Privacy and Data Security Resource Center
Introduction
Buckley provides regulatory, strategic advice and litigation advocacy to financial services clients on matters involving the full spectrum of privacy and data security issues affecting their business operations. Our attorneys assist clients in addressing privacy and data security issues by proactively identifying and managing risks to the organization and its customers, aggressively addressing data security incidents, and responding to regulatory examinations, enforcement actions and litigation involving privacy or data security compliance.
Members of the group frequently speak at privacy and data security and financial institutions conferences including those of the International Association of Privacy Professionals, the RSA Conference, the American Conference Institute, the Practising Law Institute, the Information System Security Association, and the International Information Systems Security Certification Consortium. Group members also have authored articles and papers on privacy and data security topics.
Thought Leadership & Analysis
District Court grants final approval to grocery store data breach settlement
On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which...
InfoBytesNew York expands definition of telemarketing to include text messages
On July 13, the New York governor signed S.3941 , which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone...
InfoBytesConnecticut incentivizes businesses to adopt cybersecurity standards
On July 6, the Connecticut governor signed HB 6607 , which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming a business’ failure to “implement reasonable...
InfoBytesBiden orders federal agencies to evaluate banking, consumer protections
On July 9, President Biden issued a broad Executive Order (E.O.) that includes provisions related to the financial services industry. CFPB. The E.O. encourages the CFPB director to issue rules under Section 1033 of Dodd-Frank “to facilitate the portability of consumer financial transaction data so...
InfoBytesDistrict Court grants summary judgment for defendant in identity theft case
On June 30, the U.S. District Court for the Eastern District of Pennsylvania granted a motion for summary judgment in favor of a debt collection agency (defendant) with respect to a plaintiff’s FCRA and FDCPA allegations. The plaintiff alleged that the defendant, among other things, violated the...
InfoBytesSpecial Alert: Colorado enacts comprehensive consumer privacy law
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became...
InfoBytesSpecial Alert: Colorado enacts comprehensive consumer privacy law
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became...
Special AlertsFTC settles with app for violating COPPA
On July 1, the FTC announced a settlement with the operators of a coloring book app (collectively, “defendants”) for allegedly engaging in unfair or deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). The DOJ, on behalf of the FTC, filed a complaint...
InfoBytesNYDFS issues ransomware guidance
On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that...
InfoBytesFlorida issues telephone solicitation restrictions
On June 29, the Florida governor signed SB 1120 , which prohibits telephone solicitations and sales calls involving an “automated system for the selection or dialing of telephone numbers or the playing of a recorded message” without first receiving the prior express written consent of the called...
InfoBytes9th Circuit partially reverses lower court’s ruling based on tech company's misleading statements
On June 16, the U.S. Court of Appeals for the Ninth Circuit partially revived a securities fraud action brought by the state of Rhode Island on behalf of its employees’ retirement system against a California-based technology company, its holding company, and several individuals (collectively, “...
InfoBytesConnecticut amends data security breach provisions
On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection...
InfoBytesFTC settles with fertility-tracking app
On June 22, the FTC issued a decision and order against a company operating a fertility-tracking mobile app. The order resolved claims that the company shared user’s sensitive health data with various marketing and analytics service providers to the company. The FTC filed a complaint in January...
InfoBytesDistrict Court: Applying Michigan law is contrary to California’s interest in protecting citizens in data breach case
On June 15, the U.S. District Court for the Eastern District of Michigan denied an e-commerce company’s request to compel arbitration after reviewing whether Michigan or California state law applied to class claims concerning a 2019 data breach. After four actions against the company were...
InfoBytesJeffrey P. Naimon quoted in American Banker article, “Banks, consumer advocates unite against tax reporting proposal”
The American Banker discussed in their article, “Banks, consumer advocates unite against tax reporting proposal,” that the financial industry is opposed to the Biden administration’s plan — which would require financial institutions to report customers’ account flow data to the Internal Revenue...
In The NewsSEC charges settlement company with cybersecurity disclosure violations
On June 15, the SEC announced charges against a real estate settlement services company for its role in allegedly failing to disclose controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order , an independent...
InfoBytesNevada updates consumer privacy framework
On June 2, the Nevada governor signed SB 260 , which revises certain provisions under the state’s existing privacy law. Among other things, the act (i) adds “data broker” to the existing privacy framework; (ii) exempts certain persons and information collected about a consumer in the state from...
InfoBytes11th Circuit affirms majority of $380 million data breach settlement
On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a...
InfoBytesFCC signs robocall enforcement MOU with Australia
On June 3, the FCC announced that it entered into a memorandum of understanding (MOU) with the Australian Communications and Media Authority (ACMA) on providing mutual assistance in the enforcement of laws on certain unlawful communications, such as robocall, robotexts, and “spoofing.” FCC Acting...
InfoBytesFTC alleges subscription service failed to provide access to paid-for services or secure personal data
On June 7, the FTC announced a complaint and proposed consent order against the operators of a movie subscription service to settle allegations that the respondents denied subscribers access to paid-for services and failed to secure subscribers’ personal information. The FTC alleges in its...
InfoBytesFinCEN to host workshop on privacy enhancing technologies
On May 26, the Financial Crimes Enforcement Network (FinCEN) announced it will host a special Innovations Hours Program in September “focusing on the important role of privacy-preserving principles in developing technical solutions that enhance financial services innovation while countering illicit...
InfoBytesNew York AG reaches agreement with online retailer to resolve data breach
On May 18, the New York attorney general announced an agreement with an online water filtration retailer to resolve an investigation into a 2019 data breach that allegedly compromised the sensitive personal information of roughly 324,000 customers. According to the AG, the data breach impacted the...
InfoBytesDistrict Court approves online marketplace data breach settlement
On May 13, the U.S. District Court for the Northern District California preliminarily approved a class action settlement , resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data...
InfoBytesNYDFS, insurance company reach $1.8 million cyber breach settlement
On May 13, NYDFS announced a settlement with an insurance company to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication or reasonably equivalent or more secure access controls. Under Part 500.12(b...
InfoBytes6th Circuit affirms dismissal of FACTA credit card receipt suit
On May 11, the U.S. Court of Appeals for the Sixth Circuit affirmed dismissal of a putative class action for lack of subject matter jurisdiction, holding that while a merchant technically violated the Fair and Accurate Credit Transactions Act (FACTA) by including 10 credit card digits on a customer...
InfoBytesDefendant obligated to indemnify bank in data breach suit
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data...
InfoBytesData breach claims against convenience store chain can proceed
On May 6, the U.S. District Court for the Eastern District of Pennsylvania ruled that a defendant nationwide convenience store chain must face certain claims filed by a group of financial institutions as a result of a 2019 data security incident that allegedly compromised consumers’ credit and...
InfoBytesFTC settles with photo app developer over its facial recognition technology
On May 7, the FTC announced a final settlement with the developer of a California-based photo app (defendant) for allegedly deceiving consumers concerning its use of facial recognition technology and its retention of the photos and videos of users who previously deactivated their accounts. The FTC...
InfoBytes2nd Circuit: No standing if PII is uncompromised
On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s dismissal of a proposed class action settlement, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach...
InfoBytes9th Circuit: Company cannot compel minor children to arbitration
On April 23, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s refusal to compel arbitration against a technology company, concluding that children are not bound by arbitration provisions in their parents’ service contracts with the company. The appeals court held that the...
InfoBytesFCC issues $4.1 million fine for deceptive robocalls
On April 22, the FCC imposed a $4.1 million fine against a phone carrier for allegedly impersonating other carriers in telemarketing calls and deceiving consumers into changing carriers without consent. The FCC first proposed the fine in 2018 after the agency, state regulators, and the Better...
InfoBytesCourt rules software service provider did not eavesdrop when capturing website data for retailer
On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging a software-services provider for a clothing retailer wiretapped consumers’ communication with the retailer in violation of California’s Invasion of Privacy Act and the California...
InfoBytesCourt certifies two classes in restaurant chain data breach
On April 15, the U.S. District Court for the Middle District of Florida certified a nationwide class and a California-only class of restaurant customers who claim the restaurant chain’s negligence led to a 2018 data breach that compromised their credit card information. The two classes of consumers...
InfoBytesNYDFS, insurance broker reach $3 million cyber breach settlement
On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are...
InfoBytesFCC pushes on robocall blocking
On April 13, the FCC took several actions associated with blocking illegal and unsolicited robocalls, including sending cease and desist letters (see here and here ) to two carriers that “appear to be transmitting multiple unlawful robocall campaigns” and seeking updated information from all...
InfoBytesNYDFS updates cybersecurity fraud alert
On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of other techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes , the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities...
InfoBytesUtah creates certain affirmative defenses for data breaches
On March 11, the Utah governor signed HB 80 , which provides entities an affirmative defense for a data breach if they follow certain cybersecurity industry standards. Among other things, a “person that creates, maintains, and reasonably complies with a written cybersecurity program” that meets...
InfoBytesSherry-Maria Safchuk quoted in Bloomberg Law article, “Additional bills introduced in Illinois, Massachusetts, Minnesota; Virginia law’s approval may up the ante in other states, federally”
Sherry-Maria Safchuk discussed in the Bloomberg Law article “Additional bills introduced in Illinois, Massachusetts, Minnesota; Virginia law’s approval may up the ante in other states, federally” how the recent Massachusetts privacy bill is different than Virginia’s Consumer Data Protection Act...
In The NewsCalifornia again modifies CCPA regs; appoints privacy agency’s board
On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert ) and amended several times—became effective January 1, 2020. According to the...
InfoBytesStates reach data breach settlement with debt collector
On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million...
InfoBytesNon-signatory may not arbitrate privacy claims
On March 9, the U.S. District Court for the Southern District of New York denied a global technology company’s motion to compel arbitration in a putative consumer privacy class action, ruling that the technology company is not party to a co-defendant telecommunications company’s terms and...
InfoBytesAmanda R. Lawrence and Sasha Leonhardt extensively quoted in Cybersecurity Law Report article, “Familiar and fresh mandates in Virginia’s new privacy law”
Amanda R. Lawrence and Sasha Leonhardt were extensively quoted in the Cybersecurity Law Report article, “Familiar and fresh mandates in Virginia’s new privacy law,” which reported on the recently enacted Virginia Consumer Data Protection Act and how it is similar to and yet differs from the...
In The NewsNYDFS, mortgage lender reach $1.5 million cyber breach settlement
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide...
InfoBytesVirginia enacts comprehensive consumer data privacy framework
On March 2, the Virginia governor enacted the Consumer Data Protection Act (CDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018,...
InfoBytesCourt approves $650 million biometric privacy class action settlement
On February 26, the U.S. District Court for the Northern District of California granted final approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. The settlement resolves consolidated class action claims that the social media...
InfoBytes"Empire state of privacy: Recent developments in New York’s privacy and cybersecurity laws" by Elizabeth E. McGinn, Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (New York Law Journal)
New York over the past few years has steadily raised the bar on privacy and cybersecurity standards for commercial enterprises, and, along with the European Union and California, is increasingly seen as a pacesetter in this fast-developing area of law. Proposed legislation before its General...
ArticlesConvenience store chain agrees to pay $12 million to resolve data security incident
On February 19, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Eastern District of Pennsylvania to resolve data security incident claims. Class members—comprised of a nationwide group of consumers whose...
InfoBytesCSBS announces new nonbank cybersecurity exam tool
On February 24, during the Nationwide Multistate Licensing System Annual Conference, the Conference of State Bank Supervisors (CSBS) released an updated cybersecurity examination tool designed for nonbank financial company supervision. The tool is intended for state regulators to use during...
InfoBytesNYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data
On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’...
InfoBytesFlorida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969 , which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include: Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal...
InfoBytesNYDFS announces cybersecurity fraud alert
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits...
InfoBytes"What the new information security reporting standards mean for financial institutions" by Jeffrey P. Naimon and James C. Chou (Cybersecurity Law Report)
Regulators recently proposed new rules that would require banking institutions to notify their primary regulators of some computer-security incidents within 36 hours, and service providers to notify regulated entities as soon as possible of any incident affecting its operations for four hours or...
ArticlesInsurance company not obligated to indemnify retailer’s payment card claims following data breach
On February 8, the U.S. District Court for the District of Minnesota granted defendant’s motion for summary judgment, ruling that an insurance company is not obligated to indemnify a national retailer (plaintiff) for settlements paid to multiple banks to resolve claims over the costs of canceling...
InfoBytes11th Circuit: Future identity theft risk does not confer standing
On February 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed dismissal of a class action complaint, which raised several claims against a restaurant following a data breach that exposed customers’ financial information, for the named plaintiff’s lack of standing. According to the...
InfoBytesNYDFS issues Cybersecurity Insurance Risk Framework
On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S...
InfoBytesVirginia legislature advances privacy bill
Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307 ), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include: Applicability. The bill will apply to “persons that conduct...
InfoBytesCourt denies tech company's second request for COPPA claim dismissal
On February 2, the U.S. District Court for the District of New Mexico granted a technology company’s motion for reconsideration in part, but denied dismissal of the New Mexico attorney general’s action alleging the company designed and marketed mobile gaming applications (apps) targeted towards...
InfoBytesFTC finalizes settlement with video conferencing company
On February 1, the FTC finalized a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption offered for securing communications during meetings. As previously covered by InfoBytes , in November 2020...
InfoBytesCourt addresses alternative theories of liability in BIPA class action
On January 28, the U.S. District Court for the Northern District of Illinois denied a motion to reconsider and a motion to certify questions for appeal and stay proceedings pending appeal in a matter concerning class claims that an auto leasing company and its parent company (collectively, “...
InfoBytesWashington Department of Financial Institutions once again extends “work from home” guidance
On January 29, the Washington Department of Financial Institutions issued interim regulatory guidance to licensed mortgage loan originators and companies that sponsor them relating to temporary remote work. The guidance extends earlier interim guidance (previously covered here , here , here , and...
InfoBytesWashington Department of Financial Institutions once again extends “work from home” guidance
On January 29, the Washington Department of Financial Institutions issued interim regulatory guidance to licensed mortgage loan originators and companies that sponsor them relating to temporary remote work. The guidance extends earlier interim guidance (previously covered here , here , here , and...
InfoBytesCourt approves grocery store data breach settlement
On January 25, the U.S. District Court for the Central District of Illinois preliminarily approved a class action settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The preliminary settlement would allow...
InfoBytesElizabeth E. McGinn quoted in Bloomberg Law article, “New FTC leadership likely to put consumer privacy in crosshairs”
Elizabeth E. McGinn was quoted in a Bloomberg Law article, “New FTC leadership likely to put consumer privacy in crosshairs,” which examined how the agency will now approach privacy enforcement. “There were significant settlements related to data security issues under Trump, but we’re likely to see...
In The NewsLaw firm ordered to produce cyberattack report in malpractice action
On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected...
InfoBytesNew York introduces biometric privacy act
On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of...
InfoBytesUpdated Washington State Privacy Act re-introduced
On January 5, the Washington State Privacy Act , SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here .) Highlights...
InfoBytesCourt dismisses data breach claims citing lack of compromised sensitive information
On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia...
InfoBytesState AGs reach $2 million settlement to resolve data breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised...
InfoBytesCourt grants preliminary approval of CCPA class action settlement
On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the...
InfoBytes9th Circuit affirms dismissal of data breach class action against online payment firm
On December 17, the U.S. Court of Appeals for the Ninth Circuit affirmed dismissal of a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. As...
InfoBytesFTC settles with company for data security lapses
On December 16, the FTC announced a settlement with a Nevada-based travel emergency services provider, resolving allegations that the company violated the FTC Act by failing to implement a comprehensive security program to ensure the security of personal consumer information, including sensitive...
InfoBytesIrish Data Protection Commission fines U.S. social networking company for violating GDPR
On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European...
InfoBytesAgencies propose computer-security incident notification rule
On December 18, the FDIC, Federal Reserve Board, and the OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM), which would require supervised banking organizations to promptly notify their primary regulator within 36 hours of becoming aware that a “‘computer-security...
InfoBytesFTC settles with mortgage analytics company over vendor oversight deficiencies
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform...
InfoBytesFCC: Contractors must get consent to make robocalls under TCPA
On December 14, the FCC released an order concluding that federal and state contractors are subject to the restrictions of the TCPA and must obtain prior express consent to call consumers. The order reverses a 2016 decision, which extended the presumption that “the word ‘person’ [in the TCPA] does...
InfoBytesFTC orders social media and video streaming companies to provide data on privacy practices
On December 14, the FTC issued orders to nine social media and video streaming companies requiring each company to provide information on their collection, use, and presentation of personal information, including their data gathering and advertising practices. The orders are issued pursuant to...
InfoBytesMinnesota regulator issues telework guidance
On December 15, the Minnesota Commerce Department issued guidance regarding non-depository financial institution telework. The guidance provides that if the licensed location is still offering financial products or services, employees can work from home to perform tasks as long as the following are...
InfoBytesCalifornia proposes modifying CCPA regs again
On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes , on October 12, the Department released a third set of proposed...
InfoBytesFSOC annual report highlights Covid-19 impact on financial stability
On December 3, the Financial Stability Oversight Council (FSOC) released its 2020 annual report . The report reviews financial market developments, identifies emerging risks, and offers recommendations to enhance financial stability. The report also highlights the impact of Covid-19 on the economy...
