
InfoBytes Blog

Financial Services Law Insights and Observations


  • Congressional Committees Review Data Breaches, Potential Federal Responses

    Privacy, Cyber Risk & Data Security

    This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. 
    Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.

    Credit Cards FTC Payment Systems Enforcement U.S. Senate U.S. House Privacy/Cyber Risk & Data Security

  • FTC Actions Allege Violations Of International Safe Harbor Privacy Framework

    Privacy, Cyber Risk & Data Security

    On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.

    FTC Enforcement Privacy/Cyber Risk & Data Security

  • FTC Announces Settlement Over In-App Purchases By Minors

    Fintech

    On January 15, the FTC announced that a major mobile technology company agreed to resolve allegations that it violated Section 5 of the FTC Act by failing to inform account holders that entering their password on their mobile device would open a 15-minute window in which children could incur unlimited charges within certain mobile applications with no further action from the account holder (in-app purchases). The settlement is open to public comment through February 14, 2014. Once finalized, the proposed settlement will require the company to refund at least $32.5 million to consumers who allegedly were billed for accidental or unauthorized in-app purchases by minors. The company will manage the remuneration process, including by providing notice to consumers and providing refunds promptly upon consumer request. Any funds remaining after 12 months of the final agreement must be remitted to the FTC. The company also must alter its billing practices to ensure it obtains express, informed consent before charging accountholders for in-app purchases.

    FTC Mobile Commerce Enforcement

  • House Democrats Encourage FTC Scrutiny Of Consumer Reporting Agencies' Add-On Products Marketing

    Consumer Finance

    On December 18, a group of House Democrats sent a letter urging the FTC to focus on the online marketing of products and services by consumer reporting agencies (CRAs). The lawmakers assert that CRAs “often require consumers to jump through hurdles, presumably in an effort to generate additional revenue.” The lawmakers suggest that certain CRAs’ websites mislead and confuse consumers, particularly with regard to the marketing of “free” consumer products and services that are conditioned upon consumers signing up for “costly add-on services such as ongoing credit monitoring.” The letter identifies the following specific practices for FTC scrutiny: (i) marketing “free” products or services that automatically convert to a monthly subscription if the consumer does not cancel within a trial period; (ii) “prominent” advertising of discount packages without disclosing that the initial small dollar enrollment fee converts into a subscription service; and (iii) requiring consumers to set up accounts before being granted access to their credit score or reports, while “barrag[ing]” consumers with add-on product offerings during the account registration process.

    CFPB FTC Consumer Reporting U.S. House

  • FTC To Host Consumer Privacy Seminars

    Privacy, Cyber Risk & Data Security

    On December 2, the FTC announced a series of seminars to be held in 2014 dedicated to the privacy implications of: (i) mobile device tracking—tracking consumers in retail and other businesses using signals from their mobile devices; (ii) alternative scoring products—using predictive scoring to determine consumers’ access to products and offers; and (iii) consumer-generated and controlled health data—information provided by consumers to non-HIPAA covered websites, health applications, and devices. The first two topics will be examined in forums held in Washington, DC on February 19, 2014 and March 19, 2014, respectively. Details for the third event have not been finalized.

    FTC Privacy/Cyber Risk & Data Security

  • Senators Challenge CFPB On Indirect Auto Finance Guidance

    Consumer Finance

    On October 30, a bipartisan group of 22 Senators sent a letter to the CFPB raising concerns about CFPB guidance affecting the indirect auto financing market and auto dealers’ ability to negotiate retail margins with consumers. The guidance at issue, contained within CFPB Bulletin 2013-02, advised bank and nonbank indirect auto financial institutions about compliance with federal fair lending requirements in connection with the practice by which auto dealers “mark up” the financial institution’s risk-based buy rate and receive compensation based on the increased interest revenues.

    In August, the CFPB responded to a similar inquiry from House members. The Senate letter asserts that the CFPB still has not explained a basis for alleging that discrimination under a “disparate impact” theory of liability exists in the indirect auto financing market.  Nor, the letter continues, has the CFPB released the statistical methodology it uses to evaluate disparate impact in an indirect auto lender’s portfolio.

