Privacy and Data Security Resource Center
Introduction
Buckley provides regulatory, strategic advice and litigation advocacy to financial services clients on matters involving the full spectrum of privacy and data security issues affecting their business operations. Our attorneys assist clients in addressing privacy and data security issues by proactively identifying and managing risks to the organization and its customers, aggressively addressing data security incidents, and responding to regulatory examinations, enforcement actions and litigation involving privacy or data security compliance.
Members of the group frequently speak at privacy and data security and financial institutions conferences including those of the International Association of Privacy Professionals, the RSA Conference, the American Conference Institute, the Practising Law Institute, the Information System Security Association, and the International Information Systems Security Certification Consortium. Group members also have authored articles and papers on privacy and data security topics.
Thought Leadership & Analysis
Insurers consider biometric exclusions as privacy cases increase
According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric...
District Court says Massachusetts law will apply in choice-of-law privacy dispute
On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security...
NYDFS imposes $5 million fine against cruise line for cybersecurity violations
On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity...
OCC reports on key risks facing the federal banking system
On June 23, the OCC released its Semiannual Risk Perspective for Spring 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that as “banks continue to navigate the operational-...
FTC finalizes action against e-commerce platform for data breach cover up
On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of...
Rep. McHenry introduces draft privacy legislation based on GLBA
On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the...
States reach $1.25 million data breach settlement with cruise line
On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According...
U.S. and EU collaborate to combat ransomware attacks
On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in the Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property...
District Court grants preliminary approval of class action settlement in data breach case
On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a...
Special Alert: House subcommittee hears testimony on privacy bill
The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data...
FTC issues report to Congress on use of AI
On June 16, the FTC issued a report to Congress regarding the use of artificial intelligence (AI), warning that policymakers should use caution when relying on AI to combat the spread of harmful online conduct. In the 2021 Appropriations Act, Congress directed the FTC to study and report on whether...
U.S., UK collaborate on privacy-enhancing tech prize challenges
On June 13, the White House announced that the U.S. and UK governments are developing privacy-enhancing technology prize challenges to help address cross-border money laundering. The White House highlighted that the estimated $2 trillion of cross-border money laundering which happens annually could...
District Court approves data breach settlement
On June 8, the U.S. District Court for the Southern District of New York granted plaintiffs’ motion for final approval of a class action settlement resolving claims that several retail businesses failed to establish reasonable safeguards that led to a data breach. According to the opinion, the...
Special Alert: Congress releases draft privacy bill
A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act. Passage of the ADPPA, which combines elements of prior proposals in an effort to...
District Court preliminarily approves $63 million data breach settlement
On June 7, the U.S. District Court for the District of Columbia granted preliminary approval of a class action settlement resolving claims that a government agency and its contractor (collectively, defendants) did not detect hackers because they failed to establish reasonable safeguards that led to...
Senate Banking Committee sends letter to Yellen on consumer data activities
On June 7, Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, Senator Sherrod Brown sent a letter to Treasury Secretary Janet Yellen requesting that the Financial Stability Oversight Council conduct a review on the effect of the collection and sale of consumer data by...
District Court: Company must face data breach claims
On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in...
California’s privacy agency posts CPRA proposal
Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until...
Maryland amends security procedures standards
On May 29, Maryland HB 962 was enacted under Article II, Section 17(c) of the Maryland Constitution - Chapter 502, which amends the Maryland Personal Information Protection Act. The bill, among other things, expands the types of businesses that are required to implement and maintain reasonable...
NAAG establishes cyber training center to help states understand emerging and evolving technologies
Recently, the National Association of Attorneys General (NAAG) established a new center dedicated to the development of programs and resources for supporting states’ understanding of emerging and evolving technologies. The Center on Cyber and Technology will also assist with cybercrime...
Social media company to pay $150 million to settle FTC, DOJ data security probe
On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant...
FTC addresses importance of effective incident response and breach disclosure
On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to...
FDIC highlights operational risks in 2022 Risk Review
On May 20, the FDIC released its 2022 Risk Review, summarizing emerging risks in the U.S. banking system observed during 2021 in four broad categories: credit risk, market risk, operational risk, and climate-related financial risk. According to the FDIC, the current risk review expands upon...
DOJ will not charge researchers who report cybersecurity flaws in “good faith”
On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors to not charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers that...
FCC acts to stop international robocalls
On May 19, the FCC unanimously adopted proposed rules to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls. As part of the...
FTC cracks down on ed tech providers’ COPPA compliance
On May 19, the FTC warned providers of education technology (ed tech) tools for children that they must fully comply with all provisions of the Children’s Online Privacy Protection Act (COPPA). The Commission voted unanimously to approve a policy statement clarifying how COPPA applies to ed tech...
Oklahoma establishes telephone solicitation restrictions
On May 20, the Oklahoma governor signed HB 3168, which establishes the Telephone Solicitation Act of 2022. The bill, among other things, prohibits (i) certain sales calls without the prior express written consent of the called party; (ii) commercial telephone sellers or salespersons from using...
Illinois amendments address confidentiality of customer financial records
On May 13, the Illinois governor signed SB 3971, which makes various amendments to Illinois Banking Act and Savings Bank Act provisions concerning the confidentiality of customer financial records. Among other things, the Act provides that a bank must disclose financial records “only after the...
U.S. signs protocol to strengthen international efforts to combat cybercrime
On May 12, the U.S. signaled its commitment to fight cybercrime by signing the Second Additional Protocol to the Convention on Cybercrime to obtain access to needed electronic evidence. Deputy Assistant Attorney General Richard Downing of the DOJ’s Criminal Division signed the new protocol to...
Senate confirms Bedoya as FTC commissioner; Powell to serve second term as Fed chair
On May 11, the U.S. Senate voted along party lines to confirm Alvaro Bedoya as an FTC Commissioner. Bedoya, who brings a background in privacy and data security, fills the FTC commissioner seat vacated by current CFPB Director Rohit Chopra. A Georgetown University visiting professor of law, Bedoya...
Connecticut becomes fifth state to enact comprehensive privacy legislation
On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (...
District Court settles data scraping lawsuit
On May 9, the U.S. District Court for the Northern District of California issued a final judgment on consent resolving a lawsuit concerning data scraping allegations. A professional networking site (plaintiff) sued a Singapore-based company and three company founders (collectively, “defendants”)...
Fed updates synthetic identity fraud mitigation toolkit
Recently, the Federal Reserve updated a synthetic identity fraud mitigation toolkit offering new information regarding fraud detection technology and data sharing and discussing the value of fraud information sharing within the industry to help fight synthetic identity fraud. As previously covered...
District Court dismisses privacy class action claims citing absence of jurisdiction
On May 5, the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss a putative class action concerning invasion of privacy claims related to the collection of consumer data over an online shopping platform. The Canada-based e-commerce company and two of...
Defendants to pay $5.7 million for alleged data breach
On May 10, the U.S. District Court for the Northern District of Ohio granted preliminary approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment...
District Court allows data sharing invasion of privacy claims to proceed
On May 4, the U.S. District Court for the Central District of California partially dismissed the majority of a putative class action accusing several large retailers and a data analytics company (collectively, “defendants”) of illegally sharing their consumer transaction data, allowing only an...
District Court partially certifies data breach suit
On May 3, the U.S. District Court for the District of Maryland granted in part and denied in part certification of eight class actions against a hotel corporation (defendant) alleging that it misled consumers regarding a major breach of customers’ personal information. According to the opinion, the...
9th Circuit: Data release did not violate defendant’s Fourth Amendment rights
On April 27, the U.S. Court of Appeals for the Ninth Circuit concluded that limited digital data uncovered online that was not collected at the behest of the government did not violate the Fourth Amendment, which protects individuals from unreasonable government searches and seizures. According to...
District Court approves final class action privacy settlement
On April 29, the U.S. District Court for the Western District of New York granted final approval of a class action settlement resolving privacy and data security allegations against a health insurance company and several related health insurance entities (collectively, “defendants”). According to...
EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations
On April 28, the Court of Justice of the European Union (CJEU) issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to...
Connecticut legislature passes consumer data privacy bill
Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include: Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for...
4th Circuit will not revive investors’ data breach case
On April 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of a securities suit against a hotel corporation (defendant) alleging that they misled the plaintiffs regarding data vulnerabilities connected to a major breach of customers’ personal information...
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more...
District Court dismisses state law claims concerning scanned email allegations
On April 26, the U.S. District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the...
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this...
District Court approves final $85 million class action privacy settlement despite objections
On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members...
District Court denies class cert in data breach suit
On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private...
Defendants to pay $5 million for alleged data breach
On April 20, the U.S. District Court for the Southern District of California granted preliminary approval of a proposed class settlement, resolving claims against a medical supplier company after a data breach allegedly compromised personal information of its consumers in its database. According to...
CRS report raises privacy concerns regarding digital wallets
On April 18, the Congressional Research Service released an overview of digital wallet technology and related cybersecurity, data privacy and consumer protection policy considerations. Digital wallets are software applications that store payment or account details to facilitate traditional payments...
9th Circuit: Networking site cannot deny data scraping access to publicly available profiles
On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations...
Colorado seeks comments on privacy rulemaking; draft regulations to come this fall
Recently, the Colorado attorney general released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The considerations seek informal public input on any area of the CPA, including those “that need clarification, consumer concerns, anticipated compliance challenges, impacts of the CPA...
Virginia enacts additional consumer data protections
On April 11, the Virginia governor signed legislation enacting additional amendments to the Virginia Consumer Data Protection Act (VCDPA). Both bills take effect July 1. HB 714 (identical bill SB 534) expands the definition of a nonprofit organization to include political and certain tax-exempt 501...
Khan outlines FTC’s plans to enforce privacy, data security
On April 11, FTC Chair Lina Khan spoke at the Opening General Session of the IAPP Global Privacy Summit 2022, focusing on the Commission’s approach to privacy and data security enforcement strategy. In her remarks, Khan offered observations on “the new political economy” of how American consumers...
District Court preliminarily approves $90 million settlement in data tracking suit
On March 31, the U.S. District Court for the Northern District of California preliminarily approved a $90 million class action settlement resolving claims that a social media platform unlawfully tracked consumers’ browsing data. According to the settlement agreement, the defendant obtained and...
Arizona amends data breach notification requirements
On March 29, the Arizona governor signed HB 2146, amending the Arizona Revised Statutes’ security breach notification requirements. Specifically, if a person conducting business in the state that “owns, maintains or licenses unencrypted and unredacted computerized personal information becomes...
District Court refuses to enforce choice-of-law provision, allows individual state data privacy claims to proceed
On March 30, the U.S. District Court for the Northern District of Illinois denied a global tech company’s bid to dismiss class action Illinois Biometric Information Privacy Act (BIPA) claims. Plaintiffs (Illinois residents) sued the company alleging it violated BIPA by applying image recognition...
SEC 2022 examination priorities include information security, emerging technologies, and crypto-assets
On March 30, the SEC’s Division of Examinations announced that its 2022 examination priorities will focus on key risk factors related to private funds, environmental, social and governance investing, retail investor protections, information security and operational resiliency, emerging technologies...
EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework
On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also White House and European Commission fact sheets here and here.)...
Agencies provide points of contact for computer security incident notifications
On March 29, the FDIC, OCC, and Federal Reserve Board issued guidance related to a final rule issued last November by the agencies along with the Federal Reserve Board, which requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-...
Social networking apps settle minors' data claims for $1.1 million
On March 25, the U.S. District Court for the Northern District of Illinois granted final approval to a $1.1 million class action settlement resolving claims that the operators of two video social networking apps (defendants) “‘surreptitiously tracked, collected, and disclosed the personally...
Insurers obligated to indemnify retailer’s payment card claims following data breach
On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class...
Utah becomes fourth state to enact comprehensive privacy legislation
On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California,...
Biden urges private-sector businesses to strengthen cyber defenses
On March 21, President Biden issued a fact sheet warning private-sector businesses of potential retaliatory Russian cyberattacks. Biden reiterated previous “warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks” against the U.S. in “...
District Court denies defendant’s motion to certify an interlocutory appeal in BIPA case
On March 18, the U.S. District Court for the Northern District of Illinois denied a retailer’s motion to certify for interlocutory appeal the court’s earlier ruling denying, in part, the retailer’s motion to dismiss. This multi-district litigation involves allegations that the retailer used a...
District Court grants preliminary approval in data breach case
On March 21, the U.S. District Court for the Eastern District of Texas granted preliminary approval of a settlement in a class action resolving claims that a software company and its subsidiary (collectively, “defendants”) failed to properly safeguard customers' personally identifiable information...
Indiana enacts data breach disclosure requirements
On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides...
District Court approves $17 million data breach settlement
On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names,...
Irish DPC fines global social media company €17 million for GDPR violations
On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach...
FTC settles action against e-commerce platform for data breach cover up
On March 15, the FTC announced a proposed settlement with two limited liability companies, the former and current owners, of an online customized merchandise platform (collectively, “respondents”) for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach...
Biden signs $1.5 trillion omnibus package
On March 15, President Biden signed H.R. 2471, the “Consolidated Appropriations Act, 2022” (Act), into law. According to House Appropriations Committee Chair Rosa DeLauro’s press release, the Act is an omnibus spending measure that provides $1.5 trillion in discretionary resources across the 12...
Wyoming enacts genetic data privacy provisions
On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To...
California clarifies that internally generated inferences are “personal information” under the CCPA
On March 10, the California Office of the Attorney General (OAG) issued an opinion on the question of whether, under the California Consumer Privacy Act (CCPA), a consumer’s right to know the specific pieces of personal information collected by a covered business about that consumer applies to...
DFPI reminds financial institutions of their sanctions compliance obligations
On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited...
SEC proposes amendments to cybersecurity risk management
On March 9, the SEC announced proposed amendments to its standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, “current reporting about material cybersecurity...
Biden calls for coordinated approach to digital asset innovation
On March 9, President Biden issued an Executive Order (E.O.) on digital assets outlining the first “whole-of-government” strategy to coordinate a comprehensive approach for ensuring responsible innovation in digital assets policy. (See also White House fact sheet here.) The White House...
CARU orders smart watch maker to correct violations of children’s privacy rules
On March 8, the Children’s Advertising Review Unit (CARU) announced that a smart watch phone operator has agreed to take actions to correct alleged violations of the Children’s Online Privacy Protection Act (COPPA) and CARU’s Self-Regulatory Guidelines for Children’s Online Privacy Protection...
District Court preliminarily approves $4.75 million data breach settlement
On March 3, the U.S. District Court for the Western District of Texas preliminarily approved a $4.75 million class action settlement resolving claims between a pharmacy benefits manager and consumers in six different proposed class actions filed in Texas and California. The court also conditionally...
Virginia passes additional VCDPA amendments
On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain...
9th Circuit affirms dismissal of investors’ data breach disclosures suit
On March 2, the U.S. Court of Appeals for the Ninth Circuit affirmed the dismissal of a class action suit for failure to state a claim, concluding that investors had failed to adequately allege that statements about the defendant company’s cybersecurity practices in the company’s 2018 Form 10-K...
FTC, DOJ reach $1.5 million settlement with weight-loss companies
On March 4, the FTC and DOJ announced a $1.5 million settlement with an international weight loss service organization and its subsidiary (collectively, “defendants”) accused of allegedly using unfair and deceptive practices to obtain personal information of underage users without parental consent...
State AGs investigate streaming service for privacy violations
On March 2, a coalition of state attorneys general, led by California Attorney General Rob Bonta, announced a nationwide investigation into a video streaming service regarding whether it is violating state consumer protection laws and putting children at risk by promoting its social media platform...
Florida house tries again on consumer privacy legislation
On March 2, the Florida house passed HB 9, which would, among other things, regulate the sale and sharing of consumers’ personal data and provide consumers the right to sue over alleged violations. This is the state’s latest attempt to pass comprehensive consumer privacy legislation. Last year,...
FCC launches inquiry to reduce cyber risks
On February 25, the FCC adopted a Notice of Inquiry proposed by FCC Chairwoman Jessica Rosenworcel that would launch an inquiry into the vulnerabilities of the internet’s global routing system, in response to the increasing risk of cyberattacks stemming from Russia’s invasion of Ukraine. The...
Utah legislature passes privacy bill
Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include: Applicability. The...
Virginia passes amendments on CDPA for data deletion
On February 25, the Virginia House and Senate passed HB 381, which amends Section 59.1-577 of the Virginia Consumer Data Protection Act (VCDPA) related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a...
Irish DPC releases annual report
On February 24, the Irish Data Protection Commission (DPC) released their 2021 Annual Report. According to the report, the EU’s General Data Protection Regulations (GDPR) enforcement efforts have gained “significant momentum” by, among other things: (i) “resolving thousands of complaints”; (ii) “...
Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing...
District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit
On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. Plaintiffs,...
Wisconsin assembly passes comprehensive data privacy bill
On February 23, the Wisconsin assembly passed AB 957, which establishes requirements for controllers and processors of consumer personal data. An assembly amendment to the bill making various changes was adopted the same day. Highlights of the bill include: Applicability. The bill will apply to...
District Court grants motion to dismiss in privacy suit
On February 17, the U.S. District Court for the District of Delaware granted a motion to dismiss a putative class action suit for lack of Article III standing, in which plaintiffs alleged that the defendant violated their privacy rights by intercepting and recording mouse clicks and other website...
District Court approves $15 million class action settlement over BIPA violations
On February 18, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a workplace management software company (defendant) violated the Illinois Biometric Information Privacy Act (BIPA) by collecting data...
