Privacy and Data Security Resource Center
Introduction
Buckley provides regulatory, strategic advice and litigation advocacy to financial services clients on matters involving the full spectrum of privacy and data security issues affecting their business operations. Our attorneys assist clients in addressing privacy and data security issues by proactively identifying and managing risks to the organization and its customers, aggressively addressing data security incidents, and responding to regulatory examinations, enforcement actions and litigation involving privacy or data security compliance.
Members of the group frequently speak at privacy and data security and financial institutions conferences including those of the International Association of Privacy Professionals, the RSA Conference, the American Conference Institute, the Practising Law Institute, the Information System Security Association, and the International Information Systems Security Certification Consortium. Group members also have authored articles and papers on privacy and data security topics.
Thought Leadership & Analysis
Montana becomes the ninth state to enact comprehensive privacy legislation
On May 19, the Montana governor signed SB 384 to enact the Consumer Data Privacy Act (CDPA) and establish a framework for controlling and processing consumer personal data in the state. Montana is now the ninth state in the nation to enact comprehensive consumer privacy measures, following...
FTC, DOJ sue maker of health app over data sharing
On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized...
FTC proposes changes to Health Breach Notification Rule
On May 18, the FTC issued a notice of proposed rulemaking (NPRM) and request for public comment on changes to its Health Breach Notification Rule (Rule), following a notice issued last September (covered by InfoBytes here) warning health apps and connected devices collecting or using consumers’...
Tennessee becomes 8th state to enact comprehensive privacy legislation
On May 11, the Tennessee governor signed HB 1181 to enact the Tennessee Information Protection Act (TIPA) and establish a framework for controlling and processing consumers’ personal data in the state. Tennessee is now the eighth state in the nation to enact comprehensive consumer privacy measures...
France fines facial recognition company additional €5.2 million for noncompliance
On May 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a facial recognition company an overdue penalty payment in the amount of €5.2 million for failing to comply with an October order. As previously covered by InfoBytes, last fall CNIL...
CFPB general counsel highlights risks in payments industry
On May 9, CFPB General Counsel and Senior Advisor to the Director, Seth Frotman, discussed the evolution of the payments system and its significant impact on consumer financial protection. Speaking before the Innovative Payments Association, Frotman commented that over the past few years, growth in...
Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged...
District Court dismisses FTC’s privacy claims in geolocation action
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling...
EU court says non-material damages in unlawful data processing may be eligible for compensation
On May 4, the Court of Justice of the European Union (CJEU) issued a judgment concluding that while not every infringement of the EU’s data protection law gives rise, by itself, to a right to compensation, non-material damage resulting from unlawful processing of data can be eligible for...
ID verifier to pay $28.5 million to settle BIPA allegations
On May 5, the U.S. District Court for the Northern District of Illinois preliminarily approved an amended class action settlement in which an identification verification service provider agreed to pay $28.5 million to settle allegations that it violated the Illinois Biometric Information Privacy...
Indiana becomes seventh state to enact comprehensive privacy legislation
On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and...
House committee continues federal privacy legislation discussions
On April 27, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Addressing America’s Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans’ Personal Information” to continue...
Washington State passes new health data privacy measures
On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and...
Washington enacts robocall measures
On April 20, the Washington governor signed HB 1051 to expand existing provisions regulating robocalls and telephone solicitations and prohibit abusive telephone communications that mislead or harm state residents. In doing so, the Act extends liability to “persons who provide substantial...
Kansas enacts financial institutions information security act
On April 20, the Kansas governor signed SB 44 to enact the Kansas financial institutions information security act. The Act establishes information security standards for covered entities, and applies to credit service organizations, mortgage companies, supervised lenders, money transmitters, trust...
FTC testifies on privacy efforts
On April 18, FTC Chair Lina M. Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya testified before the House Energy and Commerce Subcommittee on Innovation, Data, and Commerce on the agency’s efforts to protect consumers from unfair or deceptive practices and unfair methods of competition...
New York AG releases guide for businesses to protect consumer’s personal information
On April 19, the New York attorney general released a data security guide to help businesses adopt effective data security measures for protecting state residents’ personal information. The guide outlines recommendations for preventing data breaches and securing personal information, and discusses...
FSB: Greater convergence needed in cyber-incident reporting
On April 13, the Financial Stability Board (FSB) released a series of recommendations for achieving “greater convergence” in cyber-incident reporting (CIR). Issued at the request of the G-20, the final report draws from FSB’s body of work on cybersecurity, as well as its engagement with external...
NYDFS, crypto payment company reach AML/cybersecurity settlement
On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200...
District Court upholds arbitration in website terms of use
On March 28, the U.S. District Court for the Western District of North Carolina ruled that class members must arbitrate their claims against an online lending marketplace relating to a 2022 data breach that affected current, former, and prospective customers. The court found that a mandatory...
Iowa becomes sixth state to enact comprehensive privacy legislation
On March 28, the Iowa governor signed SF 262, establishing a framework for controlling and processing consumers’ personal data in the state. Iowa is now the sixth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, and Utah (...
California OAL approves CCPA regulations
On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately...
Law firm settles breach claims related to health care data
On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and...
Utah amends disclosure requirements for data breaches
On March 23, the Utah governor signed SB 127, which, among other things, requires additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah...
FTC finalizes gaming company order on dark patterns
On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to...
FTC asks how cloud computing affects competition and data security
On March 22, the FTC announced it is seeking information on cloud computing providers’ business practices with respect to the potential impact on competition and data security. FTC staff noted that the agency is also interested in how cloud computing is impacting specific industries, including...
Colorado finalizes privacy rules
On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by...
FCC regulations target scam robotexts
On March 16, the FCC adopted its first regulations specifically targeting scam text messages sent to consumers. Recognizing that robotexts are generally covered under the TCPA’s limits against unwanted calls to mobile phones, the FCC stated that the new regulations will require mobile service...
SEC proposes new cybersecurity requirements
On March 15, a divided SEC issued several proposed amendments to the agency’s cybersecurity-related rules. The first is a proposed rule that would implement cybersecurity requirements for participants in the securities market, including broker-dealers, clearing agencies, and major security-based...
Software company to pay $3 million to SEC for misleading disclosures about ransomware attack
On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect...
Design firm to settle False Claims Act allegations related to cybersecurity failures
On March 14, the DOJ announced a $293,771 settlement with a design company to resolve alleged False Claims Act (FCA) violations related to failures in its cybersecurity practices. According to the DOJ, the company failed to secure personal information on a federally-funded Florida children’s health...
District Court approves $1.75 million data breach settlement
On March 3, the U.S. District Court for the Central District of California granted final approval of a $1.75 million class action settlement resolving allegations related to a 2020 data breach that compromised nearly 100,000 individuals’ personally identifiable information, including financial...
HHS releases health care cybersecurity guide
On March 8, the Department of Health and Human Services (HHS) released a cybersecurity implementation guide to help public and private health care sectors prevent cybersecurity incidents. The Cybersecurity Framework Implementation Guide was developed jointly with the Administration for Strategic...
District Court says EFTA applies to cryptocurrency
On February 22, the U.S. District Court for the Southern District of New York partially granted a cryptocurrency exchange’s motion to dismiss allegations that its inadequate security practices allowed unauthorized users to drain customers’ cryptocurrency savings. Plaintiffs claimed the exchange and...
House committees move forward on data privacy
On March 1, the House Subcommittee on Innovation, Data, and Commerce, a subcommittee of the House Energy and Commerce Committee, held a hearing entitled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” to continue discussions on the need for...
4th Circuit remands privacy suit to state court
On February 21, the U.S. Court of Appeals for the Fourth Circuit held that a proposed class action over website login procedures belongs in state court. Plaintiff alleged that after a nonparty credit reporting agency experienced a data breach, it used the defendant subsidiary’s website to inform...
FTC orders refunds over compromised health data
On March 2, the FTC filed a complaint against an online counseling service alleging the respondent violated the FTC Act by monetizing consumers’ sensitive health data for targeted advertising purposes. As part of the process to sign up for the respondent’s counseling services, consumers are...
Biden administration releases National Cybersecurity Strategy
On March 2, the Biden administration announced the release of its National Cybersecurity Strategy (Strategy) in a continued effort to provide a safe and secure digital ecosystem for Americans. The Strategy, which expands on other steps taken by the administration in this space (covered by InfoBytes...
Illinois Supreme Court says BIPA claims accrue with every transmission
On February 17, the Illinois Supreme Court issued a split decision holding that under the state’s Biometric Information Privacy Act (BIPA), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The plaintiff filed a...
Treasury official highlights fintech, crypto assets, and cloud services challenges
On February 15, Treasury Assistant Secretary for Financial Institutions Graham Steele delivered remarks before the Exchequer Club of Washington, D.C., during which he discussed the U.S. Treasury Department’s financial institutions agenda on fintech, cryptocurrency, and cloud service providers...
NCUA approves final cyber incident reporting rule
On February 16, the NCUA approved a final rule that requires federally-insured credit unions (FICUs) to notify the agency as soon as possible (and no later than 72 hours) after a FICU “reasonably believes that a reportable cyber incident has occurred.” Specifically, the rule requires FICUs to...
EU says EU-US Data Privacy Framework lacks adequate protections
On February 14, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs released a draft motion for a resolution concerning the adequacy of protections afforded under the EU-US Data Privacy Framework. As previously covered by InfoBytes, last October President Biden signed...
Bowman discusses bank and third-party cyber risk management expectations
On February 15, Federal Reserve Board Governor Michelle W. Bowman delivered remarks at the Midwest Cyber Workshop, during which she discussed topics related to third-party service provider reliance and regulatory expectations concerning cyber risk management. “While we expect banks to be in touch...
Colorado releases privacy act updates
Last month, the Colorado attorney general released a third version of draft rules to implement and enforce the Colorado Privacy Act (CPA). A hearing on the proposed draft rules was held February 1. As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework...
SEC proposes revisions to Privacy Act
On February 14, the SEC issued a proposed rule to revise the Commission’s regulations under the Privacy Act of 1974, as amended. The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained by the federal agencies. Under the Privacy...
California’s privacy agency finalizes CPRA regulations
On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, who will have 30 working days to...
Treasury reports on risks to financial firms adopting cloud services
On February 8, the U.S. Treasury Department launched the interagency Cloud Services Steering Committee in an effort to improve regulatory and private sector cooperation and develop best practices for cloud-adoption frameworks and contracts. As part of the announcement, Treasury released a first-of-...
FTC bans health vendor from sharing consumer info with advertiser
On February 1, the DOJ filed a complaint on behalf of the FTC against a telehealth and prescription drug discount provider for allegedly violating the FTC Act and the Health Breach Notification Rule by failing to notify consumers that it was disclosing their personal health information to third...
Illinois Supreme Court sets five-year SOL for section 15 BIPA violations
On February 2, the Illinois Supreme Court held that under the state’s Biometric Information Privacy Act (BIPA), individuals have five years to assert violations of section 15 of the statute. The plaintiff sued his former employer claiming that by scanning his fingerprints, the company violated...
FTC finalizes data-security order with ed tech provider
On January 27, the FTC finalized an order with an education technology (ed tech) provider which claimed that the provider’s lax data security practices led to the exposure of millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords...
NIST releases new AI framework to help organizations mitigate risk
On January 26, the National Institute of Standards and Technology (NIST) released voluntary guidance to help organizations that design, deploy, or use artificial intelligence (AI) systems mitigate risk. The Artificial Intelligence Risk Management Framework (developed in close collaboration with the...
California investigating mobile apps’ CCPA compliance
On January 27, the California attorney general announced an investigation into mobile applications’ compliance with the California Consumer Privacy Act (CCPA). The AG sent letters to businesses in the retail, travel, and food service industries who maintain popular mobile apps that allegedly fail...