    The Senators request details concerning the CFPB’s statistical methodology and also seek information about: (i) coordination among the CFPB, Federal Reserve Board, and FTC regarding the CFPB’s fair lending guidance to financial institutions; (ii) the decision to issue the guidance via a bulletin without public comment rather than employing the Administrative Procedure Act rulemaking process; and (iii) any cost-benefit analysis conducted into the effect that industry adoption of a flat-fee dealer compensation mechanism would have on the cost for consumers across the credit spectrum.

    The letter comes on the heels of a related inquiry to the FTC last week, which urged the FTC to investigate, among other things, auto dealer practices regarding interest rate markups and requested information on the FTC’s auto dealer markup enforcement activity.

    CFPB FTC Auto Finance Fair Lending U.S. Senate

  • CFPB, FTC Join in FCRA Amicus Brief

    Consumer Finance

    On October 4, the CFPB and the FTC filed an amicus brief in a Fair Credit Reporting Act (FCRA) case pending in the Ninth Circuit. The brief argues that the seven-year period during which a criminal arrest can be reported starts on the date of the arrest and, contrary to the district court’s decision, is not extended by a subsequent dismissal of the charges. The brief notes that FCRA previously provided that the seven-year reporting period ran “from the date of disposition [i.e., dismissal], release, or parole,” but that Congress repealed that specific provision in 1998, replacing it with the general FCRA rule that the reporting period begins when the adverse event occurs. The brief notes that Congress prescribed a different rule for some categories of information—for example, the seven-year period for reporting that a delinquent account was placed with a collection agency begins 180 days after the commencement of the delinquency that immediately preceded the collection activity.

    The brief relies heavily on the FTC’s summary of staff interpretations that it issued as part of its staff report, 40 Years of Experience with the Fair Credit Reporting Act (2011), just before the Dodd-Frank Act transferred primary enforcement authority for FCRA from the FTC and gave the CFPB general rulemaking powers under FCRA. The FTC and CFPB argue that the district court erroneously relied on the FTC’s 1990 Commentary on FCRA, which did not reflect the 1998 amendments. The extensive reliance on the 40 Years Report in the brief is significant because it reflects an endorsement of the authoritativeness of that report by the CFPB, at least as to the particular issue raised in this case.

    CFPB FTC FCRA

  • Senator Expands Data Broker Investigation

    Privacy, Cyber Risk & Data Security

    On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.

    FTC U.S. Senate U.S. House Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • FTC Files Amicus Brief in Tribal Payday Lending Case

    Consumer Finance

    On September 26, the FTC announced that it had filed an amicus brief in the U.S. Court of Appeals for the Seventh Circuit in a class action suit against a Native American payday lender. In that case, the putative class is challenging a payday lender’s practice of requiring borrowers to submit to arbitration at a Native American reservation in South Dakota. The FTC notes that it is pursuing its own action against the same lender, challenging its jurisdiction over borrowers who do not belong to the tribe and who do not reside on the reservation or in South Dakota. In its Seventh Circuit filing, the FTC argues that Native American tribes and tribal courts have legal authority over their own members and not over non-members, unless non-members conduct activities inside the reservation or enter into a commercial relationship with the tribe or a member of the tribe. The FTC claims that borrowers who take out payday loans from these companies via the Internet do not conduct business on the reservation and should not be subject to arbitration there.

    FTC Payday Lending Arbitration Internet Lending

  • FTC Announces Settlement of First Text Message Debt Collection Action

    Fintech

    On September 25, the FTC announced the settlement of its first case against a debt collector for using text messaging to attempt to collect debts in an allegedly unlawful manner. The complaint, filed on August 23, alleged that an individual and the two debt collection companies he controlled violated the FDCPA and FTC Act when the companies failed to disclose in English- and Spanish-language text messages and phone calls that the companies were debt collectors and that they falsely portrayed themselves as law firms. The FTC also alleged that the defendants illegally revealed debts to the consumers’ family members, friends, and co-workers. To resolve the FTC’s claims, the companies agreed to pay a $1 million civil penalty, agreed not to send text messages omitting the disclosures required by law and agreed to obtain a consumer’s express consent before contacting them by text message. The defendants are also barred from falsely claiming to be law firms and from falsely threatening to sue or take any action – such as seizure of property or garnishment – that they do not actually intend to take.

    FTC FDCPA Debt Collection