District Court: California privacy laws do not absolve discovery obligations in federal litigation
Last month, the U.S. District Court for the Central District of California granted plaintiffs’ motion to compel defendants’ responses to a request for production of documents after determining that defendants may not rely on the California Consumer Protection Act (CCPA) or other state laws to avoid...
New York to coordinate state cybersecurity efforts
On February 22, New York Governor Kathy Hochul announced the creation of the Joint Security Operations Center (JSOC) to coordinate state efforts to anticipate potential cybersecurity threats and respond to security incidents. Calling the center the “first-of-its-kind” in the U.S., Hochul stated...
NIST to update cybersecurity framework with a focus on supply chain risk
On February 22, the National Institute of Standards and Technology (NIST) published a notice and request for information (RFI) in the Federal Register seeking information to assist in the evaluation and improvement of the agency’s “Framework for Improving Critical Infrastructure Cybersecurity,” as...
District Court approves settlement in data breach suit
On February 22, the U.S. District Court for the Central District of California granted final approval of a class settlement and ordered a final judgment between a plaintiff class and a provider of outpatient imaging (defendant) resolving allegations that the defendant was responsible for failing to...
District Court preliminarily approves $14.8 million cloud subscription settlement
On February 17, the U.S. District Court for the Northern District of California preliminarily approved a $14.8 million class action settlement resolving claims that a major technology company allegedly misled users about its cloud storage practices. In 2020, plaintiffs filed an amended complaint...
California Privacy Protection Agency plans to finish rulemaking by Q4 of 2022
On February 17, the California Privacy Protection Agency (CPPA) Board held a public meeting to provide an update on the California Privacy Rights Act (CPRA or the Act) rulemaking process. According to sources, the CPPA, which was established under the CPRA, stated it intends to finalize rulemaking...
Consulting firm agrees to $4.95 million settlement to resolve class data breach claims
On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment...
Texas AG issues CID to video streaming company
On February 18, the Texas attorney general issued two Civil Investigative Demands (CIDs) to a video streaming company that focus on the company’s potential facilitation of human trafficking and child privacy violations, as well as other potential unlawful conduct. According to the CIDs, the company...
FCC proposes record $45 million fine against robocaller
On February 18, the FCC released a proposed $45 million fine against a lead generator accused of conducting an illegal robocall campaign that made false claims about the Covid-19 pandemic to induce consumers into purchasing health insurance. This is the FCC’s largest ever proposed robocall fine to...
FTC sues weight-loss companies alleging COPPA and FTC Act violations
On February 16, the FTC filed a complaint for permanent injunction in the U.S. District Court for the Northern District of California against an international weight loss service organization and its subsidiary (collectively, “defendants”) for allegedly using unfair and deceptive practices to obtain...
District Court approves settlement of class claiming privacy violations
On February 11, the U.S. District Court for the Central District of California granted approval of a $217 million class action settlement, resolving allegations that the Transportation Corridor Agencies (TCA) and their contractors (collectively, “defendants”) allegedly repeatedly used their access...
UK accepts multinational tech company’s privacy sandbox proposals
On February 11, the UK Competition and Markets Authority (CMA) issued a decision accepting a multinational technology company’s offer to provide more transparency and oversight to its privacy sandbox proposals. The purpose of these proposals is to remove cross-site tracking of certain users through...
France says tool for EU-U.S. data transfers is unsafe
On February 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), issued a decision related to a multinational technology company’s practice of transferring data collected through its analytics tool to the U.S. The analytics tool, which measures the...
Fed releases synthetic identity fraud mitigation toolkit
Recently, the Federal Reserve released a synthetic identity fraud mitigation toolkit to help financial institutions, businesses, and consumers improve awareness, detection, measurement, and mitigation of identity fraud. The Fed emphasized that synthetic identity fraud (in which fictitious people...
SEC proposes cybersecurity risk management rules and amendments
On February 9, a divided SEC voted to release proposed cybersecurity risk management rules and amendments to certain requirements for registered investment advisers and funds. (See SEC fact sheet here.) Commissioner Hester Peirce voted against the proposal, stressing that because “an adviser’s or...
Illinois Supreme Court rules Workers’ Compensation Act does not bar BIPA privacy claims
On February 3, the Illinois Supreme Court unanimously ruled that the Illinois Workers’ Compensation Act (Compensation Act) does not bar claims for statutory damages under the state’s Biometric Information Privacy Act (BIPA). According to the opinion, the plaintiff sued the defendant and several...
Colorado releases guidance on data privacy and security in advance of CPA implementation
On January 28, the Colorado attorney general issued prepared remarks and guidance on data security best practices in advance of the implementation of the Colorado Privacy Act (CPA). As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data...
District Court partially grants summary judgment to defendants in FCA case
On February 1, the U.S. District Court for the Eastern District of California denied a relator’s (plaintiff’s) motion for summary judgment on an allegation of promissory fraud in violation of the False Claims Act (FCA) in a case against a rocket manufacturer and its subsidiary (defendants). The court...
FCC proposes to classify ringless voicemails as “calls” under the TCPA
On February 2, FCC Chairwoman Jessica Rosenworcel announced a proposal that would classify technology that leaves ringless voicemails on consumers’ cell phones as “calls” under the TCPA and therefore subject to the FCC’s robocalling restrictions. If adopted by the full Commission, callers using...
District Court approves class settlement in data breach
On January 28, the U.S. District Court for the Northern District of California granted plaintiffs’ motion for final approval in a class action settlement alleging an online support services provider (defendant) failed to adequately secure and safeguard the payment card data and other personally...
French Council of State confirms €100 million fine against tech company
On January 28, the French Council of State confirmed the French data protection agency Commission Nationale de l’Informatique et des Libertés’s (CNIL) jurisdiction to impose sanctions on a multinational technology company and its Irish affiliate related to the companies’ process for managing...
California investigating loyalty programs for CCPA compliance
On January 28, the California attorney general announced an “investigative sweep” of businesses operating loyalty programs in the state. The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, requires businesses that offer financial incentives in exchange for personal...
District Court grants motion to dismiss in CIPA class action
On January 25, the U.S. District Court for the Northern District of California granted a motion to dismiss a class action suit, in which plaintiffs alleged that the defendant continued to monitor mobile users’ browsing history even after being asked to cease and desist. In their third amended...
SEC chair considers updating cybersecurity rules
On January 24, SEC Chair Gary Gensler discussed the agency’s cybersecurity policy work before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Gensler commented that the SEC is working to improve the overall cybersecurity resiliency of the financial sector with a...
District Court finalizes BIPA class action settlement
On January 24, the U.S. District Court for the Northern District of Illinois granted final approval to a nearly $877,000 class action settlement to resolve allegations that a food manufacturer’s fingerprint-based timekeeping system violated Illinois’ Biometric Information Privacy Act (BIPA). Class...
Fed examines ramifications of U.S. central bank digital currency
On January 20, the Federal Reserve Board published a discussion paper, Money and Payments: The U.S. Dollar in the Age of Digital Transformation, which calls for public comments on questions related to the possibility of a U.S. central bank digital currency, or CBDC. “The introduction of a CBDC...
SBA rolls out small business cybersecurity pilot program
On January 21, the SBA announced $3 million in funding for the agency’s Cybersecurity for Small Business Pilot Program. The funding is intended to help state governments assist emerging small businesses in developing their cybersecurity infrastructures to combat increasing and evolving threats...
District Court dismisses data breach class action
On January 19, the U.S. District Court for the Southern District of New York dismissed a class action against a menswear company (defendant) accused of exposing personal information in a December 2020 data breach. According to the opinion, the plaintiff bought items on the defendant’s website in...
FDIC and FinCEN launch Tech Sprint to help digital identity proofing
On January 11, the FDIC’s technology lab, FDiTech, and FinCEN announced the launch of a Tech Sprint challenging participants “to develop solutions for financial institutions and regulators to help measure the effectiveness of digital identity proofing—the process used to collect, validate, and...
FCC proposes new reporting on telecom data breaches
On January 12, the FCC announced that it shared, among the FCC staff, a notice of proposed rulemaking (NPRM) to strengthen the rules for notifying consumers and federal law enforcement of breaches of customer proprietary network information. According to the FCC, the NPRM “would better align the...
2nd Circuit addresses TCPA’s definition of “unsolicited advertisement”
On January 6, the U.S. Court of Appeals for the Second Circuit held that an unsolicited fax asking recipients to participate in a market research survey in exchange for money does not constitute an “unsolicited advertisement” under the TCPA. According to the opinion, the plaintiff medical...
French data protection agency issues privacy fines over cookies
On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 and $68 million USD respectively) for failure to comply...
FTC says robocall violations top consumers’ do-not-call complaints
On January 5, the FTC issued its National Do Not Call (DNC) Registry biennial report to Congress. According to the report, more than 244 million consumers have now placed their telephone numbers on the DNC Registry over the past two years. The report also highlighted that in FY 2021, the Commission...
New York AG alerts companies on “credential stuffing” cyberattacks
On January 5, the New York attorney general issued a report, which highlights the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential...
District Court temporarily halts enforcement of New York’s user data-sharing ordinances
On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily reprieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances...
District Court preliminarily approves TCPA class action
On December 27, the U.S. District Court for the Eastern District of Washington granted class certification and preliminarily approved a putative class action settlement alleging two Washington cannabis companies violated the TCPA by sending unsolicited promotional text messages without consumer...
New Jersey settles CFA and HIPAA violations following 2019 data breach
On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by...
FTC settles with mortgage analytics company
On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and...
New Mexico settles with technology company over COPPA violations
On December 13, the New Mexico attorney general announced a settlement in two federal court cases filed against a multinational technology company, both of which resolve allegations against the company under the federal Children’s Online Privacy Protection Act (COPPA) and other state consumer...
FTC finalizes decision banning respondents from surveillance business
On December 21, the FTC announced a decision banning a data monitoring application and its CEO (collectively, “respondents”) from the surveillance industry. As previously covered by InfoBytes, the respondents allegedly violated Section 5 of the FTC Act by failing to provide reasonable data...
Global tech corporation fined for GDPR violations fends off daily fines
According to sources, the Luxembourg President of the Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s...
FSOC highlights potential risks in 2021 annual report
On December 17, the Financial Stability Oversight Council (FSOC) released its annual report highlighting significant financial market and regulatory developments, potential financial risks, and recommendations for promoting U.S. financial stability. The report focused on several recommendations...
FTC proposes rule to combat impersonation fraud
On December 16, the FTC issued an advance notice of proposed rulemaking (ANPR) seeking comments on a wide range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data...
Norwegian Data Protection Authority fines U.S. dating app $7.1 million for alleged GDPR violations
On December 13, the Norwegian Data Protection Authority issued a reduced administrative fine against a U.S. company operating a GPS-based mobile dating app for allegedly violating the EU’s General Data Protection Regulation (GDPR). The regulator’s 2020 complaint stated that the company allegedly...
FTC settles with advertising platform for COPPA violations
On December 15, the FTC announced a settlement with a California-based online advertising platform for allegedly engaging in deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). (See also DOJ press release here.) According to the FTC, the defendant...
FTC publishes 2022 regulatory priorities
On December 10, the FTC published a statement disclosing its regulatory priorities for 2022. Among other things, the statement highlights: (i) newly initiated and upcoming periodic reviews of rules and guides; (ii) ongoing periodic reviews of rules and guides; (iii) proposed rules; and (iv) final...
NYDFS addresses use of cyber assessment framework in risk assessment process
On December 9, NYDFS updated its FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on 23 NYCRR Part 500 here.) New FAQ 41 addressed whether covered entities should use a...
6th Circuit affirms decision compelling arbitration in data breach case
On December 2, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s decision dismissing a nationwide putative class action against an e-commerce provider, holding that challenges raised to the validity of an agreement to arbitrate were for the arbitrator to decide, not the...
FINRA fines financial firms $2.25 million for alleged improper storage of customer data
On December 6, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), which requires two units of a national bank (respondents) to jointly and severally pay a $2.25 million fine for allegedly failing to store customer information in the...
NYDFS addresses multi-factor authentication weaknesses
On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that,...
OCC warns of key cybersecurity and climate-related banking risks
On December 6, the OCC reported in its Semiannual Risk Perspective for Fall 2021 the key issues facing national banks and federal savings associations and the effects of Covid-19 on the federal banking industry. The agency reported that although banks showed resilience in the current environment...
FTC releases 2021 National Do Not Call Registry Data Book
On November 23, the FTC released the National Do Not Call Registry Data Book for Fiscal Year 2021. The Data Book provides the most recent fiscal year information available on telemarketing sales calls and robocall complaints, including the types of calls reported to the FTC and a state-by-state...
District Court grants preliminary approval in TCPA settlement
On November 23, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a publishing company utilized a third-party telemarketer to place newspaper delivery service advertising calls with individuals who had...
Virginia Consumer Data Protection Act Work Group issues final report
Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in...
District Court grants preliminary approval of privacy class action settlement
On November 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $58 million settlement in a class action against a fintech company (defendant) alleged to have accessed the personal banking data of users without first obtaining consent, in violation...
Chamber of Commerce requests access to FTC privacy-related communications
On November 19, the U.S. Chamber of Commerce sent FOIA requests to the FTC seeking, among other things, communications on consumer data privacy policies the FTC has discussed or considered as ordered by President Biden’s broad July 9 executive order, which tasked the FTC with establishing rules to...
11th Circuit to rehear Hunstein v. Preferred Collection & Management Services
On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail...
New rule gives banks 36 hours to disclose cybersecurity incidents
On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator...
District Court approves e-commerce platform data breach settlement
On November 4, the U.S. District Court for the District of Massachusetts granted final approval to a settlement in a class action against an alcohol e-commerce platform stemming from a data breach that allegedly compromised customers’ personally identifiable information. The plaintiffs’ memorandum...
District Court grants tech company’s motion to arbitrate smartphone data monitoring claims
On November 9, the U.S. District Court for the Northern District of California issued an order granting, among other things, a global technology company defendant’s motion to compel individual arbitration in a privacy class action and dismissing the action without prejudice. As outlined in a May...
FTC releases draft strategic plan for FY 2022 - 2026
On November 12, the FTC released a preliminary draft of the Strategic Plan for Fiscal Years 2022 to 2026 for public review and comment. Recognizing that protecting the public from unfair or deceptive acts or practices in the marketplace is a key FTC strategic goal, the draft Strategic Plan outlines...
U.S. and Israel form partnership to combat ransomware; U.S. enters cybersecurity initiative with France
On November 14, the U.S. Treasury Department announced the establishment of a bilateral partnership with the Israeli Ministry of Finance as part of the Biden Administration’s efforts to crack down on ransomware. The partnership is part of the U.S.-Israeli Task Force on Fintech Innovation and...
Maryland appoints officials to oversee cybersecurity and data privacy
On November 10, the Maryland governor announced the appointments of a new chief privacy officer and chief data officer, both of which are newly-created roles, as part of the state’s commitment to cybersecurity and data privacy. The chief privacy officer will lead state initiatives with respect to...
District Court dismisses data breach claims due to lack of jurisdiction
On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor after determining that the court does not have jurisdiction over the companies. Plaintiffs—customers who...
Dept. of Defense announces version 2.0 of cybersecurity maturity model certification program
On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates...
UK Supreme Court rules claimant cannot bring privacy claims against U.S. tech company
On November 10, the UK Supreme Court issued a judgment in an appeal addressing whether a claimant can bring data privacy claims in a representative capacity against a global technology company in a class action suit. The claimant sought compensation on behalf of a class under section 13 of the Data...
9th Circuit: Israeli company is not entitled to foreign sovereign immunity over malware claims
On November 8, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a private Israeli company’s motion to dismiss claims based on foreign sovereign immunity. The Israeli company (defendant) designs and licenses surveillance technology to governments and...
District Court grants $5 million settlement for alleged data breach
On November 5, the U.S. District Court for the Northern District of California granted preliminary approval of a class action settlement resolving claims against a grocery store chain after a data breach allegedly compromised personal information in its software. According to the plaintiffs’ notice...
Treasury and DOJ announce sanctions and charges in ransomware attacks, FinCEN updates ransomware guidance
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 as amended against two ransomware operators and a virtual currency exchange network. According to OFAC, the virtual currency exchange, and its associated...
Illinois enacts the Protecting Household Privacy Act
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or...
New York enacts robocall measures
On November 8, the New York governor signed measures to help prevent robocalls and increase consumer protections. The measures build upon federal actions to combat robocalls and “will enable telecom companies to prevent these calls from coming in in the first place, as well as empower our state...
New York requires private employers to provide electronic monitoring notice
On November 8, the New York governor signed S.2628, which requires employers to notify their employees in writing upon hiring of their intention to monitor or intercept telephone or email conversations or transmissions, or monitor the use or access of other electronic devices. Employers must...
Kansas AG fines companies for unlawful data disposal
On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas...
District Court grants preliminary approval in BIPA settlement
On November 4, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims that a plasma donation center (defendant) unlawfully collected and stored the fingerprints of blood plasma donors. According to the memorandum of...
CFPB seeks comments on recent orders to U.S. tech companies
On November 5, the CFPB published a notice in the Federal Register seeking public comments on recently issued orders to six large U.S. technology companies requesting information and data on their payment system business practices (covered by InfoBytes here). According to the notice, the Bureau...
InfoBytes
House subcommittee holds hearing on cybersecurity
On November 3, the House Financial Services Subcommittee on Consumer Protection and Financial Institutions held a hearing titled “Cyber Threats, Consumer Data, and the Financial System.” The hearing examined cybersecurity and consumer data protection challenges for financial institutions, discussed...