U.S. messaging service fined €5.5 million for GDPR violations
On January 19, the Irish Data Protection Commission (DPC) announced the conclusion of an inquiry into the data processing practices of a U.S.-based messaging service’s Ireland operations and fined the messaging service €5.5 million. The investigation was part of a broader GDPR compliance inquiry...
9th Circuit reverses decision in COPPA suit
In December, the U.S. Court of Appeals for the Ninth Circuit reversed and remanded a district court’s decision to dismiss a suit alleging that a multinational technology company used persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their...
FTC finalizes data breach order with online alcohol marketplace
On January 10, the FTC announced it has finalized an order with a company that operates an online alcohol marketplace, along with its CEO, related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. As previously covered by InfoBytes, the FTC alleged...
District Court approves $11 million data breach settlement
On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including...
District Court preliminarily approves data breach suit
On January 9, the U.S. District Court for the District of New Mexico granted preliminary approval of a class action settlement in a data breach suit that allegedly compromised approximately 191,000 individuals’ personally identifiable information (PII). According to the plaintiffs’ motion, the...
FCC chair asks Congress to act on robocalls
In December, FCC Chair Jessica Rosenworcel sent a letter to twelve senators in response to their June 2022 letter inquiring about combating robocalls. In the letter, Rosenworcel highlighted the FCC’s efforts to combat robocalls by discussing the agency’s “important” proposed rules, adopted in May...
Agencies highlight downpayment assistance, child privacy in regulatory agendas
Recently, the Office of Information and Regulatory Affairs released fall 2022 regulatory agendas for the FTC and HUD. With respect to an FTC review of the Children’s Online Privacy Protection Rule (COPPA) that was commenced in 2019 (covered by InfoBytes here), the Commission stated in its...
Social media users denied preliminary injunction in privacy suit
On December 22, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for preliminary injunction in a privacy suit. According to the order, the plaintiffs alleged that the social media company improperly acquired their confidential health information in violation...
FCC proposes new data breach notification requirements
On January 6, the FCC announced a notice of proposed rulemaking (NPRM) to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). FCC Chairwoman Jessica Rosenworcel noted...
France fines software company €60 million for data violations
In December, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €60 million penalty against a global software development company accused of making it harder for users of its search engine to reject cookies than to accept them. Based on...
Irish DPC fines global social media company €390 million over targeted ads
On January 4, the Irish Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing practices of a global social media company’s European operations. Collectively, the DPC imposed fines totaling €390 million against the company for allegedly requiring users...
Colorado releases second draft of Colorado Privacy Act rules
On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1,...
California privacy agency holds public meeting on CPRA
On December 16, the California Privacy Protection Agency (CPPA) Board held a public meeting to discuss the ongoing status of the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was...
Gaming company to pay $520 million to resolve FTC allegations
On December 19, the DOJ filed a complaint on behalf of the FTC against a video game developer for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by failing to protect underage players’ privacy. The FTC also alleged in a separate administrative complaint that the company...
FINRA alerts firms about rising ransomware risks
On December 14, FINRA issued Regulatory Notice 22-29, alerting member firms about the increasing number and sophistication of ransomware incidents. FINRA explained that the proliferation in ransomware attacks can be attributed in part to the increased use of technology and continued adoption of...
G7 Cyber Expert Group releases reports on ransomware and third-party risk
On December 8, the G7 Cyber Expert Group (CEG) – co-chaired by the Bank of England and the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure – released two reports addressing ransomware and third-party risk in the financial sector. According to the announcement, the...
Parties reach agreement to resolve data scraping allegations
On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking...
Social media platform awarded $365,000 in scraping suit
On December 8, the U.S. District Court for the Northern District of California enjoined a data trading company (defendant) from accessing a social media platform (plaintiff), and ordered it to pay $361,790 in attorney fees and $3,640 in court costs to the platform. According to the complaint, the...
OCC warns of crypto-asset and cybersecurity risks facing the federal banking system
On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized...
Appellate court reverses BIPA decision
On November 30, the Illinois Court of Appeal for the Fourth Appellate District reversed and remanded a trial court’s decision to grant a defendant plating company’s motion for summary judgment in a Biometric Information Privacy Act (BIPA) suit. The plaintiff began working for the defendant in 2014...
9th Circuit revives data breach class action against French cryptocurrency wallet provider
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by...
Republicans say social media company made misleading statements on China data-sharing practices
On November 22, Ranking Member James Comer (R-KY), Committee on Oversight and Reform, and Ranking Member Cathy McMorris Rodgers (R-WA), Committee on Energy and Commerce, sent a follow-up letter to a global social media company claiming it may have provided misleading or false information about its...
Hair clinic must pay $500,000 to resolve data breach
On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s...
Irish DPC fines global social media company €265 million over data scraping claims
On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU...
EU increases financial sector cybersecurity
On November 28, the Council of the European Union (EU) announced that it adopted legislation for a new cybersecurity directive intended to improve resilience and incident response capacities across the EU by replacing the NIS, the current directive on the security of network and information systems...
States ask FTC to increase consumer data privacy protections
On November 17, the Massachusetts attorney general announced that a coalition of more than 30 state AGs sent a letter to the FTC urging the Commission to consider the heightened sensitivity around consumers’ medical data, biometric data, and location data, along with other dangers that arise from...
ECJ invalidates AML directive granting public access to beneficial ownership information
On November 22, the European Court of Justice (ECJ) announced a ruling invalidating a provision of the 2018 amended EU anti-money laundering directive that guaranteed public access to the beneficial ownership information of legal entities incorporated within member states. The case was referred to...
Senators urge FTC to investigate social media company’s privacy compliance
On November 17, seven Democratic senators sent a letter to FTC Chair Lina Khan requesting that the Commission investigate whether recent changes made to a global social media company will impact the company’s compliance with privacy and security regulations. The senators also encouraged Khan to...
FCC says consent is required for ringless voicemails
On November 21, the FCC issued a declaratory ruling that entities using ringless voicemail products must first obtain a consumer's consent prior to using the product to leave voicemails. According to the FCC, it receives “dozens of consumer complaints annually related to ringless voicemail.” The...
Senate Banking grills regulators on crypto
On November 15, the Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of Financial Regulators: A Strong Banking and Credit Union System for Main Street” to hear from federal financial regulators about growing risks related to bank mergers, bailouts, climate...
FTC extends compliance on some Safeguards provisions
On November 15, the FTC announced that covered financial institutions now have until June 9, 2023, to comply with certain updated Safeguards Rule requirements. The Commission issued this extension based on reports, including a letter from the SBA’s Office of Advocacy, that a shortage of qualified...
District Court says university is a financial institution exempt from state privacy law
On November 4, the U.S. District Court for the Northern District of Illinois granted a defendant university’s motion to dismiss Illinois’ Biometric Information Privacy Act claims (BIPA), ruling that because the defendant participates in the Department of Education’s Federal Student Aid Program, it...
InfoBytes
Tech company to pay $391.5 million to resolve data tracking allegations
On November 10, forty states and a multinational technology company reached a $391.5 million settlement resolving allegations that the company tracked users’ locations even after they believed the feature was turned off. According to the assurance of voluntary compliance, the company allegedly...
InfoBytes
NYDFS amends cybersecurity regs
On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’...
InfoBytes
States reach multi-million dollar CRA data breach settlement
On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers...
InfoBytes
District Court preliminarily approves $2.35 million settlement for card data breach
On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained...
InfoBytes
District Court: Unclear when networking site became aware of data scraping
On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using...
InfoBytes
District Court preliminarily approves $4.3 million data breach settlement
On November 4, the U.S. District Court for the Eastern District of Michigan granted preliminary approval of a $4.3 million class action settlement regarding a data breach, following the filing of the plaintiffs’ unopposed motion for preliminary approval of class action settlement. After a plaintiff...
InfoBytes
Pennsylvania amends privacy bill
On November 3, the Pennsylvania governor signed SB 696 to amend the Breach of Personal Information Notification Act. The bill, among other things, prohibits employees of the Commonwealth from using non-secured Internet connections. The bill also includes data storage policy provisions, which...
InfoBytes
CPPA says comments on modified draft privacy rules due November 21
On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA...
InfoBytes
FTC’s annual PrivacyCon focuses on consumer privacy and security issues
On November 1, the FTC held its annual PrivacyCon event, which hosted research presentations on a wide range of consumer privacy and security issues. Opening the event, FTC Chair Lina Khan stressed the importance of hearing from the academic community on topics related to a range of privacy issues...
InfoBytes
Plaintiff wins $148,000 in data breach suit
On November 3, the U.S. District Court for the District of Minnesota granted a plaintiff technical consulting and software development company’s motion for summary judgment in a data breach suit. According to the order, an unknown bad actor gained unauthorized access to the email account of a...
InfoBytes
Republican senators oppose FTC’s ANPR on data privacy and security
On November 3, three Republican Senators sent a letter to FTC Chair Lina Khan expressing their opposition to the FTC’s Advance Notice of Proposed Rulemaking (ANPR) for the Trade Regulation Rule on Commercial Surveillance and Data Security. As previously covered by InfoBytes, in August the FTC...
InfoBytes
FTC takes action against ed tech provider for lax data security
On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and...
InfoBytes
Treasury official discusses cyber threats to financial sector
On November 1, Deputy Secretary of the Treasury Wally Adeyemo provided an update during the semi-annual joint session of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) on Treasury’s efforts to protect the agency...
InfoBytes
FinCEN reports significant increase in ransomware-related BSA filings in 2021
On November 1, FinCEN reported that ransomware continues to pose a significant threat to U.S. infrastructure, businesses, and the public, with ransomware-related Bank Secrecy Act (BSA) filings in 2021 accounting for nearly $1.2 billion. Issued pursuant to the Anti-Money Laundering Act of 2020,...
InfoBytes
EU Court of Justice says controllers of personal data must take reasonable steps to inform third parties when consumer consent is withdrawn
On October 27, the European Court of Justice (ECJ) held that controllers of personal data must take reasonable steps to inform other controllers when a data subject withdraws consent. The decision stems from a request made by a subscriber to a Belgian telecommunications provider to not have his...
InfoBytes
CISA releases new cybersecurity performance goals
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a new report outlining baseline cross-sector cybersecurity performance goals (CPGs) for all critical infrastructure sectors. The report follows a July 2021 national security memorandum issued by President Biden, which...
InfoBytes
FFIEC updates 2018 Cybersecurity Resource Guide for Financial Institutions
On October 27, the FDIC issued FIL-50-2022 related to recent updates made to the Federal Financial Institutions Examination Council’s (FFIEC) 2018 Cybersecurity Resource Guide for Financial Institutions. The FFIEC guide is designed to assist financial institutions in meeting their security control...
InfoBytes
CFPB seeks additional public input on big tech payment platforms
On October 31, the CFPB announced it will reopen the public comment period for 30 days on a 2021 notice and request for comment related to the Bureau’s inquiry into big tech payment platforms. In October 2021, the Bureau issued orders to six large U.S. technology companies seeking information and...
InfoBytes
CFPB launches rulemaking on consumers’ rights to their data
On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data...
InfoBytes
District Court approves data scrape settlement
On October 20, the U.S. District Court for the Northern District of California granted final approval to a class action settlement resolving claims that a social media platform (defendant) scraped consumer data for advertising purposes. According to the plaintiffs’ motion for preliminary approval,...
InfoBytes
District Court preliminarily approves data breach settlement
On October 24, the U.S. District Court for the District of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for...
InfoBytes
FTC’s proposed breach order would apply personally to CEO
On October 24, the FTC announced an action against a company operating an online alcohol marketplace and its CEO related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. The FTC alleged in its complaint that the respondents were alerted to problems...
