Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court: Company must face CCPA class action after ransomware attack

    Courts

    Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data as required by the California Consumer Privacy Act (CCPA). Following a 2020 ransomware attack, class members claimed that sensitive information (including nonencrypted and nonredacted personal information) stored on the defendants’ network was compromised. The defendants countered that class members failed to establish that the defendants qualify as a “business” under the statute as opposed to a “service provider.”

    As previously covered by a Buckley Special Alert, the CCPA, which became effective January 1, 2020, defines a “business” as an entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.” The CCPA defines a “service provider” as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” While the CCPA provides a limited private right of action for actual or statutory damages against a business, actions against service providers can only be brough by the California attorney general. According to the court, class members adequately alleged that the defendants act as a business rather than a service provider based on allegations that they, among other things, collect consumers’ personal information from consumers (instead of receiving personal information from another business), and determine “the purposes and means of the processing of consumers’ personal information.” The court also rejected the defendants’ argument that class members failed to “plausibly” establish that their information was stolen because the ransomware attack merely encrypted the data on the defendants’ computer systems. “It may be that [p]laintiff’s personal information was not exfiltrated in a nonencrypted and nonredacted form,” the court stated, “[b]ut at this stage, especially when the bases for dismissal upon which [d]efendants rely do not appear in the complaint, the Court concludes that [p]laintiff’s allegations are sufficient to survive a motion to dismiss.”

    Courts Privacy/Cyber Risk & Data Security CCPA State Issues California Class Action

  • Soltani to head the California Privacy Protection Agency

    Privacy, Cyber Risk & Data Security

    According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.

    Privacy/Cyber Risk & Data Security State Issues CCPA CPPA CPRA California Consumer Protection State Regulators

  • District Court: Cloud computing company must face class action CCPA claims in data breach suit

    Courts

    On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that the data breach was a result of the company’s “deficient security program” and contended that the company “failed to comply with industry and regulatory standards by neglecting to implement security measures to mitigate the risk of unauthorized access, utilizing outdated servers, storing obsolete data, and maintaining unencrypted data fields.” They further claimed, among other things, that the company’s narrow internal investigation did not address the full scope of the ransomware attack (in which it was eventually revealed that Social Security numbers and other sensitive personal data were compromised) and that plaintiffs were not provided timely and adequate notice of the data breach.

    The court found that the plaintiffs failed to adequately plead their claims for violations of consumer protection laws in New Jersey, Pennsylvania, and South Carolina, but allowed certain claims to proceed, including plaintiffs’ allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to implement and maintain reasonable security procedures. The CCPA, which became effective January 1, 2020 (covered by a Buckley Special Alert), provides for a limited private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” The company countered, however, that it is not a “business” regulated under the CCPA.

    The court disagreed, writing that “the plain text of the statute is instructive” and that the plaintiffs had adequately alleged that the company qualified as a “business” under the statute because it (i) uses consumers’ personal data to provide, develop, improve, and test its services; (ii) “develops software solutions to process its customers’ patrons’ personal information”; (iii) has annual gross revenues of more than $25 million; and (iv) is allegedly registered as a “data broker” in California under a law that “provides that a ‘data broker’ is a ‘business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.’” The court also rejected the company’s contention that because it qualifies as a “service provider” under the CCPA it is not a “business.” The court further allowed claims under New York General Business Law Section 349 to proceed, finding the plaintiffs had sufficiently alleged that the company had misrepresented its security measures and the scope of the breach and had prevented consumers from protecting their data. The court also allowed the plaintiffs to seek declaratory and injunctive relief under Florida’s Deceptive and Unfair Trade Practices Act.