InfoBytes
NYDFS provides affiliate cybersecurity program guidance
Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs...
InfoBytes
District Court approves CCPA class action settlement
On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’...
InfoBytes
District Court denies defendant’s motion to dismiss Illinois BIPA class action
On October 28, the U.S. District Court for the Northern District of Illinois denied a Delaware-based technology management service defendant’s motion to dismiss a putative class action that alleged it stored and collected biometric data from employees of companies that utilized the defendant’s...
InfoBytes
FTC increases dark patterns enforcement
On October 28, the FTC announced a new enforcement policy statement warning companies against using illegal dark patterns that could “trick or trap consumers into subscription services” which are sometimes used by sellers in automatic renewal subscriptions, continuity plans, free-to-pay or free-to-...
InfoBytes
Elizabeth E. McGinn quoted in Cyberscoop article, “FTC wants to know when financial data is compromised, will require encryption”
Elizabeth E. McGinn was quoted in a Cyberscoop article, “FTC wants to know when financial data is compromised, will require encryption,” which examined updated rules the Federal Trade Commission is considering that would require financial institutions to report within 30 days any security incidents...
In The News
FTC updates Safeguards rule for financial institutions
On October 27, the FTC announced a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. The final rule follows a 2019 notice of proposed rulemaking (covered by InfoBytes here) and...
InfoBytes
11th Circuit’s new opinion says plaintiff still has standing to sue in outsourced debt collection letter action
On October 28, the U.S. Court of Appeals for the Eleventh Circuit issued a split opinion in Hunstein v. Preferred Collection & Management Services, vacating its April 21 decision but still finding that the plaintiff had standing to sue. As previously covered by InfoBytes, last April the 11th...
InfoBytes
9th Circuit denies bid to block Arizona’s dealer data privacy law
On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer...
InfoBytes
Office of Science and Technology issues RFI on biometric technology
Earlier this month, the Office of Science and Technology (OSTP) issued a request for information (RFI) on the use of biometric technology. Specifically, the RFI seeks to assist OSTP in understanding “the extent and variety of biometric technologies in past, current, or planned use; the domains in...
InfoBytes
FTC says ISPs provide limited protections for consumer data
On October 21, the FTC reported that internet service providers (ISPs) are able to gather and share large pools of sensitive consumer data while providing limited privacy protections. According to an FTC staff report, ISPs’ data collection and use practices allow them to monitor and record their...
InfoBytes
District Court preliminarily approves $85 million class action privacy settlement
On October 21, the U.S. District Court for the Northern District of California preliminarily approved an $85 million class action settlement to resolve privacy and data security allegations against a video conferencing provider. Class members claimed the company violated several California laws,...
InfoBytes
District Court partially denies company’s motion to dismiss in data breach class action
On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The...
InfoBytes
NIST issues draft cybersecurity framework to mitigate ransomware events
Recently, the National Institute of Standards and Technology (NIST) issued a draft version of its Cybersecurity Framework Profile for Ransomware Risk Management, which proposes recommended steps for organizations to follow to prevent and mitigate ransomware events. The profile identifies...
InfoBytes
Financial Stability Board calls for uniformity in cyber-breach reporting
On October 19, the Financial Stability Board (FSB) released a report calling for a convergence in the reporting of cyber incidents given the digitalization of financial services and the growing use of third-party service providers. According to FSB’s report, Cyber Incident Reporting: Existing...
InfoBytes
Agencies announce new measures to combat ransomware
On October 15, the U.S. Treasury Department announced additional steps to help the virtual currency industry combat ransomware and prevent exploitation by illicit actors. The guidance builds upon recent “whole-of-government” actions focused on confronting “criminal networks and virtual currency...
InfoBytes
District Court grants final approval in BIPA settlement
On October 13, the U.S. District Court for the Northern District of Illinois granted final approval to a $2.6 million class action settlement between a sports entertainment chain (defendant) and a class of former employees, resolving allegations that the defendant was responsible for improperly...
InfoBytes
New York designates October as Cyber Security Awareness Month
On October 14, New York’s Governor Hochul announced a proclamation designating October 2021 as “Cyber Security Awareness Month” in the state as part of an effort to enhance cyber security practices and to encourage awareness about online habits as internet threats continue to grow. According to the...
InfoBytes
New Jersey settles CFA and HIPAA matter with fertility clinic
On October 12, the New Jersey attorney general and the Division of Consumer Affairs announced an action against a healthcare provider alleging that the defendant violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the...
InfoBytes
California clarifies CPRA rulemaking authority timing
On October 5, the California governor signed AB 694. The bill clarifies that the California Privacy Protection Agency (which was given “full administrative power, authority, and jurisdiction to implement and enforce the [California Consumer Privacy Act]”) would assume responsibility for rulemaking...
InfoBytes
Dems urge FTC to enforce children and teen privacy compliance
On October 8, Senator Ed Markey (D-MA) and Representatives Kathy Castor (D-FL) and Lori Trahan (D-MA) sent a letter to FTC Chair Lina Khan urging the Commission to ensure that technology companies comply with their own policies regarding the protection of children’s and teens’ privacy. Among other...
InfoBytes
California expands consumer privacy rights to include genetic data
On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to...
InfoBytes
Delaware Chancery Court rules hotel corporation plaintiff failed to allege particular facts
On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of a massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he...
InfoBytes
FTC finalizes settlement with movie subscription service
On October 5, the FTC finalized a settlement with the operators of a movie subscription service, resolving allegations that the respondents violated the FTC Act by denying subscribers access to paid-for services and failed to secure subscribers’ personal information. As previously covered by...
InfoBytes
FTC gives Congress report on privacy and security
Recently, the FTC released a report to Congress regarding the Commission’s actions in strengthening measures to link data privacy and competition enforcement, among other things. The report responds to the Joint Explanatory Statement accompanying the Consolidated Appropriations Act of 2021, P.L...
InfoBytes
District Court approves $92 million class action settlement over privacy violations
On September 30, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (...
InfoBytes
District Court: Company must face CCPA class action after ransomware attack
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data...
InfoBytes
Soltani to head the California Privacy Protection Agency
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban,...
InfoBytes
California Privacy Protection Agency seeks preliminary comments on CPRA proposed rulemaking
On September 22, the California Privacy Protection Agency (CPPA) formally called on stakeholders to provide preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPRA, which established the CPPA to administer, implement, and enforce the act, was approved by...
InfoBytes
California governor signs legislation on identity theft
On September 23, California’s governor signed AB 430, which requires a debt collector to pause collection activities until completion of a review if the debt collector receives a copy of an FTC identity theft report and a written statement from the debtor. Among other things, the bill: (i) alters...
InfoBytes
Democratic senators ask FTC to reconsider privacy rulemaking
On September 20, nine Democratic Senators sent a letter to FTC Chair Lina M. Khan requesting that the FTC draft new rules that better protect consumers’ personal data and privacy. The Senators argued that ongoing data breaches and privacy violations have “shown the limits of the FTC's general...
InfoBytes
Illinois state appellate court applies different limitation periods under BIPA
On September 17, the First District Appellate Court of Illinois held that different limitation periods should be applied to the Biometric Information Privacy Act (BIPA), concluding that while Section 15 imposes various duties that all concern privacy, “each duty is separate and distinct.”...
InfoBytes
District Court denies company’s bid to arbitrate in class action
On September 15, the U.S. District Court for the Southern District of California denied a defendant tech company’s motion to compel arbitration, dismiss or stay a class action lawsuit alleging that it violated the California Invasion of Privacy Act, among other things, by monitoring certain...
InfoBytes
Massachusetts investigating data breach
On September 14, the Massachusetts attorney general announced the launch of an investigation to determine if an international wireless carrier had proper safeguards in place to protect consumer and mobile device information after a major data breach that allegedly compromised personally-identifying...
InfoBytes
FTC says health apps must comply with Health Breach Notification Rule
On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and...
InfoBytes
SEC takes action against firms for cybersecurity procedures
On August 30, the SEC announced sanctions against eight firms in three actions for alleged failures in their cybersecurity policies and procedures that resulted in takeovers of employee email accounts, which exposed the personal information of thousands of customers and clients at...
InfoBytes
FinCEN to host workshop on privacy enhancing digital identity
On August 31, the Financial Crimes Enforcement Network (FinCEN) announced it will host a special Innovations Hours Program on October 14, “focusing on the important role of digital identity to enhance financial services inclusion while supporting efforts to counter illicit activity that undermine...
InfoBytes
Ireland fines U.S. messaging service €225 million for GDPR violations
On September 2, the Irish Data Protection Commission (Commission) announced that a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based messaging service’s handling of individuals’ personal information. The final Article 65 decision, published...
InfoBytes
FTC bans respondents from surveillance business
On September 1, the FTC announced that a data monitoring application and its CEO (collectively, “respondents”) will be permanently banned from the surveillance industry for failing to provide reasonable data security for consumers’ personal information by allegedly “secretly harvesting and sharing...
InfoBytes
New Mexico sues gaming app maker for COPPA violations
On August 25, the New Mexico attorney general filed a lawsuit against an entertainment corporation for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) and New Mexico’s Unfair Practices Act by knowingly collecting and selling personal information from children under the...
InfoBytes
Treasury, Singapore sign cybersecurity cooperation MOU
On August 23, the U.S. Treasury Department and the Monetary Authority of Singapore finalized a bilateral Memorandum of Understanding (MOU) on cybersecurity cooperation. The MOU formalizes and strengthens a strong cybersecurity partnership between the two countries and, among other things, enhances...
InfoBytes
District Court approves $28 million class action settlement over recorded calls
On August 16, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a call center hired by a national bank and its merchant processing servicer (collectively, “defendants”) violated California’s Invasion...
InfoBytes
SEC settles with company over data breach
On August 16, the SEC announced charges against a London-based educational publishing company for allegedly misleading investors regarding a cyber breach that involved millions of student records and for having inadequate disclosure controls and procedures in place. According to the SEC’s...
InfoBytes
District Court: Cloud computing company must face class action CCPA claims in data breach suit
On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that...
InfoBytes
FFIEC gives authentication and access guidance to financial institutions
On August 11, the Federal Financial Institutions Examination Council (FFIEC) published guidance, on behalf of its members, to provide financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties...
InfoBytes
State AGs ask for faster implementation of STIR/SHAKEN
On August 9, state attorneys general from all 50 states and the District of Columbia, through the National Association of Attorneys General, sent a letter to the FCC urging the Commission to confront illegal robocalls by moving the deadline for smaller telephone companies to implement caller ID...
InfoBytes
FCC takes action against robocalls
On August 5, the FCC announced a “fair and consistent” process for reviewing actions regarding a voice service provider’s ability to comply with the FCC’s anti-spoofing caller ID authentication rules. FCC rules require broad implementation of the STIR/SHAKEN caller ID authentication framework on...
InfoBytes
District Court grants preliminary approval of class action settlement against national convenience store chain
On July 30, the U.S. District Court for the Eastern District of Pennsylvania granted preliminary approval of a settlement in a class action against a national convenience store chain (defendant) for a 2019 data security incident that allegedly compromised consumers’ credit and debit card...
InfoBytes
Global tech corporation fined $888 million for GDPR violations
Recently, a global technology corporation disclosed a €746 million (approximately $888 million USD) fine issued by the Luxembourg National Commission for Data Protection (CNPD) for alleged violations of the EU’s General Data Protection Regulation (GDPR). The corporation’s Form 10-Q for second...
InfoBytes
"Shedding light on dark patterns: What financial institutions need to know" by Elizabeth E. McGinn, Amanda R. Lawrence, and Sherry-Maria Safchuk (Cybersecurity Law Report)
Regulators, legislators and private litigants are increasingly looking at how companies attract and conduct business with consumers in online settings, and particularly whether these companies are designing user experiences to manipulate behavior in a way that can prove harmful to the consumer. The...
Articles
5th Circuit overturns ruling that insurer must defend data breach
On July 21, the U.S. Court of Appeals for the Fifth Circuit reversed a lower court’s decision to grant summary judgment for a Houston-based insurer (defendant), finding that publication of material that violates a person’s right of privacy under the insurer’s policy can include making credit card...
InfoBytes
District Court grants final approval to grocery chain data breach settlement
On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which...
InfoBytes
New York expands definition of telemarketing to include text messages
On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone...
InfoBytes
Connecticut incentivizes businesses to adopt cybersecurity standards
On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming a business’ failure to “implement reasonable...
InfoBytes
Biden orders federal agencies to evaluate banking, consumer protections
On July 9, President Biden issued a broad Executive Order (E.O.) that includes provisions related to the financial services industry. CFPB. The E.O. encourages the CFPB director to issue rules under Section 1033 of Dodd-Frank “to facilitate the portability of consumer financial transaction data so...
InfoBytes
District Court grants summary judgment for defendant in identity theft case
On June 30, the U.S. District Court for the Eastern District of Pennsylvania granted a motion for summary judgment in favor of a debt collection agency (defendant) with respect to a plaintiff’s FCRA and FDCPA allegations. The plaintiff alleged that the defendant, among other things, violated the...
InfoBytes
Special Alert: Colorado enacts comprehensive consumer privacy law
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became...
Special Alerts
FTC settles with app for violating COPPA
On July 1, the FTC announced a settlement with the operators of a coloring book app (collectively, “defendants”) for allegedly engaging in unfair or deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). The DOJ, on behalf of the FTC, filed a complaint...
InfoBytes
NYDFS issues ransomware guidance
On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that...
InfoBytes
Florida issues telephone solicitation restrictions
On June 29, the Florida governor signed SB 1120, which prohibits telephone solicitations and sales calls involving an “automated system for the selection or dialing of telephone numbers or the playing of a recorded message” without first receiving the prior express written consent of the called...
InfoBytes
9th Circuit partially reverses lower court’s ruling based on tech company's misleading statements
On June 16, the U.S. Court of Appeals for the Ninth Circuit partially revived a securities fraud action brought by the state of Rhode Island on behalf of its employees’ retirement system against a California-based technology company, its holding company, and several individuals (collectively, “...
InfoBytes
Connecticut amends data security breach provisions
On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection...
InfoBytes
FTC settles with fertility-tracking app
On June 22, the FTC issued a decision and order against a company operating a fertility-tracking mobile app. The order resolved claims that the company shared users’ sensitive health data with various marketing and analytics service providers to the company. The FTC filed a complaint in January...
InfoBytes
District Court: Applying Michigan law is contrary to California’s interest in protecting citizens in data breach case
On June 15, the U.S. District Court for the Eastern District of Michigan denied an e-commerce company’s request to compel arbitration after reviewing whether Michigan or California state law applied to class claims concerning a 2019 data breach. After four actions against the company were...
InfoBytes
Jeffrey P. Naimon quoted in American Banker article, “Banks, consumer advocates unite against tax reporting proposal”
The American Banker discussed in their article, “Banks, consumer advocates unite against tax reporting proposal,” that the financial industry is opposed to the Biden administration’s plan — which would require financial institutions to report customers’ account flow data to the Internal Revenue...
In The News
SEC charges settlement company with cybersecurity disclosure violations
On June 15, the SEC announced charges against a real estate settlement services company for its role in allegedly failing to disclose controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent...
InfoBytes
Nevada updates consumer privacy framework
On June 2, the Nevada governor signed SB 260, which revises certain provisions under the state’s existing privacy law. Among other things, the act (i) adds “data broker” to the existing privacy framework; (ii) exempts certain persons and information collected about a consumer in the state from...
InfoBytes
11th Circuit affirms majority of $380 million data breach settlement
On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a...
InfoBytes
FCC signs robocall enforcement MOU with Australia
On June 3, the FCC announced that it entered into a memorandum of understanding (MOU) with the Australian Communications and Media Authority (ACMA) on providing mutual assistance in the enforcement of laws on certain unlawful communications, such as robocalls, robotexts, and “spoofing.” FCC Acting...
InfoBytes
FTC alleges subscription service failed to provide access to paid-for services or secure personal data
On June 7, the FTC announced a complaint and proposed consent order against the operators of a movie subscription service to settle allegations that the respondents denied subscribers access to paid-for services and failed to secure subscribers’ personal information. The FTC alleges in its...
InfoBytes
FinCEN to host workshop on privacy enhancing technologies
On May 26, the Financial Crimes Enforcement Network (FinCEN) announced it will host a special Innovations Hours Program in September “focusing on the important role of privacy-preserving principles in developing technical solutions that enhance financial services innovation while countering illicit...
InfoBytes
New York AG reaches agreement with online retailer to resolve data breach
On May 18, the New York attorney general announced an agreement with an online water filtration retailer to resolve an investigation into a 2019 data breach that allegedly compromised the sensitive personal information of roughly 324,000 customers. According to the AG, the data breach impacted the...
InfoBytes
District Court approves online marketplace data breach settlement
On May 13, the U.S. District Court for the Northern District of California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data...
InfoBytes
NYDFS, insurance company reach $1.8 million cyber breach settlement
On May 13, NYDFS announced a settlement with an insurance company to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication or reasonably equivalent or more secure access controls. Under Part 500.12(b...
InfoBytes
6th Circuit affirms dismissal of FACTA credit card receipt suit
On May 11, the U.S. Court of Appeals for the Sixth Circuit affirmed dismissal of a putative class action for lack of subject matter jurisdiction, holding that while a merchant technically violated the Fair and Accurate Credit Transactions Act (FACTA) by including 10 credit card digits on a customer...
InfoBytes
Defendant obligated to indemnify bank in data breach suit
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data...