InfoBytes
France fines facial recognition company €20 million for GDPR violations
On October 20, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €20 million penalty against a facial recognition company for violating the EU’s General Data Protection Regulation (GDPR). In 2020, CNIL opened an investigation after receiving...
InfoBytes
UK Information Commissioner fines company £4.4 million for data breach
On October 24, the UK Information Commissioner fined a construction company £4.4 million for a data breach that allegedly allowed hackers to access thousands of employees’ personal data. According to the monetary penalty notice, the company failed to process personal data in a manner that ensured...
InfoBytes
California’s privacy agency amends draft privacy rules ahead of meeting
In advance of an upcoming meeting of the California Privacy Protection Agency Board (CPPA) scheduled for October 28-29, the agency posted updated draft rules for implementing the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023,...
InfoBytes
NYDFS reaches $4.5 million settlement over cybersecurity violations
On October 18, NYDFS announced a $4.5 million settlement with a licensed health insurance company for alleged violations of the Department’s Cybersecurity Regulation (23 NYCRR Part 500), which contributed to the exposure of consumers’ sensitive non-public information (NPI). According to NYDFS, a...
InfoBytes
FSB outlines steps to promote convergence in cyber incident reporting
On October 17, the Financial Stability Board (FSB) released a series of recommendations for promoting convergence in cyber incident reporting (CIR). Recognizing that a “one-size-fits-all approach” is neither feasible nor preferable, FSB noted that financial authorities and financial institutions...
InfoBytes
District Court enters $228 million judgment in BIPA class action
On October 12, the U.S. District Court for the Northern District of Illinois entered a judgment for $228 million after a jury found that a defendant railway company committed 45,600 reckless or intentional violations of the Illinois Biometric Information Privacy Act (BIPA). The jury’s judgment,...
InfoBytes
New York announces $1.9 million data breach settlement with global retailer
On October 12, the New York attorney general announced a $1.9 million settlement with an international e-commerce retailer for failing to properly handle a 2018 data breach. According to the settlement, the e-commerce retailer owns and operates two brands (collectively, “respondents”), which experienced a...
InfoBytes
Biden outlines aggressive approach for strengthening U.S. cybersecurity
On October 11, President Biden outlined actions for strengthening and safeguarding the nation’s cybersecurity. In addition to stressing the importance of improving cybersecurity and resilience measures for critical infrastructure owners and operators, the Biden administration outlined additional...
InfoBytes
Biden issues executive order on EU-U.S. privacy shield replacement
On October 7, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. outlines commitments the U.S. will take under the EU-U.S. Data...
InfoBytes
FINRA alerts firms about rising ACATS fraud
On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one...
InfoBytes
Treasury requests feedback on cyberinsurance
On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic...
InfoBytes
OCC releases bank supervision operating plan for FY 2023
On October 6, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2023. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) operational...
InfoBytes
OCC announces updated FFIEC cyber resource guide
On October 6, the OCC announced that the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC Cybersecurity Resource Guide for Financial Institutions. According to the OCC, the 2022 FFIEC Cybersecurity Resource Guide for Financial Institutions provides a list of...
InfoBytes
Colorado releases draft Colorado Privacy Act rules
On September 29, the Colorado attorney general published proposed draft Colorado Privacy Act (CPA) rules with the Colorado Department of Regulatory Agencies. (See Colorado Register here.) As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal...
InfoBytes
District Court grants preliminary approval of data breach class action
On October 3, the U.S. District Court for the Eastern District of Wisconsin granted preliminary approval of a data breach class action settlement. According to the plaintiff’s unopposed motion for preliminary approval, a ransomware attack on the company potentially allowed an unauthorized actor to...
InfoBytes
Arizona reaches $85 million settlement in location tracking suit
On October 4, the Arizona attorney general announced an $85 million settlement with an internet technology company to resolve allegations that it collected individuals’ location data for targeted advertising without users’ knowledge or consent or after users opted out of the feature through the...
InfoBytes
White House proposes AI “Bill of Rights”
Recently, the Biden administration’s Office of Science and Technology Policy released a Blueprint for an AI Bill of Rights. The blueprint’s proposed framework identifies five principles for guiding the design, use, and deployment of automated systems to protect the public as the use of artificial...
InfoBytes
District Court grants plaintiff’s injunction in data scraping suit
On September 30, the U.S. District Court for the Northern District of California certified a stipulation and proposed order regarding a permanent injunction and dismissal to abandon remaining allegations against an Israel-based company and a Delaware company (collectively, defendants) related to...
InfoBytes
U.S.-UK Data Access Agreement now in effect
On October 3, the DOJ announced that the U.S.-UK Data Access Agreement (Agreement) is now in effect. According to the DOJ, the Agreement, authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, is the first of its kind and will allow investigators from each country to gain better...
InfoBytes
Democrats urge FTC to update COPPA
On September 29, Senator Edward J. Markey (D-MA), along with three other Congressional Democrats, sent a letter to FTC Chair Lina Khan requesting that the Commission update its regulations under the Children’s Online Privacy Protection Act (COPPA). The Senators encouraged the FTC to use its...
InfoBytes
FCC proposes rulemaking to combat unlawful text messages
On September 27, the FCC announced a notice of proposed rulemaking (NPRM) to target and eliminate unlawful text messages. According to the FCC, the number of consumer complaints received related to unwanted text messages has increased by 146 percent between 2019 and 2020, and continues to grow in...
InfoBytes
CISA urges companies to take action to combat malicious cyber activity
On September 14, the Cybersecurity and Infrastructure Security Agency, along with several other federal agencies and international partners, released a joint cybersecurity advisory (CSA) highlighting continued malicious cyber activity taken by advanced persistent threat actors affiliated with the...
InfoBytes
California adopts “first-in-nation” act to safeguard children’s online data and privacy
On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services...
InfoBytes
FTC proposes rulemaking to combat impersonation fraud
On September 15, the FTC issued a notice of proposed rulemaking (NPRM) to prohibit the impersonation of government, businesses, or their officials. According to the FTC, reported losses due to impersonation fraud spiked at the beginning of the Covid-19 pandemic, and more than 2.5 million scams were...
InfoBytes
District Court denies defendant summary judgment in data breach suit
On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest...
InfoBytes
District Court grants final approval in data breach suit
On September 13, the U.S. District Court for the Eastern District of Virginia granted final approval of a class action settlement in a data breach suit. As previously covered by InfoBytes, in July 2019, a national bank (defendant) announced that an unauthorized individual had obtained the personal...
InfoBytes
OFAC sanctions individuals and entities connected to IRGC-QF
On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions as part of a joint action with the DOJ, Department of State, FBI, U.S. Cyber Command, National Security Agency, and Cybersecurity and Infrastructure Security Agency, against ten individuals...
InfoBytes
FDIC, FinCEN release results of digital identity tech sprint
On September 9, the FDIC and FinCEN announced key takeaways and solution summaries from a recent “Tech Sprint” to develop solutions for banks and regulators to help measure the effectiveness of digital identity proofing. As previously covered in InfoBytes, in January, the FDIC’s technology lab,...
InfoBytes
CISA issues RFI on new cyber incident reporting requirements
On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on how to develop new data breach reporting regulations related to ransomware and other malicious attacks. The RFI will inform CISA’s...
InfoBytes
District Court grants final approval in BIPA class action
On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement,...
InfoBytes
FTC hosts forum on commercial surveillance and lax data security practices
On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance...
InfoBytes
11th Circuit says plaintiff lacks standing in collection letter case
On September 8, the U.S. Court of Appeals for the Eleventh Circuit issued an en banc decision in Hunstein v. Preferred Collection & Management Services, dismissing the case after determining the plaintiff lacked standing to sue. The majority determined that “[b]ecause Hunstein has alleged only...
InfoBytes
OCC issues expectations for protecting non-public information
On September 7, the OCC issued Bulletin 2022-21, Information Security: Expectations for Protecting Non-public OCC Information on Institution- or Other Non-OCC-Owned or Managed Video Teleconferencing Services, outlining its expectations for protecting non-public OCC information shared on video...
InfoBytes
11th Circuit affirms denial of title company’s cyber fraud claim
On September 6, the U.S. Court of Appeals for the Eleventh Circuit upheld a district court’s decision to deny insurance coverage to a Florida title company under its Cyber Protection Insurance Policy after it was allegedly “fraudulently induced—by an unknown actor impersonating a mortgage lender—to...
InfoBytes
CARU orders app company to correct violations of children’s privacy rules
On September 7, the Children’s Advertising Review Unit (CARU) announced that the owner of a cartoon-themed app company has agreed to correct alleged violations of the Children’s Online Privacy Protection Act (COPPA) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online...
InfoBytes
District Court says tech company not liable for app in crypto theft
On September 2, the U.S. District Court for the Northern District of California granted a defendant California tech company’s motion to dismiss a putative class action filed by users who claimed their cryptocurrency was stolen after they downloaded a “phishing” program that posed as a legitimate...
InfoBytes
District Court preliminarily approves TCPA class action settlement
On March 3, the U.S. District Court for the Central District of California granted final approval of a TCPA class action settlement with a satellite TV company. According to a memorandum in support of plaintiff’s motion for preliminary approval of class action settlement and certification, the plaintiff...
InfoBytes
District Court grants final approval in TCPA class action
On September 1, the U.S. District Court for the Central District of California granted final approval of a class action settlement in a TCPA suit. According to the plaintiffs’ motion for preliminary approval of the class action settlement, the plaintiffs are non-customers who the defendant...
InfoBytes
OFAC amends cyber-related sanctions regulations
On September 2, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced that it is amending, and reissuing in their entirety, the Cyber-Related Sanctions Regulations. OFAC noted that this administrative action replaces regulations that were published in abbreviated form on...
InfoBytes
3rd Circuit vacates dismissal of data breach suit
On September 2, the U.S. Court of Appeals for the Third Circuit vacated the dismissal of a class action alleging that a defendant pharmaceutical research company’s negligence led to a data breach. According to the opinion, the plaintiff, who is a former employee of the defendant’s subsidiary,...
InfoBytes
Pelosi cites preemption concerns in federal privacy bill
On September 1, Speaker of the House Nancy Pelosi (D-CA) released a statement commending the House Energy and Commerce Committee’s work on advancing the American Data Privacy and Protection Act (ADPPA) to the House floor (covered by InfoBytes here). However, Pelosi also recognized preemption...
InfoBytes
Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023
The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1,...
InfoBytes
11th Circuit says one-year statutory notice period cannot be varied
On August 26, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a district court’s summary judgment in favor of a bank after determining that the plaintiff-appellants’ claim for statutory repayment is not time-barred. Plaintiffs (Venezuelan citizens residing in Venezuela)...
InfoBytes
District Court dismisses ransomware suit alleging negligence
On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the defendant’s 2020...
InfoBytes
FTC sues data broker for unfair sale of sensitive data
On August 29, the FTC announced an action taken against a data broker accused of allegedly selling precise geolocation data from hundreds of millions of mobile devices that can be used to trace individuals’ movements to and from sensitive locations. According to the complaint, the defendant...
InfoBytes
District Court grants preliminary approval of class action settlement against securities trading platform and broker-dealer
On August 29, the U.S. District Court for the Northern District of California granted preliminary approval of a settlement in a class action against a securities trading platform and broker-dealer (defendant) for allegedly allowing unauthorized users access to customers’ accounts. As described in...
InfoBytes
Treasury announces MOU with Israel
On August 25, the U.S. Treasury Department announced a bilateral Memorandum of Understanding (MOU) on Cybersecurity Cooperation with the Ministry of Finance of the State of Israel (MOF). According to Treasury, the MOU “builds on U.S. Deputy Secretary of the Treasury Wally Adeyemo’s visit to Israel...
