InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court rules apps’ terms of service hyperlinks were clear and conspicuous

    Courts

    On February 23, the U.S. District Court for the Eastern District of New York ruled that parties must arbitrate class claims concerning alleged fraudulent transactions on app users’ accounts. Plaintiffs—users of the defendants’ mobile payment platform who claimed that third parties fraudulently withdrew funds from their app accounts—alleged that the defendants’ inadequate dispute resolution process “improperly places the burden on the user to prove that a disputed transaction was unauthorized” in violation of the EFTA and N.Y. Gen. Bus. Law § 349. Defendants, however, countered that the plaintiffs agreed to arbitrate any disputes related to their app accounts, and moved to compel arbitration and dismiss the complaint. The court analyzed the applicable sign-up flows and ruled that in signing up for the apps, users agreed to unambiguous terms of service, which included an arbitration agreement presented in a clickable hyperlinked URL. The court rejected plaintiffs’ assertion that a reasonably prudent smartphone user would not think to click on the terms of service hyperlink, stating that the hyperlink for both apps provided reasonably clear and conspicuous interfaces. The court further found that the claims were subject to arbitration because plaintiffs specifically assented to the arbitration provisions and that the parties agreed to present any question of arbitrability to an arbitrator.

    Courts Arbitration Class Action Consumer Finance Mobile Payments EFTA State Issues New York

  • New York AG alerts companies on “credential stuffing” cyberattacks

    State Issues

    On January 5, the New York attorney general issued a report highlighting the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential Stuffing Attacks, details these attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and provides recommendations on how businesses can protect themselves. Through credential stuffing, which is one of the most common forms of cyberattacks, offenders utilize automated software to reuse stolen usernames and passwords, relying on the human tendency to reuse the same credentials to access various online accounts and platforms. The AG’s office launched the investigation “in light of the growing threat of credential stuffing,” and monitored several online communities dedicated to credential stuffing. According to the report, the office discovered thousands of posts that had customer login credentials that were tested by hackers in a credential stuffing attack and found that the information could be used to access other accounts. From these posts, the office compiled credentials to compromised accounts at seventeen companies, which consisted of online retailers, restaurant chains, and food delivery services, and collected credentials for over 1.1 million customer accounts, all of which seemed to have been compromised. The office alerted the companies to the compromised accounts and urged them to investigate and take protective action, and every company did so.

    The report recommended that businesses maintaining online accounts have a data security program, including effective safeguards for protecting customers from credential stuffing attacks in four areas: (i) defending against credential stuffing attacks; (ii) detecting a credential stuffing breach; (iii) preventing fraud and misuse of customer information; and (iv) responding to a credential stuffing incident. Specifically, three safeguards considered to be “highly effective” at defending against credential stuffing attacks were bot detection services, multi-factor authentication, and password-less authentication. The report also recommended that companies require reauthentication at the time of a purchase. Additionally, “[b]usinesses should have a written incident response plan that includes processes for responding to credential stuffing attacks” and notification to affected parties.

    State Issues New York Investigations State Attorney General Privacy/Cyber Risk & Data Security

  • District Court temporarily halts enforcement of New York’s user data-sharing ordinances

    Privacy, Cyber Risk & Data Security

    On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily reprieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances”). The amended complaint contends that the ordinances “create an unconstitutional, privacy-infringing, data-disclosure requirement pursuant to which third-party food-ordering and delivery platforms. . . must divulge, against their will, sensitive, proprietary customer information,” including full names, phone numbers, email addresses, delivery addresses, and order contents to New York City restaurants “regardless of whether that restaurant maintains any security infrastructure, and regardless of whether the customer has expressly consented to their personal information being so shared.” According to the plaintiffs, the ordinances “state that customers are presumed to have consented to this dangerous flow of their information unless they specifically opt out for each and every order they place, contrary to the common view that opt-out requests should be valid for at least several months.” The plaintiffs allege, among other things, that the ordinances are preempted by New York State’s Right of Privacy and violate delivery app companies’ First Amendment rights.

    Notably, while New York City “has agreed to stay enforcement of the Challenged Laws pending final determination by this Court resolving, or disposing of, this action in exchange for Plaintiff’s agreement not to file a motion for a preliminary injunction,” the stipulation and order is not an indefinite agreement to stop enforcement of the ordinances.

    Privacy/Cyber Risk & Data Security Courts New York State Issues Consumer Protection

  • New York takes action on cryptocurrency lending platforms

    State Issues

    On October 18, the New York attorney general ordered two unregistered cryptocurrency lending platforms to immediately cease their activities in the state and directed three additional platforms to provide information about their activities and products. The AG clarified that most virtual currency lending products “fall squarely within any of several categories of ‘security’ under the Martin Act,” and therefore platforms must comply with the Martin Act’s registration requirements unless exempt. According to the AG, the virtual currency lending products identified in these actions “promise a fixed or variable rate of return to investors, and claim to deliver those returns by, among other things, trading with, or further lending those virtual assets.” As such, the products are securities under the Martin Act, particularly those that accept virtual currencies in exchange for a rate of return. The press release provided a redacted version of a cease letter sent to one of the two unregistered platforms, which stated that platforms engaging in unregistered activity have committed a fraudulent practice under the Martin Act and may face civil remedies. The platform is ordered to cease the alleged activity within 10 days or explain why the AG should not take further action. A different redacted letter requested information about the recipient’s products, where it operates, how the platform uses deposited virtual currency, whether U.S. dollars can be deposited or withdrawn from the platform, all financial institutions that are used, and whether the companies accept tethers, among other things. The letter also requested examples of agreements, contracts, and risk disclosures, as well as due diligence policies and procedures. These letters follow other actions taken recently by the AG against cryptocurrency trading platforms and token issuers (see e.g. InfoBytes here and here).

    State Issues Digital Assets State Attorney General Fintech Cryptocurrency Enforcement New York

  • New York enters judgment against crypto platform and CEO

    State Issues

    On September 13, the New York attorney general announced a judgment against an unregistered virtual currency trading platform and its CEO (collectively, “defendants”) for allegedly defrauding thousands of investors across the country out of millions of dollars by converting investor funds without their consent. According to the AG, in June, the New York Supreme Court granted the AG’s motion for a preliminary injunction and the appointment of a temporary, court-appointed receiver with special powers to safeguard investments already made on the trading platform. The defendants failed to comply with the preliminary injunction by creating, offering, and selling a new virtual currency and failed to respond to the AG’s complaint. The judgment permanently appoints the court receiver to obtain, safeguard, and return all assets invested and traded through the trading platform and imposes a money judgment against the defendants of $3,061,511, both together and separately. In addition, the judgment requires the defendants to permanently cease their illegal and fraudulent operations and puts in place a permanent receiver to protect investors’ funds.

    State Issues Digital Assets State Attorney General New York Cryptocurrency Enforcement
