
InfoBytes Blog

Financial Services Law Insights and Observations


  • New Jersey settles CFA and HIPAA matter with fertility clinic

    State Issues

    On October 12, the New Jersey attorney general and the Division of Consumer Affairs announced an action against a healthcare provider alleging that the defendant violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the HIPAA Security Rule by removing administrative and technological safeguards for protected health information (PHI) and electronic PHI (ePHI). The settlement resolves allegations that the defendant’s data breach allowed instances, between August 2016 and January 2017, of unauthorized access to the defendant’s network, which permitted at least one intruder to access consumer ePHI. Among other things, the defendant’s alleged violations include failing to: (i) ensure the confidentiality, integrity, and availability of ePHI; (ii) implement a mechanism to encrypt ePHI; (iii) review and modify security measures; (iv) implement proper procedures for creating, changing, and safeguarding passwords; and (v) implement verification procedures. According to the consent order, the defendant must pay $412,300 in civil penalties and $82,700 in investigative costs and attorney fees. The defendant is also required to implement extensive reforms to its data security system and encryption protocols to protect clients' PHI and prevent future breaches.

    State Issues New Jersey Privacy/Cyber Risk & Data Security State Attorney General Data Breach Consumer Protection

  • California expands consumer privacy rights to include genetic data

    Privacy, Cyber Risk & Data Security

    On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days after the consent has been revoked. Companies must also obtain a consumer’s express consent for collection, use, or disclosure of an individual’s genetic data. GIPA also requires companies to comply with all applicable federal and state laws for disclosing genetic data without a consumer’s express consent, and companies must “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” Violations of the law may result in civil penalties ranging from $1,000 to $10,000. Exempt from GIPA’s provisions is medical information governed by the Confidentiality of Medical Information Act, or medical information collected and used by business associates of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services.

    Earlier on October 5, the governor also signed AB 825, which expands the definition of “personal information” to include genetic data, regardless of its format. Under existing law, any agency that owns or licenses computerized data that includes personal information is required to immediately disclose a security breach upon discovery to California residents who may have been impacted. Agencies are also required to implement and maintain reasonable security procedures and practices.

    Both bills take effect January 1, 2022.

    Privacy/Cyber Risk & Data Security State Issues State Legislation California Consumer Protection

  • Soltani to head the California Privacy Protection Agency

    Privacy, Cyber Risk & Data Security

    According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.

    Privacy/Cyber Risk & Data Security State Issues CCPA CPPA CPRA California Consumer Protection State Regulators

  • FTC appoints consumer protection and competition directors

    Federal Issues

    On September 28, FTC Chair Lina M. Khan appointed Samuel A.A. Levine as Director of the Bureau of Consumer Protection and Holly Vedova as Director of the Bureau of Competition. Levine, who served as an attorney advisor to Commissioner Rohit Chopra, previously worked for the Illinois attorney general, where he prosecuted predatory for-profit colleges and engaged in rulemaking to expand income-driven repayment options for student borrowers. Vedova, who has a background in mergers and antitrust, most recently served as an attorney advisor to Chopra and previously served as counsel to the Director of the Bureau of Competition. “[A]s permanent directors of the FTC’s enforcement bureaus, their mission will be to guide this agency as we work to safeguard fair competition and check unfair or deceptive practices,” Khan stated.

    Federal Issues FTC Consumer Protection Enforcement

  • Student loan servicer agrees to produce requested records

    State Issues

    On September 28, the Colorado attorney general announced that a Pennsylvania-based student loan servicer responsible for handling the federal Public Service Loan Forgiveness (PSLF) program has agreed to comply with a state law requiring consumer protection oversight. As previously covered by InfoBytes, the AG sued the servicer in May for allegedly failing to comply with state law when asked to provide certain documentation related to the servicer’s handling of the PSLF program during the Covid-19 pandemic. The servicer allegedly refused to produce the requested materials and only provided certain limited documents regarding non-government owned loans related to its business line. Under the terms of the assurance of discontinuance, the servicer (while denying any liability) has agreed to produce the requested records in compliance with the Colorado Student Loan Equity Act.