InfoBytes
California fines cosmetics chain for privacy violations
On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process...
InfoBytes
District Court preliminarily approves data breach class action settlement
On August 24, the U.S. District Court for the Southern District of New York preliminarily approved a putative consolidated class action settlement that would reimburse members for out-of-pocket costs or expenditures actually incurred in connection with a February 2020 data breach. According to...
InfoBytes
FCC signs robocall enforcement MOU with Canada
Recently, the FCC announced that it entered into a memorandum of understanding (MOU) with the Canadian Radio-television and Telecommunications Commission (CRTC) to develop a global and coordinated approach for addressing unlawful automated telephone calls. According to the MOU, the FCC and CRTC...
InfoBytes
3rd Circuit overturns decision in WESCA suit
On August 16, the U.S. Court of Appeals for the Third Circuit overturned a district court’s decision in a Wiretapping and Electronic Surveillance Control Act (WESCA) suit against a retailer and third-party marketing company (collectively, “defendants”). According to the opinion, the plaintiff...
InfoBytes
California Privacy Protection Agency opposes federal privacy bill
On August 15, the California Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) opposing H.R.8152, the American Data Privacy and Protection Act (ADPPA). The CPPA expressed concerns that the proposed legislation “could...
InfoBytes
Dem chairs request info on agency data use
On August 16, Chairman of the Committee on the Judiciary Jerrold Nadler (D-NY) and Chairman of the Committee on Homeland Security Bennie Thompson (D-MS) sent a letter to multiple government agency leaders, requesting information on their purchases and use of personal data from data brokers...
InfoBytes
Elizabeth E. McGinn quoted in a CSO article, “FTC begins sweeping commercial surveillance and lax data security rulemaking process”
The CSO article, “FTC begins sweeping commercial surveillance and lax data security rulemaking process,” discussed the persistence of data breaches exposing consumers’ sensitive information even as organizations are selling troves of consumers’ personal, financial, and location data to a thriving...
In The News
New York proposes new cybersecurity reporting requirements for financial institutions
Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose...
InfoBytes
District Court grants final approval of data breach settlement
On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final...
InfoBytes
Chopra considers banking to be “under threat”
On August 10, CFPB Director Rohit Chopra discussed the digital market before the 2022 National Association of Attorneys General Presidential Summit. In his remarks, Chopra first discussed the evolution of advertising models over time, describing how the persuasion of advertising continues to be...
InfoBytes
FTC seeks feedback on commercial surveillance and data security rulemaking
On August 11, the FTC announced that it issued an advance notice of proposed rulemaking (ANPR) on a wide range of concerns about commercial surveillance practices. According to the FTC, it is exploring “rules to crack down on harmful commercial surveillance and lax data security.” The FTC...
InfoBytes
FTC probes cryptocurrency exchange operators
On August 9, the FTC issued an order denying a petition to quash a civil investigative demand (CID) against the operators of a cryptocurrency exchange regarding allegations of a December 2021 data breach. According to the order, the FTC “is investigating potential law violations arising out of [the...
InfoBytes
CSBS releases nonbank cybersecurity examination tools
On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and...
InfoBytes
Elizabeth E. McGinn extensively quoted in Cybersecurity Law Report article, “SEC cyber rules: How to prepare for the new 8-K incident mandate”
The Cybersecurity Law Report article, “SEC cyber rules: How to prepare for the new 8-K incident mandate,” examined the SEC’s proposed rules to give investors a better view of how public companies are tackling risks around cybersecurity and better compare companies’ cyber efforts. The new mandate...
In The News
Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool
On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the...
InfoBytes
"Companies doing business in China caught in a double bind" by Michael Rosenberg
Continuing tensions between the U.S. and China are creating concerns for multinational companies doing business in China. Last June, China enacted the Anti-Foreign Sanctions Law, designed to counteract “discriminatory restrictive measures employed by foreign nations” against Chinese citizens or...
Buckley Commentary & Analysis
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank...
InfoBytes
Hsu discusses cybersecurity risks to financial sector
On August 2, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Joint Meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council focusing on cybersecurity risks to the financial services sector. Hsu...
InfoBytes
NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504),...
InfoBytes
State AGs announce settlement to resolve alleged data security breach
On July 26, a coalition of state attorneys general, co-led by the New Jersey AG and Pennsylvania AG, announced a settlement with a Pennsylvania-based convenience store chain related to an alleged data breach that compromised payment cards of consumers. According to the Assurance of Voluntary...
InfoBytes
OCC reports on cybersecurity and financial system resilience
Recently, the OCC released its annual report on cybersecurity and financial system resilience, which describes its cybersecurity policies and procedures, including those adopted in accordance with the Federal Information Security Modernization Act. According to the report, cybersecurity and...
InfoBytes
Court grants final approval of privacy class action settlement
On July 20, the U.S. District Court for the Northern District of California granted final approval of a class action settlement in a suit against a fintech company alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-...
InfoBytes
House committee advances comprehensive consumer privacy bill
On July 20, the U.S. House Committee on Energy and Commerce voted 53-2 to send H.R. 8152, the American Data Privacy and Protection Act, to the House floor. As previously covered by a Buckley Special Alert, a draft of the bill was released in June, which would, among other things, require...
InfoBytes
DOJ reports on cybersecurity and announces seizure of $500,000 from hackers
On July 19, Deputy Attorney General Lisa O. Monaco spoke before the International Conference on Cyber Security (ICCS) 2022 regarding DOJ’s efforts to combat the increase of cyberattacks. Monaco also announced the release of the Comprehensive Cyber Review, which reflects “the need to prioritize...
InfoBytes
California’s privacy agency initiates formal CPRA rulemaking
On July 8, the California Privacy Protection Agency (CPPA) initiated formal rulemaking procedures to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA), a law amending and building on the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes...
InfoBytes
FTC seeks to protect highly sensitive data
On July 11, the FTC’s Division of Privacy & Identity Protection published a blog post addressing risks associated with the sharing of highly personal information with strangers, particularly with respect to the use of technology that directly observes or derives sensitive information about...
InfoBytes
Fed discusses cybersecurity risk management and emerging threats
On July 7, the Federal Reserve Board published its 2022 Cybersecurity and Financial System Resilience Report. Issued pursuant to the Consolidated Appropriations Act, the Fed’s report described measures it has taken to strengthen cybersecurity in the financial services sector. The report identified...
InfoBytes
District Court approves contact tracing suit settlement
On October 31, the U.S. District Court for the Northern District of California granted plaintiffs’ motion for attorneys' fees, expenses, and service awards related to a class action settlement alleging that an internet platform (defendant) violated the California Confidentiality of Medical...
InfoBytes
District Court preliminarily approves $3.7 million data breach settlement
On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of...
InfoBytes
New York fines supermarket chain $400,000 for mishandled consumer data
On June 30, the New York attorney general announced a settlement with a New York-based supermarket chain (respondent) for allegedly leaving more than three million customers’ personal information in unsecured, misconfigured cloud storage containers, which made the data potentially easy to access...
InfoBytes
Insurers consider biometric exclusions as privacy cases increase
According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric...
InfoBytes
District Court says Massachusetts law will apply in choice-of-law privacy dispute
On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security...
InfoBytes
NYDFS imposes $5 million fine against cruise line for cybersecurity violations
On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity...
InfoBytes
OCC reports on key risks facing the federal banking system
On June 23, the OCC released its Semiannual Risk Perspective for Spring 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that as “banks continue to navigate the operational-...
InfoBytes
FTC finalizes action against e-commerce platform for data breach cover up
On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of...
InfoBytes
Rep. McHenry introduces draft privacy legislation based on GLBA
On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the...
InfoBytes
States reach $1.25 million data breach settlement with cruise line
On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According...
InfoBytes
U.S. and EU collaborate to combat ransomware attacks
On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in the Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property...
InfoBytes
District Court grants preliminary approval of class action settlement in data breach case
On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a...
InfoBytes
Special Alert: House subcommittee hears testimony on privacy bill
The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data...
InfoBytes
FTC issues report to Congress on use of AI
On June 16, the FTC issued a report to Congress regarding the use of artificial intelligence (AI), warning that policymakers should use caution when relying on AI to combat the spread of harmful online conduct. In the 2021 Appropriations Act, Congress directed the FTC to study and report on whether...
InfoBytes
U.S., UK collaborate on privacy-enhancing tech prize challenges
On June 13, the White House announced that the U.S. and UK governments are developing privacy-enhancing technology prize challenges to help address cross-border money laundering. The White House highlighted that the estimated $2 trillion of cross-border money laundering which happens annually could...
InfoBytes
District Court approves data breach settlement
On June 8, the U.S. District Court for the Southern District of New York granted plaintiffs’ motion for final approval of a class action settlement resolving claims that several retail businesses failed to establish reasonable safeguards that led to a data breach. According to the opinion, the...
InfoBytes
Special Alert: Congress releases draft privacy bill
A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act. Passage of the ADPPA, which combines elements of prior proposals in an effort to...
InfoBytes
District Court granted final approval of a $63 million data breach settlement
On June 7, the U.S. District Court for the District of Columbia granted final approval of a class action settlement resolving claims that a government agency and its contractor (collectively, defendants) did not detect hackers because they failed to establish reasonable safeguards that led to a...
InfoBytes
Senate Banking Committee sends letter to Yellen on consumer data activities
On June 7, Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, Senator Sherrod Brown sent a letter to Treasury Secretary Janet Yellen requesting that the Financial Stability Oversight Council conduct a review on the effect of the collection and sale of consumer data by...
InfoBytes
District Court: Company must face data breach claims
On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in...
InfoBytes
California’s privacy agency posts CPRA proposal
Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until...
InfoBytes
Maryland amends security procedures standards
On May 29, Maryland HB 962 was enacted under Article II, Section 17(c) of the Maryland Constitution - Chapter 502, which amends the Maryland Personal Information Protection Act. The bill, among other things, expands the types of businesses that are required to implement and maintain reasonable...
InfoBytes
NAAG establishes cyber training center to help states understand emerging and evolving technologies
Recently, the National Association of Attorneys General (NAAG) established a new center dedicated to the development of programs and resources for supporting states’ understanding of emerging and evolving technologies. The Center on Cyber and Technology will also assist with cybercrime...
InfoBytes
Social media company to pay $150 million to settle FTC, DOJ data security probe
On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant...
InfoBytes
FTC addresses importance of effective incident response and breach disclosure
On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to...
InfoBytes
FDIC highlights operational risks in 2022 Risk Review
On May 20, the FDIC released its 2022 Risk Review, summarizing emerging risks in the U.S. banking system observed during 2021 in four broad categories: credit risk, market risk, operational risk, and climate-related financial risk. According to the FDIC, the current risk review expands upon...
InfoBytes
DOJ will not charge researchers who report cybersecurity flaws in “good faith”
On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors to not charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers that...
InfoBytes
FCC acts to stop international robocalls
On May 19, the FCC unanimously adopted proposed rules to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls. As part of the...
InfoBytes
FTC cracks down on ed tech providers’ COPPA compliance
On May 19, the FTC warned providers of education technology (ed tech) tools for children that they must fully comply with all provisions of the Children’s Online Privacy Protection Act (COPPA). The Commission voted unanimously to approve a policy statement clarifying how COPPA applies to ed tech...
InfoBytes
Oklahoma establishes telephone solicitation restrictions
On May 20, the Oklahoma governor signed HB 3168, which establishes the Telephone Solicitation Act of 2022. The bill, among other things, prohibits (i) certain sales calls without the prior express written consent of the called party; (ii) commercial telephone sellers or salespersons from using...