InfoBytesOklahoma extends working from home guidance
On December 7, the Oklahoma Department of Consumer Credit extended, for the sixth time, its interim guidance to regulated entities on working from home (see here , here , here , here , here , and here for previous coverage). The guidance sets forth data security standards required for regulated...
InfoBytesNYDFS announces cybersecurity toolkit for small businesses
On November 17, NYDFS announced a partnership with a non-profit company to provide a free cybersecurity toolkit to small businesses, including those in the financial services sector. The toolkit is intended to help small businesses strengthen their cybersecurity and to protect themselves and their...
InfoBytesFTC requires video conferencing provider to improve security safeguards
On November 9, the FTC announced a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption and security offered for securing communications during meetings. The FTC’s complaint alleges that, since...
InfoBytesCalifornia voters approve expanded privacy rights
On November 3, California voters approved a ballot initiative , the California Privacy Rights Act of 2020 (CPRA), that expands on the California Consumer Privacy Act (CCPA). While there are a number of differences between the CPRA and the CCPA, some key provisions include: Adding expanded consumer...
InfoBytesNYDFS urges regulating social media companies following hacks
On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social...
InfoBytesOklahoma regulator extends working from home guidance through end of year
On October 22, the Oklahoma Department of Consumer Credit extended, for the fifth time, its interim guidance to regulated entities on working from home (see here , here , here , here , and here for previous coverage). The guidance sets forth data security standards for regulated entities with...
InfoBytesCalifornia modifying CCPA regs again
On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes , on August 14, the regulations went into effect after being approved by the Office of...
InfoBytesG7 urges financial services sector to mitigate ransomware attacks
On October 13, the member nations of the G7 issued a joint statement stressing their commitment to working with the financial services sector to address and mitigate ransomware attacks. The statement highlights the recent increase in ransomware attacks over the last few years and notes that the...
InfoBytesCSBS and others release ransomware mitigation tool
On October 13, the Conference of State Bank Supervisors (CSBS), joined by the Bankers Electronic Crimes Task Force and the U.S. Secret Service, released a self-assessment tool to help supervised financial institutions mitigate the risk of ransomware attacks. The tool will also help financial...
InfoBytesFCC seeks comment on TCPA exemptions
On October 1, the FCC issued a Notice of Proposed Rulemaking (NPRM), seeking comment on exemptions already granted under the TCPA allowing certain entities and types of calls to be made using an automatic telephone dialing system. The FCC is required by Section 8 of The Pallone-Thune Telephone...
InfoBytesHealth insurer to pay $48 million to resolve 2014 data breach
On September 30, a multistate settlement was reached between a health insurance company and a collation of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly comprised the personal information of more than 78 million customers nationwide. According...
InfoBytesCertain business and employment CCPA exemptions extended to 2022
On September 29, the California governor signed AB 1281 , which extends certain exemptions under the California Consumer Privacy Act (CCPA) from January 1, 2021 to January 1, 2022. As previously covered by InfoBytes , the CCPA—enacted in June 2018 (covered by a Buckley Special Alert ) and amended...
InfoBytesRhode Island regulator extends work from home guidance for lenders
On September 28, the Rhode Island Department of Business Regulation, Banking Division, extended previous guidance (previously covered here and here ) issued to mortgage loan originators, lenders, loan brokers, and exempt company registrants. The guidance permits working from home, even if the home...
InfoBytes"6 key ways the California Privacy Rights Act of 2020 would revise the CCPA" by Amanda R. Lawrence, Sherry-Maria Safchuk, Garylene D. Javier, and John Georgievski (Corporate Compliance Insights)
The California Consumer Privacy Act (CCPA), the state’s landmark privacy regulation, became effective only eight months ago – and yet, the California Privacy Rights Act of 2020 (CPRA), a modified version of the CCPA, has garnered enough support to appear on the November 2020 ballot in California...
ArticlesOklahoma regulator amends working from home guidance
On September 23, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here , here , here and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in...
InfoBytesOklahoma regulator extends working from home guidance
On September 23, the Oklahoma Department of Consumer Credit extended, for the fourth time, its interim guidance to regulated entities on working from home (see here , here , here , and here for previous coverage). The guidance sets forth data security standards for regulated entities with employees...
InfoBytesCalifornia AG enters into privacy settlement with fertility-tracking mobile app
On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy...
InfoBytesNew York AG settles data breach lawsuit with national coffee chain
On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of...
InfoBytes"Implementing the CCPA regulations: Are you ready?" by Amanda R. Lawrence, Elizabeth E. McGinn, and Sherry-Maria Safchuk (Cybersecurity Law Report)
The final regulations under the California Consumer Privacy Act, introduced by the California Attorney General last October, became effective on August 14, 2020. The AG has already implemented many of the changes suggested in the public comments, but there are still several open questions that...
Articles"Data security best practices for licensed lenders' telework" by Sherry-Maria Safchuk and James C. Chou (Law360)
State-licensed/registered brokers, lenders and servicers have increased their focus on data security as the spread of COVID-19 has extended work-from-home orders, and what now seems to be a lasting acceptance of remote work means that the tools used to secure data will remain relevant when the...
ArticlesDistrict court preliminarily approves $650 million biometric privacy class action settlement
On August 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. If granted final approval, the settlement would resolve consolidated class...
InfoBytesDistrict court: BIPA does not violate Illinois constitution
On August 19, the U.S. District Court for the Southern District of Illinois denied defendants’ motion to dismiss claims that they unlawfully collected individuals’ biometric fingerprint data without first receiving informed consent. The court also addressed an argument as to whether the Illinois...
InfoBytesFinal CCPA regulations approved: Overview of changes
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes , the CCPA—enacted in June 2018 (covered by a Buckley Special Alert ) and amended...
InfoBytesDistrict court: $925 million statutory damages award not constitutionally excessive
On August 14, the U.S. District Court for the District of Oregon refused to reduce a $925 million statutory damages award against a company found to have violated the TCPA by sending almost two million unsolicited robocalls to consumers. The company argued that the statutory damages award violates...
InfoBytesArkansas Securities Department extends work-from-home guidance
On August 18, the Arkansas Securities Department further extended interim regulatory guidance previously issued to licensed mortgage companies, mortgage loan officers, and branch managers. The original interim regulatory guidance, previously covered here , and extended in May , permits mortgage...
InfoBytesFinal CCPA regulations approved
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes , the CCPA—enacted in June 2018 (covered by a Buckley Special Alert ) and amended...
InfoBytes"Reopening well: Balancing employee privacy with employee safety" by Elizabeth E. McGinn, Amanda R. Lawrence, James C. Chou, and David Rivera (Corporate Compliance Insights)
Consumer privacy has been a key area of focus over the past several years, but as companies begin return-to-work operations, they discover that employee privacy looms large as well. Well-intentioned companies seeking to keep employees safe risk incurring penalties from a variety of agencies based...
Articles"Confusion surrounding the Privacy Shield rollback" by Amanda R. Lawrence, Elizabeth E. McGinn, and Magda Gathani
The Court of Justice of the European Union (CJEU) last month invalidated the EU-U.S. Privacy Shield, which over 5,000 companies have relied on as a legal mechanism of transferring data from the EU to the United States.
The European Data Protection Board (EDPB) did not provide a grace...
Buckley Commentary & AnalysisFTC continues to enforce Privacy Shield
On August 5, the FTC Commissioners testified before the Senate Committee on Commerce, Science, and Transportation and discussed, among other things, the agency’s continued enforcement of the EU-U.S. Privacy Shield, despite the recent Court of Justice of the European Union (CJEU) invalidation of the...
InfoBytesDistrict court approves MDL data breach settlement
On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’...
InfoBytesNYDFS enforces its cybersecurity regulation for the first time
On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’...
InfoBytesFCC provides safe harbors for blocking illegal robocalls
On July 16, the FCC issued an order adopting rules to further encourage phone companies to block illegal and unwanted robocalls and to continue the Commission’s implementation of the TRACED Act (covered by InfoBytes here ). The rule establishes two safe harbors from liability for the unintended or...
InfoBytes"Put bank exam council in charge of data privacy" by Jeremiah S. Buckley (American Banker)
From the European Union to California and now other states and countries, data protection and privacy standards going into effect often share the same objectives, but have separate and different regulatory requirements. This creates a confusing array of legal requirements that pose compliance and...
ArticlesCourt of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its opinion in the Schrems II case (Case C-311/18). In its opinion, the CJEU concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established...
InfoBytesDistrict court allows data breach claim to proceed against national credit reporting agency
On July 8, the U.S. District Court for the Eastern District of New York allowed a consumer’s claim under New York’s consumer protection law (N.Y. G.B.L. § 349) to proceed against a national credit reporting agency (CRA) for grievances stemming from a 2017 data breach that compromised the consumer’s...
InfoBytes"Adjusting information security for long-term telework" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Bloomberg Law)
Amid a fast-moving pandemic in the spring of 2020, many companies were forced to adopt remote-work operations almost overnight to maintain critical business functions. This approach initially seemed like a temporary and imperfect solution to maintaining workforce safety while continuing essential...
ArticlesCalifornia AG publishes CCPA FAQs
The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert ) and amended several times—became effective January 1...
InfoBytesDistrict court preliminarily approves $6.8 million TCPA settlement
On July 6, the U.S. District Court for the Eastern District of California granted preliminary approval to a nearly $6.8 million settlement between class members and a collection agency that allegedly violated the TCPA, FDCPA, and California’s Rosenthal Fair Debt Collection Practices Act by making...
InfoBytesSupreme Court keeps TCPA, severs government-debt exception as unconstitutional
On July 6, the U.S. Supreme Court held in Barr v. American Association of Political Consultants Inc. that the TCPA’s government-debt exception is an unconstitutional content-based speech restriction and severed the provision from the remainder of the statute. As previously covered by InfoBytes ,...
InfoBytesFCC narrows “autodialer” definition
On June 25, the FCC narrowed the Commission’s definition of an “autodialer,” providing that “if a calling platform is not capable of originating a call or sending a text without a person actively and affirmatively manually dialing each one, that platform is not an autodialer and calls or texts made...
InfoBytesOklahoma regulator amends working from home guidance
On June 30, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here , here , and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in order for the...
InfoBytesAmanda R. Lawrence quoted in American Banker article, “Referendum on data privacy coming to California in November”
Amanda R. Lawrence was quoted on June 28, 2020 in an American Banker article, “Referendum on data privacy coming to California in November,” which discussed how the state is giving voters the opportunity to expand the protections of the California Consumer Privacy Act with a new proposal ─ the...
In The NewsPrivacy initiative makes California ballot
On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California Country Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative...
InfoBytes"What constitutes reasonable security per Calif. privacy law?" by Amanda R. Lawrence, Michael A. Rome, and James C. Chou (Law360)
California Consumer Privacy Act compliance has been focused on developing the policies, procedures and infrastructure to support new privacy rights for California residents, which include, among other things, the right to know what personal information companies have on them, the right to delete...
ArticlesFTC settlement requires retailer to provide transaction records to identity theft victims
On June 10, the FTC announced a settlement to resolve Fair Credit Reporting Act (FCRA) allegations against a Wisconsin-based retailer for failing to provide the proper transaction records to identify theft victims. According to the FTC, this is the first time the Commission has used its authority...
InfoBytesFBI warns of increased mobile banking cyber threats
On June 10, the Federal Bureau of Investigation issued a Public Service Announcement (PSA) cautioning mobile banking application users to remain vigilant of cyber activity. Specifically, the PSA indicated, with a more than 50 percent increase in mobile web application usage since the start of the...
InfoBytesDistrict court: Plaintiffs whose search terms were disclosed to third parties have standing under Spokeo
On June 5, the U.S. District Court for the Northern District of California issued an order denying a global search engine’s (defendant) motion to dismiss class action claims, ruling that the plaintiffs’ claims met the standing requirement under Spokeo, Inc. v. Robins . The court determined that the...
InfoBytesFTC settles with app developer for COPPA violations
On June 4, the FTC announced that a children’s mobile application developer agreed to pay $150,000 and to delete the personal information it allegedly unlawfully collected from children under the age of 13 to resolve allegations that the developer violated the Children’s Online Privacy Protection...
InfoBytesVirginia Bureau of Financial Institutions issues policy statement regarding Covid-19
The Virginia Bureau of Financial Institutions issued a policy statement encouraging supervised financial institutions to work constructively to mitigate the impacts of Covid-19 on Virginia consumers and businesses. The bureau advised licensees that data security, internal controls, and adherence to...
InfoBytes9th Circuit upholds TCPA liability for reassigned number
On June 2, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s judgment in a TCPA action against a bank, concluding that consent from the person intended to call does not exempt the bank from liability under the TCPA. According to the opinion, the bank’s vendors made over...
InfoBytesCalifornia AG finalizes proposed CCPA regulations, requests expedited review
On June 1, the California attorney general submitted final proposed regulations implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert ) and amended several times—became...
InfoBytesDistrict court denies arbitration in mobile app BIPA suit
On June 1, the U.S. District Court for the Northern District of Illinois denied a mobile application company’s motion to, among other things, compel arbitration in a class action alleging the company used face-geometry scan technology in violation of the Illinois Biometric Information Privacy Act (...
InfoBytesOklahoma Department of Consumer Credit issues an extension to interim guidance regarding temporary operations from home or alternate locations
On June 1, the Oklahoma Department of Consumer Credit issued a Second Amended Interim Guidance that extends previous guidance permitting mortgage loan originators and employees of regulated entities to work from home or an alternate site, as long as certain data security precautions are taken (...
InfoBytesDistrict court requires bank to produce consultant’s data breach report
On May 26, a magistrate judge of the U.S. District Court for the Eastern District of Virginia ordered a national bank to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the bank’s 2019 data breach, concluding the report was not entitled...
InfoBytes"TCPA relief for Covid-19 communications could extend to financial institutions" by Ali M. Abugheida and Geoffrey L. Warner (Bloomberg Law)
Financial institutions face unprecedented and rapidly evolving challenges in the wake of the Covid-19 pandemic, including the need to communicate quickly and efficiently with customers in the face of government-issued stay-at-home orders. But the Telephone Consumer Protection Act, with its steep...
Articles"Privacy and cybersecurity issues in 2020 – What to expect" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Journal of Banking and Finance Law and Practice)
A steady drumbeat of data breaches and growing concern among consumers about how companies are using their personal information will keep regulators, policy-makers and private litigants focused on cybersecurity and privacy in 2020 and beyond. While Congress tentatively explores comprehensive...
ArticlesDistrict court allows class autodialer claims to proceed against mortgage lender
On May 18, the U.S. District Court for the Eastern District of Michigan denied a request to dismiss a putative class action concerning alleged violations of the TCPA, ruling that the plaintiff plausibly alleged the mortgage lender (defendant) sent unsolicited texts through the use of an automatic...
InfoBytesFinancial institutions, CRA reach settlement over 2017 data breach
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards...
InfoBytesDistrict court compels arbitration of biometric privacy suit
On May 15, the U.S. District Court for the Northern District of Illinois granted an online photography company’s motion to compel arbitration in a biometric privacy lawsuit, notwithstanding the company’s unilateral modification of arbitration terms after the lawsuit was filed. According to the...
InfoBytes$550 million preliminary settlement reached in biometric privacy class action
On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of...
InfoBytes"Ruling on anti-hacking law may guide fair lending tests" by Jeffrey P. Naimon and H Joshua Kotin (Law360)
Regulators, consumer groups, academics and private litigants are grappling with the fair lending implications of the credit models powering the explosive growth in online lending by banks and financial technology firms. The U.S. District Court for the District of Columbia in late March concluded...
ArticlesFFIEC discusses cloud computing risk management practices
On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and...
InfoBytesCourt approves $5 billion FTC settlement with social media company
On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy...
InfoBytesMulti-jurisdiction settlement reached with credit reporting agency over 2017 data breach
On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017...
InfoBytesData breach exposes SBA Emergency Injury Disaster Loan program applicants
On April 21, according to reports, the Small Business Association (SBA) acknowledged that it notified almost 8,000 applicants of the Economic Injury Disaster Loan (EIDL) program that their information may have been exposed as part of a data breach. Specifically, the agency stated that on March 25,...
InfoBytesSupreme Court schedules oral arguments to review TCPA debt collection exemption
On April 15, the U.S. Supreme Court announced it will hear oral arguments via telephone conference on May 6 in a case concerning an exemption to the TCPA that allows debt collectors to use an autodialer to contact individuals on their cell phones without obtaining prior consent to do so when...
InfoBytesMissouri extends duration of “Stay Home Missouri” order
On April 16, the Missouri Department of Health extended the duration of a prior “Stay Home Missouri” order to May 3, 2020, unless extended or modified. Relying on the Cybersecurity and Infrastructure Security Agency (CISA) advisory memorandum , financial services are considered essential.
InfoBytesFTC provides guidance on managing consumer protection risks when using AI and algorithms
On April 8, the FTC’s Bureau of Consumer Protection wrote a blog post discussing ways for companies to manage the consumer protection risks of artificial intelligence (AI) technology and algorithms. According to the FTC, over the years the Commission has dealt with the challenges presented by the...