InfoBytes
Data breach claims against convenience store chain can proceed
On May 6, the U.S. District Court for the Eastern District of Pennsylvania ruled that a defendant nationwide convenience store chain must face certain claims filed by a group of financial institutions as a result of a 2019 data security incident that allegedly compromised consumers’ credit and...
InfoBytes
FTC settles with photo app developer over its facial recognition technology
On May 7, the FTC announced a final settlement with the developer of a California-based photo app (defendant) for allegedly deceiving consumers concerning its use of facial recognition technology and its retention of the photos and videos of users who previously deactivated their accounts. The FTC...
InfoBytes
2nd Circuit: No standing if PII is uncompromised
On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s dismissal of a proposed class action settlement, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach...
InfoBytes
9th Circuit: Company cannot compel minor children to arbitration
On April 23, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s refusal to compel arbitration against a technology company, concluding that children are not bound by arbitration provisions in their parents’ service contracts with the company. The appeals court held that the...
InfoBytes
FCC issues $4.1 million fine for deceptive robocalls
On April 22, the FCC imposed a $4.1 million fine against a phone carrier for allegedly impersonating other carriers in telemarketing calls and deceiving consumers into changing carriers without consent. The FCC first proposed the fine in 2018 after the agency, state regulators, and the Better...
InfoBytes
Court rules software service provider did not eavesdrop when capturing website data for retailer
On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging a software-services provider for a clothing retailer wiretapped consumers’ communication with the retailer in violation of California’s Invasion of Privacy Act and the California...
InfoBytes
Court certifies two classes in restaurant chain data breach
On April 15, the U.S. District Court for the Middle District of Florida certified a nationwide class and a California-only class of restaurant customers who claim the restaurant chain’s negligence led to a 2018 data breach that compromised their credit card information. The two classes of consumers...
InfoBytes
NYDFS, insurance broker reach $3 million cyber breach settlement
On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are...
InfoBytes
FCC pushes on robocall blocking
On April 13, the FCC took several actions associated with blocking illegal and unsolicited robocalls, including sending cease and desist letters (see here and here) to two carriers that “appear to be transmitting multiple unlawful robocall campaigns” and seeking updated information from all...
InfoBytes
NYDFS updates cybersecurity fraud alert
On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of other techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities...
InfoBytes
Utah creates certain affirmative defenses for data breaches
On March 11, the Utah governor signed HB 80, which provides entities an affirmative defense for a data breach if they follow certain cybersecurity industry standards. Among other things, a “person that creates, maintains, and reasonably complies with a written cybersecurity program” that meets...
InfoBytes
Sherry-Maria Safchuk quoted in Bloomberg Law article, “Additional bills introduced in Illinois, Massachusetts, Minnesota; Virginia law’s approval may up the ante in other states, federally”
Sherry-Maria Safchuk discussed in the Bloomberg Law article “Additional bills introduced in Illinois, Massachusetts, Minnesota; Virginia law’s approval may up the ante in other states, federally” how the recent Massachusetts privacy bill is different than Virginia’s Consumer Data Protection Act...
In The News
California again modifies CCPA regs; appoints privacy agency’s board
On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the...
InfoBytes
States reach data breach settlement with debt collector
On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million...
InfoBytes
Non-signatory may not arbitrate privacy claims
On March 9, the U.S. District Court for the Southern District of New York denied a global technology company’s motion to compel arbitration in a putative consumer privacy class action, ruling that the technology company is not party to a co-defendant telecommunications company’s terms and...
InfoBytes
Amanda R. Lawrence and Sasha Leonhardt extensively quoted in Cybersecurity Law Report article, “Familiar and fresh mandates in Virginia’s new privacy law”
Amanda R. Lawrence and Sasha Leonhardt were extensively quoted in the Cybersecurity Law Report article, “Familiar and fresh mandates in Virginia’s new privacy law,” which reported on the recently enacted Virginia Consumer Data Protection Act and how it is similar to and yet differs from the...
In The News
NYDFS, mortgage lender reach $1.5 million cyber breach settlement
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide...
InfoBytes
Virginia enacts comprehensive consumer data privacy framework
On March 2, the Virginia governor enacted the Consumer Data Protection Act (VCDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018,...
InfoBytes
Court approves $650 million biometric privacy class action settlement
On February 26, the U.S. District Court for the Northern District of California granted final approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. The settlement resolves consolidated class action claims that the social media...
InfoBytes
"Empire state of privacy: Recent developments in New York’s privacy and cybersecurity laws" by Elizabeth E. McGinn, Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (New York Law Journal)
New York over the past few years has steadily raised the bar on privacy and cybersecurity standards for commercial enterprises, and, along with the European Union and California, is increasingly seen as a pacesetter in this fast-developing area of law. Proposed legislation before its General...
Articles
Convenience store chain agrees to pay $12 million to resolve data security incident
On February 19, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Eastern District of Pennsylvania to resolve data security incident claims. Class members—comprised of a nationwide group of consumers whose...
InfoBytes
CSBS announces new nonbank cybersecurity exam tool
On February 24, during the Nationwide Multistate Licensing System Annual Conference, the Conference of State Bank Supervisors (CSBS) released an updated cybersecurity examination tool designed for nonbank financial company supervision. The tool is intended for state regulators to use during...
InfoBytes
NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data
On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’...
InfoBytes
Florida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include: Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal...
InfoBytes
NYDFS announces cybersecurity fraud alert
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits...
InfoBytes
"What the new information security reporting standards mean for financial institutions" by Jeffrey P. Naimon and James C. Chou (Cybersecurity Law Report)
Regulators recently proposed new rules that would require banking institutions to notify their primary regulators of some computer-security incidents within 36 hours, and service providers to notify regulated entities as soon as possible of any incident affecting its operations for four hours or...
Articles
Insurance company not obligated to indemnify retailer’s payment card claims following data breach
On February 8, the U.S. District Court for the District of Minnesota granted defendant’s motion for summary judgment, ruling that an insurance company is not obligated to indemnify a national retailer (plaintiff) for settlements paid to multiple banks to resolve claims over the costs of canceling...
InfoBytes
11th Circuit: Future identity theft risk does not confer standing
On February 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed dismissal of a class action complaint, which raised several claims against a restaurant following a data breach that exposed customers’ financial information, for the named plaintiff’s lack of standing. According to the...
InfoBytes
NYDFS issues Cybersecurity Insurance Risk Framework
On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S...
InfoBytes
Virginia legislature advances privacy bill
Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include: Applicability. The bill will apply to “persons that conduct...
InfoBytes
Court denies tech company's second request for COPPA claim dismissal
On February 2, the U.S. District Court for the District of New Mexico granted a technology company’s motion for reconsideration in part, but denied dismissal of the New Mexico attorney general’s action alleging the company designed and marketed mobile gaming applications (apps) targeted towards...
InfoBytes
FTC finalizes settlement with video conferencing company
On February 1, the FTC finalized a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption offered for securing communications during meetings. As previously covered by InfoBytes, in November 2020...
InfoBytes
Court addresses alternative theories of liability in BIPA class action
On January 28, the U.S. District Court for the Northern District of Illinois denied a motion to reconsider and a motion to certify questions for appeal and stay proceedings pending appeal in a matter concerning class claims that an auto leasing company and its parent company (collectively, “...
InfoBytes
Washington Department of Financial Institutions once again extends “work from home” guidance
On January 29, the Washington Department of Financial Institutions issued interim regulatory guidance to licensed mortgage loan originators and companies that sponsor them relating to temporary remote work. The guidance extends earlier interim guidance (previously covered here, here, here, and...
InfoBytes
Court approves grocery store data breach settlement
On January 25, the U.S. District Court for the Central District of Illinois preliminarily approved a class action settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The preliminary settlement would allow...
InfoBytes
Elizabeth E. McGinn quoted in Bloomberg Law article, “New FTC leadership likely to put consumer privacy in crosshairs”
Elizabeth E. McGinn was quoted in a Bloomberg Law article, “New FTC leadership likely to put consumer privacy in crosshairs,” which examined how the agency will now approach privacy enforcement. “There were significant settlements related to data security issues under Trump, but we’re likely to see...
In The News
Law firm ordered to produce cyberattack report in malpractice action
On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected...
InfoBytes
New York introduces biometric privacy act
On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of...
InfoBytes
Updated Washington State Privacy Act re-introduced
On January 5, the Washington State Privacy Act, SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here.) Highlights...
InfoBytes
Court dismisses data breach claims citing lack of compromised sensitive information
On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia...
InfoBytes
State AGs reach $2 million settlement to resolve data breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised...
InfoBytes
Court grants preliminary approval of CCPA class action settlement
On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the...
InfoBytes
9th Circuit affirms dismissal of data breach class action against online payment firm
On December 17, the U.S. Court of Appeals for the Ninth Circuit affirmed dismissal of a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. As...
InfoBytes
FTC settles with company for data security lapses
On December 16, the FTC announced a settlement with a Nevada-based travel emergency services provider, resolving allegations that the company violated the FTC Act by failing to implement a comprehensive security program to ensure the security of personal consumer information, including sensitive...
InfoBytes
Irish Data Protection Commission fines U.S. social networking company for violating GDPR
On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European...
InfoBytes
Agencies propose computer-security incident notification rule
On December 18, the FDIC, Federal Reserve Board, and the OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM), which would require supervised banking organizations to promptly notify their primary regulator within 36 hours of becoming aware that a “‘computer-security...
InfoBytes
FTC settles with mortgage analytics company over vendor oversight deficiencies
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach-Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform...
InfoBytes
FCC: Contractors must get consent to make robocalls under TCPA
On December 14, the FCC released an order concluding that federal and state contractors are subject to the restrictions of the TCPA and must obtain prior express consent to call consumers. The order reverses a 2016 decision, which extended the presumption that “the word ‘person’ [in the TCPA] does...
InfoBytes
FTC orders social media and video streaming companies to provide data on privacy practices
On December 14, the FTC issued orders to nine social media and video streaming companies requiring each company to provide information on their collection, use, and presentation of personal information, including their data gathering and advertising practices. The orders are issued pursuant to...
InfoBytes
Minnesota regulator issues telework guidance
On December 15, the Minnesota Commerce Department issued guidance regarding non-depository financial institution telework. The guidance provides that if the licensed location is still offering financial products or services, employees can work from home to perform tasks as long as the following are...
InfoBytes
California proposes modifying CCPA regs again
On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on October 12, the Department released a third set of proposed...
InfoBytes
FSOC annual report highlights Covid-19 impact on financial stability
On December 3, the Financial Stability Oversight Council (FSOC) released its 2020 annual report. The report reviews financial market developments, identifies emerging risks, and offers recommendations to enhance financial stability. The report also highlights the impact of Covid-19 on the economy...
InfoBytes
Oklahoma extends working from home guidance
On December 7, the Oklahoma Department of Consumer Credit extended, for the sixth time, its interim guidance to regulated entities on working from home (see here, here, here, here, here, and here for previous coverage). The guidance sets forth data security standards required for regulated...
InfoBytes
NYDFS announces cybersecurity toolkit for small businesses
On November 17, NYDFS announced a partnership with a non-profit company to provide a free cybersecurity toolkit to small businesses, including those in the financial services sector. The toolkit is intended to help small businesses strengthen their cybersecurity and to protect themselves and their...
InfoBytes
FTC requires video conferencing provider to improve security safeguards
On November 9, the FTC announced a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption and security offered for securing communications during meetings. The FTC’s complaint alleges that, since...
InfoBytes
California voters approve expanded privacy rights
On November 3, California voters approved a ballot initiative, the California Privacy Rights Act of 2020 (CPRA), that expands on the California Consumer Privacy Act (CCPA). While there are a number of differences between the CPRA and the CCPA, some key provisions include: Adding expanded consumer...
InfoBytes
NYDFS urges regulating social media companies following hacks
On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social...
InfoBytes
Oklahoma regulator extends working from home guidance through end of year
On October 22, the Oklahoma Department of Consumer Credit extended, for the fifth time, its interim guidance to regulated entities on working from home (see here, here, here, here, and here for previous coverage). The guidance sets forth data security standards for regulated entities with...
InfoBytes
California modifying CCPA regs again
On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of...
InfoBytes
G7 urges financial services sector to mitigate ransomware attacks
On October 13, the member nations of the G7 issued a joint statement stressing their commitment to working with the financial services sector to address and mitigate ransomware attacks. The statement highlights the recent increase in ransomware attacks over the last few years and notes that the...
InfoBytes
CSBS and others release ransomware mitigation tool
On October 13, the Conference of State Bank Supervisors (CSBS), joined by the Bankers Electronic Crimes Task Force and the U.S. Secret Service, released a self-assessment tool to help supervised financial institutions mitigate the risk of ransomware attacks. The tool will also help financial...
InfoBytes
FCC seeks comment on TCPA exemptions
On October 1, the FCC issued a Notice of Proposed Rulemaking (NPRM), seeking comment on exemptions already granted under the TCPA allowing certain entities and types of calls to be made using an automatic telephone dialing system. The FCC is required by Section 8 of The Pallone-Thune Telephone...
InfoBytes
Health insurer to pay $48 million to resolve 2014 data breach
On September 30, a multistate settlement was reached between a health insurance company and a coalition of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly compromised the personal information of more than 78 million customers nationwide. According...
InfoBytes
Certain business and employment CCPA exemptions extended to 2022
On September 29, the California governor signed AB 1281, which extends certain exemptions under the California Consumer Privacy Act (CCPA) from January 1, 2021 to January 1, 2022. As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended...
InfoBytes
Rhode Island regulator extends work from home guidance for lenders
On September 28, the Rhode Island Department of Business Regulation, Banking Division, extended previous guidance (previously covered here and here) issued to mortgage loan originators, lenders, loan brokers, and exempt company registrants. The guidance permits working from home, even if the home...
InfoBytes
"6 key ways the California Privacy Rights Act of 2020 would revise the CCPA" by Amanda R. Lawrence, Sherry-Maria Safchuk, Garylene D. Javier, and John Georgievski (Corporate Compliance Insights)
The California Consumer Privacy Act (CCPA), the state’s landmark privacy regulation, became effective only eight months ago – and yet, the California Privacy Rights Act of 2020 (CPRA), a modified version of the CCPA, has garnered enough support to appear on the November 2020 ballot in California...
Articles
Oklahoma regulator amends working from home guidance
On September 23, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here, here, here and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in...
InfoBytes
Oklahoma regulator extends working from home guidance
On September 23, the Oklahoma Department of Consumer Credit extended, for the fourth time, its interim guidance to regulated entities on working from home (see here, here, here, and here for previous coverage). The guidance sets forth data security standards for regulated entities with employees...
InfoBytes
California AG enters into privacy settlement with fertility-tracking mobile app
On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy...
InfoBytes
New York AG settles data breach lawsuit with national coffee chain
On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of...
InfoBytes
"Implementing the CCPA regulations: Are you ready?" by Amanda R. Lawrence, Elizabeth E. McGinn, and Sherry-Maria Safchuk (Cybersecurity Law Report)
The final regulations under the California Consumer Privacy Act, introduced by the California Attorney General last October, became effective on August 14, 2020. The AG has already implemented many of the changes suggested in the public comments, but there are still several open questions that...
Articles
"Data security best practices for licensed lenders' telework" by Sherry-Maria Safchuk and James C. Chou (Law360)
State-licensed/registered brokers, lenders and servicers have increased their focus on data security as the spread of COVID-19 has extended work-from-home orders, and what now seems to be a lasting acceptance of remote work means that the tools used to secure data will remain relevant when the...
Articles
District court preliminarily approves $650 million biometric privacy class action settlement
On August 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. If granted final approval, the settlement would resolve consolidated class...
InfoBytes
District court: BIPA does not violate Illinois constitution
On August 19, the U.S. District Court for the Southern District of Illinois denied defendants’ motion to dismiss claims that they unlawfully collected individuals’ biometric fingerprint data without first receiving informed consent. The court also addressed an argument as to whether the Illinois...
InfoBytes
Final CCPA regulations approved: Overview of changes
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended...
InfoBytes
District court: $925 million statutory damages award not constitutionally excessive
On August 14, the U.S. District Court for the District of Oregon refused to reduce a $925 million statutory damages award against a company found to have violated the TCPA by sending almost two million unsolicited robocalls to consumers. The company argued that the statutory damages award violates...
InfoBytes
Arkansas Securities Department extends work-from-home guidance
On August 18, the Arkansas Securities Department further extended interim regulatory guidance previously issued to licensed mortgage companies, mortgage loan officers, and branch managers. The original interim regulatory guidance, previously covered here, and extended in May, permits mortgage...
InfoBytes
Final CCPA regulations approved
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended...
InfoBytes
"Reopening well: Balancing employee privacy with employee safety" by Elizabeth E. McGinn, Amanda R. Lawrence, and James C. Chou (Corporate Compliance Insights)
Consumer privacy has been a key area of focus over the past several years, but as companies begin return-to-work operations, they discover that employee privacy looms large as well. Well-intentioned companies seeking to keep employees safe risk incurring penalties from a variety of agencies based...
Articles
"Confusion surrounding the Privacy Shield rollback" by Amanda R. Lawrence, Elizabeth E. McGinn, and Magda Gathani
The Court of Justice of the European Union (CJEU) last month invalidated the EU-U.S. Privacy Shield, which over 5,000 companies have relied on as a legal mechanism of transferring data from the EU to the United States.
The European Data Protection Board (EDPB) did not provide a grace...