InfoBytes
Illinois amendments address confidentiality of customer financial records
On May 13, the Illinois governor signed SB 3971, which makes various amendments to Illinois Banking Act and Savings Bank Act provisions concerning the confidentiality of customer financial records. Among other things, the Act provides that a bank must disclose financial records “only after the...
InfoBytes
U.S. signs protocol to strengthen international efforts to combat cybercrime
On May 12, the U.S. signaled its commitment to fight cybercrime by signing the Second Additional Protocol to the Convention on Cybercrime to obtain access to needed electronic evidence. Deputy Assistant Attorney General Richard Downing of the DOJ’s Criminal Division signed the new protocol to...
InfoBytes
Senate confirms Bedoya as FTC commissioner; Powell to serve second term as Fed chair
On May 11, the U.S. Senate voted along party lines to confirm Alvaro Bedoya as an FTC Commissioner. Bedoya, who brings a background in privacy and data security, fills the FTC commissioner seat vacated by current CFPB Director Rohit Chopra. A Georgetown University visiting professor of law, Bedoya...
InfoBytes
Connecticut becomes fifth state to enact comprehensive privacy legislation
On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (...
InfoBytes
District Court settles data scraping lawsuit
On May 9, the U.S. District Court for the Northern District of California issued a final judgment on consent resolving a lawsuit concerning data scraping allegations. A professional networking site (plaintiff) sued a Singapore-based company and three company founders (collectively, “defendants”)...
InfoBytes
Fed updates synthetic identity fraud mitigation toolkit
Recently, the Federal Reserve updated a synthetic identity fraud mitigation toolkit offering new information regarding fraud detection technology and data sharing and discussing the value of fraud information sharing within the industry to help fight synthetic identity fraud. As previously covered...
InfoBytes
District Court dismisses privacy class action claims citing absence of jurisdiction
On May 5, the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss a putative class action concerning invasion of privacy claims related to the collection of consumer data over an online shopping platform. The Canada-based e-commerce company and two of...
InfoBytes
Defendants to pay $5.7 million for alleged data breach
On October 17, the U.S. District Court for the Northern District of Ohio granted final approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment card...
InfoBytes
District Court allows data sharing invasion of privacy claims to proceed
On May 4, the U.S. District Court for the Central District of California partially dismissed the majority of a putative class action accusing several large retailers and a data analytics company (collectively, “defendants”) of illegally sharing their consumer transaction data, allowing only an...
InfoBytes
District Court partially certifies data breach suit
On May 3, the U.S. District Court for the District of Maryland granted in part and denied in part certification of eight class actions against a hotel corporation (defendant) alleging that it misled consumers regarding a major breach of customers’ personal information. According to the opinion, the...
InfoBytes
9th Circuit: Data release did not violate defendant’s Fourth Amendment rights
On April 27, the U.S. Court of Appeals for the Ninth Circuit concluded that limited digital data uncovered online that was not collected at the behest of the government did not violate the Fourth Amendment, which protects individuals from unreasonable government searches and seizures. According to...
InfoBytes
District Court approves final class action privacy settlement
On April 29, the U.S. District Court for the Western District of New York granted final approval of a class action settlement resolving privacy and data security allegations against a health insurance company and several related health insurance entities (collectively, “defendants”). According to...
InfoBytes
EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations
On April 28, the Court of Justice of the European Union (CJEU) issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to...
InfoBytes
Connecticut legislature passes consumer data privacy bill
Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include: Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for...
InfoBytes
4th Circuit will not revive investors’ data breach case
On April 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of a securities suit against a hotel corporation (defendant) alleging that they misled the plaintiffs regarding data vulnerabilities connected to a major breach of customers’ personal information...
InfoBytes
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more...
InfoBytes
District Court dismisses state law claims concerning scanned email allegations
On April 26, the U.S. District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the...
InfoBytes
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this...
InfoBytes
District Court approves final $85 million class action privacy settlement despite objections
On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members...
InfoBytes
District Court denies class cert in data breach suit
On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private...
InfoBytes
Defendants to pay $5 million for alleged data breach
On April 20, the U.S. District Court for the Southern District of California granted preliminary approval of a proposed class settlement, resolving claims against a medical supplier company after a data breach allegedly compromised personal information of its consumers in its database. According to...
InfoBytes
CRS report raises privacy concerns regarding digital wallets
On April 18, the Congressional Research Service released an overview of digital wallet technology and related cybersecurity, data privacy and consumer protection policy considerations. Digital wallets are software applications that store payment or account details to facilitate traditional payments...
InfoBytes
9th Circuit: Networking site cannot deny data scraping access to publicly available profiles
On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations...
InfoBytes
Colorado seeks comments on privacy rulemaking; draft regulations to come this fall
Recently, the Colorado attorney general released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The considerations seek informal public input on any area of the CPA, including those “that need clarification, consumer concerns, anticipated compliance challenges, impacts of the CPA...
InfoBytes
Virginia enacts additional consumer data protections
On April 11, the Virginia governor signed legislation enacting additional amendments to the Virginia Consumer Data Protection Act (VCDPA). Both bills take effect July 1. HB 714 (identical bill SB 534) expands the definition of a nonprofit organization to include political and certain tax-exempt 501...
InfoBytes
Khan outlines FTC’s plans to enforce privacy, data security
On April 11, FTC Chair Lina Khan spoke at the Opening General Session of the IAPP Global Privacy Summit 2022, focusing on the Commission’s approach to privacy and data security enforcement strategy. In her remarks, Khan offered observations on “the new political economy” of how American consumers...
InfoBytes
District Court approves $90 million settlement in data tracking suit
On March 31, the U.S. District Court for the Northern District of California granted final approval to a $90 million class action settlement resolving claims that a social media platform unlawfully tracked consumers’ browsing data. According to the settlement agreement, the defendant obtained and...
InfoBytes
Arizona amends data breach notification requirements
On March 29, the Arizona governor signed HB 2146, amending the Arizona Revised Statutes’ security breach notification requirements. Specifically, if a person conducting business in the state that “owns, maintains or licenses unencrypted and unredacted computerized personal information becomes...
InfoBytes
District Court refuses to enforce choice-of-law provision, allows individual state data privacy claims to proceed
On March 30, the U.S. District Court for the Northern District of Illinois denied a global tech company’s bid to dismiss class action Illinois Biometric Information Privacy Act (BIPA) claims. Plaintiffs (Illinois residents) sued the company alleging it violated BIPA by applying image recognition...
InfoBytes
SEC 2022 examination priorities include information security, emerging technologies, and crypto-assets
On March 30, the SEC’s Division of Examinations announced that its 2022 examination priorities will focus on key risk factors related to private funds, environmental, social and governance investing, retail investor protections, information security and operational resiliency, emerging technologies...
InfoBytes
EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework
On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also White House and European Commission fact sheets here and here.)...
InfoBytes
Agencies provide points of contact for computer security incident notifications
On March 29, the FDIC, OCC, and Federal Reserve Board issued guidance related to a final rule issued last November by the agencies along with the Federal Reserve Board, which requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-...
InfoBytes
Social networking apps settle minors' data claims for $1.1 million
On March 25, the U.S. District Court for the Northern District of Illinois granted final approval to a $1.1 million class action settlement resolving claims that the operators of two video social networking apps (defendants) “‘surreptitiously tracked, collected, and disclosed the personally...
InfoBytes
Insurers obligated to indemnify retailer’s payment card claims following data breach
On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class...
InfoBytes
Utah becomes fourth state to enact comprehensive privacy legislation
On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California,...
InfoBytes
Biden urges private-sector businesses to strengthen cyber defenses
On March 21, President Biden issued a fact sheet warning private-sector businesses of potential retaliatory Russian cyberattacks. Biden reiterated previous “warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks” against the U.S. in “...
InfoBytes
District Court denies defendant’s motion to certify an interlocutory appeal in BIPA case
On March 18, the U.S. District Court for the Northern District of Illinois denied a retailer’s motion to certify for interlocutory appeal the court’s earlier ruling denying, in part, the retailer’s motion to dismiss. This multi-district litigation involves allegations that the retailer used a...
InfoBytes
District Court grants final approval in data breach case
On January 4, the U.S. District Court for the Eastern District of Texas granted final approval of a settlement in a class action resolving claims that a software company and its subsidiary (collectively, “defendants”) failed to properly safeguard customers' personally identifiable information (PII...
InfoBytes
Indiana enacts data breach disclosure requirements
On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides...
InfoBytes
District Court approves $17 million data breach settlement
On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names,...
InfoBytes
Irish DPC fines global social media company €17 million for GDPR violations
On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach...
InfoBytes
FTC settles action against e-commerce platform for data breach cover up
On March 15, the FTC announced a proposed settlement with two limited liability companies, the former and current owners, of an online customized merchandise platform (collectively, “respondents”) for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach...
InfoBytes
Biden signs $1.5 trillion omnibus package
On March 15, President Biden signed H.R. 2471, the “Consolidated Appropriations Act, 2022” (Act), into law. According to House Appropriations Committee Chair Rosa DeLauro’s press release, the Act is an omnibus spending measure that provides $1.5 trillion in discretionary resources across the 12...
InfoBytes
Wyoming enacts genetic data privacy provisions
On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To...
InfoBytes
California clarifies that internally generated inferences are “personal information” under the CCPA
On March 10, the California Office of the Attorney General (OAG) issued an opinion on the question of whether, under the California Consumer Privacy Act (CCPA), a consumer’s right to know the specific pieces of personal information collected by a covered business about that consumer applies to...
DFPI reminds financial institutions of their sanctions compliance obligations
On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited...
SEC proposes amendments to cybersecurity risk management
On March 9, the SEC announced proposed amendments to standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, “current reporting about material cybersecurity...
Biden calls for coordinated approach to digital asset innovation
On March 9, President Biden issued an Executive Order (E.O.) on digital assets outlining the first “whole-of-government” strategy to coordinate a comprehensive approach for ensuring responsible innovation in digital assets policy. (See also White House fact sheet here.) The White House...
CARU orders app company to correct violations of children’s privacy rules
On March 8, the Children’s Advertising Review Unit (CARU) announced that a smart watch phone operator has agreed to take actions to correct alleged violations of the Children’s Online Privacy Protection Act (COPPA) and CARU’s Self-Regulatory Guidelines for Children’s Online Privacy Protection...
District Court preliminarily approves $4.75 million data breach settlement
On March 3, the U.S. District Court for the Western District of Texas preliminarily approved a $4.75 million class action settlement resolving claims between a pharmacy benefits manager and consumers in six different proposed class actions filed in Texas and California. The court also conditionally...
Virginia passes additional VCDPA amendments
On March 7, the Virginia House and Senate passed HB 714, which amends Sections 59.1-575 and 59.1-584 and repeals Section 59.1-585 of the Virginia Consumer Data Protection Act (VCDPA). Specifically, the amendments expand the definition of a nonprofit organization to include political and certain...
9th Circuit affirms dismissal of investors’ data breach disclosures suit
On March 2, the U.S. Court of Appeals for the Ninth Circuit affirmed the dismissal of a class action suit for failure to state a claim, concluding that investors had failed to adequately allege that statements about the defendant company’s cybersecurity practices in the company’s 2018 Form 10-K...
FTC, DOJ reach $1.5 million settlement with weight-loss companies
On March 4, the FTC and DOJ announced a $1.5 million settlement with an international weight loss service organization and its subsidiary (collectively, “defendants”) accused of allegedly using unfair and deceptive practices to obtain personal information of underage users without parental consent...
State AGs investigate streaming service for privacy violations
On March 2, a coalition of state attorneys general, led by California Attorney General Rob Bonta, announced a nationwide investigation into a video streaming service regarding whether it is violating state consumer protection laws and putting children at risk by promoting its social media platform...
