
InfoBytes Blog

Financial Services Law Insights and Observations


  • EU Court of Justice says controllers of personal data must take reasonable steps to inform third parties when consumer consent is withdrawn

    Privacy, Cyber Risk & Data Security

    On October 27, the European Court of Justice (ECJ) held that controllers of personal data must take reasonable steps to inform other controllers when a data subject withdraws consent. The decision stems from a request made by a subscriber to a Belgian telecommunications provider to not have his information included in the public telephone directories and directory inquiry services published by the company and other third parties. The controller pulled the subscriber’s information from the public record, but re-added the information to the directories after it received an update to the subscriber’s data that was not noted as being confidential. The subscriber submitted multiple requests for his data to be removed and submitted a complaint with the Belgian Data Protection Authority. The Data Protection Authority ordered the company to take remedial action and fined it €20,000 for infringing several provisions of the General Data Protection Regulation (GDPR). The controller appealed, “arguing that the consent of the subscriber is not required for the purposes of the publication of his or her personal data in the telephone directories, rather the subscribers must themselves request not to be included in those directories under an ‘opt-out’ system. In the absence of such a request, the subscriber concerned may in fact be included in those directories.” The Data Protection Authority contended, however, that the privacy and electronic communications directive “requires the ‘consent of subscribers’ within the meaning of the GDPR in order for the providers of directories to be able to process and pass on their personal data.”

    The Brussels Court of Appeal referred questions to the ECJ for a preliminary ruling after determining that there are no specific rules “concerning the withdrawal by a subscriber of his or her statement of wishes or of that ‘consent.’” The ECJ determined that controllers of personal data must get consumers’ informed consent before publishing their information in a public directory. Further, the ECJ determined that such consent can be extended to any subsequent processing of data by third parties, provided the data is processed for the same purpose to which the consumer consented. However, consumers can withdraw consent at any time, and controllers are required to make reasonable efforts to notify third parties, including search engine providers, that are making use of that subscriber’s information of the withdrawal. Notably, the ECJ concluded that if various controllers rely on the single consent of a data subject, “it is sufficient, in order for that person to withdraw such consent, that he or she contacts any one of the controllers.”

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU Courts GDPR Enforcement Consumer Protection

  • CISA releases new cybersecurity performance goals

    Privacy, Cyber Risk & Data Security

    Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a new report outlining baseline cross-sector cybersecurity performance goals (CPGs) for all critical infrastructure sectors. The report follows a July 2021 national security memorandum issued by President Biden, which required CISA to coordinate with the National Institute of Standards and Technology (NIST) and the interagency community to create fundamental cybersecurity practices for critical infrastructure, primarily to help small- and medium-sized organizations improve their cybersecurity efforts. The CPGs were informed by existing cybersecurity frameworks and guidance, as well as real-world threats and adversary tactics, techniques, and procedures observed by the agency and its partners. CISA noted in the report that the CPGs are not comprehensive but instead “represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors, and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.” Organizations may choose to voluntarily adopt the CPGs in conjunction with broader frameworks like the NIST Cybersecurity Framework. “The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA said in its announcement.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Federal Issues CISA NIST Biden Critical Infrastructure

  • FFIEC updates 2018 Cybersecurity Resource Guide for Financial Institutions

    On October 27, the FDIC issued FIL-50-2022 related to recent updates made to the Federal Financial Institutions Examination Council’s (FFIEC) 2018 Cybersecurity Resource Guide for Financial Institutions. The FFIEC guide is designed to assist financial institutions in meeting their security control objectives and preparing to respond to cyber incidents. The FFIEC guide includes updates to certain references as well as new ransomware-specific resources to address the ongoing threat of ransomware incidents.

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security FDIC FFIEC

  • CFPB seeks additional public input on big tech payment platforms

    Federal Issues

    On October 31, the CFPB announced it will reopen the public comment period for 30 days on a 2021 notice and request for comment related to the Bureau’s inquiry into big tech payment platforms. In October 2021, the Bureau issued orders to six large U.S. technology companies seeking information and data on their payment system business practices to inform the agency as to how these companies use personal payments data and manage data access to users (covered by InfoBytes here). The Bureau is inviting additional comments to broaden its understanding of the risks consumers face and potential policy solutions on topics related to, among other things, “companies’ acceptable use policies and their use of fines, liquidated damages provisions, and other penalties.” A notice will be published in the Federal Register with additional details on the public comment period in the coming days.

    Federal Issues CFPB Payments Consumer Finance Privacy, Cyber Risk & Data Security Payment Systems

  • CFPB launches rulemaking on consumers’ rights to their data

    Agency Rule-Making & Guidance

    On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.

    Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:

    • Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
    • Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
    • Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not yet settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
    • Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
    • How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
    • Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
    • Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
    • Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.

