
InfoBytes Blog

Financial Services Law Insights and Observations


  • California fines cosmetics chain for privacy violations

    Privacy, Cyber Risk & Data Security

    On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt out of such sale via user-enabled global privacy controls, and failure to cure such violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ rights to fight commercial surveillance, AG Bonta said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

    According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt-out of the sale of their information. According to the complaint, the company failed to take any of these measures.

    Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

    The press release also announced that notices were sent to several businesses alleging non-compliance concerning their failure to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.” 


  • District Court preliminarily approves data breach class action settlement

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. District Court for the Southern District of New York preliminarily approved a putative consolidated class action settlement that would reimburse members for out-of-pocket costs or expenditures actually incurred in connection with a February 2020 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach may have exposed the personal financial information (PFI) of approximately 10,300 individuals, including names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information. Class members alleged that defendants failed to adequately protect the PFI of current and former employees and their beneficiaries, and that the resulting data breach “was a direct result of defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect PFI.” If granted final approval, the settlement will provide each class member the opportunity to make a claim for up to $3,500 in reimbursements for out-of-pocket expenses actually incurred, and compensation for up to four hours of lost time spent remedying issues fairly traceable to the data breach at $18 per hour. Additionally, class members will be given 18 months of credit monitoring protections.


  • 3rd Circuit overturns decision in WESCA suit

    Courts

    On August 16, the U.S. Court of Appeals for the Third Circuit overturned a district court’s decision in a Wiretapping and Electronic Surveillance Control Act (WESCA) suit against a retailer and a third-party marketing company (collectively, “defendants”). According to the opinion, the plaintiff searched the retailer’s website while the “browser simultaneously communicated” with both the retailer and a third-party marketing service. The messages to the third-party marketing service alerted it to how the plaintiff was interacting with the website, including which pages she visited, when she filled in an email address, and when she added an item to her cart. The plaintiff filed suit against the defendants for using software whose code placed “cookies on the user’s browser so that her activity on the webpage had an associated visitor ID,” and “told the user’s browser to begin sending information to [the third party marketing service] as she navigated through the website, such as communicating that the user had clicked the ‘add to cart’ button or tabbed out of a form field,” in violation of WESCA. The district court dismissed the common law claim and subsequently granted summary judgment to the defendants on the WESCA claim, finding that the defendants were exempt from liability as direct parties to the electronic communications.

    The 3rd Circuit reversed and remanded, stating that the district court “never addressed whether [the retailer] posted a privacy policy and, if so, whether that policy sufficiently alerted [the plaintiff] that her communications were being sent to a third-party company.” The appellate court further disagreed “with the District Court’s holding that [the third party marketing company] is exempt from liability because it was a direct party to [the plaintiff’s] communications and that interception only occurred at the site of [the third party marketing company] servers in Virginia.”


  • California Privacy Protection Agency opposes federal privacy bill

    Privacy, Cyber Risk & Data Security

    On August 15, the California Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) opposing H.R.8152, the American Data Privacy and Protection Act (ADPPA). The CPPA expressed concerns that the proposed legislation “could nearly eliminate” the agency’s ability to fulfill its responsibility to protect Californians’ privacy rights and claimed that the bill’s provisions are “substantively weaker” than the California Privacy Rights Act. “ADPPA represents a false choice, that the strong rights of Californians and others must be taken away to provide privacy rights federally,” the CPPA stressed in its letter. “Americans deserve, and the Agency could support, a framework that offers both: a floor of federal protections that preserves the ability of the states to continue to improve protections in response to future threats to consumer privacy.”

    Last month the U.S. House Committee on Energy and Commerce voted 53-2 to send the ADPPA to the House floor with amendments that would enable the California agency to enforce the federal law (covered by InfoBytes here). However, the CPPA noted that “the language in the bill still raises significant uncertainties for the Agency were it to seek to enforce the federal measure.” Additionally, the bill, which has been revised from its initial draft (covered by a Buckley Special Alert), would preempt the current patchwork of five state privacy laws—which “would be an anomaly,” the CPPA said, given that current federal privacy laws such as the Health Information Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the FCRA all contain language allowing states to adopt stronger protections. Pointing out that the bill’s “preemption language is especially concerning given the rate at which technology continues to advance and evolve,” the CPPA stressed the importance of states being able to build on their existing laws and of allowing voters to seek out additional protections.


  • Dem chairs request info on agency data use

    Privacy, Cyber Risk & Data Security

    On August 16, Chairman of the Committee on the Judiciary Jerrold Nadler (D-NY) and Chairman of the Committee on Homeland Security Bennie Thompson (D-MS) sent a letter to multiple government agency leaders, requesting information on their purchases and use of personal data from data brokers. According to the chairmen, “[c]ompanies participating in the data market acquire user information for package and sale through social media, mobile applications, web hosts, and other sources,” and such products “can include precise details on individuals’ location history, internet activity, and utilities information, to name a few.” The letter further noted that, “improper government acquisition of this data can thwart statutory and constitutional protections designed to protect Americans’ due process rights.” The letter also pointed out that the agencies receiving the letter “have contracts with numerous data brokers, who provide detailed information on millions of Americans.” The chairmen requested a briefing from the agencies, in addition to documents and communications related to contracts the government has had with data brokers, legal analyses on the use of personal data, and parameters and limitations set on the use of the data by the end of August.