Florida house tries again on consumer privacy legislation
On March 2, the Florida house passed HB 9, which would, among other things, regulate the sale and sharing of consumers’ personal data and provide consumers the right to sue over alleged violations. This is the state’s latest attempt to pass comprehensive consumer privacy legislation. Last year,...
FCC launches inquiry to reduce cyber risks
On February 25, the FCC adopted a Notice of Inquiry proposed by FCC Chairwoman Jessica Rosenworcel that would launch an inquiry into the vulnerabilities of the internet’s global routing system, in response to the increasing risk of cyberattacks stemming from Russia’s invasion of Ukraine. The...
Utah legislature passes privacy bill
Recently, the Utah legislature passed SB 227, which would enact the Utah Consumer Privacy Act and establish a framework for controlling and processing consumers’ personal data in the state. (See also senate and house approved amendments here.) Highlights of the bill include: Applicability. The...
Virginia passes amendments on CDPA for data deletion
On February 25, the Virginia House and Senate passed HB 381, which amends Section 59.1-577 of the Virginia Consumer Data Protection Act (VCDPA) related to consumers’ data deletion requests. Specifically, the amendment provides that a controller that has obtained a consumer’s personal data from a...
Irish DPC releases annual report
On February 24, the Irish Data Protection Commission (DPC) released its 2021 Annual Report. According to the report, the EU’s General Data Protection Regulation (GDPR) enforcement efforts have gained “significant momentum” by, among other things: (i) “resolving thousands of complaints”; (ii) “...
Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing...
District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit
On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. Plaintiffs,...
Wisconsin assembly passes comprehensive data privacy bill
On February 23, the Wisconsin assembly passed AB 957, which establishes requirements for controllers and processors of consumer personal data. An assembly amendment to the bill making various changes was adopted the same day. Highlights of the bill include: Applicability. The bill will apply to...
District Court grants motion to dismiss in privacy suit
On February 17, the U.S. District Court for the District of Delaware granted a motion to dismiss a putative class action suit for lack of Article III standing, in which plaintiffs alleged that the defendant violated their privacy rights by intercepting and recording mouse clicks and other website...
District Court approves $15 million class action settlement over BIPA violations
On February 18, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a workplace management software company (defendant) violated the Illinois Biometric Information Privacy Act (BIPA) by collecting data...
District Court: California privacy laws do not absolve discovery obligations in federal litigation
Last month, the U.S. District Court for the Central District of California granted plaintiffs’ motion to compel defendants’ responses to a request for production of documents after determining that defendants may not rely on the California Consumer Protection Act (CCPA) or other state laws to avoid...
New York to coordinate state cybersecurity efforts
On February 22, New York Governor Kathy Hochul announced the creation of the Joint Security Operations Center (JSOC) to coordinate state efforts to anticipate potential cybersecurity threats and respond to security incidents. Calling the center the “first-of-its-kind” in the U.S., Hochul stated...
NIST to update cybersecurity framework with a focus on supply chain risk
On February 22, the National Institute of Standards and Technology (NIST) published a notice and request for information (RFI) in the Federal Register seeking information to assist in the evaluation and improvement of the agency’s “Framework for Improving Critical Infrastructure Cybersecurity,” as...
District Court approves settlement in data breach suit
On February 22, the U.S. District Court for the Central District of California granted final approval of a class settlement and ordered a final judgment between a plaintiff class and a provider of outpatient imaging (defendant) resolving allegations that the defendant was responsible for failing to...
District Court approves $14.8 million cloud subscription settlement
On August 4, the U.S. District Court for the Northern District of California approved a $14.8 million class action settlement resolving claims that a major technology company allegedly misled users about its cloud storage practices. In 2020, plaintiffs filed an amended complaint alleging the...
California Privacy Protection Agency plans to finish rulemaking by Q4 of 2022
On February 17, the California Privacy Protection Agency (CPPA) Board held a public meeting to provide an update on the California Privacy Rights Act (CPRA or the Act) rulemaking process. According to sources, the CPPA, which was established under the CPRA, stated it intends to finalize rulemaking...
Consulting firm agrees to $4.95 million settlement to resolve class data breach claims
On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment...
Texas AG issues CID to video streaming company
On February 18, the Texas attorney general issued two Civil Investigative Demands (CIDs) to a video streaming company that focus on the company’s potential facilitation of human trafficking and child privacy violations, as well as other potential unlawful conduct. According to the CIDs, the company...
FCC proposes record $45 million fine against robocaller
On February 18, the FCC released a proposed $45 million fine against a lead generator accused of conducting an illegal robocall campaign that made false claims about the Covid-19 pandemic to induce consumers into purchasing health insurance. This is the FCC’s largest ever proposed robocall fine to...
FTC sues weight-loss companies alleging COPPA and FTC Act violations
On February 16, the FTC filed a complaint for permanent injunction in the U.S. District Court for the Northern District of California against an international weight loss service organization and its subsidiary (collectively, “defendants”) for allegedly using unfair and deceptive practices to obtain...
District Court approves settlement of class claiming privacy violations
On February 11, the U.S. District Court for the Central District of California granted approval of a $217 million class action settlement, resolving allegations that the Transportation Corridor Agencies (TCA) and their contractors (collectively, “defendants”) allegedly repeatedly used their access...
UK accepts multinational tech company’s privacy sandbox proposals
On February 11, the UK Competition and Markets Authority (CMA) issued a decision accepting a multinational technology company’s offer to provide more transparency and oversight to its privacy sandbox proposals. The purpose of these proposals is to remove cross-site tracking of certain users through...
France says tool for EU-U.S. data transfers is unsafe
On February 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), issued a decision related to a multinational technology company’s practice of transferring data collected through its analytics tool to the U.S. The analytics tool, which measures the...
Fed releases synthetic identity fraud mitigation toolkit
Recently, the Federal Reserve released a synthetic identity fraud mitigation toolkit to help financial institutions, businesses, and consumers improve awareness, detection, measurement, and mitigation of identity fraud. The Fed emphasized that synthetic identity fraud (in which fictitious people...
SEC proposes cybersecurity risk management rules and amendments
On February 9, a divided SEC voted to release proposed cybersecurity risk management rules and amendments to certain requirements for registered investment advisers and funds. (See SEC fact sheet here.) Commissioner Hester Peirce voted against the proposal, stressing that because “an adviser’s or...
Illinois Supreme Court rules Workers’ Compensation Act does not bar BIPA privacy claims
On February 3, the Illinois Supreme Court unanimously ruled that the Illinois Workers’ Compensation Act (Compensation Act) does not bar claims for statutory damages under the state’s Biometric Information Privacy Act (BIPA). According to the opinion, the plaintiff sued the defendant and several...
Colorado releases guidance on data privacy and security in advance of CPA implementation
On January 28, the Colorado attorney general issued prepared remarks and guidance on data security best practices in advance of the implementation of the Colorado Privacy Act (CPA). As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data...
District Court partially grants summary judgment to defendants in FCA case
On February 1, the U.S. District Court for the Eastern District of California denied a relator’s (plaintiff’s) motion for summary judgment on an allegation of promissory fraud in violation of the False Claims Act (FCA) in a case against a rocket manufacturer and its subsidiary (defendants). The court...
FCC proposes to classify ringless voicemails as “calls” under the TCPA
On February 2, FCC Chairwoman Jessica Rosenworcel announced a proposal that would classify technology that leaves ringless voicemails on consumers’ cell phones as “calls” under the TCPA and therefore subject to the FCC’s robocalling restrictions. If adopted by the full Commission, callers using...
District Court approves class settlement in data breach
On January 28, the U.S. District Court for the Northern District of California granted a plaintiffs’ motion for final approval in a class action settlement alleging an online support services provider (defendant) failed to adequately secure and safeguard the payment card data and other personally...
French Council of State confirms €100 million fine against tech company
On January 28, the French Council of State confirmed the French data protection agency Commission Nationale de l’Informatique et des Libertés’s (CNIL) jurisdiction to impose sanctions on a multinational technology company and its Irish affiliate related to the companies’ process for managing...
California investigating loyalty programs for CCPA compliance
On January 28, the California attorney general announced an “investigative sweep” of businesses operating loyalty programs in the state. The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, requires businesses that offer financial incentives in exchange for personal...
District Court grants motion to dismiss in CIPA class action
On January 25, the U.S. District Court for the Northern District of California granted a motion to dismiss a class action suit, in which plaintiffs alleged that the defendant continued to monitor mobile users’ browsing history even after being asked to cease and desist. In their third amended...
SEC chair considers updating cybersecurity rules
On January 24, SEC Chair Gary Gensler discussed the agency’s cybersecurity policy work before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Gensler commented that the SEC is working to improve the overall cybersecurity resiliency of the financial sector with a...
District Court finalizes BIPA class action settlement
On January 24, the U.S. District Court for the Northern District of Illinois granted final approval to a nearly $877,000 class action settlement to resolve allegations that a food manufacturer’s fingerprint-based timekeeping system violated Illinois’ Biometric Information Privacy Act (BIPA). Class...
Fed examines ramifications of U.S. central bank digital currency
On January 20, the Federal Reserve Board published a discussion paper, Money and Payments: The U.S. Dollar in the Age of Digital Transformation, which calls for public comments on questions related to the possibility of a U.S. central bank digital currency, or CBDC. “The introduction of a CBDC...
SBA rolls out small business cybersecurity pilot program
On January 21, the SBA announced $3 million in funding for the agency’s Cybersecurity for Small Business Pilot Program. The funding is intended to help state governments assist emerging small businesses in developing their cybersecurity infrastructures to combat increasing and evolving threats...
District Court dismisses data breach class action
On January 19, the U.S. District Court for the Southern District of New York dismissed a class action against a menswear company (defendant) accused of exposing personal information in a December 2020 data breach. According to the opinion, the plaintiff bought items on the defendant’s website in...
FDIC and FinCEN launch Tech Sprint to help digital identity proofing
On January 11, the FDIC’s technology lab, FDiTech, and FinCEN announced the launch of a Tech Sprint challenging participants “to develop solutions for financial institutions and regulators to help measure the effectiveness of digital identity proofing—the process used to collect, validate, and...
FCC proposes new reporting on telecom data breaches
On January 12, the FCC announced that it shared, among the FCC staff, a notice of proposed rulemaking (NPRM) to strengthen the rules for notifying consumers and federal law enforcement of breaches of customer proprietary network information. According to the FCC, the NPRM “would better align the...
2nd Circuit addresses TCPA’s definition of “unsolicited advertisement”
On January 6, the U.S. Court of Appeals for the Second Circuit held that an unsolicited fax asking recipients to participate in a market research survey in exchange for money does not constitute an “unsolicited advertisement” under the TCPA. According to the opinion, the plaintiff medical...
French data protection agency issues privacy fines over cookies
On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 and $68 million USD respectively) for failure to comply...
FTC says robocall violations top consumers’ do-not-call complaints
On January 5, the FTC issued its National Do Not Call (DNC) Registry biennial report to Congress. According to the report, more than 244 million consumers have now placed their telephone numbers on the DNC Registry over the past two years. The report also highlighted that in FY 2021, the Commission...
New York AG alerts companies on “credential stuffing” cyberattacks
On January 5, the New York attorney general issued a report, which highlights the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential...
District Court temporarily halts enforcement of New York’s user data-sharing ordinances
On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily reprieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances...
District Court preliminarily approves TCPA class action
On December 27, the U.S. District Court for the Eastern District of Washington granted class certification and preliminarily approved a putative class action settlement alleging two Washington cannabis companies violated the TCPA by sending unsolicited promotional text messages without consumer...
New Jersey settles CFA and HIPAA violations following 2019 data breach
On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by...
FTC settles with mortgage analytics company
On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and...