    An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.

    The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”

    Agency Rule-Making & Guidance Federal Issues CFPB Section 1033 Small Business Dodd-Frank Consumer Finance Privacy, Cyber Risk & Data Security

  • District Court approves data scrape settlement

    Courts

    On October 20, the U.S. District Court for the Northern District of California granted final approval to a class action settlement resolving claims that a social media platform (defendant) scraped consumer data for advertising purposes. According to the plaintiffs’ motion for preliminary approval, the defendant allegedly scraped a group of mobile company users’ call and text logs without consent by exploiting a vulnerability in the permission settings for the defendant’s message application. In its third amended complaint, the plaintiffs argued that consumers granted the defendant permission to access their phones’ contact lists, but did not consent to scraping their call and text logs, which included the date and time of phone calls, the phone numbers dialed, the names of the individuals called and the duration of each call, as well as whether each call was incoming, outgoing or missed. The plaintiffs further alleged that the defendant did not explicitly notify them that their data was being collected prior to the vulnerability being patched in October 2017, when the defendant ceased its scraping practice. The settlement requires the defendant to delete all call and text history data that it is not legally obligated to preserve, and provides for a $1.08 million attorney fee request and $1,500 incentive awards for class representatives.

    Courts Privacy, Cyber Risk & Data Security Class Action Data Breach Settlement

  • Chopra previews Section 1033 rulemaking on consumers’ rights to data

    Federal Issues

    On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advance notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).

    Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”

    Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.

    Federal Issues Privacy, Cyber Risk & Data Security CFPB Section 1033 Agency Rule-Making & Guidance Small Business Dodd-Frank Consumer Finance

  • District Court preliminarily approves data breach settlement

    Courts

    On October 24, the U.S. District Court for the District of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total $5,000 for service awards to the named plaintiffs.

    Courts Privacy, Cyber Risk & Data Security Data Breach Class Action Settlement

  • FTC’s proposed breach order would apply personally to CEO

    Federal Issues

    On October 24, the FTC announced an action against a company operating an online alcohol marketplace and its CEO related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. The FTC alleged in its complaint that the respondents were alerted to problems with the company’s data security procedures following an earlier security incident in 2018, which involved hackers accessing company servers to mine cryptocurrency until the company changed its cloud computing account login information. According to the FTC, the company failed to take appropriate measures to address its security problems, but publicly claimed it had appropriate security protections in place. Two years later, an employee account was breached, thus allowing a hacker to gain access to login information, hack into the company’s database, and steal customers’ information. Among other things, the respondents allegedly violated the FTC Act by (i) failing to implement basic security measures or put in place reasonable safeguards to secure the personal information it collected and stored; (ii) storing critical database information, including login credentials, on an unsecured platform; (iii) failing to monitor its network for security threats or unauthorized attempts to access or remove personal data; and (iv) exposing customers to hackers, identity thieves, and malicious actors who use personal information to open fraudulent lines of credit or commit other fraud.

    Under the terms of the proposed decision and order, the respondents will be required to take several measures to prevent further violations, including destroying unnecessary personal data, limiting future data collection to what is necessary for specifically outlined purposes, and implementing a comprehensive information security program. As part of these requirements, the respondents must establish security safeguards to protect against the identified security incidents, such as providing employees security training, designating a high-level employee to oversee the company’s information security program, implementing controls on who is able to access personal data, and requiring multi-factor authentication in order to access databases and other assets containing consumer data.

    Notably, the FTC said in its announcement that the proposed order applies personally to the individual respondent who presided over the company’s insufficient data security practices. The FTC explained that the proposed order will follow the individual respondent even if he leaves the company, and that he “will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals” where the individual respondent “is a majority owner, CEO, or senior officer with information security responsibilities.”

    Federal Issues FTC Enforcement Privacy, Cyber Risk & Data Security Data Breach FTC Act

  • France fines facial recognition company €20 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving complaints from individuals about the company’s facial recognition software. CNIL stated in its announcement that it cooperated with its European counterparts to share the results of the investigations, as each authority is permitted to act on its own territory since the company has no establishment in Europe. The investigations identified several violations of the GDPR, including that the company allegedly unlawfully processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). A formal notice was issued to the company last year requiring it to stop collecting and using data belonging to persons on French territory without a legal basis. The company was also ordered to “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” CNIL contended that after the company failed to respond to the formal notice, it referred the matter to a restricted committee for sanctions.

    The restricted committee imposed the maximum financial penalty (€20 million) under article 83 of the GDPR, and ordered the company “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it has already collected, within a period of two months.” Failure to comply within this time frame will result in a €100,000 penalty per day of delay. The restricted committee also cited the company for breaching its obligation to cooperate with CNIL.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons France Enforcement GDPR EU