Buckley Commentary & Analysis
FTC continues to enforce Privacy Shield
On August 5, the FTC Commissioners testified before the Senate Committee on Commerce, Science, and Transportation and discussed, among other things, the agency’s continued enforcement of the EU-U.S. Privacy Shield, despite the recent Court of Justice of the European Union (CJEU) invalidation of the...
InfoBytes
District court approves MDL data breach settlement
On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’...
InfoBytes
NYDFS enforces its cybersecurity regulation for the first time
On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’...
InfoBytes
FCC provides safe harbors for blocking illegal robocalls
On July 16, the FCC issued an order adopting rules to further encourage phone companies to block illegal and unwanted robocalls and to continue the Commission’s implementation of the TRACED Act (covered by InfoBytes here). The rule establishes two safe harbors from liability for the unintended or...
InfoBytes
"Put bank exam council in charge of data privacy" by Jeremiah S. Buckley (American Banker)
From the European Union to California and now other states and countries, data protection and privacy standards going into effect often share the same objectives, but have separate and different regulatory requirements. This creates a confusing array of legal requirements that pose compliance and...
Articles
Court of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its opinion in the Schrems II case (Case C-311/18). In its opinion, the CJEU concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established...
InfoBytes
District court allows data breach claim to proceed against national credit reporting agency
On July 8, the U.S. District Court for the Eastern District of New York allowed a consumer’s claim under New York’s consumer protection law (N.Y. G.B.L. § 349) to proceed against a national credit reporting agency (CRA) for grievances stemming from a 2017 data breach that compromised the consumer’s...
InfoBytes
"Adjusting information security for long-term telework" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Bloomberg Law)
Amid a fast-moving pandemic in the spring of 2020, many companies were forced to adopt remote-work operations almost overnight to maintain critical business functions. This approach initially seemed like a temporary and imperfect solution to maintaining workforce safety while continuing essential...
Articles
California AG publishes CCPA FAQs
The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1...
InfoBytes
District court preliminarily approves $6.8 million TCPA settlement
On July 6, the U.S. District Court for the Eastern District of California granted preliminary approval to a nearly $6.8 million settlement between class members and a collection agency that allegedly violated the TCPA, FDCPA, and California’s Rosenthal Fair Debt Collection Practices Act by making...
InfoBytes
Supreme Court keeps TCPA, severs government-debt exception as unconstitutional
On July 6, the U.S. Supreme Court held in Barr v. American Association of Political Consultants Inc. that the TCPA’s government-debt exception is an unconstitutional content-based speech restriction and severed the provision from the remainder of the statute. As previously covered by InfoBytes,...
InfoBytes
FCC narrows “autodialer” definition
On June 25, the FCC narrowed the Commission’s definition of an “autodialer,” providing that “if a calling platform is not capable of originating a call or sending a text without a person actively and affirmatively manually dialing each one, that platform is not an autodialer and calls or texts made...
InfoBytes
Oklahoma regulator amends working from home guidance
On June 30, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here, here, and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in order for the...
InfoBytes
Amanda R. Lawrence quoted in American Banker article, “Referendum on data privacy coming to California in November”
Amanda R. Lawrence was quoted on June 28, 2020 in an American Banker article, “Referendum on data privacy coming to California in November,” which discussed how the state is giving voters the opportunity to expand the protections of the California Consumer Privacy Act with a new proposal, the...
In The News
Privacy initiative makes California ballot
On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California Country Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative...
InfoBytes
"What constitutes reasonable security per Calif. privacy law?" by Amanda R. Lawrence and James C. Chou (Law360)
California Consumer Privacy Act compliance has been focused on developing the policies, procedures and infrastructure to support new privacy rights for California residents, which include, among other things, the right to know what personal information companies have on them, the right to delete...
Articles
FTC settlement requires retailer to provide transaction records to identity theft victims
On June 10, the FTC announced a settlement to resolve Fair Credit Reporting Act (FCRA) allegations against a Wisconsin-based retailer for failing to provide the proper transaction records to identity theft victims. According to the FTC, this is the first time the Commission has used its authority...
InfoBytes
FBI warns of increased mobile banking cyber threats
On June 10, the Federal Bureau of Investigation issued a Public Service Announcement (PSA) cautioning mobile banking application users to remain vigilant of cyber activity. Specifically, the PSA indicated, with a more than 50 percent increase in mobile web application usage since the start of the...
InfoBytes
District court: Plaintiffs whose search terms were disclosed to third parties have standing under Spokeo
On June 5, the U.S. District Court for the Northern District of California issued an order denying a global search engine’s (defendant) motion to dismiss class action claims, ruling that the plaintiffs’ claims met the standing requirement under Spokeo, Inc. v. Robins. The court determined that the...
InfoBytes
FTC settles with app developer for COPPA violations
On June 4, the FTC announced that a children’s mobile application developer agreed to pay $150,000 and to delete the personal information it allegedly unlawfully collected from children under the age of 13 to resolve allegations that the developer violated the Children’s Online Privacy Protection...
InfoBytes
Virginia Bureau of Financial Institutions issues policy statement regarding Covid-19
The Virginia Bureau of Financial Institutions issued a policy statement encouraging supervised financial institutions to work constructively to mitigate the impacts of Covid-19 on Virginia consumers and businesses. The bureau advised licensees that data security, internal controls, and adherence to...
InfoBytes
9th Circuit upholds TCPA liability for reassigned number
On June 2, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s judgment in a TCPA action against a bank, concluding that consent from the person it intended to call does not exempt the bank from liability under the TCPA. According to the opinion, the bank’s vendors made over...
InfoBytes
California AG finalizes proposed CCPA regulations, requests expedited review
On June 1, the California attorney general submitted final proposed regulations implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became...
InfoBytes
District court denies arbitration in mobile app BIPA suit
On June 1, the U.S. District Court for the Northern District of Illinois denied a mobile application company’s motion to, among other things, compel arbitration in a class action alleging the company used face-geometry scan technology in violation of the Illinois Biometric Information Privacy Act (...
InfoBytes
Oklahoma Department of Consumer Credit issues an extension to interim guidance regarding temporary operations from home or alternate locations
On June 1, the Oklahoma Department of Consumer Credit issued a Second Amended Interim Guidance that extends previous guidance permitting mortgage loan originators and employees of regulated entities to work from home or an alternate site, as long as certain data security precautions are taken (...
InfoBytes
District court requires bank to produce consultant’s data breach report
On May 26, a magistrate judge of the U.S. District Court for the Eastern District of Virginia ordered a national bank to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the bank’s 2019 data breach, concluding the report was not entitled...
InfoBytes
"TCPA relief for Covid-19 communications could extend to financial institutions" by Ali M. Abugheida and Geoffrey L. Warner (Bloomberg Law)
Financial institutions face unprecedented and rapidly evolving challenges in the wake of the Covid-19 pandemic, including the need to communicate quickly and efficiently with customers in the face of government-issued stay-at-home orders. But the Telephone Consumer Protection Act, with its steep...
Articles
"Privacy and cybersecurity issues in 2020 – What to expect" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Journal of Banking and Finance Law and Practice)
A steady drumbeat of data breaches and growing concern among consumers about how companies are using their personal information will keep regulators, policy-makers and private litigants focused on cybersecurity and privacy in 2020 and beyond. While Congress tentatively explores comprehensive...
Articles
District court allows class autodialer claims to proceed against mortgage lender
On May 18, the U.S. District Court for the Eastern District of Michigan denied a request to dismiss a putative class action concerning alleged violations of the TCPA, ruling that the plaintiff plausibly alleged the mortgage lender (defendant) sent unsolicited texts through the use of an automatic...
InfoBytes
Financial institutions, CRA reach settlement over 2017 data breach
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards...
InfoBytes
District court compels arbitration of biometric privacy suit
On May 15, the U.S. District Court for the Northern District of Illinois granted an online photography company’s motion to compel arbitration in a biometric privacy lawsuit, notwithstanding the company’s unilateral modification of arbitration terms after the lawsuit was filed. According to the...
InfoBytes
$550 million preliminary settlement reached in biometric privacy class action
On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of...
InfoBytes
"Ruling on anti-hacking law may guide fair lending tests" by Jeffrey P. Naimon (Law360)
Regulators, consumer groups, academics and private litigants are grappling with the fair lending implications of the credit models powering the explosive growth in online lending by banks and financial technology firms. The U.S. District Court for the District of Columbia in late March concluded...
Articles
FFIEC discusses cloud computing risk management practices
On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and...
InfoBytes
Court approves $5 billion FTC settlement with social media company
On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy...
InfoBytes
Multi-jurisdiction settlement reached with credit reporting agency over 2017 data breach
On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017...
InfoBytes
Data breach exposes SBA Emergency Injury Disaster Loan program applicants
On April 21, according to reports, the Small Business Association (SBA) acknowledged that it notified almost 8,000 applicants of the Economic Injury Disaster Loan (EIDL) program that their information may have been exposed as part of a data breach. Specifically, the agency stated that on March 25,...
InfoBytes
Supreme Court schedules oral arguments to review TCPA debt collection exemption
On April 15, the U.S. Supreme Court announced it will hear oral arguments via telephone conference on May 6 in a case concerning an exemption to the TCPA that allows debt collectors to use an autodialer to contact individuals on their cell phones without obtaining prior consent to do so when...
InfoBytes
Missouri extends duration of “Stay Home Missouri” order
On April 16, the Missouri Department of Health extended the duration of a prior “Stay Home Missouri” order to May 3, 2020, unless extended or modified. Relying on the Cybersecurity and Infrastructure Security Agency (CISA) advisory memorandum, financial services are considered essential.
InfoBytes
FTC provides guidance on managing consumer protection risks when using AI and algorithms
On April 8, the FTC’s Bureau of Consumer Protection wrote a blog post discussing ways for companies to manage the consumer protection risks of artificial intelligence (AI) technology and algorithms. According to the FTC, over the years the Commission has dealt with the challenges presented by the...
InfoBytes
New York Department of Financial Services issues Covid-19 cybersecurity guidance
On April 13, the New York Department of Financial Services issued guidance on cybersecurity awareness during the Covid-19 pandemic. The guidance identifies three areas of heightened risk: (i) remote working, including the risks associated with less secure internet connections, expanded use of less...
InfoBytes
2nd Circuit joins 9th Circuit in broadening the definition of an autodialer under TCPA
On April 7, the U.S. Court of Appeals for the Second Circuit vacated a district court’s order granting summary judgment in favor of a defendant in a TCPA action. The decision results from a lawsuit filed by a plaintiff who claimed to have received more than 300 unsolicited text messages from the...
InfoBytes
D.C. enacts data breach requirements and consumer protections
On March 26, the mayor of the District of Columbia signed Act 23-268 to expand data privacy and consumer protection measures. Among other things, the “Security Breach Protection Amendment Act of 2020” (i) expands the definition of personal information subject to the Act; (ii) specifies the required...
InfoBytes
FTC and FCC warn VoIP service providers about illegal Covid-19 robocalls
On April 3, the FTC and the FCC sent letters to three Voice over Internet Protocol (VoIP) service providers, warning the companies to stop sending spam robocall campaigns promoting Covid-19 related scams. According to the agencies, “routing and transmitting illegal robocalls, including Coronavirus-...
InfoBytes
"Preparing for private right of action under Calif. privacy law" by Amanda R. Lawrence (Law360)
The California Consumer Privacy Act went into effect at the beginning of this year, and while the California attorney general will not begin enforcing it until July, the private right of action that the CCPA created is available to consumers now. The CCPA expressly provides for a private right of...
Articles
District of Columbia permits mortgage brokers and originators to work from home, delays reporting deadlines
On March 27, the District of Columbia Department of Insurance, Securities and Banking issued guidance to mortgage lenders, mortgage brokers and mortgage loan originators permitting them to work from non-licensed branches or locations during the Covid-19 outbreak. The guidance requires the...
InfoBytes
FINRA provides cybersecurity alert containing measures firms should consider in adjusting to Covid-19
On March 26, FINRA released a cybersecurity alert providing FINRA firms and associated persons with measures they can take to help strengthen their cybersecurity controls in areas where risks may increase in the current environment. The alert contains recommendations concerning the security of...
InfoBytes
"The truth about the California Consumer Privacy Act: Debunking three common misconceptions" by Amanda R. Lawrence, Sherry-Maria Safchuk, and Doris Yuen (Equipment Leasing & Finance Magazine)
The highly-anticipated California Consumer Privacy Act (CCPA) took effect on Jan. 1, 2020, and many businesses are scrambling to understand the applicability of the CCPA’s expansive obligations. The CCPA provides California consumers with the following rights: The right to know and access the...
Articles
FDIC posts Covid-19 FAQs for bankers and bank customers
On March 19, the FDIC issued FIL-18-2020, which highlights frequently asked questions for bank customers and banks affected by Covid-19. The FAQs are available on the FDIC’s Covid-19 webpage. Bank customer FAQs cover questions regarding (i) deposit insurance; (ii) customer access to money; (iii...
InfoBytes
11th Circuit reverses dismissal of “shotgun” FDCPA, FCRA, TCPA pleadings
On March 16, the U.S. Court of Appeals for the Eleventh Circuit partially reversed a district court’s dismissal of a lawsuit against several defendants for alleged violations of the FDCPA, the FCRA, and the TCPA, holding that the plaintiff’s third amended complaint was not filled with “shotgun...
InfoBytes
District court grants summary judgment in favor of bank in TCPA robocall suit
On March 13, the U.S. District Court for the District of New Jersey granted a large bank’s (defendant) motion for summary judgment in a proposed class action alleging that the plaintiff received an unsolicited telemarketing call. The plaintiff—who was himself a TCPA investigator for an attorney—was...
InfoBytes
Vermont enacts data privacy and consumer protections
On March 5, the Vermont governor signed SB 110 to expand data privacy and consumer protection measures in the state. Among other things, SB 110 (i) expands the definition of personally identifiable information (PII) subject to the Security Breach Notice Act to also include taxpayer identification...
InfoBytes
Maine Bureau of Consumer Credit Protection provides guidance to MLOs
On March 18, the Maine Bureau of Consumer Credit Protection provided interim guidance to MLOs, allowing employees to work from home as long as data security provisions are in place, and physical business records are stored only at the licensed main office. The guidance will be effective through May...
InfoBytes
California AG releases second set of modified proposed CCPA regulations
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications...
InfoBytes
Virginia eliminates fee for credit report security freezes
On March 10, the Virginia governor signed HB 509, which amends certain statutory provisions related to fees for security freezes on credit reports. Currently, a credit reporting agency (CRA) may charge a fee of not more than $5 when a consumer or his representative requests a security freeze on...
InfoBytes
"Mitigating crypto UDAAP risk after Ripple ICO ruling" by Ali M. Abugheida (Law360)
Cryptocurrency advocates have long argued that cryptocurrencies are not securities, and therefore not subject to state and federal securities laws. But a district court in California just shed light on whether advocates’ desired outcome also carries a substantial downside: application of state and...
Articles
7th Circuit rejects request to void $17.5 million TCPA settlement
On February 25, the U.S. Court of Appeals for the Seventh Circuit denied a request to overturn a $17.5 million settlement agreement arising out of a national bank’s alleged violations of the TCPA. Six different class actions had been filed against the bank in different federal courts, all alleging...
InfoBytes
CFPB holds symposium on consumer access to financial records
On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes...
InfoBytes
California AG says federal privacy legislation should not include preemption
On February 25, California Attorney General Xavier Becerra sent a letter to the chairmen and ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, asking lawmakers to not preempt state laws as they draft federal privacy...
InfoBytes
Amanda R. Lawrence quoted in American Banker article, “State privacy bills try to cut banks a break, but not completely”
Amanda R. Lawrence was quoted on January 24, 2020 in an American Banker article, “State privacy bills try to cut banks a break, but not completely,” which discussed how state legislatures are trying to ease the impact of various data privacy and cybersecurity laws on banks, though the proposals all...
In The News
FTC report highlights 2019 privacy and data security work
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including: A $5 billion penalty—the largest consumer privacy penalty to date—against a...
InfoBytes
Hospitality company’s bid to dismiss data breach suit denied
On February 21, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss multidistrict litigation resulting from its 2018 data breach. As previously covered by InfoBytes, the court also recently denied the company’s motion to dismiss in a...
InfoBytes
7th Circuit: Dialing system that cannot generate random or sequential numbers is not an autodialer under the TCPA
On February 19, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s ruling that a dialing system that lacks the capacity to generate random or sequential numbers does not meet the definition of an automatic telephone dialing system (autodialer) under the TCPA. According to...
InfoBytes
District court denies auto lender’s “de minimis” $4 million TCPA class action settlement
On February 14, the U.S. District Court for the Eastern District of Pennsylvania denied the approval of a proposed $4 million class action settlement in a TCPA case based on a “confluence of a number of negative factors,” including that the court believed the defendant—a subprime auto lender—would...
InfoBytes
Four trade groups sue Maine over privacy law
On February 14, four trade groups filed suit against Maine in the U.S. District Court for the District of Maine, alleging that a recently enacted state privacy law (covered by InfoBytes here) infringes the rights of Internet Service Providers (ISPs). The complaint claims that L.D. 946 “imposes...
InfoBytes
"Don’t let your shield down—FTC gets tough on EU-U.S. privacy shield framework" by Elizabeth E. McGinn and Magda Gathani (Bloomberg Law)
The Federal Trade Commission took more enforcement actions related to the EU-U.S. Privacy Shield Framework in 2019 and the beginning of 2020 than it did in the prior three years combined. The FTC also has alleged deception in many cases where there was no indication that any misrepresentations...
