
InfoBytes Blog

Financial Services Law Insights and Observations


  • New York AG sues national coffee chain over data breach

    State Issues

    On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in almost 20,000 compromised accounts and “tens of thousands” of dollars stolen. The attorney general alleges that, following the attacks, the company failed to take steps to protect the affected customers, such as notifying them of the unauthorized access, resetting account passwords, or freezing the stored value cards. The complaint also alleges that the retailer failed to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. In addition, according to the complaint, in 2018, a vendor notified the company of another attack that resulted in the unauthorized access of over 300,000 customer accounts, and the company’s response included inaccurate representations to customers. The complaint asserts violations of New York’s data breach notification statute and violations of New York’s consumer protection laws. The attorney general is seeking injunctive relief, restitution, disgorgement, and civil money penalties.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security Data Breach

  • Ballot initiative seeks to expand CCPA, create new enforcement agency

    Privacy, Cyber Risk & Data Security

    On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from Mactaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others:

    • Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
    • Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information or using sensitive personal information collected for purposes that are incompatible with the disclosed purpose for which the information was collected, or other disclosed purposes reasonably related to the original purpose for which the information was collected, unless notice is provided to the consumer.
    • Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
    • Eligibility for financial or lending services. The Act would require a business that collects personal information to disclose whether the business is profiling consumers and using their personal information for purposes of determining eligibility for, among other things, financial or lending services, housing, and insurance, as well as “meaningful information about the logic involved in using consumers’ personal information for this purpose.” Additionally, the business appears required to state in its privacy policy notice if such profiling had, or could reasonably have been expected to have, a significant, adverse effect on the consumers with respect to financial lending and loans, insurance, or any other specific categories that are enumerated. Notably, while Mactaggart has expressed heightened concern with sensitive personal information, such as health and financial information, the Act appears to retain the CCPA’s current exemptions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
    • Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
    • Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
    • Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
    • Definition of business. The Act revises the definition of “business” to:
      • Clarify that the time period for calculating annual gross revenues is based on the prior calendar year;
      • Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
      • Include a joint venture or partnership composed of businesses in which each business has at least a 40% interest; and
      • Provide a catch-all for businesses not covered by the foregoing bullets.
    • The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.

    If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.

    As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which are awaiting the signature of Governor Gavin Newsom, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified, including the definition of “personal information,” while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.

    Privacy/Cyber Risk & Data Security State Issues State Legislation State Attorney General CCPA

  • House passes one marijuana banking bill while state AGs urge passage of another

    Federal Issues

    On September 25, the U.S. House passed the SAFE Banking Act (H.R. 1595) by a vote of 321-103. As previously covered by InfoBytes, in March, the House Financial Services Committee passed the bipartisan measure, which would provide a safe harbor for depository institutions that provide a financial product or service to a covered business in a state that has implemented laws and regulations that ensure accountability in the marijuana industry.

    Additionally, on September 23, a bipartisan group of 21 state attorneys general wrote to members of Congress to urge the advancement of a different piece of legislation that would allow banks to serve marijuana-related businesses in states and territories that have legalized certain uses of marijuana. Specifically, the letter expresses support for the Strengthening the Tenth Amendment Through Entrusting States Act (STATES Act), which “would allow each [s]tate and territory to determine, for itself, the best approach to marijuana legalization within its borders, while at the same time creating protections to ensure that such regulation does not impose negative externalities on those states and territories that choose other approaches.” The AGs emphasize that neither the SAFE Act (S.B. 1028 and H.R. 2093) nor the letter serve as an endorsement of any “particular approach to cannabis policy,” but rather are intended to prevent residents of states and territories that have legalized some form of marijuana from being subjected to “a confusing and dangerous regulatory limbo.” The STATES Act would effectively exempt marijuana from the Controlled Substances Act (CSA) in states where the drug has been legalized. In addition to providing an exemption from the CSA, the STATES Act would reduce businesses’ reliance on cash-only models—which, the AGs argue, make it more difficult to track revenue for tax and regulatory compliance purposes—and provide certain protections for states that choose to operate in this industry.