    State Issues State Attorney General Student Lending Colorado Student Loan Servicer Consumer Protection Covid-19

  • FTC says health apps must comply with Health Breach Notification Rule

    Privacy, Cyber Risk & Data Security

    On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

    Privacy/Cyber Risk & Data Security FTC Data Breach Compliance Consumer Protection Agency Rule-Making & Guidance

  • FTC to use CIDs and subpoenas to streamline investigations

    Federal Issues

    On September 14, the FTC voted 3-2, at the recommendation of the Bureau of Consumer Protection and the Bureau of Competition, to approve a series of resolutions intended to streamline consumer protection and competition investigations in core FTC-priority areas over the next decade. At the recommendation of the Bureaus, the FTC authorized eight new compulsory process resolutions, which authorize the use of civil investigative demands and subpoenas when investigating the following areas: (i) acts or practices affecting U.S. servicemembers and veterans; (ii) acts or practices affecting children under 18; (iii) algorithmic and biometric bias; (iv) deceptive and manipulative online conduct, including matters related to tech support scams, payment processing, marketing of goods and services, and user interface manipulation; (v) repair restrictions; (vi) intellectual property abuse; (vii) common directors and officers and common ownership; and (viii) monopolization offenses. According to the FTC, adopting these resolutions will enhance and streamline the ability of FTC investigators and prosecutors to obtain evidence in critical investigations relating to potential violations of the FTC Act. FTC Commissioner Rohit Chopra issued a statement following the vote, commenting that the adoption “will improve the agency’s ability to order documents and data in investigations and fills a notable gap in the Commission’s long list of enforcement authorizations developed over many years.”

    Federal Issues FTC Consumer Protection FTC Act Investigations Enforcement Servicemembers UDAP

  • FCC takes action against robocalls

    Agency Rule-Making & Guidance

    On August 5, the FCC announced a “fair and consistent” process for reviewing actions regarding a voice service provider’s ability to comply with the FCC’s anti-spoofing caller ID authentication rules. FCC rules require broad implementation of the STIR/SHAKEN caller ID authentication framework on voice service providers’ IP networks. As previously covered by InfoBytes, the STIR/SHAKEN framework addresses, among other things, “unlawful spoofing by confirming that a call actually comes from the number indicated in the Caller ID, or at least that the call entered the US network through a particular voice service provider or gateway.” Since June 30, all major phone companies have been using the STIR/SHAKEN caller ID authentication framework in their IP networks (covered by InfoBytes here). To combat illegal spoofing, the STIR/SHAKEN standards serve as a common digital language for phone networks, allowing validated caller information to be passed from provider to provider. The standards also allow most caller ID information to be verified, so that providers and third-party consumer protection services can use that information to inform call blocking or warning services that protect customers. According to the FCC, “[t]he widespread implementation of STIR/SHAKEN is a major step forward in the FCC’s fight against malicious spoofing and scam robocalls.”

    Agency Rule-Making & Guidance FCC Robocalls Privacy/Cyber Risk & Data Security Consumer Protection

  • District Court: Online payment processor must face data collection class action claims

    Courts

    On July 28, the U.S. District Court for the Northern District of California granted in part and denied in part an online payment processor’s motion to dismiss class claims concerning several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “secretly track[ed], collect[ed], and stor[ed] the personal data and web activity of visitors to merchants’ website[s],” and created a software code allowing merchants to integrate the company’s payment platform into merchants’ applications. The complaint alleged that most consumers making online purchases were unaware that their transactions were processed by the defendant and instead believed they were communicating directly with the merchants. Specifically, the defendant allegedly (i) obtained or stored consumers’ sensitive information (such as financial information, location, IP addresses, and purchasing information); (ii) correlated all payments consumers made across the defendant’s entire payment processing platform and provided much of it to other merchant clients without informing the consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior across the defendant’s payment network. This allowed merchants to see a consumer’s purchasing history of all transactions processed by the defendant and obtain a transaction-level risk score from the defendant.