  • SEC files charges in brokerage hacking case

    Securities

    On August 15, the SEC filed a complaint against 18 individuals and entities (collectively, “defendants”) in the U.S. District Court for the Northern District of Georgia for allegedly engaging in a fraudulent scheme in which online retail brokerage accounts were hacked and improperly used to purchase microcap stocks. According to the SEC, the defendants collectively acquired substantial shares of the common stock of two public microcap companies. After obtaining the shares, some defendants conspired with other unknown parties to subject various retail brokerage accounts, held by third-party investors, to online account takeover attacks. The hacked accounts then were forced to make large purchases of the companies’ common stock, thereby artificially inflating the trading price and volume of the stocks. The defendants then sold the shares they had acquired at the inflated prices, generating approximately $1.3 million in proceeds and creating substantial profits for the defendants. The complaint also noted that throughout the scheme, some defendants repeatedly took steps to conceal their beneficial ownership of the company’s shares by, among other things, failing to file with the Commission certain beneficial ownership reports required by law. The SEC’s complaint alleges violations of anti-fraud and beneficial ownership reporting provisions of the federal securities laws, specifically, the Securities Act of 1933 and the Securities Exchange Act of 1934. The complaint seeks a permanent injunction against the defendants, disgorgement of ill-gotten gains, plus interest, penalties, bars, and other equitable relief. According to the SEC Director of Division of Enforcement, the case “illustrates the critical importance of cybersecurity and of our ongoing efforts to protect retail investors from cyber fraud.”


  • New York proposes new cybersecurity reporting requirements for financial institutions

    Privacy, Cyber Risk & Data Security

    Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.

    The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.

    Comments on the proposed amendments are due August 18.

    See continuing InfoBytes coverage on 23 NYCRR Part 500 here.


  • District Court grants final approval of data breach settlement

    Privacy, Cyber Risk & Data Security

    On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final approval of the class action settlement, the defendants notified the SEC, various states’ attorneys general, and thousands of affected customers about two data breaches that occurred through their website on two different occasions. The plaintiffs alleged that the incident allowed hackers to “scrape[]” many of the defendants’ consumers’ names from the website by infecting the ecommerce platform with a “malicious code,” and stole the personally identifiable information of approximately 40,000 customers. According to the settlement, the deal will provide that class members can receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, interest, and up to $80 in costs for obtaining credit monitoring and identity theft protection, among other things. The district court also approved $2,500 payments to the lead plaintiffs as service awards.


  • Chopra considers banking to be “under threat”

    Federal Issues

    On August 10, CFPB Director Rohit Chopra discussed the digital market before the 2022 National Association of Attorneys General Presidential Summit. In his remarks, Chopra first discussed the evolution of advertising models over time, describing how the persuasion of advertising continues to be used to target an individual based on “voluminous amounts of personal data.” Chopra also discussed HUD’s 2019 complaint against a social media platform, stating that it “illustrates the stark differences between traditional advertising and today’s digital marketing.” According to Chopra, the social media platform “helped advertisers limit the audience for ads and enabled advertisers to target specific groups of people to the exclusion of protected classes.” Chopra further noted that “state attorneys general have already begun to recognize that these platforms are not passive advertisers.” Chopra also noted that the CFPB recently issued an interpretive rule explaining that the service provider exemption for “time or space” will typically not apply to the digital marketing services offered by major platforms (covered by InfoBytes here). Chopra explained that though “they may be providing space for ads, these firms are commingling many other features that go well beyond the exemption.” To conclude, Chopra stated that “banking is under threat.” He observed that “sensitive data is viewed as more valuable to firms than our actual selves,” and that “advances in technology should help our economy and society advance, rather than incentivizing a rush to seize our sensitive financial data and to allow tech giants to evade existing laws that other firms must comply with.”


  • FTC seeks feedback on commercial surveillance and data security rulemaking

    On August 11, the FTC announced that it issued an advance notice of proposed rulemaking (ANPR) on a wide range of concerns about commercial surveillance practices. According to the FTC, it is exploring “rules to crack down on harmful commercial surveillance and lax data security.” The FTC described commercial surveillance as the business of collecting, analyzing, and profiting from information about individuals. The FTC also noted that “[m]ass surveillance has increased the risks and stakes of data breaches, deception, manipulation, and other abuses.” The ANPR solicits public comment regarding “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR also noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The FTC also released a Fact Sheet on the FTC’s Commercial Surveillance and Data Security Rulemaking and a Fact Sheet on Public Participation in the Section 18 Rulemaking Process. Comments are due 60 days after publication in the Federal Register.