    Federal Issues Federal Legislation State Attorney General Cannabis Banking

  • 28 state AGs argue CFPB’s debt collection proposal “falls far short”

    Agency Rule-Making & Guidance

    On September 18, 28 state attorneys general filed a comment letter in response to the CFPB’s Notice of Proposed Rulemaking (NPRM) amending Regulation F to implement the Fair Debt Collection Practices Act (FDCPA) (the “Proposed Rule”), urging the Bureau to reconsider the proposal. As previously covered by InfoBytes, on May 7, the CFPB issued the Proposed Rule, which covers debt collection communications and disclosures and addresses related practices by debt collectors. The comment letter argues that, “on the most critical issues, the Proposed Rule falls far short.” Specifically, the AGs assert that the bright-line call limit would not meaningfully reduce calls for the majority of consumers because the limit is placed on the debt, not on the consumer, which “renders any benefits to consumers illusory.” Moreover, because there is no restriction on the number of electronic communications a debt collector can send, the AGs argue that the Proposed Rule would result in a “barrage of emails and texts, and even social media contacts.” In addition to the concerns on contact, the letter, among other things, argues that the Proposed Rule: (i) should require affirmative consent for contact methods outside of phone or mail, as opposed to the opt-out requirements; (ii) should only allow for electronic delivery of validation notices with E-SIGN Act compliance; (iii) should have a strict-liability standard for collections on time-barred debt; and (iv) should apply to first-party creditors, as well as third-party creditors. Lastly, the letter notes the Proposed Rule fails to address a number of other topics, including the substantiation of debt prior to litigation, debt payment allocation, and the additional challenges faced by servicemembers.

    Agency Rule-Making & Guidance CFPB Debt Collection FDCPA State Issues State Attorney General

  • FTC lawsuits allege student loan scams

    Federal Issues

    On September 12, the FTC announced two separate suits filed in the U.S. District Court for the Central District of California against various entities and individuals who allegedly engaged in deceptive practices when promoting student loan debt relief schemes.

    In the first complaint, filed jointly with the Minnesota attorney general, a debt relief company and its owners (collectively, the “Minnesota defendants”) were alleged to have violated the FTC Act, TILA, the Telemarketing Sales Rule (TSR), and various state laws, by charging consumers who sought student loan payment reduction programs an advance fee of over $1,300 while falsely representing that the payment would go toward their student loans. The advance fee, the FTC contends, was allegedly financed through high-interest loans from a third-party finance company identified as a co-defendant in both complaints. The stipulated order entered against the Minnesota defendants prohibits them from, among other things: (i) making material misrepresentations related to their financial products and services, or any other kind of product or service; (ii) making unsubstantiated claims about their financial products and services; (iii) engaging in unlawful telemarketing practices; or (iv) collecting payments on accounts sold prior to the order’s date. The stipulated order also requires the Minnesota defendants to notify their customers that none of their prior payments have gone towards a Department of Education repayment program or towards their student loans, and orders the payment of $156,000, with the total judgment of approximately $4.2 million suspended due to inability to pay.

    The FTC filed a second complaint against a separate student loan debt relief operation for allegedly engaging in deceptive and abusive practices through similar actions, including charging consumers advance fees of up to $1,400 and enrolling consumers in the same finance company’s high-interest loan program. The action against the second student loan debt relief operation is ongoing.

    Both complaints also charge the finance company with violating the assisting and facilitating provision of the TSR by providing substantial assistance to both sets of defendants even though it knew, or consciously avoided knowing, that they were engaging in deceptive and abusive telemarketing practices. The FTC also alleges that the finance company violated TILA when it failed to clearly and conspicuously make certain required disclosures concerning its closed-end credit offers. Separate stipulated orders were entered by the FTC in each case (see here and here) against the finance company. The orders’ terms require the finance company to pay a combined $1 million out of a nearly $28 million judgment, with the rest suspended due to inability to pay, as well as relinquish its rights to collect on any outstanding loans. Among other things, the orders also permanently ban the finance company from engaging in transactions involving secured or unsecured debt relief products and services or making misrepresentations regarding financial products and services.

    Federal Issues FTC Enforcement Student Lending Debt Relief State Attorney General FTC Act Telemarketing Sales Rule TILA UDAP

  • CFPB and state regulators launch American Consumer Financial Innovation Network

    Federal Issues

    On September 10, the CFPB, in conjunction with state regulators, announced the American Consumer Financial Innovation Network (ACFIN) to enhance coordination among federal and state regulators to facilitate financial innovation. ACFIN has three stated objectives in its charter: (i) “[e]stablish coordination between Members to benefit consumers by facilitating innovation that enhances competition, consumer access, or financial inclusion”; (ii) “[m]inimize unnecessary regulatory burdens and bolster regulatory certainty for innovative consumer financial products and services”; and (iii) “[k]eep pace with the evolution of technology in markets for consumer financial products and services in order to help ensure those markets are free from fraud, discrimination, and deceptive practices.” The initial state members of ACFIN are Alabama, Arizona, Georgia, Indiana, South Carolina, Tennessee, and Utah, but the Bureau notes that all state regulators, including financial regulatory agencies, have been invited to join.

