
InfoBytes Blog

Financial Services Law Insights and Observations


  • OFAC amends cyber-related sanctions regulations

    Financial Crimes

    On September 2, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced that it is amending, and reissuing in their entirety, the Cyber-Related Sanctions Regulations. OFAC noted that this administrative action replaces regulations that were published in abbreviated form on December 31, 2015, with a more comprehensive set of regulations that includes additional interpretive and definitional guidance, general licenses, and other regulatory provisions that will provide further guidance to the public. As previously covered by InfoBytes, the regulations prohibited all transactions described in Executive Order (E.O.) 13694, including dealing in property or interests in property of blocked persons that come within the United States. Among other things, under E.O. 13694, a party may be blocked if the U.S. government finds the party “to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the U.S. that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” and that have one of the purposes or effects enumerated in the order. The sanctions became effective September 6.

    Additionally, OFAC noted that “the publication of this final rule has triggered an automatic administrative update to a number of sanctions entries.” OFAC listed unique identifier numbers (UIDs) for the affected entries as part of the administrative update and provided FAQs to clarify UIDs.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC Privacy, Cyber Risk & Data Security OFAC Designations OFAC Sanctions

  • 3rd Circuit vacates dismissal of data breach suit

    Courts

    On September 2, the U.S. Court of Appeals for the Third Circuit vacated the dismissal of a class action alleging that a defendant pharmaceutical research company’s negligence led to a data breach. According to the opinion, the plaintiff, who is a former employee of the defendant’s subsidiary, provided her sensitive personal and financial information in exchange for the defendant’s agreement, pursuant to the plaintiff’s employment agreement, to “take appropriate measures to protect the confidentiality and security” of this information. After plaintiff ended her employment with the company, a hacking group accessed the defendant’s servers through a phishing attack and stole sensitive information pertaining to current and former employees. In addition to exfiltrating the data, the hackers installed malware to encrypt the data stored on the defendant’s servers and held the decryption tools for ransom. The defendant informed current and former employees of the breach and encouraged them to take precautionary measures. To mitigate potential harm, the plaintiff took immediate action by conducting a review of her financial records and credit reports for unauthorized activity, among other things. As a result of the breach, the plaintiff alleged that she has sustained a variety of injuries—primarily the risk of identity theft and fraud—in addition to the investment of time and money to mitigate potential harm. The district court granted the defendant's motion to dismiss based on lack of Article III standing, concluding “that [the plaintiff's] risk of future harm was not imminent, but ‘speculative,’ because she had not yet experienced actual identity theft or fraud.”

    On the appeal, the 3rd Circuit noted that the district court “erred in dismissing [the plaintiff’s] contract claims, which are raised in Counts III (breach of implied contract) and IV (breach of contract),” arising from her employment agreement. The appellate court wrote that the plaintiff “has alleged an injury stemming from the breach—the risk of identity theft or fraud—that is sufficiently imminent and concrete,” because the defendant “expressly contracted to ‘take appropriate measures to protect the confidentiality and security’ of plaintiff’s information in [the plaintiff’s] employment agreement.” The appellate court also noted that in an “increasingly digitalized world, an employer's duty to protect its employees’ sensitive information has significantly broadened.” The 3rd Circuit vacated the judgment on all counts and remanded the dispute to the district court for consideration of the merits of the claims.

    Courts Appellate Privacy, Cyber Risk & Data Security Class Action Third Circuit Data Breach

  • Pelosi cites preemption concerns in federal privacy bill

    Federal Issues

    On September 1, Speaker of the House Nancy Pelosi (D-CA) released a statement commending the House Energy and Commerce Committee’s work on advancing the American Data Privacy and Protection Act (ADPPA) to the House floor (covered by InfoBytes here). However, Pelosi also recognized preemption concerns raised by the California governor, the California Privacy Protection Agency, and other top state leaders. “With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said. “California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians—and states must be allowed to address rapid changes in technology.” Praising measures in the ADPPA that would give consumers the right, for the first time, to seek damages in court for violations of their privacy rights, Pelosi said the House “will continue to work with Chairman Pallone to address California’s concerns.” As previously covered by InfoBytes, the ADPPA also received criticism from several state attorneys general who argued, among other things, that “Congress should adopt a federal baseline, and continue to allow states to make decisions about additional protections for consumers residing in their jurisdictions,” instead of preempting areas of state privacy regulation.