    Courts CCPA Privacy/Cyber Risk & Data Security Data Breach Class Action State Issues

  • District Court says retailer not an intended third-party beneficiary of a credit card arbitration provision

    Courts

    On July 8, the U.S. District Court for the Central District of California denied a retailer’s motion to compel arbitration in a consumer data sharing putative class action, ruling that the retailer was not an intended third-party beneficiary of an arbitration provision in a credit card agreement. The proposed class had filed an amended complaint accusing several national retailers of illegally sharing consumer transaction data in violation of the FCRA, the California Consumer Privacy Act, and California’s unfair competition law, among others. The motion at issue, filed by one of the retailers, addresses a named plaintiff’s opposition to compel arbitration. The retailer argued that as an “intended” third-party beneficiary of the contract, it had the right to enforce an arbitration clause contained in a credit card agreement purportedly signed by the plaintiff when she opened a retailer credit card account issued by an online bank.

    The court disagreed, finding that the contract’s arbitration provisions specifically referred to the bank, and that the contract did not clearly “express an intention to confer a separate and distinct benefit on [the retailer].” Moreover, the court noted the contract at issue instructed the plaintiff to send any arbitration demand notices to the bank, adding that “[i]t seems unlikely that the parties would expect a demand for arbitration solely against the [retailer]—that does not involve [the bank]—to be sent to [the bank].”

    Courts Arbitration Third-Party Credit Cards Class Action State Issues CCPA FCRA Privacy/Cyber Risk & Data Security

  • District Court approves online marketplace data breach settlement

    Courts

    On May 13, the U.S. District Court for the Northern District California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. The plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law after plaintiffs launched an investigation into the cybersecurity incident. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including enhancing password protection and implementing a policy regarding minimizing the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out of the settlement by September 16.

    Courts Data Breach Settlement Privacy/Cyber Risk & Data Security Class Action CCPA State Issues

  • California again modifies CCPA regs; appoints privacy agency’s board

    State Issues

    On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the announcement, the newly-approved amendments strengthen the language of CCPA regulations approved by OAL last August (covered by InfoBytes here). Specifically, the new amendments:

    • Require businesses selling personal information collected in the course of interacting with consumers offline to provide consumers about their right to opt out via offline communications. Consumers must also be provided instructions on how to submit opt-out requests.
    • Provide an opt-out icon for businesses to use in addition to posting a notice of right to opt-out. The amendments note that the opt-out icon may not be used in lieu of requirements to post opt-out notices or “do not sell my personal information” links.
    • Require companies to use opt-out methods that are “easy” for consumers to execute and that require “minimal” steps to opt-out. Specifically, a “business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out.” Additionally, except as otherwise permitted by the regulations, companies are prohibited from requiring consumers to provide unnecessary personal information to implement an opt-out request, and may not require consumers to click through or listen to reasons as to why they should not submit an opt-out request. The amendments also state that businesses cannot require consumers “to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out.”

    The AG’s press release also notes that the California Privacy Rights Act (CPRA), which was approved by voters last November and sought to amend the CCPA, will transfer some of the AG’s responsibilities to the California Privacy Protection Agency (CPPA), covered by InfoBytes here; however, the AG will retain the authority to go to court to enforce the law. Enforcement of the CPRA will begin in 2023.

    Additionally, on March 17, the California governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.

    State Issues State Regulators CCPA State Attorney General Privacy/Cyber Risk & Data Security CPRA CPPA Consumer Protection

  • Court dismisses data breach claims citing lack of compromised sensitive information

    Privacy, Cyber Risk & Data Security

    On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia allegedly accessed personal information without authorization, including guests’ names, addresses, phone numbers, email addresses, genders, birth dates and loyalty account numbers. The plaintiff’s suit alleged, among other things, violations of the California Consumer Privacy Act and the state’s Unfair Competition Law. While the hotel disclosed the incident last March and admitted that class members’ personal information was compromised, the court determined that the plaintiff lacked standing to bring claims after the hotel’s investigation found that “no sensitive information, such as social security numbers, credit card information, or passwords, was compromised.” The court determined that the plaintiff failed to plausibly plead that any of the class members’ more sensitive data had fallen into the wrong hands, and that “[w]ithout a breach of this type of sensitive information, Plaintiff has not suffered an injury in fact and cannot meet the constitutional requirements of standing.”