    Federal Issues CFPB Fintech State Issues State Attorney General State Regulators

  • Video-sharing site reaches $170 million settlement with FTC and New York AG

    Federal Issues

    On September 4, the FTC and the New York Attorney General announced (see here and here) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the complaint, the video-sharing site allegedly collected personal information in the form of “persistent identifiers” from viewers of child-directed channels without first obtaining verifiable parental consent. The persistent identifiers allegedly generated millions of dollars in revenue by delivering targeted ads to viewers. The FTC and New York AG allege, among other things, that the defendants knew the video-sharing site hosted numerous child-directed channels but told advertisers that the video-sharing site contains general audience content, even informing one advertising company that it did not have users younger than 13 on its platform and therefore channels on its platform did not need to comply with COPPA.

    Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13—including through the use of persistent identifiers for targeted advertising purposes—unless the company has explicit parental consent. Furthermore, third parties—such as advertising networks—must also comply with COPPA where they have actual knowledge that personal information is being collected directly from users of child-directed websites and online services.

    While neither admitting nor denying the allegations, except as specifically stated within the settlement, the defendants will, among other things, (i) pay a $136 million penalty to the FTC and a $34 million penalty to New York; (ii) change their business practices to comply with COPPA; (iii) maintain a system for channel owners to designate their child-directed content on the video-sharing site; and (iv) disclose their data collection practices and obtain verifiable parental consent prior to collecting personal information from children. According to the FTC, the $136 million penalty is “by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”

    Federal Issues FTC State Attorney General Enforcement Privacy/Cyber Risk & Data Security COPPA

  • New York restores Martin Act’s six-year statute of limitations

    State Issues

    On August 26, the New York governor signed S 6536, which returns the statute of limitations within which the state’s attorney general must bring financial fraud claims under the Martin Act to six years. As previously covered by InfoBytes, in 2018 the New York Court of Appeals issued a ruling that claims brought under the Martin Act are governed by a statute of limitations of three years, not six. According to the majority in that court decision, the three-year period applied because the Martin Act “expands upon, rather than codifies, the common law of fraud” and “imposes numerous obligations—or ‘liabilities’—that did not exist at common law,” which justified the imposition of a three-year statute of limitations. However, Governor Andrew Cuomo noted that “[b]y restoring the six-year statute of limitations under the Martin Act, we are enhancing one of the state’s most powerful tools to prosecute financial fraud so we can hold more bad actors accountable, protect investors and achieve a fairer New York for all.” Effective immediately, S 6536 will amend Section 213 of the state’s Civil Practice Law and Rules to include Martin Act cases among those that must be brought within six years.

    State Issues State Legislation Martin Act State Attorney General Fraud

  • State AGs and VSPs to collaborate on robocalls

    Privacy, Cyber Risk & Data Security

    On August 22, North Carolina Attorney General Josh Stein announced a bipartisan agreement between 51 state attorneys general and 12 voice service providers, adopting eight principles for fighting illegal robocalls and preventing consumer fraud. Under the principles, the voice providers will: (i) offer no-cost call-blocking technology, including easy-to-use call blocking and labeling tools; (ii) implement STIR/SHAKEN call authentication (as previously covered by InfoBytes, in June the FCC adopted a Notice of Proposed Rulemaking requiring voice providers to implement the caller ID authentication framework); (iii) analyze and monitor high-volume voice network traffic for robocall patterns; (iv) investigate suspicious calls and calling patterns and take appropriate action; (v) confirm identities of new commercial customers; (vi) require traceback cooperation in new and renegotiated contracts; (vii) provide for timely and comprehensive law enforcement efforts through cooperation in traceback investigations; and (viii) communicate with state attorneys general about recognized robocall scams and trends and potential solutions. AG Stein noted that the principles will also “make it easier for attorneys general to investigate and prosecute bad actors.”

    Privacy/Cyber Risk & Data Security State Attorney General Robocalls FCC

  • Illinois requires companies to report data breaches to attorney general

    State Issues

    On August 9, the Illinois governor signed SB 1624, which requires that a single data breach involving the personal information of more than 500 Illinois residents must be reported to the state attorney general. The notice must include: (i) a description of the nature of the breach of security or unauthorized acquisition or use; (ii) the number of Illinois residents affected by such incident at the time of notification; and (iii) any steps the data collector has taken or plans to take relating to the incident. Notification is required to be made “in the most expedient time possible and without unreasonable delay,” but no later than when the data collector informs consumers of the breach under current law. The bill is effective January 1, 2020.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach State Attorney General