Articles
Special Alert: California attorney general releases modified proposed CCPA regulations
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert) and amended...
Special Alerts
Special Alert: California attorney general modifies proposed CCPA regulations
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert) and amended...
InfoBytes
"2020 examination priorities: OCIE pushes again on information security"
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations announced its annual examination priorities for...
Buckley Commentary & Analysis
District court: Banks' claims against hospitality company for data breach may proceed
On February 7, the U.S. District Court for the District of Maryland ruled in a multidistrict litigation action that a proposed class of banks may proceed with negligence claims under Louisiana law and pursue declaratory and injunctive relief against an international hospitality company. In this...
InfoBytes
Elizabeth E. McGinn extensively quoted in three-part series in Cybersecurity Law Report, “The Rise of Facial Recognition Technology”
Elizabeth E. McGinn was extensively quoted in a three-part series in Cybersecurity Law Report, “The Rise of Facial Recognition Technology,” which discussed the uses, risks, and legal framework governing FRT. McGinn noted “If a company experiences a breach and has biometric data customers residing...
In The News
"State privacy law initiatives to prepare for in 2020" by Amanda R. Lawrence, and Sasha Leonhardt (Law360)
The California Consumer Privacy Act, which went into effect on Jan. 1, gave California residents the broadest rights in the nation to learn what data a business has about them, to request that the business delete that data and to demand that the business not sell their data. The CCPA opened a...
Articles
Maryland, Hawaii, and Virginia are latest states to introduce privacy legislation
Recently, Maryland, Hawaii, and Virginia introduced privacy legislation designed to strengthen consumer access and control over personal data, joining efforts by Washington and New York to pass privacy bills containing provisions that differ from those in the California Consumer Privacy Act (CCPA...
InfoBytes
CFTC adopts NIST Privacy Framework
On January 28, the CFTC announced that it has adopted the National Institute of Standards and Technology (NIST) Privacy Framework, making it the first federal agency to do so. The September NIST release of a preliminary draft of the framework described it as “[a] Tool for Improving Privacy through...
InfoBytes
"Managing legal risks to U.S. companies from foreign cyberattacks" by Amanda R. Lawrence, Sasha Leonhardt, and James C. Chou (Cybersecurity Law Report)
Protecting online systems against individual hackers has been a top priority for companies for several years, but as we begin a new decade, a new threat has risen to the forefront: well-funded and sophisticated foreign governments seeking to wage a new kind of warfare on the United States. In...
Articles
SEC reports cybersecurity and resiliency observations
On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness...
InfoBytes
Appellate Court reverses and remands FACTA action
On January 22, the Illinois Appellate Court, Second District, reversed the dismissal for lack of standing of a FACTA class action brought on behalf of the class by two individuals (consumers) who claimed that an entertainment company (defendant) violated the act when it printed more than the last...
InfoBytes
Treasury seeks information on financial sector cybersecurity risks
On January 22, the Department of the Treasury published a request for comments on a proposed information collection designed to better understand cybersecurity risks facing the U.S. financial services sector and financial services critical infrastructure. The “Financial Sector Critical...
InfoBytes
New York Fed analyzes potential impact of cyber attacks on payments network
In January, the Federal Reserve Bank of New York (New York Fed) released a staff report that analyzes how a cyber attack transmitted through a payment network could be amplified throughout the U.S. financial system. According to the report, Cyber Risk and the U.S. Financial System: a Pre-Mortem...
InfoBytes
District Court: Michigan privacy law covers out-of-state residents
On January 16, the U.S. District Court for the Eastern District of Michigan denied a publishing company’s motion to dismiss putative class allegations that it disclosed subscribers’ personal information to third parties, ruling that the subscribers did not need to live in Michigan in order to bring...
InfoBytes
FDIC, OCC issue joint notice of heightened cybersecurity risk
On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test...
InfoBytes
Data breach settlement of $380.5 million approved in consumer reporting agency class action
On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data...
InfoBytes
Washington state introduces comprehensive privacy bill
On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281, the Washington Privacy Act, include the following: Applicability. SB 6281 will apply to...
InfoBytes
Supreme Court to review TCPA debt collection exemption
On January 10, the U.S. Supreme Court announced it had granted a petition for a writ of certiorari filed by the U.S. government in Barr v. American Association of Political Consultants Inc.—a Telephone Consumer Protection Act (TCPA) case concerning an exemption that allows debt collectors to use...
InfoBytes
Representatives urge financial regulators to strengthen cyber infrastructures
On January 7, Representatives Emanuel Cleaver II (D-MO) and Gregory Meeks (D-NY) sent a letter to nine federal financial regulators urging them to strengthen their financial infrastructures against possible cyber-attacks in the wake of recent threats against the U.S. from Iran and its allies...
InfoBytes
California outlines new data privacy rights
On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here.) These rights include (i) the right to request from businesses what...
InfoBytes
NCUA releases 2020 supervisory priorities
In January, the NCUA issued a letter to boards of directors and chief executive officers at federally insured credit unions outlining the agency’s 2020 supervisory priorities. Top supervisory priorities include: Bank Secrecy Act/Anti-Money Laundering (BSA/AML). Examinations will continue to focus on...
InfoBytes
Mortgage broker allegedly violated federal laws by posting customers’ personal information on website
On January 7, the FTC announced a proposed settlement with a California mortgage broker and his company to resolve alleged violations of the FTC Act, FCRA, Regulation P, and the Safeguards Rule. According to a complaint filed by the DOJ on behalf of the FTC, the defendants published the personal...
InfoBytes
FTC notes data security order improvements
On January 7, the Director of the FTC’s Bureau of Consumer Protection noted that the Commission has made “three major changes” in its data security orders to “improve data security practices and provide greater deterrence” by focusing on specificity, accountability, and responsibility. The first...
InfoBytes
NYDFS encourages regulated entities to prepare for cyber attacks
On January 4, NYDFS issued an Industry Letter warning regulated entities about the “heightened risk” of cyberattacks by hackers affiliated with the Iranian government following the killing of Iranian official Qasem Soleimani, and strongly encouraging entities to undertake preparations to ensure...
InfoBytes
Trump signs bill to combat robocalls
On December 30, President Trump signed S. 151—the “Telephone Robocall Abuse Criminal Enforcement and Deterrence Act” (TRACED Act, Public Law 116-105)—which, among other things, grants the FCC authority to promulgate rules to combat illegal robocalls and requires voice service providers to develop...
InfoBytes
Pennsylvania reaches settlement with travel websites over data breach
On December 13, the Pennsylvania attorney general announced a settlement with two travel websites resolving allegations that a 2018 data breach may have exposed consumer data for more than 20,000 state customers, including 880,000 affected payment cards globally. According to the state’s...
InfoBytes
States recommend FTC “significantly” strengthen COPPA
On December 9, a coalition of 25 state attorneys general responded to the FTC’s request for comments on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA). As previously covered by InfoBytes, the FTC released a notice in July seeking comments on all major...
InfoBytes
Hospitality company's bid to dismiss data breach suit rejected
On December 13, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss a data breach suit brought by the City of Chicago. According to the city’s complaint, the company violated the Illinois Consumer Fraud and Deceptive Business...
InfoBytes
FTC says British data analytics firm misled consumers about collection of personal information
On December 6, the FTC issued a unanimous opinion against a British consulting and data analytics firm, finding that the firm violated the FTC Act by engaging in “deceptive practices to harvest personal information from tens of millions of [a social media company’s] users.” The information—which...
InfoBytes
Senate holds hearing on privacy law proposals
On December 4, the Senate Commerce Committee held a hearing titled “Examining Legislative Proposals to Protect Consumer Data Privacy” to discuss how to “provide consumers with more security, transparency, choice, and control over personal information both online and offline.” Among the issues...
InfoBytes
Buckley Insights: Trends show DDoS attacks continue to increase
On November 19, Neustar released a report showing a 241 percent increase in Distributed Denial of Service (DDoS) attacks in 3Q 2019 versus 3Q 2018. Notably, a couple of new methods of DDoS attacks have emerged, including: DDoS reflection/amplification attacks take advantage of IP...
InfoBytes
FSOC issues final guidance on nonbank designations; highlights key risks in annual report
On December 4, the Financial Stability Oversight Council (FSOC) issued final interpretive guidance to revise and update 2012 guidance concerning nonbank financial company designations. According to Treasury Secretary Steven T. Mnuchin, the guidance “enhances [FSOC’s] ability to identify, assess,...
InfoBytes
New York considers privacy legislation broader than the CCPA
On November 22, the New York Senate’s Committee on Consumer Protection and Committee on Internet and Technology held a joint hearing titled, “Consumer Data and Privacy on Online Platforms,” which discussed the proposed New York Privacy Act, SB S5642 (the Act). The Act was introduced in May and...
InfoBytes
11th Circuit vacates class certification in TCPA action against satellite TV provider
On November 15, the U.S. Court of Appeals for the Eleventh Circuit vacated the district court’s certification order of a class action alleging a national satellite TV company violated the TCPA by contacting individuals who had previously asked to not be contacted. According to the opinion, a...
InfoBytes
Buckley Insights: Leveraging open source intelligence for cyber threat modeling
The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CIT) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to...
InfoBytes
FCC seeks comment on whether an opt-out clarification text violates TCPA
On November 7, the FCC released a public notice seeking comment on a petition filed by a financial institution requesting a declaratory ruling on whether a company can send a follow-up clarification text message in response to an opt-out message from a consumer without violating the TCPA. More...
InfoBytes
FTC settles with technology service provider on data security issues
On November 12, the FTC announced a proposed settlement, which requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures, which allegedly allowed a hacker to access the sensitive personal information of about one million...
InfoBytes
"Website cookies and privacy—GDPR, CCPA, and evolving standards for online consent" by Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (Bloomberg Law)
Virtually all companies with high-traffic websites use cookies to track visitors’ online experience, but global best practices in disclosing the use of cookies—and obtaining visitors’ consent to their use—have proven elusive despite intense scrutiny from privacy advocates. With requirements varying...
Articles
District Court approves $12.5 million settlement in TCPA class action
On October 28, the U.S. District Court for the Northern District of Illinois granted final approval of a $12.5 million TCPA class action settlement between a group of consumers and three cruise lines and their marketing group (collectively, “defendants”). According to the opinion, a consumer filed...
InfoBytes
U.K. ICO and social media company settle privacy investigation
On October 30, the U.K. Information Commissioner’s Office (ICO) announced an agreement reached between the ICO and a social media company that resolves an investigation into the company’s alleged misuse of personal data. The company has agreed to withdraw its appeal of the £500,000 penalty issued...
InfoBytes
"Congress needs to hurry up on data protection" by Jeremiah S. Buckley (American Banker)
Data is the lifeblood of the burgeoning digital economy. The debate about its use — and its protection — is now playing out globally. As big data, artificial intelligence and machine learning increasingly shape everyday lives, Congress will have some important policy choices to make, weighing how...
Articles
NIST publishes updated Big Data Interoperability Framework
On October 21, the National Institute of Standards and Technology (NIST) released the second revision of its Big Data Interoperability Framework (NBDIF), which aims to “develop consensus on important, fundamental concepts related to Big Data” with the understanding that Big Data systems have the...
InfoBytes
California governor signs CCPA amendments
On October 11, the California governor signed several amendments to the California Consumer Privacy Act (CCPA) and other privacy-related bills. As previously covered by a Buckley Special Alert, AB 874, AB 1355, AB 1146, AB 25, and AB 1564 leave the majority of the consumer’s rights intact in...
InfoBytes
Special Alert: California attorney general releases proposed CCPA regulations
Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert), amended several times and with the most...
InfoBytes
California attorney general releases proposed CCPA regulations
On October 10, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—which was enacted in June 2018 (covered by a Buckley Special Alert), amended in September 2018, amended again in October 2019 (...
InfoBytes
District Court denies TCPA class certification involving collection calls placed to wrong number
On September 27, the U.S. District Court for the Middle District of Florida denied class certification in an action alleging violations of the TCPA, the Florida Consumer Collection Practices Act, and the FDCPA brought against two companies. The action alleged that defendants used an automated...
InfoBytes
EU Court of Justice: Orders to remove defamatory content issued by member state courts can be applied worldwide
On October 3, the European Court of Justice held that a social media company can be ordered to remove, worldwide, defamatory content previously declared to be unlawful “irrespective of who required the storage of that information.” The decision results from a 2016 challenge brought by a former...
InfoBytes
California addresses robocall spoofing
On October 2, the California governor signed SB 208, the “Consumer Call Protection Act of 2019,” which requires telecommunications service providers (TSPs) to implement specified technological protocols to verify and authenticate caller identification for calls carried over an internet protocol...
InfoBytes
Pre-checked box does not give consent to cookies under EU privacy directive and GDPR
On October 1, the European Court of Justice held that, under the Privacy and Electronic Communications Directive (ePrivacy Directive), a website user does not “consent” to the use of a cookie when a website provides a “pre-checked box” that needs to be deselected for a user to withdraw consent...
InfoBytes
New York AG sues national coffee chain over data breach
On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015...
InfoBytes
"Wearables present new realm of legal risks for teams" by Elizabeth E. McGinn and John B. Williams, III (Sports Business Journal)
Reaching peak athletic performance is an increasingly scientific and quantitative pursuit, and professional sports franchises, which have tremendous financial and emotional motivation to be the best, are at the forefront in gathering as much data about their assets as possible. FitBits, Apple...
Articles
Ballot initiative seeks to expand CCPA, create new enforcement agency
On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on...
InfoBytes
EU's “right to be forgotten” law applies only in EU
On September 24, the European Court of Justice held that Europe’s “right to be forgotten” online privacy law—which allows individuals to request the deletion of personal information from online sources that the individual believes infringes on their right to privacy—can be applied only in the...
InfoBytes
District Court dismisses investors’ data breach claims
On September 18, the U.S. District Court for the Northern District of California dismissed with prejudice a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017...
InfoBytes
CFTC orders FCM to pay $1.5 million for poor cybersecurity
On September 12, the CFTC issued an order against an Illinois-based futures commission merchant imposing a $1.5 million fine for allegedly failing to protect its systems from cybersecurity threats and not alerting its customers in a reasonable timeframe after a breach occurred. According to the...
InfoBytes
Special Alert: California Legislature passes several amendments to the California Consumer Privacy Act and other privacy-related bills
Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers...
Special Alerts
District Court: Debt collector must pay $267 million in robocall damages
On September 9, the U.S. District Court for the Northern District of California entered a final judgment against a debt collection agency that was found guilty of violating the TCPA by making more than 500,000 unsolicited robocalls using autodialers. The court’s final judgment is consistent with...
InfoBytes
NIST requests comments on draft privacy framework
On September 6, the National Institute of Standards and Technology (NIST) released a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to help organizations assess and reduce risks. The draft framework is designed to align with NIST’s...
InfoBytes
Illinois Appeals Court vacates $4.3 million FACTA class action settlement
On September 6, the Illinois Appellate Court, 5th District, vacated a circuit court’s $4.3 million settlement in a class action brought against a merchant for allegedly violating the Fair and Accurate Credit Transaction Act (FACTA) when it printed the first six and last four digits of customers’ 16...
InfoBytes
District Court allows majority of privacy invasion class action claims to proceed against social media company
On September 9, the U.S. District Court for the Northern District of California granted in part and denied in part a social media company’s motion to dismiss a multidistrict class action alleging the company failed to prevent third parties from accessing and misusing private data of its users, in...
InfoBytes
FTC approves settlement with software provider over FTC Act and GLBA data security failures
On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its...
InfoBytes
District Court says TCPA dismissal bid cannot rely upon Supreme Court ruling
On September 3, the U.S. District Court for the District of New Jersey denied a medical laboratory’s motion to dismiss, ruling that the company cannot use a Supreme Court ruling to avoid a proposed TCPA class action suit concerning allegations that it made unsolicited calls using an “autodialer.”...
InfoBytes
Video-sharing site reaches $170 million settlement with FTC and New York AG
On September 4, the FTC and the New York Attorney General announced (see here and here) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (...
InfoBytes
District Court allows TCPA class action to proceed against auto company
On August 27, the U.S. District Court for the Central District of California denied a car manufacturer’s motion to dismiss a class action alleging that it violated the TCPA by sending unwanted automated text messages. According to the opinion, after a consumer visited a car dealership, she...
InfoBytes
11th Circuit: Unsolicited text message doesn't establish standing under TCPA
On August 28, the U.S. Court of Appeals for the 11th Circuit held that receiving one unsolicited text message is not enough of a concrete injury to establish standing under the TCPA. According to the opinion, a former client of an attorney received an unsolicited “multimedia text message” from the...
InfoBytes
FFIEC urges standardized cybersecurity approach
On August 28, the FFIEC issued a press release emphasizing the benefits of implementing a standardized cybersecurity preparedness approach. The FFIEC noted that firms who adopt a standardized approach are “better able to track their progress over time, and share information and best practices with...
InfoBytes
Democratic members ask FSOC to deem cloud providers as "systemically important"
On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based...
InfoBytes
District Court: No negligent misrepresentation claims in smart-TV privacy suit
On August 20, the U.S. District Court for the District of New Jersey dismissed without prejudice a proposed class action alleging consumer fraud claims. Specifically, in 2017, the plaintiffs filed a complaint alleging that smart televisions manufactured by the defendants surreptitiously collected...
InfoBytes
State AGs and VSPs to collaborate on robocalls
On August 22, North Carolina Attorney General Josh Stein announced a bipartisan agreement between 51 state attorneys general and 12 voice service providers, adopting eight principles for fighting illegal robocalls and preventing consumer fraud. Under the principles, the voice providers will: (i)...