InfoBytesNew York Department of Financial Services issues Covid-19 cybersecurity guidance
On April 13, the New York Department of Financial Services issued guidance on cybersecurity awareness during the Covid-19 pandemic. The guidance identifies three areas of heightened risk: (i) remote working, including the risks associated with less secure internet connections, expanded use of less...
InfoBytes2nd Circuit joins 9th Circuit in broadening the definition of an autodialer under TCPA
On April 7, the U.S. Court of Appeals for the Second Circuit vacated a district court’s order granting summary judgment in favor of a defendant in a TCPA action. The decision results from a lawsuit filed by a plaintiff who claimed to have received more than 300 unsolicited text messages from the...
InfoBytesD.C. enacts data breach requirements and consumer protections
On March 26, the mayor of the District of Columbia signed Act 23-268 to expand data privacy and consumer protection measures. Among other things, the “Security Breach Protection Amendment Act of 2020” (i) expands the definition of personal information subject to the Act; (ii) specifies the required...
InfoBytesFTC and FCC warn VoIP service providers about illegal Covid-19 robocalls
On April 3, the FTC and the FCC sent letters to three Voice over Internet Protocol (VoIP) service providers, warning the companies to stop sending spam robocall campaigns promoting Covid-19 related scams. According to the agencies, “routing and transmitting illegal robocalls, including Coronavirus-...
InfoBytes"Preparing for private right of action under Calif. privacy law" by Amanda R. Lawrence and Michael A. Rome (Law360)
The California Consumer Privacy Act went into effect at the beginning of this year, and while the California attorney general will not begin enforcing it until July, the private right of action that the CCPA created is available to consumers now. The CCPA expressly provides for a private right of...
ArticlesDistrict of Columbia permits mortgage brokers and originators to work from home, delays reporting deadlines
On March 27, the District of Columbia Department of Insurance, Securities and Banking issued guidance to mortgage lenders, mortgage brokers and mortgage loan originators permitting them to work from non-licensed branches or locations during the Covid-19 outbreak. The guidance requires the...
InfoBytesFINRA provides cybersecurity alert containing measures firms should consider in adjusting to Covid-19
On March 26, FINRA released a cybersecurity alert providing FINRA firms and associated persons with measures they can take to help strengthen their cybersecurity controls in areas where risks may increase in the current environment. The alert contains recommendations concerning the security of...
InfoBytes"The truth about the California Consumer Privacy Act: Debunking three common misconceptions" by Amanda R. Lawrence, Sherry-Maria Safchuk, and Doris Yuen (Equipment Leasing & Finance Magazine)
The highly-anticipated California Consumer Privacy Act (CCPA) took effect on Jan. 1, 2020, and many businesses are scrambling to understand the applicability of the CCPA’s expansive obligations. The CCPA provides California consumers with the following rights: The right to know and access the...
ArticlesFDIC posts Covid-19 FAQs for bankers and bank customers
On March 19, the FDIC issued FIL-18-2020 , which highlights frequently asked questions for bank customers and banks affected by Covid-19. The FAQs, are available on the FDIC’s Covid-19 webpage . Bank customer FAQs cover questions regarding (i) deposit insurance; (ii) customer access to money; (iii...
InfoBytes11th Circuit reverses dismissal of “shotgun” FDCPA, FCRA, TCPA pleadings
On March 16, the U.S. Court of Appeals for the Eleventh Circuit partially reversed a district court’s dismissal of a lawsuit against several defendants for alleged violations of the FDCPA, the FCRA, and the TCPA, holding that the plaintiff’s third amended complaint was not filled with “shotgun...
InfoBytesDistrict court grants summary judgment in favor of bank in TCPA robocall suit
On March 13, the U.S. District Court for the District of New Jersey granted a large bank’s (defendant) motion for summary judgment in a proposed class action alleging that the plaintiff received an unsolicited telemarketing call. The plaintiff—who was himself a TCPA investigator for an attorney—was...
InfoBytesVermont enacts data privacy and consumer protections
On March 5, the Vermont governor signed SB 110 to expand data privacy and consumer protection measures in the state. Among other things, SB 110 (i) expands the definition of personally identifiable information (PII) subject to the Security Breach Notice Act to also include taxpayer identification...
InfoBytesMaine Bureau of Consumer Credit Protection provides guidance to MLOs
On March 18, the Maine Bureau of Consumer Credit Protection provided interim guidance to MLOs, allowing employees to work from home as long as data security provisions are in place, and physical business records are stored only at the licensed main office. The guidance will be effective through May...
InfoBytesCalifornia AG releases second set of modified proposed CCPA regulations
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications...
InfoBytesVirginia eliminates fee for credit report security freezes
On March 10, the Virginia governor signed HB 509 , which amends certain statutory provisions related to fees for security freezes on credit reports. Currently, a credit reporting agency (CRA) may charge a fee of not more than $5 when a consumer or his representative requests a security freeze on...
InfoBytes"Mitigating crypto UDAAP risk after Ripple ICO ruling" by Ali M. Abugheida (Law360)
Cryptocurrency advocates have long argued that cryptocurrencies are not securities, and therefore not subject to state and federal securities laws. But a district court in California just shed light on whether advocates’ desired outcome also carries a substantial downside: application of state and...
Articles7th Circuit rejects request to void $17.5 million TCPA settlement
On February 25, the U.S. Court of Appeals for the Seventh Circuit denied a request to overturn a $17.5 million settlement agreement arising out of a national bank’s alleged violations of the TCPA. Six different class actions had been filed against the bank in different federal courts, all alleging...
InfoBytesCFPB holds symposium on consumer access to financial records
On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes...
InfoBytesCalifornia AG says federal privacy legislation should not include preemption
On February 25, California Attorney General Xavier Becerra sent a letter to the chairmen and ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, asking lawmakers to not preempt state laws as they draft federal privacy...
InfoBytesAmanda R. Lawrence quoted in American Banker article, “State privacy bills try to cut banks a break, but not completely”
Amanda R. Lawrence was quoted on January 24, 2020 in an American Banker article, “State privacy bills try to cut banks a break, but not completely,” which discussed how state legislatures are trying to ease the impact of various data privacy and cybersecurity laws on banks, though the proposals all...
In The NewsFTC report highlights 2019 privacy and data security work
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including: A $5 billion penalty—the largest consumer privacy penalty to date—against a...
InfoBytesHospitality company’s bid to dismiss data breach suit denied
On February 21, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss multidistrict litigation resulting from its 2018 data breach. As previously covered by InfoBytes , the court also recently denied the company’s motion to dismiss in a...
InfoBytes7th Circuit: Dialing system that cannot generate random or sequential numbers is not an autodialer under the TCPA
On February 19, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s ruling that a dialing system that lacks the capacity to generate random or sequential numbers does not meet the definition of an automatic telephone dialing system (autodialer) under the TCPA. According to...
InfoBytesDistrict court denies auto lender’s “de minimis” $4 million TCPA class action settlement
On February 14, the U.S. District Court for the Eastern District of Pennsylvania denied the approval of a proposed $4 million class action settlement in a TCPA case based on a “confluence of a number of negative factors,” including that the court believed the defendant—a subprime auto lender—would...
InfoBytesFour trade groups sue Maine over privacy law
On February 14, four trade groups filed suit against Maine in the U.S. District Court for the District of Maine, alleging that a recently enacted state privacy law (covered by InfoBytes here ) infringes the rights of Internet Service Providers (ISPs). The complaint claims that L.D. 946 “imposes...
InfoBytes"Don’t let your shield down—FTC gets tough on EU-U.S. privacy shield framework" by Elizabeth E. McGinn and Magda Gathani (Bloomberg Law)
The Federal Trade Commission took more enforcement actions related to the EU-U.S. Privacy Shield Framework in 2019 and the beginning of 2020 than it did in the prior three years combined. The FTC also has alleged deception in many cases where there was no indication that any misrepresentations...
ArticlesSpecial Alert: California attorney general releases modified proposed CCPA regulations
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert ) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert ) and amended...
Special AlertsSpecial Alert: California attorney general modifies proposed CCPA regulations
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert ) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert ) and amended...
InfoBytes"2020 examination priorities: OCIE pushes again on information security" by Ian Acker
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations announced its annual examination priorities for...
Buckley Commentary & AnalysisDistrict court: Banks' claims against hospitality company for data breach may proceed
On February 7, the U.S. District Court for the District of Maryland ruled in a multidistrict litigation action that a proposed class of banks may proceed with negligence claims under Louisiana law and pursue declaratory and injunctive relief against an international hospitality company. In this...
InfoBytesElizabeth E. McGinn extensively quoted in three-part series in Cybersecurity Law Report, “The Rise of Facial Recognition Technology”
Elizabeth E. McGinn was extensively quoted in a three-part series in Cybersecurity Law Report, “The Rise of Facial Recognition Technology,” which discussed the uses, risks, and legal framework governing FRT. McGinn noted “If a company experiences a breach and has biometric data customers residing...
In The News"State privacy law initiatives to prepare for in 2020" by Amanda R. Lawrence, Sasha Leonhardt, and David Rivera (Law360)
The California Consumer Privacy Act, which went into effect on Jan. 1, gave California residents the broadest rights in the nation to learn what data a business has about them, to request that the business delete that data and to demand that the business not sell their data. The CCPA opened a...
ArticlesMaryland, Hawaii, and Virginia are latest states to introduce privacy legislation
Recently, Maryland, Hawaii, and Virginia introduced privacy legislation designed to strengthen consumer access and control over personal data, joining efforts by Washington and New York to pass privacy bills containing provisions that differ from those in the California Consumer Privacy Act (CCPA...
InfoBytesCFTC adopts NIST Privacy Framework
On January 28, the CFTC announced that it has adopted the National Institute of Standards and Technology (NIST) Privacy Framework , making it the first federal agency to do so. The September NIST release of a preliminary draft of the framework described it as “[a] Tool for Improving Privacy through...
InfoBytes"Managing legal risks to U.S. companies from foreign cyberattacks" by Amanda R. Lawrence, Sasha Leonhardt, and James C. Chou (Cybersecurity Law Report)
Protecting online systems against individual hackers has been a top priority for companies for several years, but as we begin a new decade, a new threat has risen to the forefront: well-funded and sophisticated foreign governments seeking to wage a new kind of warfare on the United States. In...
ArticlesSEC reports cybersecurity and resiliency observations
On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness...
InfoBytesAppellate Court reverses and remands FACTA action
On January 22, the Illinois Appellate Court, Second District, reversed the dismissal for lack of standing of a FACTA class action brought on behalf of the class by two individuals (consumers) who claimed that an entertainment company (defendant) violated the act when it printed more than the last...
InfoBytesTreasury seeks information on financial sector cybersecurity risks
On January 22, the Department of the Treasury published a request for comments on a proposed information collection designed to better understand cybersecurity risks facing the U.S. financial services sector and financial services critical infrastructure. The “Financial Sector Critical...
InfoBytesNew York Fed analyzes potential impact of cyber attacks on payments network
In January, the Federal Reserve Bank of New York (New York Fed) released a staff report that analyzes how a cyber attack transmitted through a payment network could be amplified throughout the U.S. financial system. According to the report, Cyber Risk and the U.S. Financial System: a Pre-Mortem...
InfoBytesDistrict Court: Michigan privacy law covers out-of-state residents
On January 16, the U.S. District Court for the Eastern District of Michigan denied a publishing company’s motion to dismiss putative class allegations that it disclosed subscribers’ personal information to third parties, ruling that the subscribers did not need to live in Michigan in order to bring...
InfoBytesFDIC, OCC issue joint notice of heightened cybersecurity risk
On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020 , OCC Bulletin 2020-5 ) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test...
InfoBytesData breach settlement of $380.5 million approved in consumer reporting agency class action
On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data...
InfoBytesWashington state introduces comprehensive privacy bill
On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281 , the Washington Privacy Act, include the following: Applicability. SB 6281 will apply to...
InfoBytesSupreme Court to review TCPA debt collection exemption
On January 10, the U.S. Supreme Court announced it had granted a petition for a writ of certiorari filed by the U.S. government in Barr v. American Association of Political Consultants Inc. —a Telephone Consumer Protection Act (TCPA) case concerning an exemption that allows debt collectors to use...
InfoBytesRepresentatives urge financial regulators to strengthen cyber infrastructures
On January 7, Representatives Emanuel Cleaver II (D-MO) and Gregory Meeks D-NY) sent a letter to nine federal financial regulators urging them to strengthen their financial infrastructures against possible cyber-attacks in the wake of recent threats against the U.S. from Iran and its allies...
InfoBytesCalifornia outlines new data privacy rights
On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here .) These rights include (i) the right to request from businesses what...
InfoBytesNCUA releases 2020 supervisory priorities
In January, the NCUA issued a letter to board of directors and chief executive officers at federally insured credit unions outlining the agency’s 2020 supervisory priorities. Top supervisory priorities include: Bank Secrecy Act/Anti-Money Laundering (BSA/AML). Examinations will continue to focus on...
InfoBytesMortgage broker allegedly violated federal laws by posting customers’ personal information on website
On January 7, the FTC announced a proposed settlement with a California mortgage broker and his company to resolve alleged violations of the FTC Act, FCRA, Regulation P, and the Safeguards Rule. According to a complaint filed by the DOJ on behalf of the FTC, the defendants published the personal...
InfoBytesFTC notes data security order improvements
On January 7, the Director of the FTC’s Bureau of Consumer Protection noted that the Commission has made “three major changes” in its data security orders to “improve data security practices and provide greater deterrence” by focusing on specificity, accountability, and responsibility. The first...
InfoBytesNYDFS encourages regulated entities to prepare for cyber attacks
On January 4, NYDFS issued an Industry Letter warning regulated entities about the “heightened risk” of cyberattacks by hackers affiliated with the Iranian government following the killing of Iranian official Qasem Soleimani, and strongly encouraging entities to undertake preparations to ensure...
InfoBytesTrump signs bill to combat robocalls
On December 30, President Trump signed S. 151 —the “Telephone Robocall Abuse Criminal Enforcement and Deterrence Act” (TRACED Act, Public Law 116-105)—which, among other things, grants the FCC authority to promulgate rules to combat illegal robocalls and requires voice service providers to develop...
InfoBytesPennsylvania reaches settlement with travel websites over data breach
On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s...
InfoBytesStates recommend FTC “significantly” strengthen COPPA
On December 9, a coalition of 25 state attorneys general responded to the FTC’s request for comments on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA). As previously covered by InfoBytes , the FTC released a notice in July seeking comments on all major...
InfoBytesHospitality company's bid to dismiss data breach suit rejected
On December 13, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss a data breach suit brought by the City of Chicago. According to the city’s complaint , the company violated the Illinois Consumer Fraud and Deceptive Business...
InfoBytesFTC says British data analytics firm misled consumers about collection of personal information
On December 6, the FTC issued an unanimous opinion against a British consulting and data analytics firm, finding that the firm violated the FTC Act by engaging in “deceptive practices to harvest personal information from tens of millions of [a social media company’s] users.” The information—which...
InfoBytesSenate holds hearing on privacy law proposals
On December 4, the Senate Commerce Committee held a hearing titled “Examining Legislative Proposals to Protect Consumer Data Privacy” to discuss how to “provide consumers with more security, transparency, choice, and control over personal information both online and offline.” Among the issues...
InfoBytesBuckley Insights: Trends show DDoS attacks continue to increase
On November 19, Neustar released a report showing a 241 percent increase in Distributed Denial of Service (DDoS) attacks in 3Q 2019 versus 3Q 2018. Notably, a couple of new and emerging methods of DDoS attacks have emerged, including: DDoS reflection/amplification attacks take advantage of IP...
InfoBytesFSOC issues final guidance on nonbank designations; highlights key risks in annual report
On December 4, the Financial Stability Oversight Council (FSOC) issued final interpretive guidance to revise and update 2012 guidance concerning nonbank financial company designations. According to Treasury Secretary Steven T. Mnuchin, the guidance “enhances [FSOC’s] ability to identify, assess,...
InfoBytesNew York considers privacy legislation broader than the CCPA
On November 22, the New York Senate’s Committee on Consumer Protection and Committee on Internet and Technology held a joint hearing titled, “Consumer Data and Privacy on Online Platforms,” which discussed the proposed New York Privacy Act , SB S5642 (the Act). The Act was introduced in May and...
InfoBytes11th Circuit vacates class certification in TCPA action against satellite TV provider
On November 15, the U.S. Court of Appeals for the Eleventh Circuit vacated the district court’s certification order of a class action alleging a national satellite TV company violated the TCPA by contacting individuals who had previously asked to not be contacted. According to the opinion, a...
InfoBytesBuckley Insights: Leveraging open source intelligence for cyber threat modeling
The FTC Safeguards Rule , FFIEC Cybersecurity and IT Guidance , and other OCC guidelines ( here and here ) emphasize the need for cyber threat intelligence (CIT) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to...
InfoBytesFCC seeks comment on whether an opt-out clarification text violates TCPA
On November 7, the FCC released a public notice seeking comment on a petition filed by a financial institution requesting a declaratory ruling on whether a company can send a follow-up clarification text message in response to an opt-out message from a consumer without violating the TCPA. More...
InfoBytesFTC settles with technology service provider on data security issues
On November 12, the FTC announced a proposed settlement , which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million...