    The court denied the motion to dismiss as to plaintiffs’ claims of invasion of privacy and intrusion under California’s Constitution and common law, finding that the plaintiffs have sufficiently alleged the plaintiffs did not consent to the defendant’s disclosure of their information to its merchants and customers. The court was precluded from finding that plaintiffs had no reasonable expectation of privacy because the language in the defendant’s privacy policy limited the sharing to information with third parties to assist with the prevention or detection of fraud or for processing services only.

    In dismissing the wiretap claims, the court reviewed the “sign-in wrap” agreement presented to consumers at the purchase checkout page, which required plaintiffs to agree to the defendant’s terms of service and privacy policy whenever they placed an order. While the plaintiffs argued that the privacy policy “does not provide sufficient notice that [the defendant] would collect the information that it did,” the court pointed out that the policy contained provisions disclosing that third parties like the defendant “may obtain not only credit card data, but also ‘identifiers, demographic information, commercial information, relevant order information, internet activity, geolocation data, sensory information, and inferences,’” and that partners may also “use various technologies’ to ‘collect information about [consumer] online activity over time and across different websites or online services.’” Among other things, the court reasoned that the disclosures were binding on the consumers, even though they were provided by the defendant and not the merchants.

    The court dismissed in part the plaintiffs’ claims under California’s Unfair Competition Law (UCL) and California Consumer Privacy Act (CCPA), in part because the CCPA “has no private right of action” and “consumers may not use the CCPA as a basis for a private right of action under any statute.” The court also dismissed the plaintiffs’ fraud prong of the UCL, but allowed the plaintiffs’ unfair competition prong under the UCL to proceed.


    Courts Privacy/Cyber Risk & Data Security Consumer Protection Class Action State Issues Wire Tapping

  • Commissioners discuss importance of restoring FTC’s authority

    Federal Issues

    On July 28, the House Committee on Energy and Commerce’s Subcommittee on Consumer Protection and Commerce held a hearing titled “Transforming the FTC: Legislation to Modernize Consumer Protection” to discuss, among other things, the importance of restoring the Commission’s ability to secure monetary relief from companies and individuals that violate the law. Testifying before the subcommittee were FTC Chair Lina M. Khan and Commissioners Noah Joshua Phillips, Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson. Khan and the Commissioners discussed pending federal legislation intended to modify the FTC’s authority and addressed severe resource constraints affecting the FTC’s attempts to address the increasing number of global mergers and acquisitions, as well as the large number of consumer complaints related to Covid-19 pandemic-related marketplace abuses. They noted that despite these challenges, “thanks in part to the civil penalty authority provided by this Subcommittee in the COVID-19 Consumer Protection Act,” (covered by InfoBytes here) “the Commission has successfully halted dozens of COVID-related scams.”

    Khan and the Commissioners also discussed the importance of restoring the FTC’s ability to secure monetary relief from those that violate the law, which was limited following the U.S. Supreme Court’s recent decision in AMG Capital Management v. FTC (covered by InfoBytes here). “[P]ending cases today involve $2 billion in potential relief to victims, which is not available after AMG,” the testimony provided. “Unless the agency has clear authority to obtain monetary relief, this decision will continue to impede our ability to provide refunds to Americans harmed by deceptive, unfair, or anticompetitive conduct.” Moreover, a recent decision issued by the U.S. Court of Appeals for the Third Circuit “held that the language in Section 13(b) of the FTC Act describing a company that ‘is engaged in, or is about to engage in’ illegal conduct means the FTC can initiate enforcement actions only when a violation is either ongoing or ‘impending’ at the time the suit is filed.” This decision, the FTC claimed, “limits the Commission’s ability to hold accountable entities who engaged in illegal conduct that occurred entirely in the past.”

    Federal Issues FTC Consumer Protection Enforcement