InfoBytes
District Court approves final call-taping settlement
On August 21, the U.S. District Court for the Central District of California issued an order granting final approval of a settlement reached between a class of California consumers and a mortgage company. The approval of the settlement resolves allegations that the company contacted delinquent...
InfoBytes
CSBS launches online tools to navigate state rules
On August 21, the Conference of State Bank Supervisors (CSBS) launched three online tools designed to assist financial institutions in navigating the state regulatory landscape and protecting against cyber risks. The tools are: (i) a portal of state agency guidance for nonbank financial services companies...
InfoBytes
District Court upholds $925 million TCPA jury verdict against direct sales company
On August 21, the U.S. District Court for the District of Oregon upheld a $925 million jury verdict against a direct sales company in a TCPA class action lawsuit, denying the company’s motion to decertify the class. According to the opinion, the named plaintiff brought the 2015 class action lawsuit...
InfoBytes
District court concludes loan servicer violated TCPA
On August 19, the U.S. District Court for the Western District of Michigan held that a Pennsylvania-based student loan servicing agency violated the TCPA by calling the plaintiffs’ cell phones over 350 times using an automatic telephone dialing system (autodialer) after consent was revoked...
InfoBytes
Illinois requires companies to report data breaches to attorney general
On August 9, the Illinois governor signed SB 1624, which requires that a single data breach involving the personal information of more than 500 Illinois residents must be reported to the state attorney general. The notice must include: (i) a description of the nature of the breach of security or...
InfoBytes
District Court approves TCPA class action settlement
On August 15, the U.S. District Court for the Northern District of California entered a final approval order and judgment to resolve class action allegations claiming a security system company and its third-party dealer violated the TCPA through the use of an automatic telephone dialing system and...
InfoBytes
9th Circuit: Plaintiffs’ face-scanning claims can proceed
On August 8, the U.S. Court of Appeals for the 9th Circuit affirmed a district court order certifying a class action suit that alleged a social media company’s face-scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). The court found that the plaintiffs alleged a...
InfoBytes
FCC adopts rules addressing spoofed texts and international robocalls
On August 1, the FCC announced the adoption of new rules that will extend the Truth in Caller ID’s prohibitions against robocalls to caller ID spoofing of text messages and international calls, and implement measures passed last year in the RAY BAUM’s Act. As previously covered by InfoBytes, the...
InfoBytes
National bank announces data breach
On July 29, a national bank announced a data breach affecting approximately 100 million individuals in the United States and approximately six million in Canada. According to the announcement, the incident occurred on July 19 when an unauthorized individual obtained personal information of credit...
InfoBytes
New York expands data breach notification laws
On July 25, the New York governor signed two bills designed to strengthen protections for consumers in the event their private information is compromised in a data breach. A 5635B, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), updates the state’s privacy law by expanding the...
InfoBytes
FTC and DOJ announce $5 billion privacy settlement with social media company; SEC settles for $100 million
On July 24, the FTC and the DOJ officially announced (see here and here) that the world’s largest social media company will pay a $5 billion penalty to settle allegations that it mishandled its users’ personal information. As previously covered by InfoBytes, it was reported on July 12 that the...
InfoBytes
Credit reporting agency agrees to multi-agency settlement over 2017 data breach
On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for...
InfoBytes
U.K.’s ICO fines real estate management company for data security failures
On July 19, the United Kingdom’s Information Commissioner’s Office (ICO) issued a £80,000 fine against a London-based real estate management company for allegedly leaving over 18,000 customers’ personal data exposed for almost two years. According to the ICO, when the company transferred personal...
InfoBytes
District Court strikes class certification from robocall suit
On July 18, the U.S. District Court for the Northern District of Illinois granted a rental car company’s (defendant) motion to strike class allegations in a TCPA suit over alleged robocalls. The plaintiff, whose telephone number was listed on a rental contract between his mother and the defendant...
InfoBytes
FTC reportedly approves $5 billion privacy settlement with social media company
On July 12, it was reported that the FTC has approved a $5 billion penalty against the world’s largest social media company for allegedly mishandling its users’ personal information. The reported settlement would be the largest privacy penalty ever levied by the agency. According to reports, the...
InfoBytes
FTC seeks comment on COPPA Rule
On July 17, the FTC released a notice seeking comment on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA Rule). The FTC last amended COPPA in 2013, and while the FTC usually reviews its rules every 10 years, the FTC notes that “[r]apid changes in technology,...
InfoBytes
8th Circuit affirms reduction in TCPA statutory damages from $1.6 billion to $32 million
On July 16, the U.S. Court of Appeals for the 8th Circuit affirmed a district court’s decision to reduce a $1.6 billion award in statutory damages for TCPA violations to $32.4 million after the court determined the original award violated the Fifth Amendment’s Due Process Clause. The named...
InfoBytes
Amanda R. Lawrence quoted in American Banker article, “Will Libra force Congress to act on data protection?”
Amanda R. Lawrence was quoted on July 14, 2019 in an American Banker article, “Will Libra force Congress to act on data protection?” which discussed Libra, Facebook's cryptocurrency plan, and how it is initiating debates over data security and privacy reform. The article stated, “One of the debates...
In The News
U.K.’s ICO announces two GDPR data breach actions
On July 8 and 9, the United Kingdom’s Information Commissioner’s Office (ICO) issued two notices of its intention to fine companies for infringements of the General Data Protection Regulation (GDPR). On July 8, the ICO announced it intended to fine a U.K.-based airline £183.39M for a September 2018...
InfoBytes
FCC Chairman proposes rules addressing spoofed texts and international robocalls
On July 8, FCC Chairman Ajit Pai proposed rules supported by a bipartisan group of more than 40 state attorneys general that would extend prohibitions against robocalls to caller ID spoofing of text messages and international calls, implementing measures passed last year in the RAY BAUM’s Act...
InfoBytes
D.C. Circuit: Receipt containing complete credit card information constitutes concrete injury
On July 2, the U.S. Court of Appeals for the D.C. Circuit reversed a district court’s ruling that a consumer lacked Article III standing to allege a violation of the Fair and Accurate Credit Transaction Act (FACTA) when a merchant included all 16 digits of her credit card account number, her full...
InfoBytes
FTC holds fourth annual PrivacyCon to address hot topics
On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics: Session...
InfoBytes
"3 key areas where the NYDFS ups the ante on cybersecurity" by Elizabeth E. McGinn (Westlaw Journal)
On March 1, the two-year transitional period under the New York State Department of Financial Services’ “Cybersecurity Requirements for Financial Services Companies” regulation expired, making all requirements effective. The cybersecurity regulation marks a shift in the governance of cybersecurity...
Articles
FTC settles with software provider over data security failures
On June 12, the FTC announced a settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in...
InfoBytes
Maine enacts consumer privacy law for internet service providers
On June 6, the Maine governor signed S.P. 275/L.D. 946, which requires certain broadband Internet access services to receive express, affirmative consent from a customer before disclosing, selling, or permitting access to a customer’s personal information. Among other things, the provisions...
InfoBytes
FCC approves robocall blocking
On June 6, the FCC approved a Declaratory Ruling and Notice of Proposed Rulemaking to address unwanted robocalls to consumers. The Declaratory Ruling affirms that voice service providers may block unwanted robocalls “based on reasonable call analytics, as long as their customers are informed and...
InfoBytes
Oregon enacts new vendor data breach notification requirements
On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i)...
InfoBytes
4th Circuit upholds certification of TCPA class action against satellite provider
On May 30, the U.S. Court of Appeals for the 4th Circuit held that a lower court correctly certified a class of individuals who claimed a satellite provider (defendant) violated the TCPA when its authorized sales representative routinely placed telemarketing calls to numbers on the national Do-Not-...
InfoBytes
NYDFS creates Cybersecurity Division
On May 22, NYDFS announced its newly created Cybersecurity Division, led by Justin Herring as Executive Deputy Superintendent, that is, according to NYDFS, “the first of its kind to be established at a banking or insurance regulator.” The new division will focus on enforcing and issuing guidance on...
InfoBytes
3rd Circuit: Commercial purpose does not make unsolicited fax an advertisement under TCPA
On May 28, the U.S. Court of Appeals for the 3rd Circuit, in a consolidated action, affirmed summary judgment that a health care provider database company’s (defendant) unsolicited fax did not violate the TCPA. According to the opinion, the defendant updated its database by sending unsolicited...
InfoBytes
FTC Commissioners discuss state privacy preemption
On May 8, the FTC Commissioners participated in a subcommittee hearing before the House Committee on Energy and Commerce entitled, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” During the hearing, the Commissioners were questioned...
InfoBytes
States enact data breach notification requirements
On May 10, the New Jersey governor signed S 52, which amends the state’s data breach notification provisions. The amendments expand the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password...
InfoBytes
Indiana sues credit reporting agency over 2017 data breach
On May 6, the Indiana Attorney General announced a lawsuit filed against a national credit reporting agency in response to its 2017 data breach, alleging the company “chose increasing revenue over protecting the safety of consumers’ sensitive personal information.” According to the complaint, the...
InfoBytes
Maryland amends security breach notification requirements
On April 30, the Maryland governor signed HB 1154 to amend current law related to security breach notification requirements. Among other provisions, HB 1154 (i) requires businesses that own, license, or maintain computerized data that includes a resident’s personal information to conduct a...
InfoBytes
2nd Circuit: Unsolicited text messages are sufficient injury under TCPA
On April 30, the U.S. Court of Appeals for the 2nd Circuit held that the receipt of unsolicited text messages, absent any additional injury, is sufficient to demonstrate injury-in-fact in a TCPA class action. According to the opinion, consumers filed a class action lawsuit against a retail store...
InfoBytes
Websites settle FTC data security allegations
On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the...
InfoBytes
11th Circuit: Increased risk of identity theft is sufficient to bring FACTA claims
On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and...
InfoBytes
4th Circuit: TCPA debt collection exemption is unconstitutional
On April 24, the U.S. Court of Appeals for the 4th Circuit vacated a district court’s decision to grant summary judgment in favor of the FCC, concluding that an exemption under the TCPA that allows debt collectors to use an autodialer to contact individuals on their cell phones when collecting...
InfoBytes
District Court rejects business owners’ Do Not Call Registry TCPA claims
On April 16, the U.S. District Court for the Eastern District of Pennsylvania granted in part and denied in part a telemarketing company’s motion to dismiss, concluding that the plaintiff did not have standing to bring some of his claims under the TCPA. According to the opinion, the plaintiff filed...
InfoBytes
District Court approves final $7.5 million TCPA class action settlement with payment processor
On April 16, the U.S. District Court for the Northern District of California granted final approval to a $7.5 million class action settlement resolving allegations that a payment processor and its sales representative violated the TCPA by using an autodialer for telemarketing purposes without first...
InfoBytes
Arkansas law stiffens criminal penalties for spoofing, robocalls
On April 4, the Arkansas governor signed SB 514, which establishes a process for state regulation of telecommunications service providers and third-party spoofing providers, and stiffens criminal penalties for persons who engage in illegal robocalling and spoofing practices. The act reclassifies “...
InfoBytes
Maryland Financial Consumer Protection Commission to disband June 30
On April 2, 10 out of the 11 Maryland Senate Finance Committee members voted in favor of a motion to consider SB 786 as “unfavorable.” The bill would have extended the effectiveness of the Maryland Financial Consumer Protection Commission (MFCPC) through June 30, 2021; however, because the bill...
InfoBytes
District Court finds text messages were not sent by autodialer
On March 29, the U.S. District Court for the Northern District of Illinois granted a telecommunication company’s summary judgment motion in a putative TCPA class action involving text messages. The plaintiff asserted that the company sent him text messages asking survey questions, even though he...
InfoBytes
District Court: “Ringless” voicemail is a “call” under the TCPA
On March 25, the U.S. District Court for the Southern District of Florida granted in part and denied in part a motion to dismiss a putative class action alleging that an auto dealer violated the TCPA by using a “ringless” voicemail platform to leave pre-recorded telemarketing voicemails on...
InfoBytes
FTC reaches settlements with mega-robocallers
On March 26, the FTC announced settlements issued against four separate operations for allegedly placing billions of illegal robocalls to consumers selling auto warranties, debt-relief services, home security systems, veterans’ charities and Google search results services. The actions are part of...
InfoBytes
North Dakota expands personal identifying information law
On March 20, the North Dakota governor signed SB 2262, which, among other things, amends the state’s law covering the unauthorized use of personal identifying information (PII). Specifically, the bill expands the definition of PII to include, (i) an individual’s payment card information; (ii) an...
InfoBytes
Virginia requires breach of personal information notification
On March 18, the Virginia governor signed HB 2396, which amends the Code of Virginia and requires an individual or entity owning or licensing computerized data that includes personal information to disclose all data breaches without “unreasonable delay” to the Virginia Attorney General and any...
InfoBytes
FTC report highlights 2018 privacy and data security work
On March 15, the FTC released its annual report highlighting the agency’s privacy and data security work in 2018. Among other items, the report highlights consumer-related enforcement activities in 2018, including: an expanded settlement with a global ride-sharing company over allegations that the...
InfoBytes
State AGs support bipartisan bill to combat illegal robocalls
On March 5, Attorneys General from all 50 states, as well as from the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, sent a letter to the Senate Committee on Commerce, Science, and Transportation supporting a recently introduced bipartisan bill to combat illegal robocalls...
InfoBytes
FTC seeks comments on Safeguards and Privacy rules
On March 5, the FTC released proposed amendments to two rules that protect the privacy and security of customer data held by financial institutions. The agency seeks comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule...
InfoBytes
Class settles data breach claims over compromised payment card data
On February 26, the U.S. District Court for the Middle District of Florida granted final approval and class certification, following a final approval hearing, to a settlement resolving class action allegations concerning a data breach involving an international fast-food chain. According to the...
InfoBytes
California AG seeks to strengthen the California Consumer Privacy Act
On February 25, the California Attorney General announced a legislative proposal that would amend several aspects of the California Consumer Privacy Act (CCPA). The CCPA was originally enacted in June 2018 (covered by a Buckley Special Alert) and subsequently amended in September 2018 (covered by...
InfoBytes
Video social networking app settles COPPA allegations
On February 27, the FTC announced a $5.7 million settlement with the operators of a video social networking app concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). Among other things, the FTC claims the operators failed to provide parents notice of its information...
InfoBytes
FCC proposes to strengthen enforcement of caller ID spoofing
On February 14, the FCC released a notice of proposed rulemaking intended to strengthen its rules against caller ID spoofing and expand the agency’s enforcement efforts against illegal spoofed text messages and phone calls, including those from overseas. The proposed rules would enact requirements...
InfoBytes
Senate Banking Committee seeks data privacy feedback
On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of...
InfoBytes
District Court concludes communications transmitter can be liable under the TCPA
On February 13, the U.S. District Court for the District of Nevada rejected a cloud communication company’s motion to dismiss a TCPA class action. According to the opinion, the plaintiffs alleged the company “collaborated as to the development, implementation, and maintenance of [a] telemarketing...
InfoBytes
FDIC issues 2018 annual report
On February 14, the FDIC released its 2018 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives...
InfoBytes
State AGs urge FTC to update identity theft rules
On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection, responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the...
InfoBytes
District Court approves final $2.5 million TCPA class action settlement
On February 8, the U.S. District Court for the Eastern District of Virginia granted final approval to a $2.5 million putative class action settlement resolving allegations that a student loan servicer violated the TCPA by using an autodialer to contact student borrowers’ credit references without...
InfoBytes
District court orders TCPA suit to mediation, states FCC’s interpretation of autodialer may take years
On February 1, the U.S. District Court for the Eastern District of Missouri issued an order referring the parties in a putative TCPA class action to mediation. The plaintiff’s complaint alleges that the defendant’s insurance company sent her text messages without her consent using an automatic...
InfoBytes
NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions
On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update...
InfoBytes
Special Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of...
Special Alerts
Final deadline approaching for NYDFS cybersecurity regulation
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services...
InfoBytes
District Court: Approval of data breach settlement denied due to several deficiencies
On January 28, the U.S. District Court for the Northern District of California denied preliminary approval of a proposed class action settlement after identifying several deficiencies with the deal. The proposed settlement was intended to resolve allegations concerning security failures by a global...
InfoBytes
FINRA provides 2019 risk monitoring and examination guidance
On January 22, the Financial Industry Regulatory Authority (FINRA) issued new guidance on areas member firms should consider when seeking to improve their compliance, supervisory, and risk management programs. The 2019 FINRA Risk Monitoring and Examination Priorities Letter (2019 Priorities Letter...
InfoBytes
"The great data breach standing circuit split" by Amanda R. Lawrence (Law360)
Data breaches are back in the news in a big way. Over the past several weeks alone, prominent hotel chains, online platforms and retailers announced significant data breaches. Unsurprisingly, in the aftermath of these disclosures, consumers filed class actions alleging that the data breaches...
Articles
District Court allows TCPA action to proceed, citing 9th Circuit autodialer definition as binding law
On January 17, the U.S. District Court for the District of Arizona denied a cable company’s motion to stay a TCPA action, disagreeing with the company’s arguments that the court should wait until the FCC releases new guidance on what constitutes an automatic telephone dialing system (autodialer)...
InfoBytes
District Court dismisses TCPA action against ride-sharing company, allows plaintiff to correct deficiencies
On January 16, the U.S. District Court for the Southern District of California granted in part and denied in part a ride-sharing company’s motion to dismiss a proposed TCPA class action, holding that the plaintiff sufficiently alleged the company is vicariously liable for the sent text messages but...