InfoBytes"Website cookies and privacy—GDPR, CCPA, and evolving standards for online consent" by Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (Bloomberg Law)
Virtually all companies with high-traffic websites use cookies to track visitors’ online experience, but global best practices in disclosing the use of cookies—and obtaining visitors’ consent to their use—have proven elusive despite intense scrutiny from privacy advocates. With requirements varying...
ArticlesDistrict Court approves $12.5 million settlement in TCPA class action
On October 28, the U.S. District Court for the Northern District of Illinois granted final approval of a $12.5 million TCPA class action settlement between a group of consumers and three cruise lines and their marketing group (collectively, “defendants”). According to the opinion, a consumer filed...
InfoBytesU.K. ICO and social media company settle privacy investigation
On October 30, the U.K. Information Commissioner’s Office (ICO) announced an agreement reached between the ICO and a social media company that resolves an investigation into the company’s alleged misuse of personal data. The company has agreed to withdraw its appeal of the £500,000 penalty issued...
InfoBytes"Congress needs to hurry up on data protection" by Jeremiah S. Buckley (American Banker)
Data is the lifeblood of the burgeoning digital economy. The debate about its use — and its protection — is now playing out globally. As big data, artificial intelligence and machine learning increasingly shape everyday lives, Congress will have some important policy choices to make, weighing how...
ArticlesNIST publishes updated Big Data Interoperability Framework
On October 21, the National Institute for Standards and Technology (NIST) released the second revision of its Big Data Interoperability Framework (NBDIF), which aims to “develop consensus on important, fundamental concepts related to Big Data” with the understanding that Big Data systems have the...
InfoBytesCalifornia governor signs CCPA amendments
On October 11, the California governor signed several amendments to the California Consumer Privacy Act (CCPA) and other privacy-related bills. As previously covered by a Buckley Special Alert , AB 874 , AB 1355 , AB 1146 , AB 25 , and AB 1564 leave the majority of the consumer’s rights intact in...
InfoBytesSpecial Alert: California attorney general releases proposed CCPA regulations
Buckley Special Alert Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert ), amended several times and with the most...
InfoBytesCalifornia attorney general releases proposed CCPA regulations
On October 10, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—which was enacted in June 2018 (covered by a Buckley Special Alert ), amended in September 2018, amended again in October 2019 (...
InfoBytesDistrict Court denies TCPA class certification involving collection calls placed to wrong number
On September 27, the U.S. District Court for the Middle District of Florida denied class certification in an action alleging violations of the TCPA, the Florida Consumer Collection Practices Act, and the FDCPA brought against two companies. The action alleged that defendants used an automated...
InfoBytesEU Court of Justice: Orders to remove defamatory content issued by member state courts can be applied worldwide
On October 3, the European Court of Justice held that a social media company can be ordered to remove, worldwide, defamatory content previously declared to be unlawful “irrespective of who required the storage of that information.” The decision results from a 2016 challenge brought by a former...
InfoBytesCalifornia addresses robocall spoofing
On October 2, the California governor signed SB 208 , the “Consumer Call Protection Act of 2019,” which requires telecommunications service providers (TSPs) to implement specified technological protocols to verify and authenticate caller identification for calls carried over an internet protocol...
InfoBytesPre-checked box does not give consent to cookies under EU privacy directive and GDPR
On October 1, the European Court of Justice held that, under the Privacy and Electronic Communications Directive (ePrivacy Directive), a website user does not “consent” to the use of a cookie when a website provides a “pre-checked box” that needs to be deselected for a user to withdraw consent...
InfoBytesNew York AG sues national coffee chain over data breach
On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint , the attorney general asserts that, beginning in 2015...
InfoBytes"Wearables present new realm of legal risks for teams" by Elizabeth E. McGinn and John B. Williams, III (Sports Business Journal)
Reaching peak athletic performance is an increasingly scientific and quantitative pursuit, and professional sports franchises, which have tremendous financial and emotional motivation to be the best, are at the forefront in gathering as much data about their assets as possible. FitBits, Apple...
ArticlesBallot initiative seeks to expand CCPA, create new enforcement agency
On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on...
InfoBytesEU's “right to be forgotten” law applies only in EU
On September 24, the European Court of Justice held that Europe’s “right to be forgotten” online privacy law — which allows individuals to request the deletion of personal information from online sources that the individual believes infringes on their right to privacy—can be applied only in the...
InfoBytesDistrict Court dismisses investors’ data breach claims
On September 18, the U.S. District Court for the Northern District of California dismissed with prejudice a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017...
InfoBytesCFTC orders FCM to pay $1.5 million for poor cybersecurity
On September 12, the CFTC issued an order against an Illinois-based futures commission merchant imposing a $1.5 million fine for allegedly failing to protect its systems from cybersecurity threats and not alerting its customers in a reasonable timeframe after a breach occurred. According to the...
InfoBytesSpecial Alert: California Legislature passes several amendments to the California Consumer Privacy Act and other privacy-related bills
Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers...
InfoBytesSpecial Alert: California Legislature passes several amendments to the California Consumer Privacy Act and other privacy-related bills
Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers...
Special AlertsDistrict Court: Debt collector must pay $267 million in robocall damages
On September 9, the U.S. District Court for the Northern District of California entered a final judgment against a debt collection agency that was found guilty of violating the TCPA by making more than 500,000 unsolicited robocalls using autodialers. The court’s final judgment is consistent with...
InfoBytesNIST requests comments on draft privacy framework
On September 6, the National Institute of Standards and Technology (NIST) released a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to help organizations assess and reduce risks. The draft framework is designed to align with NIST’s...
InfoBytesIllinois Appeals Court vacates $4.3 million FACTA class action settlement
On September 6, the Illinois Appellate Court, 5th District, vacated a circuit court’s $4.3 million settlement in a class action brought against a merchant for allegedly violating the Fair and Accurate Credit Transaction Act (FACTA) when it printed the first six and last four digits of customers’ 16...
InfoBytesDistrict Court allows majority of privacy invasion class action claims to proceed against social media company
On September 9, the U.S. District Court for the Northern District of California granted in part and denied in part a social media company’s motion to dismiss a multidistrict class action alleging the company failed to prevent third parties from accessing and misusing private data of its users, in...
InfoBytesFTC approves settlement with software provider over FTC Act and GLBA data security failures
On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its...
InfoBytesDistrict Court says TCPA dismissal bid cannot rely upon Supreme Court ruling
On September 3, the U.S. District Court for the District of New Jersey denied a medical laboratory’s motion to dismiss, ruling that the company cannot use a Supreme Court ruling to avoid a proposed TCPA class action suit concerning allegations that it made unsolicited calls using an “autodialer.”...
InfoBytesVideo-sharing site reaches $170 million settlement with FTC and New York AG
On September 4, the FTC and the New York Attorney General announced (see here and here ) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (...
InfoBytesDistrict Court allows TCPA class action to proceed against auto company
On August 27, the U.S. District Court for the Central District of California denied a car manufacturer’s motion to dismiss a class action alleging that it violated the TCPA by sending unwanted automated text messages. According to the opinion, after a consumer visited a car dealership, she...
InfoBytes11th Circuit: Unsolicited text message doesn't establish standing under TCPA
On August 28, the U.S. Court of Appeals for the 11th Circuit held that receiving one unsolicited text message is not enough of a concrete injury to establish standing under the TCPA. According to the opinion, a former client of an attorney received an unsolicited “multimedia text message” from the...
InfoBytesFFIEC urges standardized cybersecurity approach
On August 28, the FFIEC issued a press release emphasizing the benefits of implementing a standardized cybersecurity preparedness approach. The FFIEC noted that firms who adopt a standardized approach are “better able to track their progress over time, and share information and best practices with...
InfoBytesDemocratic members ask FSOC to deem cloud providers as "systemically important"
On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based...
InfoBytesDistrict Court: No negligent misrepresentation claims in smart-TV privacy suit
On August 20, the U.S. District Court for the District of New Jersey dismissed without prejudice a proposed class action alleging consumer fraud claims. Specifically, in 2017, the plaintiffs filed a complaint alleging that smart televisions manufactured by the defendants surreptitiously collected...
InfoBytesState AGs and VSPs to collaborate on robocalls
On August 22, North Carolina Attorney General Josh Stein announced a bipartisan agreement between 51 state attorneys general and 12 voice service providers, adopting eight principles for fighting illegal robocalls and preventing consumer fraud. Under the principles, the voice providers will: (i)...
InfoBytesDistrict Court approves final call-taping settlement
On August 21, the U.S. District Court for the Central District of California issued an order granting final approval of a settlement reached between a class of California consumers and a mortgage company. The approval of the settlement resolves allegations that the company contacted delinquent...
InfoBytesCSBS launches online tools to navigate state rules
On August 21, the Conference of State Bank Supervisors (CSBS) launched three online tools designed to assist financial institutions navigate the state regulatory landscape and protect against cyber risks. The tools are: (i) a portal of state agency guidance for nonbank financial services companies...
InfoBytesDistrict Court upholds $925 million TCPA jury verdict against direct sales company
On August 21, the U.S. District Court for the District of Oregon upheld a $925 million jury verdict against a direct sales company in a TCPA class action lawsuit, denying the company’s motion to decertify the class. According to the opinion, the named plaintiff brought the 2015 class action lawsuit...
InfoBytesDistrict court concludes loan servicer violated TCPA
On August 19, the U.S. District Court for the Western District of Michigan held that a Pennsylvania-based student loan servicing agency violated the TCPA by calling the plaintiffs’ cell phones over 350 times using an automatic telephone dialing system (autodailer) after consent was revoked...
InfoBytesIllinois requires companies to report data breaches to attorney general
On August 9, the Illinois governor signed SB 1624 , which requires that a single data breach involving the personal information of more than 500 Illinois residents must be reported to the state attorney general. The notice must include: (i) a description of the nature of the breach of security or...
InfoBytesDistrict Court approves TCPA class action settlement
On August 15, the U.S. District Court for the Northern District of California entered a final approval order and judgment to resolve class action allegations claiming a security system company and its third-party dealer violated the TCPA through the use of an automatic telephone dialing system and...
InfoBytes9th Circuit: Plaintiffs’ face-scanning claims can proceed
On August 8, the U.S. Court of Appeals for the 9th Circuit affirmed a district court order certifying a class action suit that alleged a social media company’s face-scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). The court found that the plaintiffs alleged a...
InfoBytesFCC adopts rules addressing spoofed texts and international robocalls
On August 1, the FCC announced the adoption of new rules that will extend the Truth in Caller ID’s prohibitions against robocalls to caller ID spoofing of text messages and international calls, and implement measures passed last year in the RAY BAUM’s Act. As previously covered by InfoBytes , the...
InfoBytesNational bank announces data breach
On July 29, a national bank announced a data breach affecting approximately 100 million individuals in the United States and approximately six million in Canada. According to the announcement, the incident occurred on July 19 when an unauthorized individual obtained personal information of credit...
InfoBytesNew York expands data breach notification laws
On July 25, the New York governor signed two bills designed to strengthen protections for consumers in the event their private information is compromised in a data breach. A 5635B , the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) updates the state’s privacy law by expanding the...
InfoBytesFTC and DOJ announce $5 billion privacy settlement with social media company; SEC settles for $100 million
On July 24, the FTC and the DOJ officially announced (see here and here ) that the world’s largest social media company will pay a $5 billion penalty to settle allegations that it mishandled its users’ personal information. As previously covered by InfoBytes , it was reported on July 12 that the...
InfoBytesCredit reporting agency agrees to multi-agency settlement over 2017 data breach
On July 22, the CFPB , FTC , and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for...
InfoBytesU.K.’s ICO fines real estate management company for data security failures
On July 19, the United Kingdom’s Information Commissioner’s Office (ICO) issued a £80,000 fine against a London-based real estate management company for allegedly leaving over 18,000 customers’ personal data exposed for almost two years. According to the ICO, when the company transferred personal...
InfoBytesDistrict Court strikes class certification from robocall suit
On July 18, the U.S. District Court for the Northern District of Illinois granted a rental car company’s (defendant) motion to strike class allegations in a TCPA suit over alleged robocalls. The plaintiff, whose telephone number was listed on a rental contract between his mother and the defendant...
InfoBytesFTC reportedly approves $5 billion privacy settlement with social media company
On July 12, it was reported that the FTC has approved a $5 billion penalty against the world’s largest social media company for allegedly mishandling its users’ personal information. The reported settlement would be the largest privacy penalty ever levied by the agency. According to reports, the...
InfoBytesFTC seeks comment on COPPA Rule
On July 17, the FTC released a notice seeking comment on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA Rule). The FTC last amended COPPA in 2013, and while the FTC usually reviews its rules every 10 years, the FTC notes that “[r]apid changes in technology,...
InfoBytes8th Circuit affirms reduction in TCPA statutory damages from $1.6 billion to $32 million
On July 16, the U.S. Court of Appeals for the 8th Circuit affirmed a district court’s decision to reduce a $1.6 billion award in statutory damages for TCPA violations to $32.4 million after the court determined the original award violated the Fifth Amendment’s Due Process Clause. The named...
InfoBytesAmanda R. Lawrence quoted in American Banker article, “Will Libra force Congress to act on data protection?”
Amanda R. Lawrence was quoted on July 14, 2019 in an American Banker article, “Will Libra force Congress to act on data protection?” which discussed Libra, Facebook's cryptocurrency plan, and how it initiating debates over data security and privacy reform. The article stated, “One of the debates...
In The NewsU.K.’s ICO announces two GDPR data breach actions
On July 8 and 9, the United Kingdom’s Information Commissioner’s Office (ICO) issued two notices of its intention to fine companies for infringements of the General Data Protection Regulation (GDPR). On July 8, the ICO announced it intended to fine a U.K.-based airline £183.39M for a September 2018...
InfoBytesFCC Chairman proposes rules addressing spoofed texts and international robocalls
On July 8, FCC Chairman Ajit Pai proposed rules supported by a bipartisan group of more than 40 state attorneys general that would extend prohibitions against robocalls to caller ID spoofing of text messages and international calls, implementing measures passed last year in the RAY BAUM’s Act...
InfoBytesD.C. Circuit: Receipt containing complete credit card information constitutes concrete injury
On July 2, the U.S. Court of Appeals for the D.C. Circuit reversed a district court’s ruling that a consumer lacked Article III standing to allege a violation of the Fair and Accurate Credit Transaction Act (FACTA) when a merchant included all 16 digits of her credit card account number, her full...
InfoBytesFTC holds fourth annual PrivacyCon to address hot topics
On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics: Session...
InfoBytes"3 key areas where the NYDFS ups the ante on cybersecurity" by Elizabeth E. McGinn and David Rivera (Westlaw Journal)
On March 1, the two-year transitional period under the New York State Department of Financial Services’ “Cybersecurity Requirements for Financial Services Companies” regulation expired, making all requirements effective. The cybersecurity regulation marks a shift in the governance of cybersecurity...
ArticlesFTC settles with software provider over data security failures
On June 12, the FTC announced a settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in...
InfoBytesMaine enacts consumer privacy law for internet service providers
On June 6, the Maine governor signed S.P. 275/L.D. 946 , which requires certain broadband Internet access services to receive express, affirmative consent from a customer before disclosing, selling, or permitting access to a customer’s personal information. Among other things, the provisions...
InfoBytesFCC approves robocall blocking
On June 6, the FCC approved a Declaratory Ruling and Notice of Proposed Rulemaking to address unwanted robocalls to consumers. The Declaratory Ruling affirms that voice service providers may block unwanted robocalls “based on reasonable call analytics, as long as their customers are informed and...
InfoBytesOregon enacts new vendor data breach notification requirements
On May 24, the Oregon Governor signed SB 684 , which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i)...
InfoBytes4th Circuit upholds certification of TCPA class action against satellite provider
On May 30, the U.S. Court of Appeals for the 4th Circuit held that a lower court correctly certified a class of individuals who claimed a satellite provider (defendant) violated the TCPA when its authorized sales representative routinely placed telemarketing calls to numbers on the national Do-Not-...
InfoBytesNYDFS creates Cybersecurity Division
On May 22, NYDFS announced its newly created Cybersecurity Division, led by Justin Herring as Executive Deputy Superintendent, that is, according to NYDFS, “the first of its kind to be established at a banking or insurance regulator.” The new division will focus on enforcing and issuing guidance on...
InfoBytes3rd Circuit: Commercial purpose does not make unsolicited fax an advertisement under TCPA
On May 28, the U.S. Court of Appeals for the 3rd Circuit, in a consolidated action, affirmed summary judgment that a health care provider database company’s (defendant) unsolicited fax did not violate the TCPA. According to the opinion, the defendant updated its database by sending unsolicited...
InfoBytesFTC Commissioners discuss state privacy preemption
On May 8, the FTC Commissioners participated in a subcommittee hearing before the House Committee on Energy and Commerce entitled, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” During the hearing, the Commissioners were questioned...
InfoBytesStates enact data breach notification requirements
On May 10, the New Jersey governor signed S 52 , which amends the state’s data breach notification provisions. The amendments expand the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password...
InfoBytesIndiana sues credit reporting agency over 2017 data breach
On May 6, the Indiana Attorney General announced a lawsuit filed against a national credit reporting agency in response to its 2017 data breach, alleging the company “chose increasing revenue over protecting the safety of consumers’ sensitive personal information.” According to the complaint , the...