New Mexico settles with technology company over COPPA violations
On December 13, the New Mexico attorney general announced a settlement in two federal court cases filed against a multinational technology company, both of which resolve allegations against the company under the federal Children’s Online Privacy Protection Act (COPPA) and other state consumer...
FTC finalizes decision banning respondents from surveillance business
On December 21, the FTC announced a decision banning a data monitoring application and its CEO (collectively, “respondents”) from the surveillance industry. As previously covered by InfoBytes, the respondents allegedly violated Section 5 of the FTC Act by failing to provide reasonable data...
Global tech corporation fined for GDPR violations fends off daily fines
According to sources, the Luxembourg President of the Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s...
FSOC highlights potential risks in 2021 annual report
On December 17, the Financial Stability Oversight Council (FSOC) released its annual report highlighting significant financial market and regulatory developments, potential financial risks, and recommendations for promoting U.S. financial stability. The report focused on several recommendations...
FTC proposes rule to combat impersonation fraud
On December 16, the FTC issued an advance notice of proposed rulemaking (ANPR) seeking comments on a wide range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data...
Norwegian Data Protection Authority fines U.S. dating app $7.1 million for alleged GDPR violations
On December 13, the Norwegian Data Protection Authority issued a reduced administrative fine against a U.S. company operating a GPS-based mobile dating app for allegedly violating the EU’s General Data Protection Regulation (GDPR). The regulator’s 2020 complaint stated that the company allegedly...
FTC settles with advertising platform for COPPA violations
On December 15, the FTC announced a settlement with a California-based online advertising platform for allegedly engaging in deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). (See also DOJ press release here.) According to the FTC, the defendant...
FTC publishes 2022 regulatory priorities
On December 10, the FTC published a statement disclosing its regulatory priorities for 2022. Among other things, the statement highlights: (i) newly initiated and upcoming periodic reviews of rules and guides; (ii) ongoing periodic reviews of rules and guides; (iii) proposed rules; and (iv) final...
NYDFS addresses use of cyber assessment framework in risk assessment process
On December 9, NYDFS updated its FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on 23 NYCRR Part 500 here.) New FAQ 41 addressed whether covered entities should use a...
6th Circuit affirms decision compelling arbitration in data breach case
On December 2, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s decision dismissing a nationwide putative class action against an e-commerce provider, holding that challenges raised to the validity of an agreement to arbitrate were for the arbitrator to decide, not the...
FINRA fines financial firms $2.25 million for alleged improper storage of customer data
On December 6, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), which requires two units of a national bank (respondents) to jointly and severally pay a $2.25 million fine for allegedly failing to store customer information in the...
NYDFS addresses multi-factor authentication weaknesses
On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that,...
OCC warns of key cybersecurity and climate-related banking risks
On December 6, the OCC reported in its Semiannual Risk Perspective for Fall 2021 the key issues facing national banks and federal savings associations and the effects of Covid-19 on the federal banking industry. The agency reported that although banks showed resilience in the current environment...
FTC releases 2021 National Do Not Call Registry Data Book
On November 23, the FTC released the National Do Not Call Registry Data Book for Fiscal Year 2021. The Data Book provides the most recent fiscal year information available on telemarketing sales calls and robocall complaints, including the types of calls reported to the FTC and a state-by-state...
District Court grants preliminary approval in TCPA settlement
On November 23, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a publishing company utilized a third party telemarketer to place newspaper delivery service advertising calls with individuals who had...
Virginia Consumer Data Protection Act Work Group issues final report
Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in...
District Court grants preliminary approval of privacy class action settlement
On November 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $58 million settlement in a class action against a fintech company (defendant) alleged to have accessed the personal banking data of users without first obtaining consent, in violation...
Chamber of Commerce requests access to FTC privacy-related communications
On November 19, the U.S. Chamber of Commerce sent FOIA requests to the FTC seeking, among other things, communications on consumer data privacy policies the FTC has discussed or considered as ordered by President Biden’s broad July 9 executive order, which tasked the FTC with establishing rules to...
11th Circuit to rehear Hunstein v. Preferred Collection & Management Services
On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail...
New rule gives banks 36 hours to disclose cybersecurity incidents
On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator...
District Court approves e-commerce platform data breach settlement
On November 4, the U.S. District Court for the District of Massachusetts granted final approval to a settlement in a class action against an alcohol e-commerce platform stemming from a data breach that allegedly compromised customers’ personally identifiable information. The plaintiffs’ memorandum...
District Court grants tech company’s motion to arbitrate smartphone data monitoring claims
On November 9, the U.S. District Court for the Northern District of California issued an order granting, among other things, a global technology company defendant’s motion to compel individual arbitration in a privacy class action and dismissing the action without prejudice. As outlined in a May...
FTC releases draft strategic plan for FY 2022 - 2026
On November 12, the FTC released a preliminary draft of the Strategic Plan for Fiscal Years 2022 to 2026 for public review and comment. Recognizing that protecting the public from unfair or deceptive acts or practices in the marketplace is a key FTC strategic goal, the draft Strategic Plan outlines...
U.S. and Israel form partnership to combat ransomware; U.S. enters cybersecurity initiative with France
On November 14, the U.S. Treasury Department announced the establishment of a bilateral partnership with the Israeli Ministry of Finance as part of the Biden Administration’s efforts to crack down on ransomware. The partnership is part of the U.S.-Israeli Task Force on Fintech Innovation and...
Maryland appoints officials to oversee cybersecurity and data privacy
On November 10, the Maryland governor announced the appointments of a new chief privacy officer and chief data officer, both of which are newly-created roles, as part of the state’s commitment to cybersecurity and data privacy. The chief privacy officer will lead state initiatives with respect to...
District Court dismisses data breach claims due to lack of jurisdiction
On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor after determining that the court does not have jurisdiction over the companies. Plaintiffs—customers who...
Dept. of Defense announces version 2.0 of cybersecurity maturity model certification program
On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates...
UK Supreme Court rules claimant cannot bring privacy claims against U.S. tech company
On November 10, the UK Supreme Court issued a judgment in an appeal addressing whether a claimant can bring data privacy claims in a representative capacity against a global technology company in a class action suit. The claimant sought compensation on behalf of a class under section 13 of the Data...
InfoBytes
9th Circuit: Israeli company is not entitled to foreign sovereign immunity over malware claims
On November 8, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a private Israeli company’s motion to dismiss claims based on foreign sovereign immunity. The Israeli company (defendant) designs and licenses surveillance technology to governments and...
InfoBytes
District Court grants $5 million settlement for alleged data breach
On November 5, the U.S. District Court for the Northern District of California granted preliminary approval of a class action settlement resolving claims against a grocery store chain after a data breach allegedly compromised personal information in its software. According to the plaintiffs’ notice...
InfoBytes
Treasury and DOJ announce sanctions and charges in ransomware attacks, FinCEN updates ransomware guidance
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 as amended against two ransomware operators and a virtual currency exchange network. According to OFAC, the virtual currency exchange, and its associated...
InfoBytes
Illinois enacts the Protecting Household Privacy Act
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or...
InfoBytes
New York enacts robocall measures
On November 8, the New York governor signed measures to help prevent robocalls and increase consumer protections. The measures build upon federal actions to combat robocalls and “will enable telecom companies to prevent these calls from coming in in the first place, as well as empower our state...
InfoBytes
New York requires private employers to provide electronic monitoring notice
On November 8, the New York governor signed S.2628, which requires employers to notify their employees in writing upon hiring of their intention to monitor or intercept telephone or email conversations or transmissions, or monitor the use or access of other electronic devices. Employers must...
InfoBytes
Kansas AG fines companies for unlawful data disposal
On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas...
InfoBytes
District Court grants preliminary approval in BIPA settlement
On November 4, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims that a plasma donation center (defendant) unlawfully collected and stored the fingerprints of blood plasma donors. According to the memorandum of...
InfoBytes
CFPB seeks comments on recent orders to U.S. tech companies
On November 5, the CFPB published a notice in the Federal Register seeking public comments on recently issued orders to six large U.S. technology companies requesting information and data on their payment system business practices (covered by InfoBytes here). According to the notice, the Bureau...
InfoBytes
House subcommittee holds hearing on cybersecurity
On November 3, the House Financial Services Subcommittee on Consumer Protection and Financial Institutions held a hearing titled “Cyber Threats, Consumer Data, and the Financial System.” The hearing examined cybersecurity and consumer data protection challenges for financial institutions, discussed...
InfoBytes
NYDFS provides affiliate cybersecurity program guidance
Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs...
InfoBytes
District Court approves CCPA class action settlement
On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’...
InfoBytes
District Court denies defendant’s motion to dismiss Illinois BIPA class action
On October 28, the U.S. District Court for the Northern District of Illinois denied a Delaware-based technology management service defendant’s motion to dismiss a putative class action that alleged it stored and collected biometric data from employees of companies that utilized the defendant’s...
InfoBytes
FTC increases dark patterns enforcement
On October 28, the FTC announced a new enforcement policy statement warning companies against using illegal dark patterns that could “trick or trap consumers into subscription services” which are sometimes used by sellers in automatic renewal subscriptions, continuity plans, free-to-pay or free-to-...
InfoBytes
Elizabeth E. McGinn quoted in Cyberscoop article, “FTC wants to know when financial data is compromised, will require encryption”
Elizabeth E. McGinn was quoted in a Cyberscoop article, “FTC wants to know when financial data is compromised, will require encryption,” which examined updated rules the Federal Trade Commission is considering that would require financial institutions to report within 30 days any security incidents...
In The News
FTC updates Safeguards Rule for financial institutions
On October 27, the FTC announced a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. The final rule follows a 2019 notice of proposed rulemaking (covered by InfoBytes here) and...
InfoBytes
11th Circuit’s new opinion says plaintiff still has standing to sue in outsourced debt collection letter action
On October 28, the U.S. Court of Appeals for the Eleventh Circuit issued a split opinion in Hunstein v. Preferred Collection & Management Services, vacating its April 21 decision but still finding that the plaintiff had standing to sue. As previously covered by InfoBytes, last April the 11th...
InfoBytes
9th Circuit denies bid to block Arizona’s dealer data privacy law
On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer...
InfoBytes
Office of Science and Technology issues RFI on biometric technology
Earlier this month, the Office of Science and Technology (OSTP) issued a request for information (RFI) on the use of biometric technology. Specifically, the RFI seeks to assist OSTP in understanding “the extent and variety of biometric technologies in past, current, or planned use; the domains in...
InfoBytes
FTC says ISPs provide limited protections for consumer data
On October 21, the FTC reported that internet service providers (ISPs) are able to gather and share large pools of sensitive consumer data while providing limited privacy protections. According to an FTC staff report, ISPs’ data collection and use practices allow them to monitor and record their...
InfoBytes
District Court preliminarily approves $85 million class action privacy settlement
On October 21, the U.S. District Court for the Northern District of California preliminarily approved an $85 million class action settlement to resolve privacy and data security allegations against a video conferencing provider. Class members claimed the company violated several California laws,...
InfoBytes
District Court partially denies company’s motion to dismiss in data breach class action
On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The...
InfoBytes
NIST issues draft cybersecurity framework to mitigate ransomware events
Recently, the National Institute of Standards and Technology (NIST) issued a draft version of its Cybersecurity Framework Profile for Ransomware Risk Management, which proposes recommended steps for organizations to follow to prevent and mitigate ransomware events. The profile identifies...
InfoBytes
Financial Stability Board calls for uniformity in cyber-breach reporting
On October 19, the Financial Stability Board (FSB) released a report calling for a convergence in the reporting of cyber incidents given the digitalization of financial services and the growing use of third-party service providers. According to FSB’s report, Cyber Incident Reporting: Existing...