    Federal Issues Privacy, Cyber Risk & Data Security Federal Legislation U.S. House American Data Privacy and Protection Act State Issues California Consumer Protection

  • Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

    Privacy, Cyber Risk & Data Security

    The California legislative session ended on August 31, foreclosing any chance of the legislature extending the temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, which are set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extended the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.

    According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.

    As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.

    Privacy, Cyber Risk & Data Security State Issues State Legislation CCPA CPRA CPPA Agency Rule-Making & Guidance Consumer Protection

  • 11th Circuit says one-year statutory notice period cannot be varied

    Courts

    On August 26, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a district court’s summary judgment in favor of a bank after determining that the plaintiff-appellants’ claim for statutory repayment is not time-barred. Plaintiffs (Venezuelan citizens residing in Venezuela) maintained personal and commercial bank accounts at a Florida branch of the bank. According to the plaintiffs, a bank employee changed the email account associated with the bank accounts to a new fraudulent email. Identity thieves were later able to bypass security measures on the account, gave correct answers to security questions, and sent documents with signatures that matched ones the bank had on file, resulting in roughly $850,000 being transferred out of one of the accounts. Plaintiffs contended they were locked out of their accounts and struggled to contact the bank for months without success. After eventually regaining access to their accounts, plaintiffs discovered the stolen money and sued for a variety of claims, including fraud, negligence, and breach of contract. They also claimed that the bank was required to refund them for the fraudulent wire transfers under Florida Statutes § 670.202. The bank argued, among other things, that the plaintiffs’ claims were time-barred because they failed to notify the bank about the alleged fraud within 30 days of receiving a bank statement. Plaintiffs responded that the Florida Statutes provide a one-year time period to notify a bank of an unauthorized wire transfer and stated that the time-period could not be modified by agreement. The district court entered summary judgment for the bank, concluding “that the one-year period was modifiable and that the parties had modified it.” The district court also determined that because the bank’s procedures were “commercially reasonable” and followed “in good faith” it was not liable to the plaintiffs to repay the wire transfers.

    On appeal, the 11th Circuit held that the plaintiffs were still within their statutory one-year notification period when they notified the bank of the fraudulent wire transfers, and rejected the bank’s argument that it could shorten the notification period to 30 days. The 11th Circuit, in rejecting the bank’s argument, determined that it cannot “shift the loss of an unauthorized order to the customer during the statutorily determined period,” adding that “if the one-year statutory notice period could be varied, then banks could insist that customers sign contracts that make the time to demand a refund of a fraudulent payment a day (or even less). That would impair the account holder’s right to a refund and defeat Florida’s intent that banks—not account holders—bear the risk of a fraudulent transfer for the first year following the transfer. And there’s no limiting principle in the text for how short banks could make the statutory refund period.” Pointing out that the bank was unable to identify a limiting principle at oral argument, the appellate court concluded that “if banks could modify the one-year period, there’s no principled way to draw the line as to how short of a refund period is too short.” On remand, the 11th Circuit also instructed the district court to review whether the bank’s security procedures are “commercially reasonable.”

    Courts State Issues Fraud Appellate Eleventh Circuit Privacy, Cyber Risk & Data Security

  • District Court dismisses ransomware suit alleging negligence

    Courts

    On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the 2020 ransomware attack on the defendant caused them to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” Under the first agreement, the defendant agreed to maintain servers holding the nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.

    According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, gaining access to the PII that the nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyberattack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard its database of PII. The plaintiffs also claimed that “’had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.’” Following the breach, the plaintiffs alleged that they incurred remediation damages that included “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs did not adequately explain how the breach caused their remediation damages, warranting dismissal.

    The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because they did not point to an independent duty outside of contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.