InfoBytesMaryland amends security breach notification requirements
On April 30, the Maryland governor signed HB 1154 to amend current law related to security breach notification requirements. Among other provisions, HB 1154 (i) requires businesses that own, license, or maintain computerized data that includes a resident’s personal information to conduct a...
InfoBytes2nd Circuit: Unsolicited text messages are sufficient injury under TCPA
On April 30, the U.S. Court of Appeals for the 2nd Circuit held that the receipt of unsolicited text messages, absent any additional injury, is sufficient to demonstrate injury-in-fact in a TCPA class action. According to the opinion, consumers filed a class action lawsuit against a retail store...
InfoBytesWebsites settle FTC data security allegations
On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the...
InfoBytes11th Circuit: Increased risk of identity theft is sufficient to bring FACTA claims
On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and...
InfoBytes4th Circuit: TCPA debt collection exemption is unconstitutional
On April 24, the U.S. Court of Appeals for the 4th Circuit vacated a district court’s decision to grant summary judgment in favor of the FCC, concluding that an exemption under the TCPA that allows debt collectors to use an autodialer to contact individuals on their cell phones when collecting...
InfoBytesDistrict Court rejects business owners’ Do Not Call Registry TCPA claims
On April 16, the U.S. District Court for the Eastern District of Pennsylvania granted in part and denied in part a telemarketing company’s motion to dismiss, concluding that the plaintiff did not have standing to bring some of his claims under the TCPA. According to the opinion, the plaintiff filed...
InfoBytesDistrict Court approves final $7.5 million TCPA class action settlement with payment processor
On April 16, the U.S. District Court for the Northern District of California granted final approval to a $7.5 million class action settlement resolving allegations that a payment processor and its sales representative violated the TCPA by using an autodialer for telemarketing purposes without first...
InfoBytesArkansas law stiffens criminal penalties for spoofing, robocalls
On April 4, the Arkansas governor signed SB 514 , which establishes a process for state regulation of telecommunications service providers and third-party spoofing providers, and stiffens criminal penalties for persons who engage in illegal robocalling and spoofing practices. The act reclassifies “...
InfoBytesMaryland Financial Consumer Protection Commission to disband June 30
On April 2, 10 out of the 11 Maryland Senate Finance Committee members voted in favor of a motion to consider SB 786 as “unfavorable.” The bill would have extended the effectiveness of the Maryland Financial Consumer Protection Commission (MFCPC) through June 30, 2021; however, because the bill...
InfoBytesDistrict Court finds text messages were not sent by autodialer
On March 29, the U.S. District Court for the Northern District of Illinois granted a telecommunication company’s summary judgment motion in a putative TCPA class action involving text messages. The plaintiff asserted that the company sent him text messages asking survey questions, even though he...
InfoBytesDistrict Court: “Ringless” voicemail is a “call” under the TCPA
On March 25, the U.S. District Court for the Southern District of Florida granted in part and denied in a part a motion to dismiss a putative class action alleging that an auto dealer violated the TCPA by using a “ringless” voicemail platform to leave pre-recorded telemarketing voicemails on...
InfoBytesFTC reaches settlements with mega-robocallers
On March 26, the FTC announced settlements issued against four separate operations for allegedly placing billions of illegal robocalls to consumers selling auto warranties, debt-relief services, home security systems, veterans’ charities and Google search results services. The actions are part of...
InfoBytesNorth Dakota expands personal identifying information law
On March 20, the North Dakota governor signed SB 2262 , which, among other things, amends the state’s law covering the unauthorized use of personal identifying information (PII). Specifically, the bill expands the definition of PII to include, (i) an individual’s payment card information; (ii) an...
InfoBytesVirginia requires breach of personal information notification
On March 18, the Virginia governor signed HB 2396 , which amends the Code of Virginia and requires an individual or entity owning or licensing computerized data that includes personal information to disclose all data breaches without “unreasonable delay” to the Virginia Attorney General and any...
InfoBytesFTC report highlights 2018 privacy and data security work
On March 15, the FTC released its annual report highlighting the agency’s privacy and data security work in 2018. Among other items, the report highlights consumer-related enforcement activities in 2018, including: an expanded settlement with a global ride-sharing company over allegations that the...
InfoBytesState AGs support bipartisan bill to combat illegal robocalls
On March 5, Attorneys General from all 50 states, as well as from the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, sent a letter to the Senate Committee on Commerce, Science, and Transportation supporting a recently introduced bipartisan bill to combat illegal robocalls...
InfoBytesFTC seeks comments on Safeguards and Privacy rules
On March 5, the FTC released proposed amendments to two rules that protect the privacy and security of customer data held by financial institutions. The agency seeks comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule...
InfoBytesClass settles data breach claims over compromised payment card data
On February 26, the U.S. District Court for the Middle District of Florida granted final approval and class certification, following a final approval hearing, to a settlement resolving class action allegations concerning a data breach involving an international fast-food chain. According to the...
InfoBytesCalifornia AG seeks to strengthen the California Consumer Privacy Act
On February 25, the California Attorney General announced a legislative proposal that would amend several aspects of the California Consumer Privacy Act (CCPA). The CCPA was originally enacted in June 2018 (covered by a Buckley Special Alert ) and subsequently amended in September 2018 (covered by...
InfoBytesVideo social networking app settles COPPA allegations
On February 27, the FTC announced a $5.7 million settlement with the operators of a video social networking app concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). Among other things, the FTC claims the operators failed to provide parents notice of its information...
InfoBytes"FTC has big agenda for 2019. How should companies prepare?" by Michelle L. Rogers and Katherine L. Halliday (Bloomberg Law)
Federal Trade Commission Chairman Joseph Simons recently previewed an aggressive and expansive consumer protection agenda for 2019, invoking the commission’s broad powers to pursue unfair or deceptive acts or practices, and adding “fraudulent” to the types of conduct he expects to police. Among the...
ArticlesFCC proposes to strengthen enforcement of caller ID spoofing
On February 14, the FCC released a notice of proposed rulemaking intended to strengthen its rules against caller ID spoofing and expand the agency’s enforcement efforts against illegal spoofed text messages and phone calls, including those from overseas. The proposed rules would enact requirements...
InfoBytesSenate Banking Committee seeks data privacy feedback
On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of...
InfoBytesDistrict Court concludes communications transmitter can be liable under the TCPA
On February 13, the U.S. District Court for the District of Nevada rejected a cloud communication company’s motion to dismiss a TCPA class action. According to the opinion, the plaintiffs’ alleged the company “collaborated as to the development, implementation, and maintenance of [a] telemarketing...
InfoBytesFDIC issues 2018 annual report
On February 14, the FDIC released its 2018 Annual Report , which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives...
InfoBytesState AGs urge FTC to update identity theft rules
On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection, responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the...
InfoBytesDistrict Court approves final $2.5 million TCPA class action settlement
On February 8, the U.S. District Court for the Eastern District of Virginia granted final approval to a $2.5 million putative class action settlement resolving allegations that a student loan servicer violated the TCPA by using an autodialer to contact student borrowers’ credit references without...
InfoBytesDistrict court orders TCPA suit to mediation, states FCC’s interpretation of autodialer may take years
On February 1, the U.S. District Court for the Eastern District of Missouri issued an order referring the parties in a putative TCPA class action to mediation. The plaintiff’s complaint alleges that the defendant’s insurance company sent her text messages without her consent using an automatic...
InfoBytesNYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions
On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update...
InfoBytesSpecial Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of...
Special AlertsFinal deadline approaching for NYDFS cybersecurity regulation
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services...
InfoBytesDistrict Court: Approval of data breach settlement denied due to several deficiencies
On January 28, the U.S. District Court for the Northern District of California denied preliminary approval of a proposed class action settlement after identifying several deficiencies with the deal. The proposed settlement was intended to resolve allegations concerning security failures by a global...
InfoBytesFINRA provides 2019 risk monitoring and examination guidance
On January 22, the Financial Industry Regulatory Authority (FINRA) issued new guidance on areas member firms should consider when seeking to improve their compliance, supervisory, and risk management programs. The 2019 FINRA Risk Monitoring and Examination Priorities Letter (2019 Priorities Letter...
InfoBytes"The great data breach standing circuit split" by Amanda R. Lawrence and Michael A. Rome (Law360)
Data breaches are back in the news in a big way. Over the past several weeks alone, prominent hotel chains, online platforms and retailers announced significant data breaches. Unsurprisingly, in the aftermath of these disclosures, consumers filed class actions alleging that the data breaches...
ArticlesDistrict Court allows TCPA action to proceed, citing 9th Circuit autodialer definition as binding law
On January 17, the U.S. District Court for the District of Arizona denied a cable company’s motion to stay a TCPA action, disagreeing with the company’s arguments that the court should wait until the FCC releases new guidance on what constitutes an automatic telephone dialing system (autodialer)...
InfoBytesDistrict Court dismisses TCPA action against ride-sharing company, allows plaintiff to correct deficiencies
On January 16, the U.S. District Court for the Southern District of California granted in part and denied in part a ride-sharing company’s motion to dismiss a proposed TCPA class action, holding that the plaintiff sufficiently alleged the company is vicariously liable for the sent text messages but...
InfoBytesMassachusetts amends legislation protecting consumers from security breaches
On January 10, the Massachusetts Governor signed HB 4806 , following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other...
InfoBytesDistrict Court: FCRA lawsuit passes Spokeo test, survives motion to dismiss
On January 8, the U.S. District Court for the Northern District of Illinois denied a bank’s motion to dismiss claims that it had obtained a credit report without a permissible purpose, ruling that the allegations rise above a mere procedural violation of the FCRA. According to the opinion, the...
InfoBytesRetailer settles multistate data breach investigation for $1.5 million
On January 8, a national retailer reached a $1.5 million multistate settlement with 43 states and the District of Columbia to resolve an investigation following a 2013 data breach of customer payment card information. According to the Illinois Attorney General’s announcement , the retailer will...
InfoBytesDistrict Court: Privacy claims related to incentive compensation sales program can proceed
On December 31, 2018, the U.S. District Court for the District of Utah granted in part and denied in part a national bank’s motion to dismiss putative class action claims concerning the bank’s use of confidential customer information to open deposit and credit card accounts as part of its incentive...
InfoBytesDistrict Court concludes company’s dialing system is not an autodialer under TCPA
On December 20, the U.S. District Court for the District of New Jersey granted a student loan company’s motion for summary judgment, holding that the plaintiff failed to establish the company’s phone system qualified as an automated telephone dialing system (autodialer) under the TCPA. The...
InfoBytesMassachusetts Attorney General settles with payment processor over data breach claims
On December 19, the Massachusetts Attorney General announced a $155,000 settlement with a California-based payment processor resolving allegations that the company exposed consumers’ personal information online in violation of consumer protection and data security laws. According to the...
InfoBytesDistrict Court holds “dead air” is indicative of a predictive dialer, denies TCPA dismissal bid
On December 10, the U.S. District Court for the District of New Jersey denied a medical laboratory’s motion to dismiss a putative TCPA class action against the company, holding the plaintiff sufficiently alleged the equipment used to make unsolicited calls qualified as an “autodialer.” According to...
InfoBytesVA releases Loan Guaranty Red Flag Rules Policy
On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28 , which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as, “Vendee loans”), Native...
InfoBytesNew York Attorney General settles with five companies over mobile app security failures
On December 14, the New York Attorney General announced settlements with five companies, including a global payment processor, a credit reporting agency, and a credit score company, whose mobile apps allegedly failed to secure sensitive user data. As part of the Attorney General’s initiative to...
InfoBytesFCC to create reassigned number database to reduce unwanted calls
On December 12, the FCC adopted new rules to establish a single, comprehensive database designed to reduce the number of calls inadvertently made to reassigned numbers as part of its strategy to help stop unwanted calls. According to FCC Chairman Ajit Pai, the database would enable callers to...
InfoBytes"SEC tool could test executive online impulse control" by Ian Acker (Legaltech News)
A message to corporate executives and their public-relations minders: One in a trillion may no longer be a reasonable guarantee of anonymity. The Securities and Exchange Commission (SEC) is confronting the difficult challenge of how to keep an eye on and sort through a fire hose of social media...
ArticlesVirginia Attorney General joins bipartisan coalition to stop or reduce robocalls
On December 6, Virginia Attorney General Mark Herring announced he is joining a bipartisan group of 40 state Attorneys General to stop or reduce “annoying and dangerous” robocalls. The multistate group is reviewing, through meetings with several major telecom companies, the technology the companies...
InfoBytesDistrict Court rules text message inviting a responsive text does not violate TCPA
On November 29, the U.S. District Court for the District of New Jersey partially denied a company’s motion to dismiss proposed class action allegations that it violated the TCPA when it used an automatic telephone dialing system (ATDS) to send unsolicited text messages to customers’ cell phones...
InfoBytesNew York Attorney General reaches largest ever COPPA settlement to resolve violations of children’s privacy
On December 4, the New York Attorney General announced the largest Children’s Online Privacy Protection Act (COPPA) settlement in U.S. history—totaling approximately $6 million —to resolve allegations with a subsidiary of a telecommunications company that allegedly conducted billions of auctions...
InfoBytesFTC seeks comments on identity theft detection rules
On December 4, the FTC released a request for public comment on whether the agency should make changes to its identity theft detection rules—the Red Flags Rule and the Card Issuers Rule—which require financial institutions and creditors to take certain actions to detect signs of identity theft...
InfoBytesFTC commissioners discuss need for expanded authority over consumer data privacy and security
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and...
InfoBytesCourt grants summary judgment in favor of bank in TCPA action
On November 13, the U.S. District Court for the District of Minnesota held that a bank’s predictive dialing systems do not violate the Telephone Consumer Protection Act (TCPA), granting summary judgment for the bank. According to the opinion, a customer of a national bank changed his phone number...
InfoBytesFTC emphasizes need for privacy and data security legislation
On November 13, the FTC submitted comments in response to the Department of Commerce’s National Telecommunications and Information Administration (NTIA) request for input on developing the Administration’s approach to consumer data privacy protections. In its comment letter , the FTC noted that it...
InfoBytesFCC urges voice providers to participate in spoofed robocalls “traceback” program
On November 6, the FCC announced that it sent letters to voice providers urging them to participate in “traceback” efforts to help the FCC identify the source of illegal spoofed robocalls. The FCC released copies of the letters that it sent to eight voice providers that are not currently assisting...
InfoBytesFFIEC issues joint statement on OFAC Cyber-Related Sanctions Program
On November 5, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to the potential impact that the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) recent actions under its Cyber-Related Sanctions...
InfoBytesDebt collector settles for $9 million over allegedly illegal calling practices
On October 30, a third-party debt collector and its affiliates (defendants) entered into a stipulated final judgment in the Superior Court of California to settle a consumer protection lawsuit brought by the state of California over allegedly illegal debt collection calling practices. According to...
InfoBytesDistrict Court rejects motion to dismiss robocall claims, says predictive dialer is autodialer
On October 30, the U.S. District Court for the Western District of Wisconsin denied a company’s motion to dismiss allegations that it violated the TCPA when it used a predictive dialer to try to collect a debt from the plaintiff. According to the opinion, the plaintiff alleged the company called...
InfoBytes9th Circuit denies petition for en banc rehearing of TCPA action against gym
On October 30, the U.S. Court of Appeals for the 9th Circuit denied a California gym’s petition for a rehearing en banc of the court’s September decision reviving a TCPA putative class action. As previously covered by InfoBytes , the appeals court vacated a district court order granting summary...
InfoBytesFTC to hold public hearings on consumer privacy and data security; focus will address data security enforcement program
On October 26, the FTC announced it will hold four days of public hearings in December 2018 and February 2019 to examine the Commission’s authority to deter unfair and deceptive conduct in data security and privacy matters as part of its broader series of hearings on “Competition and Consumer...
InfoBytesNYDFS updates cybersecurity FAQs to address use of utilization review agents
On October 25, NYDFS provided a new update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered...
InfoBytesFTC approves final expanded settlement with global ride-sharing company over data breaches
On October 26, the FTC announced its final approval of an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices. Specifically, the company allegedly failed to closely...
InfoBytes"‘Reasonable security’: A moving target" by Elizabeth E. McGinn (Cyber Security)
The concept of ‘reasonable security’ for personal information maintained by financial institutions began with the Gramm-Leach-Bliley Act (GLBA). On 12th November, 1999, Congress enacted GLBA, a landmark privacy and data security law which required the federal financial regulatory agencies to...
ArticlesFTC to review potential updates to federal privacy rules
On October 17, as part of its fall 2018 rulemaking agenda , the FTC announced that it plans to review potential updates to federal privacy rules on how banks protect consumer data. The planned recommendation —scheduled to be presented to FTC commissioners at the end of November—will incorporate...
InfoBytesConsumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and...
InfoBytesCoalition of state Attorneys General encourages FCC to create rules to block illegal robocalls
On October 8, a collation of 35 state Attorneys General submitted reply comments in response to a public notice seeking ways the FCC could create rules that will enable telephone service providers to block illegal robocalls. In their comments to the FCC, the coalition encourages the FCC to...