    Privacy/Cyber Risk & Data Security Courts Data Breach CCPA State Issues

  • Court grants preliminary approval of CCPA class action settlement

    Courts

    On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the California Consumer Privacy Act (CCPA) after suffering a data breach and potentially exposing customers’ personal information (PII) used to purchase products from the company’s website. After the company issued a notice of the security incident in January 2020, the plaintiffs filed the class action alleging the company failed to (i) “adequately protect its users’ PII”; (ii) “warn users of its inadequate information security practices”; and (iii) “effectively monitor [the company]’s website and ecommerce platform for security vulnerabilities and incidents.”

    After mediation, the plaintiffs filed an unopposed motion for preliminary approval of class action settlement, which provides for a $400,000 settlement fund to cover approximately 200,000 class members who made purchases through the company’s website from September 16, 2019 to November 11, 2019. Class members have the option of claiming a cash payment of up to $500 for a Basic Award or of up to $5,000 for a Reimbursement Award, with amounts increasing or decreasing pro rata based on the number of claimants. Additionally, the company agreed to certain business practice changes, including conducting a risk assessment of its data assets and environment and enabling multi-factor authentication for all cloud services accounts. When granting preliminary approval, the court concluded that the agreement does “not improperly grant preferential treatment to any individual or segment of the Settlement Class and fall[s] within the range of possible approval as fair, reasonable, and adequate.”

    Courts CCPA State Legislation Privacy/Cyber Risk & Data Security Data Breach Class Action State Issues

  • California proposes modifying CCPA regs again

    State Issues

    On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on October 12, the Department released a third set of proposed modifications to the regulations that went into effect on August 14. The Department noted that it received around 20 comments in response to the third set of proposed modifications and the fourth set of proposed modifications is to address those comments and/or to clarify and conform the proposed regulations to existing law. Highlights of the proposed modifications include:

    • Amending Section 999.306, subd. (b)(3), to clarify that a business that sells (previously proposed as “collects”) personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method.
    • The addition of Section 999.315, subd. (f), which identifies a uniform “opt-out button” to be used in addition to posting the notice of right to opt-out or used in conjunction with a  “Do Not Sell My Personal Information” link.

    Additionally, the Department provided notice that it added new documents and information to the rulemaking file, which was relied upon when adopting the proposed regulations.

    Comments on the proposed modifications are due on December 28 by 5:00 p.m.

    State Issues CCPA State Attorney General Consumer Protection Privacy/Cyber Risk & Data Security

  • California voters approve expanded privacy rights

    Privacy, Cyber Risk & Data Security

    On November 3, California voters approved a ballot initiative, the California Privacy Rights Act of 2020 (CPRA), that expands on the California Consumer Privacy Act (CCPA). While there are a number of differences between the CPRA and the CCPA, some key provisions include:

    • Adding expanded consumer rights, including the right to correction and the right to limit sharing of personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
    • Changing the definitions of various entities, including increasing the numerical threshold for being a business to 100,000 from 50,000 consumers and households and removing devices from this threshold.
    • Adding the category of sensitive personal information that is subject to specific rights.
    • Creating a new privacy agency, the California Privacy Protection Agency, to administer, implement, and enforce the CPRA.

    It is important to note that the Gramm-Leach-Bliley Act and Fair Credit Reporting Act exemptions are in the CPRA, and the act extends the employee and business-to-business exemption to January 1, 2023.

    Implementation deadlines

    The CPRA becomes effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA contains a look-back provision (i.e., the CPRA will apply to personal information collected by a business on or after January 1, 2022). The new privacy agency also is required to begin drafting regulations starting on July 1, 2021, with final regulations to be completed one year later.

    Learn more

    Please refer to a Buckley article for further information on the differences between the CCPA and the CPRA: 6 Key Ways the California Privacy Rights Act of 2020 Would Revise the CCPA (Corporate Compliance Insights), as well a continuing InfoBytes coverage here.

    Privacy/Cyber Risk & Data Security CCPA CPRA California Consumer Protection Ballot Initiative

Pages

Upcoming Events