InfoBytes
Massachusetts amends legislation protecting consumers from security breaches
On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other...
InfoBytes
District Court: FCRA lawsuit passes Spokeo test, survives motion to dismiss
On January 8, the U.S. District Court for the Northern District of Illinois denied a bank’s motion to dismiss claims that it had obtained a credit report without a permissible purpose, ruling that the allegations rise above a mere procedural violation of the FCRA. According to the opinion, the...
InfoBytes
Retailer settles multistate data breach investigation for $1.5 million
On January 8, a national retailer reached a $1.5 million multistate settlement with 43 states and the District of Columbia to resolve an investigation following a 2013 data breach of customer payment card information. According to the Illinois Attorney General’s announcement, the retailer will...
InfoBytes
District Court: Privacy claims related to incentive compensation sales program can proceed
On December 31, 2018, the U.S. District Court for the District of Utah granted in part and denied in part a national bank’s motion to dismiss putative class action claims concerning the bank’s use of confidential customer information to open deposit and credit card accounts as part of its incentive...
InfoBytes
District Court concludes company’s dialing system is not an autodialer under TCPA
On December 20, the U.S. District Court for the District of New Jersey granted a student loan company’s motion for summary judgment, holding that the plaintiff failed to establish the company’s phone system qualified as an automated telephone dialing system (autodialer) under the TCPA. The...
InfoBytes
Massachusetts Attorney General settles with payment processor over data breach claims
On December 19, the Massachusetts Attorney General announced a $155,000 settlement with a California-based payment processor resolving allegations that the company exposed consumers’ personal information online in violation of consumer protection and data security laws. According to the...
InfoBytes
District Court holds “dead air” is indicative of a predictive dialer, denies TCPA dismissal bid
On December 10, the U.S. District Court for the District of New Jersey denied a medical laboratory’s motion to dismiss a putative TCPA class action against the company, holding the plaintiff sufficiently alleged the equipment used to make unsolicited calls qualified as an “autodialer.” According to...
InfoBytes
VA releases Loan Guaranty Red Flag Rules Policy
On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28, which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as “Vendee loans”), Native...
InfoBytes
New York Attorney General settles with five companies over mobile app security failures
On December 14, the New York Attorney General announced settlements with five companies, including a global payment processor, a credit reporting agency, and a credit score company, whose mobile apps allegedly failed to secure sensitive user data. As part of the Attorney General’s initiative to...
InfoBytes
FCC to create reassigned number database to reduce unwanted calls
On December 12, the FCC adopted new rules to establish a single, comprehensive database designed to reduce the number of calls inadvertently made to reassigned numbers as part of its strategy to help stop unwanted calls. According to FCC Chairman Ajit Pai, the database would enable callers to...
InfoBytes
"SEC tool could test executive online impulse control" (Legaltech News)
A message to corporate executives and their public-relations minders: One in a trillion may no longer be a reasonable guarantee of anonymity. The Securities and Exchange Commission (SEC) is confronting the difficult challenge of how to keep an eye on and sort through a fire hose of social media...
Articles
Virginia Attorney General joins bipartisan coalition to stop or reduce robocalls
On December 6, Virginia Attorney General Mark Herring announced he is joining a bipartisan group of 40 state Attorneys General to stop or reduce “annoying and dangerous” robocalls. The multistate group is reviewing, through meetings with several major telecom companies, the technology the companies...
InfoBytes
District Court rules text message inviting a responsive text does not violate TCPA
On November 29, the U.S. District Court for the District of New Jersey partially denied a company’s motion to dismiss proposed class action allegations that it violated the TCPA when it used an automatic telephone dialing system (ATDS) to send unsolicited text messages to customers’ cell phones...
InfoBytes
New York Attorney General reaches largest ever COPPA settlement to resolve violations of children’s privacy
On December 4, the New York Attorney General announced the largest Children’s Online Privacy Protection Act (COPPA) settlement in U.S. history—totaling approximately $6 million—to resolve allegations with a subsidiary of a telecommunications company that allegedly conducted billions of auctions...
InfoBytes
FTC seeks comments on identity theft detection rules
On December 4, the FTC released a request for public comment on whether the agency should make changes to its identity theft detection rules—the Red Flags Rule and the Card Issuers Rule—which require financial institutions and creditors to take certain actions to detect signs of identity theft...
InfoBytes
FTC commissioners discuss need for expanded authority over consumer data privacy and security
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and...
InfoBytes
Court grants summary judgment in favor of bank in TCPA action
On November 13, the U.S. District Court for the District of Minnesota held that a bank’s predictive dialing systems do not violate the Telephone Consumer Protection Act (TCPA), granting summary judgment for the bank. According to the opinion, a customer of a national bank changed his phone number...
InfoBytes
FTC emphasizes need for privacy and data security legislation
On November 13, the FTC submitted comments in response to the Department of Commerce’s National Telecommunications and Information Administration (NTIA) request for input on developing the Administration’s approach to consumer data privacy protections. In its comment letter, the FTC noted that it...
InfoBytes
FCC urges voice providers to participate in spoofed robocalls “traceback” program
On November 6, the FCC announced that it sent letters to voice providers urging them to participate in “traceback” efforts to help the FCC identify the source of illegal spoofed robocalls. The FCC released copies of the letters that it sent to eight voice providers that are not currently assisting...
InfoBytes
FFIEC issues joint statement on OFAC Cyber-Related Sanctions Program
On November 5, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to the potential impact that the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) recent actions under its Cyber-Related Sanctions...
InfoBytes
Debt collector settles for $9 million over allegedly illegal calling practices
On October 30, a third-party debt collector and its affiliates (defendants) entered into a stipulated final judgment in the Superior Court of California to settle a consumer protection lawsuit brought by the state of California over allegedly illegal debt collection calling practices. According to...
InfoBytes
District Court rejects motion to dismiss robocall claims, says predictive dialer is autodialer
On October 30, the U.S. District Court for the Western District of Wisconsin denied a company’s motion to dismiss allegations that it violated the TCPA when it used a predictive dialer to try to collect a debt from the plaintiff. According to the opinion, the plaintiff alleged the company called...
InfoBytes
9th Circuit denies petition for en banc rehearing of TCPA action against gym
On October 30, the U.S. Court of Appeals for the 9th Circuit denied a California gym’s petition for a rehearing en banc of the court’s September decision reviving a TCPA putative class action. As previously covered by InfoBytes, the appeals court vacated a district court order granting summary...
InfoBytes
FTC to hold public hearings on consumer privacy and data security; focus will address data security enforcement program
On October 26, the FTC announced it will hold four days of public hearings in December 2018 and February 2019 to examine the Commission’s authority to deter unfair and deceptive conduct in data security and privacy matters as part of its broader series of hearings on “Competition and Consumer...
InfoBytes
NYDFS updates cybersecurity FAQs to address use of utilization review agents
On October 25, NYDFS provided a new update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered...
InfoBytes
FTC approves final expanded settlement with global ride-sharing company over data breaches
On October 26, the FTC announced its final approval of an expanded settlement with a global ride-sharing company over allegations that the company violated the FTC Act by deceiving consumers regarding the company’s privacy and data practices. Specifically, the company allegedly failed to closely...
InfoBytes
"‘Reasonable security’: A moving target" by Elizabeth E. McGinn (Cyber Security)
The concept of ‘reasonable security’ for personal information maintained by financial institutions began with the Gramm-Leach-Bliley Act (GLBA). On 12th November, 1999, Congress enacted GLBA, a landmark privacy and data security law which required the federal financial regulatory agencies to...
Articles
FTC to review potential updates to federal privacy rules
On October 17, as part of its fall 2018 rulemaking agenda, the FTC announced that it plans to review potential updates to federal privacy rules on how banks protect consumer data. The planned recommendation—scheduled to be presented to FTC commissioners at the end of November—will incorporate...
InfoBytes
Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and...
InfoBytes
Coalition of state Attorneys General encourages FCC to create rules to block illegal robocalls
On October 8, a coalition of 35 state Attorneys General submitted reply comments in response to a public notice seeking ways the FCC could create rules that will enable telephone service providers to block illegal robocalls. In their comments to the FCC, the coalition encourages the FCC to...
InfoBytes
"FTC v. D-Link Systems and the internet of things" by Elizabeth E. McGinn and John B. Williams (Westlaw)
As businesses expand the availability of internet-connected devices, Buckley Sandler LLP attorneys Elizabeth McGinn, John Williams and Christopher Walczyszyn address the Federal Trade Commission’s role in regulating and enforcing “internet of things” device security to protect consumers’ data...
Articles
FCC seeks comments on interpretation of TCPA definition of autodialer following 9th Circuit decision
On October 3, the FCC’s Consumer and Governmental Affairs Bureau released a notice seeking comment on the interpretation of the TCPA in light of a recent 9th Circuit decision, which broadened the definition of an automatic telephone dialing system (autodialer) under the TCPA. As previously covered...
InfoBytes
DOJ issues updated cybersecurity incident response guidance
On September 28, the DOJ issued updated guidance originally presented the day before at a cybersecurity roundtable discussion on best practices for companies when responding to and reporting cybersecurity incidents. Officials from the DOJ, National Security Council, and the Department of Homeland...
InfoBytes
SEC penalizes investment company $1 million for cyber security failings
On September 26, the SEC announced a settlement with an Iowa-based broker-dealer and investment advisement company, which agreed to pay $1 million to resolve allegations that the company violated the Safeguards Rule and the Identity Theft Red Flags Rule arising out of the company’s failure to...
InfoBytes
Global technology companies testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On September 26, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Examining Safeguards for Consumer Data Privacy” to discuss whether federal lawmakers should write a broad federal online privacy law in the wake of the European Union’s General Data Protection...
InfoBytes
Global ride-sharing company settles with state Attorneys General for $148 million over data breach
On September 26, the California Attorney General announced that a global ride-sharing company reached a joint settlement with all 50 state Attorneys General and the District of Columbia for $148 million to resolve allegations that the company failed to safeguard user data and to notify authorities...
InfoBytes
Department of Commerce requests comments on new federal approach to consumer privacy rules
On September 26, the National Telecommunications and Information Administration (NTIA) published a notice and request for comments on behalf of the Department of Commerce seeking input from stakeholders on ways to address consumer privacy concerns while protecting prosperity and innovation. The...
InfoBytes
FCC fines health insurance lead generator $82 million for spoofed robocalls
On September 26, the FCC announced that it fined a telemarketer and associated companies more than $82 million for using allegedly illegal caller ID spoofing to market and generate leads for health insurance sales in violation of the Truth in Caller ID Act (the Act). The Act prohibits telemarketers...
InfoBytes
OCC releases bank supervision operating plan for fiscal year 2019
On September 26, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (Plan) for fiscal year 2019. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (...
InfoBytes
California amends the California Consumer Privacy Act of 2018
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various...
InfoBytes
Court sends class action TCPA suit against global ride-sharing company to arbitration
On September 20, the U.S. District Court for the Northern District of Illinois granted a global ride-sharing company’s motion for summary judgment, ruling that a user had consented to arbitrate any disputes when he signed up for an account with the company. Specifically, the named plaintiff of the...
InfoBytes
California law requires credit reporting agencies to address security vulnerabilities
On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement...
InfoBytes
District Court holds hotel calling system is not an autodialer under TCPA
On September 24, the U.S. District Court for the Middle District of Florida held that a hotel calling system, which required human intervention before a call was placed, does not qualify as an automatic telephone dialing system (autodialer) under the TCPA. The plaintiff filed the putative class...
InfoBytes
9th Circuit ruling broadens the definition of automatic telephone dialing system under TCPA
On September 20, the U.S. Court of Appeals for the 9th Circuit vacated the district court’s order granting summary judgment in a TCPA action, in light of the recent D.C. Circuit opinion in ACA International v. FCC (covered by a Buckley Sandler Special Alert). The case arises from a plaintiff’s...
InfoBytes
Free security freezes available nationwide
On September 21, the FTC announced the nationwide availability of free security freezes and one-year fraud alerts, which were authorized under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA). Specifically, Section 301 of EGRRCPA prohibits a national credit reporting...
InfoBytes
New Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data
On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the...
InfoBytes
California governor signs amendments requiring the furnishing of customer account information associated with certain crime reports
On September 6, the governor of California signed amendments to the California Right to Financial Privacy Act to provide various state and local agencies—including the police, sheriff’s department, or district attorney in the state—the authorization to request information from financial...
InfoBytes
New Jersey Attorney General announces settlement with data management software company over auto dealer data breach claims
On September 7, the New Jersey Attorney General announced a settlement with an Iowa-based data management software company related to an alleged data breach that exposed the personally identifiable information (PII) of auto dealership customers across the country. According to the consent order,...
InfoBytes
Court approves $8.5 million class action settlement with global money service for alleged TCPA violations
On August 31, the U.S. District Court for the Northern District of Illinois approved an $8.5 million class action settlement resolving allegations that a global money service violated the Telephone Consumer Protection Act (TCPA) by sending unsolicited text messages to class members. While the court...
InfoBytes
NYDFS launches online registration form for credit reporting agencies to comply with new regulation
On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s...
InfoBytes
Court approves $115 million settlement for health insurer data breach
On August 15, the U.S. District Court for the Northern District of California issued final approval for a $115 million class action settlement to resolve claims stemming from a large health insurer’s 2015 data breach. As previously covered by InfoBytes, in June 2017, the health insurer and...
InfoBytes
NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs
On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial...
InfoBytes
Court rejects mortgage company’s motions to dismiss in two separate TCPA actions
On August 2, the U.S. District Court for the District of New Jersey denied a mortgage company’s motions to dismiss in two putative class actions (opinions available here and here) alleging violations of the Telephone Consumer Protection Act (TCPA) for unsolicited phone calls. In both cases, the...
InfoBytes
CFPB amends Regulation P, provides exemptions for annual privacy notice requirement
On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally...
InfoBytes
FTC seeks comments on possible adjustments to privacy and data security rulemaking authority
On August 6, the FTC published a request for comments in the Federal Register—in advance of a series of 15 to 20 public hearings scheduled to start this September—on whether the agency should make adjustments to competition and consumer protection law, enforcement priorities, and policy in light...
InfoBytes
Conference of State Bank Supervisors supports legislation to coordinate federal and state examinations of third-party service providers
On July 12, the Conference of State Bank Supervisors (CSBS) issued a statement to the Senate Banking Committee, offering support for legislation that would “enhance state and federal regulators’ ability to coordinate examinations of, and share information on, banks’ [third-party technology service...
InfoBytes
FTC announces settlement with California company over EU-U.S. Privacy Shield false certification claims
On July 2, the FTC announced it had reached a settlement with a California-based company over allegations that it falsely claimed participation in the European Union-U.S. Privacy Shield framework, EU-U.S. Privacy Shield. According to the FTC, the company’s false claim that it was in the process of...
InfoBytes
Buckley Special Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of...
InfoBytes
Credit reporting agency agrees to cybersecurity corrective action with eight state regulators
On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was...
InfoBytes
New York regulation requires all credit reporting agencies to register with NYDFS
On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity...
InfoBytes
District Court grants preliminary approval of TCPA class action settlement
On June 25, the U.S. District Court for the Northern District of California issued an order preliminarily approving a class action settlement between class members and a student loan management enterprise (defendants) accused of violating the Telephone Consumer Protection Act (TCPA) by using an...
InfoBytes
3rd Circuit affirms summary judgment for internet company in TCPA action
On June 26, the U.S. Court of Appeals for the 3rd Circuit affirmed summary judgment for a global internet media company holding that the plaintiff failed to show the equipment the company used fell within the definition of “automatic telephone dialing system” (autodialer) based on the recent holding...
InfoBytes
Rhode Island and New Hampshire prohibit security freeze fees
On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in...
InfoBytes
"The devil is in the details: LabMD imposes limitations on the FTC’s enforcement authority" by Elizabeth E. McGinn and Sasha Leonhardt (Cybersecurity Law Report)
In the latest data security case with significant implications for all enforcement actions, the United States Court of Appeals for the Eleventh Circuit struck down a cease-and-desist order as impermissibly vague. By ruling against the FTC in its long-running and contentious dispute with LabMD, the...
Articles
8th Circuit affirms $17 million class settlement for retailer data breach
On June 13, the U.S. Court of Appeals for the 8th Circuit affirmed the district court’s ruling approving a $17 million class settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of...
InfoBytes
Illinois, Connecticut, and Hawaii pass security freeze legislation
On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately...
InfoBytes
District Court grants preliminary injunction in FTC search engine suit
On June 6, the U.S. District Court for the Southern District of Florida granted the FTC’s request for preliminary injunction against an individual defendant and the company he owns and manages (stipulating defendants) for allegedly violating the FTC Act by making robocalls to small business owners...
InfoBytes
11th Circuit vacates FTC data security cease and desist order issued against medical testing laboratory
On June 6, the U.S. Court of Appeals for the 11th Circuit vacated an FTC cease and desist order (Order) that directed a Georgia-based medical testing laboratory to overhaul its data security program, ruling that the Order was unenforceable because it lacked specifics on how the overhaul should be...
InfoBytes
FTC files complaint against two operations allegedly responsible for making billions of illegal robocalls
On June 5, the FTC announced charges filed against two individuals and their related operations (defendants) for allegedly facilitating billions of robocalls to consumers across the country through a telephone dialing platform in violation of the FTC Act, the Telemarketing and Consumer Fraud and...
InfoBytes
Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement
On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered...
InfoBytes