InfoBytes"FTC v. D-Link Systems and the internet of things" by Elizabeth E. McGinn, John B. Williams, and Christopher M. Walczyszyn (Westlaw)
As businesses expand the availability of internet-connected devices, Buckley Sandler LLP attorneys Elizabeth McGinn, John Williams and Christopher Walczyszyn address the Federal Trade Commission’s role in regulating and enforcing “internet of things” device security to protect consumers’ data...
ArticlesFCC seeks comments on interpretation of TCPA definition of autodialer following 9th Circuit decision
On October 3, the FCC’s Consumer and Governmental Affairs Bureau released a notice seeking comment on the interpretation of the TCPA in light of a recent 9th Circuit decision, which broadened the definition of an automatic telephone dialing system (autodialer) under the TCPA. As previously covered...
InfoBytesDOJ issues updated cybersecurity incident response guidance
On September 28, the DOJ issued updated guidance originally presented the day before at a cybersecurity roundtable discussion on best practices for companies when responding to and reporting cybersecurity incidents. Officials from the DOJ, National Security Council, and the Department of Homeland...
InfoBytesSEC penalizes investment company $1 million for cyber security failings
On September 26, the SEC announced a settlement with an Iowa-based broker-dealer and investment advisement company, which agreed to pay $1 million to resolve allegations that the company violated the Safeguards Rule and the Identity Theft Red Flags Rule arising out of the company’s failure to...
InfoBytesGlobal technology companies testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On September 26, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Examining Safeguards for Consumer Data Privacy” to discuss whether federal lawmakers should write a broad federal online privacy law in the wake of the European Union’s General Data Protection...
InfoBytesGlobal ride-sharing company settles with state Attorneys General for $148 million over data breach
On September 26, the California Attorney General announced that a global ride-sharing company reached a joint settlement with all 50 state Attorneys General and the District of Columbia for $148 million to resolve allegations that the company failed to safeguard user data and to notify authorities...
InfoBytesDepartment of Commerce requests comments on new federal approach to consumer privacy rules
On September 26, the National Telecommunications and Information Administration (NTIA) published a notice and request for comments on behalf of the Department of Commerce seeking input from stakeholders on ways to address consumer privacy concerns while protecting prosperity and innovation. The...
InfoBytesFCC fines health insurance lead generator $82 million for spoofed robocalls
On September 26, the FCC announced that it fined a telemarketer and associated companies more than $82 million for using allegedly illegal caller ID spoofing to market and generate leads for health insurance sales in violation of the Truth in Caller ID Act (the Act). The Act prohibits telemarketers...
InfoBytesOCC releases bank supervision operating plan for fiscal year 2019
On September 26, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (Plan) for fiscal year 2019. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (...
InfoBytesCalifornia amends the California Consumer Privacy Act of 2018
On September 23, the California governor signed SB 1121 , a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here .) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various...
InfoBytesCourt sends class action TCPA suit against global ride-sharing company to arbitration
On September 20, the U.S. District Court for the Northern District of Illinois granted a global ride-sharing company’s motion for summary judgment, ruling that a user had consented to arbitrate any disputes when he signed up for an account with the company. Specifically, the named plaintiff of the...
InfoBytesCalifornia law requires credit reporting agencies to address security vulnerabilities
On September 19, the California governor signed AB 1859 , which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement...
InfoBytesDistrict Court holds hotel calling system is not an autodialer under TCPA
On September 24, the U.S. District Court for the Middle District of Florida held that a hotel calling system, which required human intervention before a call was placed, does not qualify as an automatic telephone dialing system (autodialer) under the TCPA. The plaintiff filed the putative class...
InfoBytes9th Circuit ruling broadens the definition of automatic telephone dialing system under TCPA
On September 20, the U.S. Court of Appeals for the 9th Circuit vacated the district court’s order granting summary judgment in a TCPA action, in light of the recent D.C. Circuit opinion in ACA International v. FCC (covered by a Buckley Sandler Special Alert ). The case arises from a plaintiff’s...
InfoBytesFree security freezes available nationwide
On September 21, the FTC announced the nationwide availability of free security freezes and one-year fraud alerts, which were authorized under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA). Specifically, Section 301 of EGRRCPA prohibits a national credit reporting...
InfoBytesNew Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data
On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the...
InfoBytesCalifornia governor signs amendments requiring the furnishing of customer account information associated with certain crime reports
On September 6, the governor of California signed amendments to the California Right to Financial Privacy Act to provide various state and local agencies—including the police, sheriff’s department, or district attorney in the state—the authorization to request information from financial...
InfoBytesNew Jersey Attorney General announces settlement with data management software company over auto dealer data breach claims
On September 7, the New Jersey Attorney General announced a settlement with an Iowa-based data management software company related to an alleged data breach that exposed the personally identifiable information (PII) of auto dealership customers across the country. According to the consent order ,...
InfoBytesCourt approves $8.5 million class action settlement with global money service for alleged TCPA violations
On August 31, the U.S. District Court for the Northern District of Illinois approved an $8.5 million class action settlement resolving allegations that a global money service violated the Telephone Consumer Protection Act (TCPA) by sending unsolicited text messages to class members. While the court...
InfoBytesNYDFS launches online registration form for credit reporting agencies to comply with new regulation
On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s...
InfoBytesCourt approves $115 million settlement for health insurer data breach
On August 15, the U.S. District Court for the Northern District of California issued final approval for a $115 million class action settlement to resolve claims stemming from a large health insurer’s 2015 data breach. As previously covered by InfoBytes , in June 2017, the health insurer and...
InfoBytesNYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs
On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial...
InfoBytesCourt rejects mortgage company’s motions to dismiss in two separate TCPA actions
On August 2, the U.S. District Court for the District of New Jersey denied a mortgage company’s motions to dismiss in two putative class actions (opinions available here and here ) alleging violations of the Telephone Consumer Protection Act (TCPA) for unsolicited phone calls. In both cases, the...
InfoBytesCFPB amends Regulation P, provides exemptions for annual privacy notice requirement
On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule —originally...
InfoBytesFTC seeks comments on possible adjustments to privacy and data security rulemaking authority
On August 6, the FTC published a request for comments in the Federal Register —in advance of a series of 15 to 20 public hearings scheduled to start this September—on whether the agency should make adjustments to competition and consumer protection law, enforcement priorities, and policy in light...
InfoBytesConference of State Bank Supervisors supports legislation to coordinate federal and state examinations of third-party service providers
On July 12, the Conference of State Bank Supervisors (CSBS) issued a statement to the Senate Banking Committee, offering support for legislation that would “enhance state and federal regulators’ ability to coordinate examinations of, and share information on, banks’ [third-party technology service...
InfoBytesFTC announces settlement with California company over EU-U.S. Privacy Shield false certification claims
On July 2, the FTC announced it had reached a settlement with a California-based company over allegations that it falsely claimed participation in the European Union-U.S. Privacy Shield framework, EU-U.S. Privacy Shield . According to the FTC, the company’s false claim that it was in the process of...
InfoBytesBuckley Special Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of...
InfoBytesCredit reporting agency agrees to cybersecurity corrective action with eight state regulators
On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order , which was...
InfoBytesNew York regulation requires all credit reporting agencies to register with NYDFS
On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity...
InfoBytesDistrict Court grants preliminary approval of TCPA class action settlement
On June 25, the U.S. District Court for the Northern District of California issued an order preliminarily approving a class action settlement between class members and a student loan management enterprise (defendants) accused of violating the Telephone Consumer Protection Act (TCPA) by using an...
InfoBytes3rd Circuit affirms summary judgment for internet company in TCPA action
On June 26, the U.S. Court of Appeals for the 3rd Circuit affirmed summary judgment for a global internet media company holding that the plaintiff failed to show the equipment the company used fell within the definition of “automatic telephone dialing system” (autodialer) based the recent holding...
InfoBytesRhode Island and New Hampshire prohibit security freeze fees
On June 14, the governor of Rhode Island signed S2562 , which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in...
InfoBytes"The devil is in the details: LabMD imposes limitations on the FTC’s enforcement authority" by Elizabeth E. McGinn and Sasha Leonhardt, (Cybersecurity Law Report)
In the latest data security case with significant implications for all enforcement actions, the United States Court of Appeals for the Eleventh Circuit struck down a cease-and-desist order as impermissibly vague. By ruling against the FTC in its long-running and contentious dispute with LabMD, the...
Articles8th Circuit affirms $17 million class settlement for retailer data breach
On June 13, the U.S. Court of Appeals for the 8th Circuit affirmed the district court’s ruling approving a $17 million class settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of...
InfoBytesIllinois, Connecticut, and Hawaii pass security freeze legislation
On June 8, the Illinois governor approved HB 4095 , which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately...
InfoBytesDistrict Court grants preliminary injunction in FTC search engine suit
On June 6, the U.S. District Court for the Southern District of Florida granted the FTC’s request for preliminary injunction against an individual defendant and the company he owns and manages (stipulating defendants) for allegedly violating the FTC Act by making robocalls to small business owners...
InfoBytes11th Circuit vacates FTC data security cease and desist order issued against medical testing laboratory
On June 6, the U.S. Court of Appeals for the 11th Circuit vacated an FTC cease and desist order (Order) that directed a Georgia-based medical testing laboratory to overhaul its data security program, ruling that the Order was unenforceable because it lacked specifics on how the overhaul should be...
InfoBytesFTC files complaint against two operations allegedly responsible for making billions of illegal robocalls
On June 5, the FTC announced charges filed against two individuals and their related operations (defendants) for allegedly facilitating billions of robocalls to consumers across the country through a telephone dialing platform in violation of the FTC Act, the Telemarketing and Consumer Fraud and...
InfoBytesColorado enacts expansive consumer data protection law, includes 30-day breach notification requirement
On May 29, the Colorado governor signed HB1128 , which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered...
InfoBytesLouisiana governor amends data breach notification law; passes security freeze legislation
On May 20, the Louisiana governor signed SB361 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state or that own or license computerized data to (i) “implement and maintain reasonable security procedures and practices...
InfoBytesCourt denies plaintiff’s motion for summary judgment in TCPA action, questions accuracy of report citing number of robocalls
On May 21, the U.S. District Court for the Southern District of California denied a plaintiff’s motion for summary judgment against a solar company that she claimed made multiple unwanted robocalls to her cell phone, holding that questions remained about the accuracy of a report identifying the...
InfoBytesVermont legislation regulates data brokers and provides consumer protections
On May 22, a Vermont bill, established to regulate data brokers and provide consumers with protections against companies that collect, analyze, and sell their personal information, was enacted without the governor’s signature. Among other things, H.764 : (i) requires data brokers to pay a $100 fee...
InfoBytesMinnesota prohibits security freezes fees, authorizes security freezes for protected persons
On May 19, the Minnesota governor signed HF1243 , which, effective immediately, prohibits credit reporting agencies for charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law...
InfoBytesMaryland and Georgia prohibit security freeze fees
On May 15, the Maryland governor signed SB 202 , which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of...
InfoBytesCourt holds text message advertisements sent by internet domain provider do not violate TCPA
On May 14, the U.S. District Court for the District of Arizona granted an internet domain provider’s motion for summary judgment, holding that the platform used by the company to send text message advertisements did not qualify as an “autodialer” under the Telephone Consumer Protection Act (TCPA)...
InfoBytesD.C. Circuit rejects challenge to FTC’s 2016 staff letter on soundboard technology
On April 27, the U.S. Court of Appeals for the D.C. Circuit dismissed a challenge to a November 2016 FTC staff letter , which announced the FTC would treat calls using soundboard technology as robocalls. According to the D.C. Circuit opinion, the FTC’s 2016 staff letter rescinded a 2009 staff...
InfoBytesCourt preliminarily approves $80 million settlement for shareholders after global internet company data breach
On May 9, the U.S. District Court for the Northern District of California granted a preliminary approval of a settlement between a global internet media company and its shareholders over alleged securities law violations related to cybersecurity breaches in 2013 and 2014. The $80 million settlement...
InfoBytesMaryland expands authority over credit reporting agencies
On May 8, Maryland governor Larry Hogan signed HB848 , which expands Maryland’s authority over Credit Reporting Agencies (CRAs) by requiring CRAs to develop a secure system to process electronic requests for placing, lifting, or removing a security freeze. Additionally, the law expands the...
InfoBytesFDIC Chairman delivers remarks on the impact of technology in the business of banking
On May 7, FDIC Chairman, Martin J. Gruenberg, spoke at the Forum on the Use of Technology in the Business of Banking about the importance of understanding the ways in which emerging technology is positively affecting banking operations, while also recognizing associated risk management challenges...
InfoBytesFTC settles with cellphone manufacturer over data security issues
On April 30, the FTC and a Florida cellphone manufacturer entered into a settlement over allegations that the manufacturer allowed third party data collection from customer phones after falsely claiming data collection was limited only to information needed by the third parties to perform requested...
InfoBytes9th Circuit denies online retailer’s petition for full panel review of decision on standing in data breach case
On April 20, the U.S. Court of Appeals for the 9th Circuit denied an online retailer’s request to have the full bench reconsider the court’s March 8 ruling, which ruling held that the increased risk of fraud or identity theft from a data breach gave consumers Article III standing to sue. As...
InfoBytesFDIC OIG releases Special Inquiry Report to address breach response plan
On April 16, the FDIC’s Office of Inspector General (OIG) released its Special Inquiry Report —“The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches”—which contains findings from an examination of the FDIC’s practices and policies...
InfoBytesHouse passes measures to address identity theft
On April 18, the House passed H.R. 2905 by a vote of 403-3. The “Justice for Victims of IRS Scams and Identity Theft Act of 2017,” would direct the DOJ and the Treasury Department to submit reports to Congress detailing identity theft prosecutions. The DOJ’s report must contain the number of...
InfoBytesNational Institute of Standards and Technology issues updated cybersecurity framework
On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. Updates to...
InfoBytesStates pass legislation updating security freeze laws
On April 12, the Kansas governor signed HB 2580 , which amends existing law to prohibit consumer reporting agencies (CRAs) from charging a fee to a consumer for placing, temporarily lifting, or removing a security freeze on his or her credit report. Moreover, it prevents CRAs from charging fees for...
InfoBytesArizona governor amends data breach law, updates security freeze legislation
On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or licenses unencrypted and unredacted computerized data to conduct a reasonable investigation of...
InfoBytesFFIEC joint statement addresses role of cyber insurance in risk management programs
On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyber-...
InfoBytes9th Circuit amended opinion holds company not vicariously liable under TCPA
On April 4, the U.S. Court of Appeals for the 9th Circuit issued an amended opinion to further affirm a district court’s decision to grant summary judgment in favor of a defendant concerning allegations that it was vicariously liable for telemarketing activity in violation of the Telephone Consumer...
InfoBytesState judge says Massachusetts can sue credit reporting agency over data breach
On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts...
InfoBytesStates pass bills amending security freeze laws
On March 29, the Colorado governor signed HB 1233 , which authorizes a parent or legal guardian to request a credit reporting agency place a security freeze on a protected consumer’s credit file; the law defines protected person to include a minor under 16 years of age or an individual who is a...
InfoBytesAlabama enacts data breach notification law
On March 28, the Alabama governor signed SB 318 , The Alabama Data Breach Notification Act of 2018 (Act), which requires entities doing business in the state to (i) notify consumers within 45 days if their personal data has been compromised in a data breach; and (ii) notify the state Attorney...
InfoBytesOFAC sanctions Iranian nationals for malicious cyberattacks
On March 23, the Treasury Department’s Office of Foreign Assets Control (OFAC), in coordination with the DOJ, imposed additional sanctions on an Iranian entity and 10 Iranian nationals, pursuant to Executive Order 13694 , for conducting malicious cyberattacks against hundreds of U.S. and third-...
InfoBytesNYDFS updates cybersecurity regulation FAQs
On March 23, the New York Department of Financial Services (NYDFS) provided a second update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017 and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The...
InfoBytesMultiple states update security freeze legislation
On March 23, the Governor of Tennessee signed HB 1486 , which prohibits credit reporting agencies from charging a fee to a consumer for the placement or removal of a security freeze if the need to place or remove the security freeze was caused by the credit reporting agency. Tennessee already...
InfoBytesCoalition of state Attorneys General urges Congress to oppose data breach bill
On March 19, the Illinois Attorney General, along with 30 other state Attorneys General and the Executive Director of the Hawaii Office of Consumer Protection, issued a letter to selected members of Congress opposing the Data Acquisition and Technology Accountability and Security Act (the DATAS Act...
InfoBytesFlorida prohibits fees for security freezes
On March 21, the Florida governor signed HB 953 , which prohibits credit reporting agencies from charging any fee to consumers or their representatives for “placing, removing, or temporarily lifting” security freezes on a credit report. Previously the state allowed for a fee of up to $10 to use the...
InfoBytesStates enact data breach notification laws; Oregon prohibits fees for security freezes
On March 21, the South Dakota governor signed SB 62 , which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers...
InfoBytesFTC reaches $45.5 million settlement with companies over illegal telemarketing calls
On March 16, the FTC and three Utah-based movie companies (defendants) agreed to a proposed stipulated final order settling charges that they violated the FTC Act and the Telemarketing Sales Rule (TSR). In 2011, the DOJ filed a complaint on behalf of the FTC, which alleged defendants engaged in...
InfoBytesMultiple states address cost of security freezes
On March 19, the Michigan governor signed legislation, HB 5094 , which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a...