    Courts Privacy, Cyber Risk & Data Security Ransomware Consumer Protection Data Breach State Issues Indiana

  • SEC releases draft regulatory strategic plan

    Securities

    Recently, the SEC released its draft FY 2022-2026 strategic plan, which focuses on goals related to protecting families against fraud and misconduct, supporting a diverse and inclusive workforce, and developing a regulatory framework that keeps pace with ever-evolving markets, business models, and technologies. The SEC noted that it plans to continue to update its disclosure framework to meet investors’ demands for information related to issuers’ climate risks and cybersecurity hygiene policies to ensure informed investment decisions are made. The draft strategic plan also discussed market risks associated with cybersecurity threats and cross-border challenges, and called on the SEC to coordinate with foreign financial regulators. The SEC also stated it plans to update existing rules and approaches to better “reflect evolving technologies, business models, and capital markets,” and intends to examine strategies for addressing systemic and infrastructure risks faced by capital markets and market participants.

    Securities Agency Rule-Making & Guidance Privacy, Cyber Risk & Data Security Fintech

  • FTC sues data broker for unfair sale of sensitive data

    Federal Issues

    On August 29, the FTC announced an action taken against a data broker accused of selling precise geolocation data from hundreds of millions of mobile devices that can be used to trace individuals’ movements to and from sensitive locations. According to the complaint, the defendant purchases location information from other data brokers and packages it into customized data feeds that match unique mobile device advertising identification numbers with timestamped latitude and longitude locations. These data feeds allow purchasers to identify and track specific mobile device users with no restrictions on usage and put consumers at significant risk, the FTC claimed, noting that because the defendant fails to adequately protect its data from public exposure, consumers may be identified and face substantial injury. Moreover, people are often unaware that their location data is being purchased and shared by the defendant and have no control over its sale or use, the FTC said in its announcement. The complaint alleges that the defendant’s unfair sale of sensitive data violates the FTC Act, and seeks a permanent injunction and any additional relief deemed just and proper.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement Data Brokers FTC Act UDAP Unfair

  • District Court approves class action settlement against securities trading platform and broker-dealer

    Courts

    On May 16, the U.S. District Court for the Northern District of California granted final approval of a settlement in a class action against a securities trading platform and broker-dealer (defendant) for allegedly allowing unauthorized users access to customers’ accounts. As described in plaintiffs’ motion for preliminary approval of settlement, class members alleged the defendant “lacked security measures used by other broker-dealer online systems,” which allowed “thousands of [the defendant’s] customer accounts [to be] accessed by unauthorized users.” Based on these allegations, class members brought claims for negligence, breach of contract, and violations of various state consumer privacy, competition, and advertising laws. Under the terms of the settlement, the defendant must provide cash payments of up to $260 each to settlement class members who submit a claim, up to a total amount of $500,000. Additionally, among other things, the defendant must “provide two years of credit monitoring and identity theft protection services to those who elect to receive it,” must “maintain improvements to its security protocols and policies to decrease the risk of unauthorized access to its customers’ accounts,” and must “respond effectively to instances of potential unauthorized access” in the future.

    Courts Privacy, Cyber Risk & Data Security Class Action Data Breach Securities

  • Treasury announces MOU with Israel

    Privacy, Cyber Risk & Data Security

    On August 25, the U.S. Treasury Department announced a bilateral Memorandum of Understanding (MOU) on Cybersecurity Cooperation with the Ministry of Finance of the State of Israel (MOF). According to Treasury, the MOU “builds on U.S. Deputy Secretary of the Treasury Wally Adeyemo’s visit to Israel in November 2021 that established a bilateral partnership to protect critical infrastructure in the financial sector and recognized the importance of deepening cooperation on cybersecurity to protect the integrity of the international financial system.” While noting that Treasury has a “long-standing cybersecurity information sharing relationship” with MOF, the announcement stated that the MOU “formalizes and strengthens the close partnership between both agencies.” Specifically, the MOU enhanced collaboration in: (i) information sharing relating to the financial sector including cybersecurity information on incidents and threats; (ii) staff training and study visits to promote cooperation in the area of cybersecurity; and (iii) competency-building activities such as the conduct of cross-border cybersecurity exercises.

    Privacy, Cyber Risk & Data Security Department of Treasury MOUs Israel Of Interest to Non-US Persons
