensitive financial information to implement measures to protect the data and maintain consumers’ trust. Massachusetts Assistant Attorney General and Director of Data Privacy & Security for the Attorney General’s Consumer Protection Division, Sara Cable, stated in her written testimony and during the hearing that the proposed DATAS Act’s consumer notice provisions would “leave consumers in a worse position than the status quo.” She also expressed concern that the bill “allows entities to push the cost of the data security crisis onto consumers without providing any meaningful remedy, strips the state Attorneys General of the authority they are presently and actively using to protect their consumers from breaches, and hamstrings efforts of the States to enact laws in response to future risks in an era of increasing and rapidly evolving technology.” 

Privacy/Cyber Risk & Data Security House Financial Services Committee Data Breach FCRA Federal Legislation Security Freeze

Nebraska, South Dakota enact legislation relating to security breaches and credit freezes

On March 1, the governor of South Dakota signed House Bill 1078 to revise certain provisions addressing the removal of credit security freezes. The amended act states that a security freeze will remain in place until a consumer requests the removal from the consumer reporting agency. The consumer reporting agency is then required to remove the freeze within three business days. Separately, on February 27, the governor signed House Bill 1127 (HB 1127) to revise certain provisions concerning fees charged for security freezes. Among other things, HB 1127 prohibits consumer reporting agencies from charging a fee for placing or removing a security freeze, and stipulates that a consumer reporting agency may advise a third party that a consumer’s credit report has been frozen.

On February 28, the governor of Nebraska approved Legislative Bill 757 strengthening certain provisions of the state’s Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006. Among other things, the amendments state that (i) any individual or commercial entity in the state that possesses computerized data containing personal information of Nebraska residents must maintain reasonable security and disposal procedures and practices; (ii) nonaffiliated third-parties with access to personal information must also maintain reasonable security and disposal procedures; and (iii) consumer reporting agencies must provide services free-of-charge for the placement or removal of a credit security freeze. The legislation also outlines additional violations under which the Nebraska Attorney General can enforce protection of consumer privacy in the event of a data breach.

Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Security Freeze

Maryland issues bipartisan consumer protection recommendations

On January 26, the Maryland Financial Consumer Protection Commission (the “Commission”) and ranking officials from the Maryland legislature announced bipartisan “Interim Recommendations” of the Commission for State and local action in response to the federal government’s “efforts to change or weaken […] important federal consumer protections.” New legislation in response to the recommendations is expected to be released in the near future. Key recommendations include, among other things: (i) requiring credit reporting agencies to provide an alert of data breaches promptly and provide free credit freezes; (ii) adopting new financial consumer protection laws in areas where the federal government may be weakening oversight; (iii) addressing potential issues with Maryland’s current payday and lending statutes; (iv) adopting the Model State Consumer and Employee Justice Enforcement Act that addresses forced arbitration clauses; and (v) adopting new laws that address new risk, such as, virtual currencies and financial technology.

State Issues State Legislation Consumer Finance Data Breach Payday Lending Arbitration Virtual Currency Fintech Credit Reporting Agency Security Freeze

50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitutions of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues Security Freeze

District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

Privacy/Cyber Risk & Data Security Credit Reporting Agency Consumer Finance State Legislation Data Breach Security Freeze

Coalition of State Attorneys General Urge Credit Reporting Agencies to Offer No-Fee Credit Freeze

On October 10, a coalition of 37 state attorneys general sent letters (here and here) to the CEOs of two major credit reporting agencies (CRAs), urging them to stop charging fees to consumers seeking credit freezes as a measure to protect against identity theft in light of a third CRA’s massive data breach. On September 15, as previously reported in InfoBytes, 34 state attorneys general sent a letter to the breached CRA’s legal counsel requesting it disable fee-based credit monitoring services. The October 10 letters note that currently seven states prohibit CRAs from charging fees to consumers for credit freezes and at least two other states have proposed legislation that would require CRAs to offer free credit freezes.

Privacy/Cyber Risk & Data Security State Attorney General Consumer Finance Security Freeze

Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo directed NYDFS to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and a free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

Privacy/Cyber Risk & Data Security Credit Reporting Agency State Attorney General NYDFS Enforcement Data Breach Security Freeze 23 NYCRR Part 500