InfoBytesWashington governor enacts amendment relating to security freeze fees
On March 13, the Washington governor signed Senate Bill 6018 , which amends sections of the state’s Fair Credit Reporting Act addressing the removal of security freezes. Among other things, the amended act prohibits credit reporting agencies (CRAs) from charging a fee for placing, temporarily...
InfoBytesSenate passes bipartisan financial regulatory reform bill
On March 14, by a vote of 67-31, the Senate passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) (the bill)—a bipartisan regulatory reform bill crafted by Senate Banking, Housing, and Urban Affairs Committee Chairman Mike Crapo, R-Idaho—that would repeal or modify...
InfoBytesNYDFS issues cybersecurity compliance certificate reminder
On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15 and notices recently were sent...
InfoBytesVirginia governor enacts amendment relating to security freeze fees
On March 9, the governor of Virginia signed House Bill 1027 , which amends sections of the Code of Virginia relating to security freezes and lowers the maximum amount that a credit reporting agency may charge to place, remove, or lift a security freeze on a protected consumer’s credit report from $...
InfoBytesCalifornia judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach
On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot seek claims under the California Customer Records Act (...
InfoBytes9th Circuit reinstates class action data breach lawsuit against online retailer
On March 8, the U.S. Court of Appeals for the 9th Circuit reinstated a putative class action lawsuit against an online retailer, concluding that the increased risk of identity theft resulting from a 2012 data breach affecting over 24 million shoppers gave consumers Article III standing to sue. The...
InfoBytesHouse Financial Services Committee holds hearing on data security, breach notifications
On March 7, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime” to discuss data security and breach notification rules and cybersecurity...
InfoBytesPennsylvania Attorney General sues ride-sharing company for 2016 data breach
On March 5, Pennsylvania Attorney General filed a lawsuit against a ride-sharing company for violating Pennsylvania’s Breach of Personal Information Notification Act (BPINA) because of its failure to disclose a 2016 data breach caused by hackers. The complaint alleges that after the company became...
InfoBytesCalifornia district court rules social media company cannot dismiss non-users’ facial scan privacy claims
On March 2, the U.S. District Court for the Northern District of California denied a motion to dismiss an action for lack of standing in a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) against a social media company (defendant) for allegedly collecting and storing non-...
InfoBytesNew York Attorney General settles HIPAA allegations with a health insurance company
On March 6, the New York Attorney General announced a settlement with a healthcare provider for an alleged violation of the Health Insurance Portability Accountability Act (HIPAA) concerning a mailing error, which resulted in the disclosure of over 80,000 social security numbers. According to the...
InfoBytesNebraska, South Dakota enact legislation relating to security breaches and credit freezes
On March 1, the governor of South Dakota signed House Bill 1078 to revise certain provisions addressing the removal of credit security freezes. The amended act states that a security freeze will remain in place until a consumer requests the removal from the consumer reporting agency. The consumer...
InfoBytesFTC issues annual summary of consumer complaints
On March 1, the FTC issued its annual summary on consumer complaints received by the agency over the past year, highlighting trends in various categories such as fraud and identity theft. The report, Consumer Sentinel Network Data Book 2017 (2017 Data Book), provides category breakdowns and...
InfoBytesOnline payments system company settles FTC privacy, security, and money transfer allegations
On February 23, the FTC announced a proposed settlement with a global online payments system company (company) to resolve a complaint filed in 2016 concerning allegations that its payment and social networking service (service) violated the FTC Act when it, among other things, failed to adequately...
InfoBytesNYDFS releases new updates to cybersecurity regulation FAQs
On February 21, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500, which was last updated in December 2017 . As previously covered in InfoBytes , 23 NYCRR Part 500 took effect March 1, 2017, and establishes cybersecurity requirements for...
InfoBytesFCC publishes Restoring Internet Freedom Order overturning net neutrality
On February 22, the FCC formally published its Restoring Internet Freedom Order (Order) to overturn the 2015 Title II Order (known as, “Net Neutrality” rules). As previously covered in InfoBytes , the FCC voted last December to remove the restrictions barring internet service providers (ISPs) from...
InfoBytesSEC issues new cybersecurity reporting guidance
On February 21, the SEC released Cybersecurity Interpretive Guidance designed to provide assistance to public companies when preparing disclosures about cybersecurity risks and incidents. According to a press release , the commissioners voted unanimously on February 20 to approve the guidance,...
InfoBytesAttorney General Sessions announces plans to create Cyber-Digital Task Force
On February 20, U.S. Attorney General Jeff Session announced plans to create a Cyber-Digital Task Force (Task Force) designed to combat global cyber threats. According to the DOJ’s press release, Attorney General Sessions stated that the Task Force will “advise me on the most effective ways that...
InfoBytesSupreme Court denies writ challenging data breach standing
On February 20, the U.S. Supreme Court denied without comment a medical insurance company’s petition for writ of certiorari to challenge an August 2017 D.C. Circuit Court of Appeals decision, which reversed the dismissal of a data breach suit filed by the company’s policyholders in 2015. According...
InfoBytesHouse Financial Services Committee holds hearing on current data security regulatory regime
On February 14, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Examining the Current Data Security and Breach Notification Regulatory Regime” to discuss opportunities to reform data security regulations at the federal and state level...
InfoBytesDistrict Court dismisses First Amendment challenge to Montana’s statute banning robocalls
On February 9, a federal judge for the U.S. District Court for the District of Montana denied a plaintiff’s motion for summary judgment, which sought to overturn the State of Montana’s statutory restrictions on robocalls. Among other things, the plaintiff—a Michigan-based political consulting firm...
InfoBytesAlabama attorney general establishes cybercrime lab
On February 14, the Alabama Attorney General’s Office announced the establishment of the Cybercrime Lab, which was created in partnership with the U.S. Secret Service, the Federal Bureau of Investigation, U.S. Department of Homeland Security Investigations, the Alabama Fusion Center, the Alabama...
InfoBytesPresident Trump releases 2019 budget proposal; key areas of reform include appropriation shifts, cybersecurity, and financial crimes
On February 12, the White House released its fiscal 2019 budget request, Efficient, Effective, Accountable, an American Budget (2019 budget proposal), along with Major Savings and Reforms (MSR) and an Appendix . The mission of the President’s budget sets forth priorities, including imposing fiscal...
InfoBytesSEC exams to focus on ICOs, cybersecurity, and AML programs
On February 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2018 Examination Priorities , which includes cryptocurrency and Initial Coin Offerings (ICOs) for the first time. According to the document, the OCIE’s 2018 priorities reflect “certain practices, products...
InfoBytesMassachusetts attorney general launches data breach reporting portal
On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal , which is available through the agency’s Security Breaches site . Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the...
InfoBytesFTC issues comments on FCC’s robocall blocking rules
On January 31, the FTC submitted a comment letter in response to the FCC’s request for input on its November adoption of rules allowing phone companies to proactively block illegal robocalls originating from certain types of phone numbers. (See previous InfoBytes coverage here .) Calling the...
InfoBytesMaryland issues bipartisan consumer protection recommendations
On January 26, the Maryland Financial Consumer Protection Commission (the “Commission”) and ranking officials from the Maryland legislature announced bipartisan “Interim Recommendations” of the Commission for State and local action in response to the federal government’s “efforts to change or...
InfoBytesNew York, Montana governors sign executive orders to safeguard net neutrality
On January 24, New York Governor Andrew M. Cuomo signed an executive order to protect net neutrality in his state, while earlier on January 22, Montana Governor Steve Bullock signed his own executive order designed to “safeguard internet freedom.” Both executive orders have been issued in response...
InfoBytesNYDFS warns financial institutions of February 15 cybersecurity compliance certification deadline
On January 22, the New York Department of Financial Services (NYDFS) issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance is February 15, 2018. Mandated by NYDFS’...
InfoBytesState AGs file protective petition to stop rollback of net neutrality rules; Senate Democrats announce plans to reverse FCC rule
On January 16, a coalition of 22 state attorneys general filed a protective petition for review in the D.C. Circuit Court of Appeals against the Federal Communications Commission (FCC) and the United States to block the FCC’s Declaratory Ruling, Report and Order released last December to rollback...
InfoBytesFTC report highlights 2017 privacy and data security enforcement work
On January 18, the FTC released its annual report on the agency’s privacy and data security work performed in 2017. Among other items, the report highlights consumer-related enforcement activities in 2017, including: a settlement with a ride-sharing company over allegations that it violated the FTC...
InfoBytesOCC highlights supervisory priorities in fall 2017 semiannual risk report
On January 18, the OCC announced the release of its Semiannual Risk Perspective for Fall 2017 , identifying key risk areas for national banks and federal savings associations. Top supervisory priorities will focus on credit, operational, and compliance risk. As previously discussed in the spring...
InfoBytesNinth Circuit: payday lenders not vicariously liable under TCPA for text messages
On January 10, the U.S. Court of Appeals for the Ninth Circuit affirmed that three payday lenders and two marketing companies (together, the defendants) did not indirectly violate the Telephone Consumer Protection Act (TCPA) by accepting marketing help from a separate lead generator company that...
InfoBytesNYDFS updates cybersecurity regulation FAQs
Recently, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500. As previously covered in InfoBytes , 23 NYCRR Part 500 took effect March 1 and establishes cybersecurity requirements for banks, insurance companies, and other financial...
InfoBytesFCC Votes to Overturn Net Neutrality Rules
On December 14, the FCC voted 3-2 to overturn the 2015 Open Internet Order rules (known as, “Net Neutrality” rules) which mandate that internet service providers (ISPs) treat all web content equally. The FCC released a draft order in November, which outlined the new framework for ISPs, including...
InfoBytesCredit Reporting Agencies Must Comply With Emergency Regulations
On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division),...
InfoBytesFTC Announces Final Approval of Settlements With Companies Over EU-U.S. Privacy Shield False Certification Claims
On November 29, the FTC announced it had approved final settlements with three companies over allegations that they falsely claimed participation in the European Union-U.S. Privacy Shield ( EU-U.S. Privacy Shield ) framework. ( See previous InfoBytes coverage here .) The settlements mark the FTC’s...
InfoBytesRide-Sharing Company Announces Data Breach; State Attorneys General Launch Investigations
On November 21, a ride-sharing company disclosed via press release a 2016 data breach that exposed the personal data of 57 million riders and drivers. According to the company, an outside forensic investigation revealed that in October 2016 hackers obtained approximately 600,000 driver names and...
InfoBytesFederal Reserve Governor Calls for Collaboration Between Regulators, Banks, Data Aggregators, and Fintech Firms for Financial Data Sharing Standards
On November 16, Federal Reserve Governor Lael Brainard spoke at a fintech conference sponsored by the University of Michigan regarding consumers’ right to understand and control how their financial data is used by third-party aggregators, and in developing fintech technology. “There's an increasing...
InfoBytesFCC Adopts Rules Allowing Voice Service Providers to Block Illegal Robocalls
On November 16, the FCC approved new rules allowing phone companies to proactively block illegal robocalls originating from certain types of phone numbers. Pursuant to the report and order released on November 17, providers may block calls that: (i) are made from telephone numbers that are not...
InfoBytesSEC Releases FY 2017 Annual Report on Enforcement Priorities and Results
On November 15, the SEC Division of Enforcement released a report highlighting the division’s priorities for the coming year and summarizing the enforcement actions from FY 2017. Division Co-Directors Stephanie Avakian and Steven Peikin identify and discuss the five core principles that guide their...
InfoBytesMissouri AG Announces Investigation Into Tech Company’s Privacy Policies and Use of Consumer Data
On November 13, Missouri Attorney General Joshua Hawley announced that his office has issued a civil investigative demand (CID) to a major California-based technology company as part of an investigation into suspected violations of the Missouri Merchandising Practices Act and the state’s antitrust...
InfoBytes50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement
On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the...
InfoBytesHouse Energy and Commerce Subcommittee Examines Consumer Data Security
On November 1, the House Subcommittee on Digital Commerce and Consumer Protection (Subcommittee) held a hearing entitled “Securing Consumers’ Credit Data in the Age of Digital Commerce” to examine: (i) the legal and regulatory framework for consumer reporting agencies, including the Gramm-Leach-...
InfoBytesDistrict of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees
On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation ( Act 22 155 ) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide...
InfoBytesEuropean Commission Releases First Annual E.U.-U.S. Privacy Shield Review; Framework Works Well With Room for Improvement
On October 18, the European Commission (Commission) released its first annual review of the E.U.-U.S. Privacy Shield (Privacy Shield) framework for transatlantic data transfers, citing the Privacy Shield “ensures an adequate level of protection for personal data,” but “there is some room for...
InfoBytesCFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation
On October 18, the CFPB published guidelines entitled “ Consumer Protection Principles ” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, get authorization from consumers to...
InfoBytesG-7 Releases Follow-Up Report on Fundamental Elements for Cybersecurity Assessment
On October 13, G-7 finance ministers and central bank governors released a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector to provide guidance on G-7 countries’ (Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States...
InfoBytesCoalition of State Attorneys General Urge Credit Reporting Agencies to Offer No-Fee Credit Freeze
On October 10, a coalition of 37 state attorneys general sent letters ( here and here ) to the CEOs of two major credit reporting agencies (CRAs), urging them to stop charging fees to consumers seeking credit freezes as a measure to protect against identity theft in light of a third CRA’s massive...
InfoBytesSenate Special Committee Hearing Focuses on Continuing Efforts to Combat Illegal Robocalls
On October 4, the Senate Special Committee on Aging (Committee) held a hearing entitled “Still Ringing Off the Hook: An Update on Efforts to Combat Robocalls” to discuss efforts to combat illegal robocalls. Committee Chairman Susan M. Collins (R-Me.) opened the hearing by reinforcing the importance...
InfoBytesFTC, Department of Education Announce Education Technology Workshop to Explore Privacy Issues
On October 4, the FTC and the Department of Education issued a notice announcing a joint Ed Tech (education technology) workshop to examine the challenges concerning privacy implications as more schools are using school-issued personal computing devices. The workshop will discuss issues surrounding...
InfoBytesFTC to Hold Informational Injury Workshop
On September 29, the FTC announced it will host an “informational injury” workshop on December 12 to examine the types of injuries consumers face when information about them is misused , as well as the tradeoffs when collecting, using, or sharing consumers’ personal information. In preparation for...
InfoBytesWhite House Releases Proclamation Announcing National Cybersecurity Awareness Month
On September 30, President Trump issued a Proclamation announcing October 2017 as National Cybersecurity Awareness Month. As part of the initiative, the Department of Homeland Security (DHS) issued tools and resources for both consumers and organizations to manage cybersecurity risk. As previously...
InfoBytesSenate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out
On September 27, interim CEO, Paulino do Rego Barros Jr., spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for their credit...
InfoBytesSEC Announces Two Enforcement Initiatives Designed to Combat Cyber Threats
On September 25, the SEC announced the expansion of its Enforcement Division’s focus on cyber-related misconduct with the creation of a Cyber Unit and a Retail Strategy Task Force. The Cyber Unit will focus on areas such as (i) market manipulation schemes involving electronically-transferred false...
InfoBytesBuckley Sandler Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually...
ArticlesSEC Chairman Releases Statement Discussing Internal Cybersecurity Assessment, Announces EDGAR Vulnerability May Have Led to Illicit Gain
On September 20, the SEC released a statement issued by Chairman Jay Clayton regarding the Commission’s approach to cybersecurity and its impact on market participants. Topics discussed in the statement, which is part of the SEC’s ongoing assessment of its cybersecurity risk profile, include: the...
InfoBytesData Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled
The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer...
InfoBytesBuckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually...
InfoBytesOFAC Imposes Additional Iranian Sanctions, List Includes Entities Involved in DDoS Attacks Against U.S. Financial Institutions
On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced it was imposing sanctions on 11 entities and individuals for supporting designated Iranian actors or for conducting malicious cyberattacks, including engaging in a series of distributed denial of...
InfoBytesSenate Banking Committee’s Fintech Hearing Discusses Regulatory Challenges and Innovation Risks
On September 12, the full Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Examining the Fintech Landscape” to discuss topics concerning fintech innovation and the regulatory landscape. Committee Chairman Mike Crapo (R-Idaho) opened the hearing by asserting that...
InfoBytesFTC Announces First EU-U.S. Privacy Shield Enforcement Actions Over False Certification Claims
On September 8, the FTC announced settlements with three companies over allegations that they falsely claimed certification to take part in the European Union-U.S. Privacy Shield ( EU-U.S. Privacy Shield ) framework. These settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions...
InfoBytesLegislators, State Attorneys General, and Consumers React to Credit Reporting Agency Data Breach
As previously reported in InfoBytes , a major credit reporting agency suffered a data breach from mid-May through the end of July that impacted approximately 143 million U.S. consumers. Shortly after the agency disclosed the breach, several Republican and Democratic lawmakers promised legislative...
InfoBytesCredit Reporting Agency Announces Widespread Consumer Data Breach
On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access...
InfoBytesDelaware Governor Enacts Amendments to Computer Security Code
On August 17, Delaware Governor John Carney signed into law amendments ( House Substitute No. 1 ) to the state’s code regarding computer security breaches involving personal information. Among other changes, the amendments include the following: (i) any person who conducts business in Delaware and...
InfoBytesFTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security
On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a...
InfoBytesElizabeth E. McGinn Quoted in Bloomberg BNA Article, “FTC Blogs Help Define Reasonable Data Security, Attorneys Say”
Elizabeth E. McGinn was quoted on August 25, 2017 in Bloomberg BNA article, “FTC Blogs Help Define Reasonable Data Security, Attorneys Say,” which discussed the new FTC weekly data security blog and the information it can provide to create best practices for companies. The article stated, “The FTC...
In The NewsNYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28
On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As...
InfoBytesFTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and...
InfoBytesElizabeth E. McGinn Quoted in Bloomberg BNA Article, “Trump’s Possible FTC Pick Likely to Uphold Data Security Agenda”
Elizabeth E. McGinn was quoted on August 14, 2017 in a Bloomberg BNA article, “Trump’s Possible FTC Pick Likely to Uphold Data Security Agenda,” which said President Trump is poised to bypass Federal Trade Commission Acting Chairman Maureen K. Ohlhausen and tap antitrust attorney Joseph Simons to...
In The NewsFTC Announces Settlement with Ride-Sharing Company Over Privacy Allegations
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint , the company allegedly failed to closely...
InfoBytesNational Insurance Company Settles States’ Investigation over 2012 Data Breach, Pays $5.5 Million in Settlement
On August 9, a national insurance company and its wholly-owned subsidiary reached a $5.5 million settlement with 32 states and the District of Columbia to resolve the states’ investigation into a 2012 data breach, which allegedly caused the personal information of certain consumers to be...
InfoBytesSEC Releases Risk Alert, IMF Issues White Paper on Cybersecurity Awareness
On August 7, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert entitled “Observations from Cybersecurity Examinations,” which provides findings and observations concerning industry practices and legal and compliance issues related to cybersecurity preparedness. The SEC...
InfoBytesNYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines
On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. ( See previous InfoBytes summary here .) The...
InfoBytesFTC to Use Consumer Complaints to Help End Robocalls
On August 1, the FTC announced a new initiative to help stop the practice of illegal robocalls. According to the FTC, more than 1.9 million complaints regarding unwanted robocalls were received from January through May of this year, making it the FTC’s number one complaint category. Under the new...
InfoBytesFTC Approves Modifications to COPPA Safe Harbor Program
On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule's (COPPA) safe harbor program. As previously covered in InfoBytes , COPPA regulates what websites and online services are required to do to ensure the protection of...
InfoBytesFTC Announces Weekly Blog on Reasonable Data Security Practices
On July 21, the FTC announced a new initiative as part of ongoing efforts to provide guidance to businesses on protecting and securing consumer data. Each Friday, the FTC will post a new blog that will build on the FTC’s Start with Security principles , and will showcase hypothetical examples using...
InfoBytesFTC to Host Small Business Roundtables Focusing on Cybersecurity
On July 20, the FTC announced it will host a series of public roundtables to discuss pressing challenges facing small businesses when protecting the security of their computers and networks. The feedback will be used to assist the FTC and its partners in creating additional cybersecurity education...
InfoBytesFTC Staff Supports FCC’s Proposal to Reverse Broadband Enforcement Authority
On July 17, FTC staff submitted its comments to the FCC in response to the FCC’s Notice of Proposed Rulemaking on Restoring Internet Freedom (NPRM), in favor of returning broadband enforcement authority to FTC. ( See previous InfoBytes coverage here .) The NPRM would reverse a 2015 FCC decision,...
InfoBytesHawaii Enacts Law to Prohibit Release of Credit Information of Children, Others
On July 5, Hawaii Governor David Y. Igge signed into law H.B. 651 , which was devised to protect children and certain other individuals from identity theft and credit fraud. The law applies to “protected consumers,” defined as minors under the age of 16 years, incapacitated persons, and individuals...
InfoBytesDebt Collector Liable for Violating FDCPA and TCPA
On July 3, the Court of Appeals for the Third Circuit affirmed that a debt collector violated the Telephone Consumer Practices Act (TCPA) when it called a consumer’s cell phone without the consumer’s consent, resulting in a damages award of $34,500. Additionally, the appellate court reversed the...
InfoBytesFINRA Fines Financial Firms $2.4 Million for Improper Customer Records Storage
On July 5, the Financial Industry Regulatory Authority (FINRA) announced that several investment firms agreed to pay fines totaling $2.4 million for allegedly failing to maintain customer records in an electronic format that cannot be altered or destroyed. The firms all signed FINRA’s letters of...
InfoBytesFTC Announces Settlement of More Than $104 Million with Company for Selling Sensitive Financial Information
On July 5, the FTC issued a press release announcing a settlement of more than $104 million with a lead generation company for allegedly misleading loan applicants with promises of matching consumers with lenders that could offer the best loan terms. Actually, the FTC asserts, defendants were...
InfoBytesData Breach Lawsuit Settled for $115 Million
On June 23, one of the nation’s largest health insurers agreed to pay $115 million to settle a data breach class action suit pending in the U.S. District Court for the Northern District of California. In 2015, the insurer announced that it had been hacked and that customer information had been...
InfoBytesFTC Releases Updates to COPPA Compliance Plan
On June 21, the FTC released updated guidance designed to assist businesses when complying with the Children’s Online Privacy Protection Rule (COPPA), which regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. Specifically...
InfoBytesBipartisan Coalition of State Attorneys General File Petition to the FCC Seeking Broadband Consumer Protections
On June 19, New York Attorney General Eric T. Schneiderman announced a petition filed on behalf of a bipartisan coalition of 35 state attorneys general to jointly oppose a cable and telecommunications industry petition , which is intended to stop state and local authorities from enforcing state...
InfoBytesOCC to Host Operational Risk Workshop, Will Hold Innovation "Office Hours"
On July 25, the OCC will host an operational risk workshop in Charleston, WV for directors of national community banks and federal savings associations supervised by the OCC. The workshop will focus on the key components of operational risk, governance, third-party risk, vendor management, and...
InfoBytesBAFT Announces 2017 Global Payments Symposium; Will Highlight Advances in Payments Innovation, Blockchain, and Artificial Intelligence
On July 19 and 20, the Bankers Association for Finance and Trade (BAFT) will host its 2017 Global Payments Symposium in New York City. The symposium will help bankers and payments professionals understand the latest innovation trends affecting compliance, payments, blockchain, fintech, cybercrime,...
InfoBytesFTC Announces Settlement with Operators of Tech Support Scam
On June 7, the FTC announced two settlements in a pending action brought against defendants who allegedly used pop-up internet ads to deceive consumers into believing their computers were infected and then sold unnecessary technical support services to fix the issues. Under the terms of the...
InfoBytesHouse Subcommittee on Digital Commerce and Consumer Protection Holds Hearing to Discuss Consumer Fintech Needs
On June 8, the House Energy and Commerce Committee’s Subcommittee on Digital Commerce and Consumer Protection held a hearing to discuss financial products and services offered by the fintech industry to meet consumer needs. ( See previous InfoBytes coverage here .) Committee Chairman Rep. Bob Latta...
InfoBytesVermont Governor Enacts Law Including Blockchain Application
On June 8, Vermont Governor Phil Scott signed into law legislation (S. 135), which would, among other things, allow for broader business and legal application of blockchain technology to promote economic development. Additionally, S. 135 requires the Center for Legal Innovation at Vermont Law...
InfoBytesFTC to Host Third PrivacyCon Event, Issues Call for Presentations
On June 8, the FTC announced it will hold its third PrivacyCon , which will “expand collaboration among leading privacy and security researchers, academics, industry representatives, consumer advocates, and the government” to explore “the privacy and security implications of emerging technologies,...
InfoBytesNASAA to Convene Roundtable on Cybersecurity Developments
On May 31, the North American Securities Administrators Association (NASAA) announced it will hold a cybersecurity roundtable for industry experts to discuss latest developments as well as strategies for investment advisers and broker-dealers to protect personal client information. In addition to...
InfoBytesFFIEC Releases Update to Cybersecurity Assessment Tool to Aid Institution Preparedness
On May 31, the Federal Financial Institutions Examination Council (FFIEC) announced the release of an update to the Cybersecurity Assessment Tool (CAT) developed to aid institutions in determining their risk profiles, identifying risks, and determining cybersecurity preparedness. The update details...
InfoBytesNew York AG Settles Charges with Tech Company Over WiFi Lock Vulnerabilities
On May 22, New York Attorney General Eric T. Schneiderman announced that a Utah-based tech company agreed to settle allegations that, among other things, its wireless doors and padlocks failed to protect consumers’ personal information, leaving consumers vulnerable to hacking and theft. This action...
InfoBytesU.S. Retailer Settles States’ Investigation Over 2013 Data Breach, Fined $18.5 Million in Settlement
On May 23, a major U.S. retailer reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the retailer’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more...
InfoBytesActing FTC Chairman Ohlhausen Welcomes New FCC Approach to Internet Openness
On May 18, Acting FTC Chairman Maureen Ohlhausen issued a statement on the FCC’s publication of a Notice of Proposed Rulemaking (NPRM) to “reinstate a light-touch regulatory approach protecting Internet openness.” The Notice proposes the following actions: (i) returning to the framework under Title...
InfoBytesHouse Passes Cyber Crime Bill
On May 16, the U.S. House of Representatives officially approved the Strengthening State and Local Cyber Crime Fighting Act of 2017 ( H.R. 1616 ) in a vote of 408-3. The Act would amend the Homeland Security Act of 2012 to formalize the Secret Service’s National Computer Forensic Institute’s (NCFI...
InfoBytesRansomware Attack Has Global Impact, Bipartisan Legislation Introduced to Counter Hacking
On May 12, a cyberattack spread around the world, affecting more than 230,000 computers in roughly 150 countries, according to a statement issued by the American Bankers Association. The ransomware, known as “WannaCry,” was used to exploit a vulnerability that affects computers running Microsoft...
InfoBytesFTC, Federal, State, and International Partners Announce Crackdown on Tech Support Scams
On May 12, the FTC, along with federal, state and international law enforcement partners, announced new enforcement actions in its “Operation Tech Trap” program. The program is designed to crack down on tech support scams that, among other things, deceive consumers into believing their computers...
InfoBytesFTC Launches New Website for Small Businesses, Provides Resources to Avoid Scams and Cyberattacks
On May 9, the FTC announced the launch of its new website— ftc.gov/SmallBusiness —designed to provide useful information so small businesses can protect their networks and customer data from scams and cyberattacks. The website offers specific guidance such as the Small Business Computer Security...
InfoBytesPresident Issues Executive Order Directing Agencies to Focus on Cybersecurity
On May 11, the Trump Administration issued an Executive Order , directing federal agencies to increase their efforts to mitigate cyber risks. The order, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates that agencies follow the National Institute...
InfoBytesSecond Circuit Holds Purported Class Action Plaintiff Failed to Establish Article III Standing in Data Breach Case
In a summary order handed down May 2, the Second Circuit Court of Appeals held that a plaintiff in a purported class action lacked Article III standing to bring claims against a retailer for breach of an implied contract and for violation of New York General Business Law § 349 arising out of a data...
InfoBytesFBI Issues PSA on Social Engineering Scams
On May 4, the FBI’s Internet Crime Complaint Center released a public service announcement (I-050417-PSA) citing losses to U.S. businesses of nearly $1.6 billion due to social engineering wire transfer and other payment scams between October 2013 and December 2016, with approximately one fifth of...
InfoBytesAmerican Bankers Association Argues for “Strong, Consistent” National Data Protection Standard
In a May 8 letter to Congress, the American Bankers Association (ABA) called on Congress to pursue national data protection standards for companies that handle consumers’ sensitive financial data. The letter notes that the financial sector has an excellent track record in protecting consumer data,...
InfoBytesElizabeth E. McGinn and Jessica M. Shannon Authored a Bloomberg BNA Article, "Consumer Privacy Should Be Top-of-Mind for FinTech Firms to Avoid Scrutiny"
With many people underserved by traditional lending institutions, including the close to 45 million adults in the U.S. who the Consumer Financial Protection Bureau estimates are “credit invisible” or have had past credit challenges, emerging FinTech lenders and online lending platforms (FinTech...
ArticlesElizabeth E. McGinn Authored a Westlaw Journal Article, "Data Security Breach Litigation Post-Spokeo"
California enacted the nation’s first data security breach notification law 15 years ago. Following a few high-profile incidents in 2005, other states rapidly began enacting breach-notice requirements based largely on the California model. This proliferation of laws — and the constant news of...
ArticlesFINRA Releases New Guidance on Rules Concerning Digital Communications
On April 25, FINRA issued new guidance on the application of its rules governing communications with the public concerning social media networking sites and online business communications. In 2010 and 2011, FINRA released Regulatory Notices 10-06 and 11-39 to provide initial guidance on these...
InfoBytesCalifornia Company Settles FTC Charges, Agrees to Provide Effective Opt-Out for Consumers
On April 21, the FTC announced that it had reached a settlement with a California company, which enables sellers to target digital advertisements to consumers, over allegations in violation of the FTC Act that the company deceived consumers by tracking them online and through their mobile devices...
InfoBytesNew Mexico Enacts Data Breach Notification Act
On April 6, New Mexico Governor Susana Martinez signed into law the Data Breach Notification Act ( H.B. 15 ), making New Mexico the 48th state to pass a data breach notification law. Under the new law—which is scheduled to take effect on June 16—companies are now required to notify any New Mexico...
InfoBytesNew York AG Announces Settlements with Three Mobile Health Application Developers over Misleading Marketing Practices and Privacy Policies
On March 23, the New York Attorney General’s (NYAG) office announced settlements with U.S. -, Austria -, and Israel- based mobile application (app) developers who allegedly participated in misleading marketing practices and the mismanagement of consumer information—both of which are violations of...
InfoBytesCongress Approves Joint Resolution to Repeal FCC’s Broadband Privacy Rules, Signed into Law by President Trump
On April 3, President Trump signed into law a measure ( S.J.Res. 34 ) rescinding the new Federal Communications Commission (FCC) broadband privacy rules related to Internet service providers (ISPs). As previously covered on InfoBytes , the privacy rules— passed last year in a 3-2 party-line vote...
InfoBytesFTC Releases 2016 Annual Highlights
On March 28, the FTC released its 2016 Annual Highlights Report , which outlines the agency’s ongoing efforts over the past year to protect consumers and promote competition. Acting Chairman Maureen K. Olhausen stated, “2016 was a historic year for the FTC. We obtained almost $12 billion in redress...
InfoBytesFederal District Court Allows Discovery in Class Action Concerning Internet Company’s Collection of Biometric Data
In a Memorandum Opinion and Order handed down on February 27, a District Court in the Northern District of Illinois declined to dismiss a putative class action alleging that a cloud-based photographic storage service offered by an Internet company (the Company) violated the Illinois Biometric...
InfoBytesSpecial Alert: Revised NYDFS Cybersecurity Rule
On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of its cybersecurity rule for financial institutions issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to...
InfoBytesKey Changes in E-Discovery
On December 1, 2015, proposed amendments to the Federal Rules of Civil Procedure (FRCP) (which were last amended in 2006) became effective, as they were not rejected or modified by congressional legislation. The now effective amendments take into account not only the more “exotic” sources of...
ArticlesHow to Stay Out of the FCC's Way
Three key lessons can be drawn from the FCC’s recent privacy and data security actions: Know how your customer data is kept private; monitor how your employees and third-party partners can access it, and check what you disclose to consumers about both. Click here to read the full article at www...
ArticlesTreading Beyond the Iota of Fear: eDiscovery of the Internet of Things
The first difficulty to preservation concerns the primary question of control of the cloud data, which is not unique to IoT. Businesses are investing billions into IoT not only because of their profit expectations from the one-time sale of an IoT device, but also from having unfettered access to...
ArticlesThe Board of Directors and Cybersecurity: Setting up the Right Structure
Because investments in cybersecurity do not generate revenue, they can be a hard sell. At the same time, such investments generally lead to significant cost savings and can help a company avoid the reputational damage associated with a successful attack. In addition to devoting attention to reports...
ArticlesTrust and Transparency in the Era of 'Bring Your Own Device'
Information, including proprietary business information and personally identifiable information, is one of a financial institution’s most precious assets, and protecting this asset is necessary to establishing and maintaining long-standing relationships between a financial institution and its...
ArticlesBitcoin, Banks & Billions: Regulatory and Compliance Implications of Bitcoin-Based Consumer Banking
With virtual currencies becoming a fixture of the global economy, it is critical that financial institutions understand these 21st century monetary tools. And, of all the virtual currencies emerging in the dynamic area of e-commerce, none more perfectly demonstrates the technical, regulatory and...
ArticlesPrivacy and Data Security: The Role of the US Regulators
In the wake of the Dodd-Frank Wall Street Reform and ConsumerProtection Act and in light of the rapid pace of innovation in the online and mobile payments industry, those involved in payment systems need to understand the US regulatory scheme for privacy and data security under which they operate...
ArticlesIs Regulatory Uncertainty an Impediment to Mobile Payments?
There is little question that smartphones and tablet computers are re-shaping the delivery of financial services to consumers. The mobile device is rapidly becoming a full-fledged platform for electronic financial services, and especially for mobile payments. Juniper Research and Gartner estimated...
Articles