InfoBytes
Agencies announce new measures to combat ransomware
On October 15, the U.S. Treasury Department announced additional steps to help the virtual currency industry combat ransomware and prevent exploitation by illicit actors. The guidance builds upon recent “whole-of-government” actions focused on confronting “criminal networks and virtual currency...
InfoBytes
District Court grants final approval in BIPA settlement
On October 13, the U.S. District Court for the Northern District of Illinois granted final approval to a $2.6 million class action settlement between a sports entertainment chain (defendant) and a class of former employees, resolving allegations that the defendant was responsible for improperly...
InfoBytes
New York designates October as Cyber Security Awareness Month
On October 14, New York’s Governor Hochul announced a proclamation designating October 2021 as “Cyber Security Awareness Month” in the state as part of an effort to enhance cyber security practices and to encourage awareness about online habits as internet threats continue to grow. According to the...
InfoBytes
New Jersey settles CFA and HIPAA matter with fertility clinic
On October 12, the New Jersey attorney general and the Division of Consumer Affairs announced an action against a healthcare provider alleging that the defendant violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the...
InfoBytes
California clarifies CPRA rulemaking authority timing
On October 5, the California governor signed AB 694. The bill clarifies that the California Privacy Protection Agency (which was given “full administrative power, authority, and jurisdiction to implement and enforce the [California Consumer Privacy Act]”) would assume responsibility for rulemaking...
InfoBytes
Dems urge FTC to enforce children and teen privacy compliance
On October 8, Senator Ed Markey (D-MA) and Representatives Kathy Castor (D-FL) and Lori Trahan (D-MA) sent a letter to FTC Chair Lina Khan urging the Commission to ensure that technology companies comply with their own policies regarding the protection of children’s and teens’ privacy. Among other...
InfoBytes
California expands consumer privacy rights to include genetic data
On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to...
InfoBytes
Delaware Chancery Court rules hotel corporation plaintiff failed to allege particular facts
On October 5, the Court of Chancery of the State of Delaware dismissed a stockholder derivative suit filed against directors of an international hotel corporation arising out of a massive data breach. The court held that the plaintiff was not excused from making a demand on the board because he...
InfoBytes
FTC finalizes settlement with movie subscription service
On October 5, the FTC finalized a settlement with the operators of a movie subscription service, resolving allegations that the respondents violated the FTC Act by denying subscribers access to paid-for services and failed to secure subscribers’ personal information. As previously covered by...
InfoBytes
FTC gives Congress report on privacy and security
Recently, the FTC released a report to Congress regarding the Commission’s actions in strengthening measures to link data privacy and competition enforcement, among other things. The report responds to the Joint Explanatory Statement accompanying the Consolidated Appropriations Act of 2021, P.L...
InfoBytes
District Court grants final approval of $92 million class action settlement over privacy violations
On August 22, the U.S. District Court for the Northern District of Illinois granted final approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (BIPA),...
InfoBytes
District Court: Company must face CCPA class action after ransomware attack
Earlier this summer, the U.S. District Court for the Central District of California denied a motion to dismiss a putative class action accusing a legal services company and its subsidiaries of failing to implement and maintain reasonable security procedures and practices to protect consumers’ data...
InfoBytes
Soltani to head the California Privacy Protection Agency
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban,...
InfoBytes
California Privacy Protection Agency seeks preliminary comments on CPRA proposed rulemaking
On September 22, the California Privacy Protection Agency (CPPA) formally called on stakeholders to provide preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPRA, which established the CPPA to administer, implement, and enforce the act, was approved by...
InfoBytes
California governor signs legislation on identity theft
On September 23, California’s governor signed AB 430, which requires a debt collector to pause collection activities until completion of a review if the debt collector receives a copy of an FTC identity theft report and a written statement from the debtor. Among other things, the bill: (i) alters...
InfoBytes
Democratic senators ask FTC to reconsider privacy rulemaking
On September 20, nine Democratic Senators sent a letter to FTC Chair Lina M. Khan requesting that the FTC draft new rules that better protect consumers’ personal data and privacy. The Senators argued that ongoing data breaches and privacy violations have “shown the limits of the FTC's general...
InfoBytes
Illinois state appellate court applies different limitation periods under BIPA
On September 17, the First District Appellate Court of Illinois held that different limitation periods should be applied to the Biometric Information Privacy Act (BIPA), concluding that while Section 15 imposes various duties that all concern privacy, “each duty is separate and distinct.”...
InfoBytes
District Court denies company’s bid to arbitrate in class action
On September 15, the U.S. District Court for the Southern District of California denied a defendant tech company’s motion to compel arbitration, dismiss or stay a class action lawsuit alleging that it violated the California Invasion of Privacy Act, among other things, by monitoring certain...
InfoBytes
Massachusetts investigating data breach
On September 14, the Massachusetts attorney general announced the launch of an investigation to determine if an international wireless carrier had proper safeguards in place to protect consumer and mobile device information after a major data breach that allegedly compromised personally-identifying...
InfoBytes
FTC says health apps must comply with Health Breach Notification Rule
On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and...
InfoBytes
SEC takes action against firms for cybersecurity procedures
On August 30, the SEC announced sanctions against eight firms in three actions for alleged failures in their cybersecurity policies and procedures that resulted in takeovers of employee email accounts, which exposed the personal information of thousands of customers and clients at...
InfoBytes
FinCEN to host workshop on privacy enhancing digital identity
On August 31, the Financial Crimes Enforcement Network (FinCEN) announced it will host a special Innovations Hours Program on October 14, “focusing on the important role of digital identity to enhance financial services inclusion while supporting efforts to counter illicit activity that undermine...
InfoBytes
Ireland fines U.S. messaging service €225 million for GDPR violations
On September 2, the Irish Data Protection Commission (Commission) announced that a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based messaging service’s handling of individuals’ personal information. The final Article 65 decision, published...
InfoBytes
FTC bans respondents from surveillance business
On September 1, the FTC announced that a data monitoring application and its CEO (collectively, “respondents”) will be permanently banned from the surveillance industry for failing to provide reasonable data security for consumers’ personal information by allegedly “secretly harvesting and sharing...
InfoBytes
New Mexico sues gaming app maker for COPPA violations
On August 25, the New Mexico attorney general filed a lawsuit against an entertainment corporation for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) and New Mexico’s Unfair Practices Act by knowingly collecting and selling personal information from children under the...
InfoBytes
Treasury, Singapore sign cybersecurity cooperation MOU
On August 23, the U.S. Treasury Department and the Monetary Authority of Singapore finalized a bilateral Memorandum of Understanding (MOU) on cybersecurity cooperation. The MOU formalizes and strengthens a strong cybersecurity partnership between the two countries and, among other things, enhances...
InfoBytes
District Court approves $28 million class action settlement over recorded calls
On August 16, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a call center hired by a national bank and its merchant processing servicer (collectively, “defendants”) violated California’s Invasion...
InfoBytes
SEC settles with company over data breach
On August 16, the SEC announced charges against a London-based educational publishing company for its role in allegedly misleading investors regarding a cyber breach that involved millions of student records and had inadequate disclosure controls and procedures in place. According to the SEC’s...
InfoBytes
District Court: Cloud computing company must face class action CCPA claims in data breach suit
On August 12, the U.S. District Court for the District of South Carolina issued a ruling in a consolidated putative class action against a cloud software company alleging several state consumer protection and data reporting law violations related to a 2020 data breach. The plaintiffs asserted that...
InfoBytes
FFIEC gives authentication and access guidance to financial institutions
On August 11, the Federal Financial Institutions Examinations Council (FFIEC) published guidance, on behalf of its members, to provide financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties...
InfoBytes
State AGs ask for faster implementation of STIR/SHAKEN
On August 9, state attorneys general from all 50 states and the District of Columbia, through the National Association of Attorneys General, sent a letter to the FCC urging the Commission to confront illegal robocalls by moving the deadline for smaller telephone companies to implement caller ID...
InfoBytes
FCC takes action against robocalls
On August 5, the FCC announced a “fair and consistent” process for reviewing actions regarding a voice service provider’s ability to comply with the FCC’s anti-spoofing caller ID authentication rules. FCC rules require broad implementation of the STIR/SHAKEN caller ID authentication framework on...
InfoBytes
District Court grants preliminary approval of class action settlement against national convenience store chain
On July 30, the U.S. District Court for the Eastern District of Pennsylvania granted preliminary approval of a settlement in a class action against a national convenience store chain (defendant) for a 2019 data security incident that allegedly compromised consumers’ credit and debit card...
InfoBytes
Global tech corporation fined $888 million for GDPR violations
Recently, a global technology corporation disclosed a 746 million euro (approximately $888 million USD) fine issued by the Luxembourg National Commission for Data Protection (CNPD) for alleged violations of the EU’s General Data Protection Regulation (GDPR). The corporation’s Form 10-Q for second...
InfoBytes
"Shedding light on dark patterns: What financial institutions need to know" by Elizabeth E. McGinn, Amanda R. Lawrence, and Sherry-Maria Safchuk (Cybersecurity Law Report)
Regulators, legislators and private litigants are increasingly looking at how companies attract and conduct business with consumers in online settings, and particularly whether these companies are designing user experiences to manipulate behavior in a way that can prove harmful to the consumer. The...
Articles
5th Circuit overturns ruling that insurer must defend data breach
On July 21, the U.S. Court of Appeals for the Fifth Circuit reversed a lower court’s decision to grant summary judgment for a Houston-based insurer (defendant), finding that publication of material that violates a person’s right of privacy under the insurer’s policy can include making credit card...
InfoBytes
District Court grants final approval to grocery chain data breach settlement
On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which...
InfoBytes
New York expands definition of telemarketing to include text messages
On July 13, the New York governor signed S.3941, which expands the state’s definition of telemarketing to include marketing by text message. A press release issued by the governor noted that expanding the definition closes a loophole in state law that previously limited the definition to phone...
InfoBytes
Connecticut incentivizes businesses to adopt cybersecurity standards
On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards. Among other things, the act provides a complete defense to punitive damages for a cause of action founded in tort claiming a business’ failure to “implement reasonable...
InfoBytes
Biden orders federal agencies to evaluate banking, consumer protections
On July 9, President Biden issued a broad Executive Order (E.O.) that includes provisions related to the financial services industry. CFPB. The E.O. encourages the CFPB director to issue rules under Section 1033 of Dodd-Frank “to facilitate the portability of consumer financial transaction data so...
InfoBytes
District Court grants summary judgment for defendant in identity theft case
On June 30, the U.S. District Court for the Eastern District of Pennsylvania granted a motion for summary judgment in favor of a debt collection agency (defendant) with respect to a plaintiff’s FCRA and FDCPA allegations. The plaintiff alleged that the defendant, among other things, violated the...
InfoBytes
Special Alert: Colorado enacts comprehensive consumer privacy law
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became...
Special Alerts
FTC settles with app for violating COPPA
On July 1, the FTC announced a settlement with the operators of a coloring book app (collectively, “defendants”) for allegedly engaging in unfair or deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). The DOJ, on behalf of the FTC, filed a complaint...
InfoBytes
NYDFS issues ransomware guidance
On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that...
InfoBytes
Florida issues telephone solicitation restrictions
On June 29, the Florida governor signed SB 1120, which prohibits telephone solicitations and sales calls involving an “automated system for the selection or dialing of telephone numbers or the playing of a recorded message” without first receiving the prior express written consent of the called...
InfoBytes
9th Circuit partially reverses lower court’s ruling based on tech company's misleading statements
On June 16, the U.S. Court of Appeals for the Ninth Circuit partially revived a securities fraud action brought by the state of Rhode Island on behalf of its employees’ retirement system against a California-based technology company, its holding company, and several individuals (collectively, “...
InfoBytes
Connecticut amends data security breach provisions
On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection...
InfoBytes
FTC settles with fertility-tracking app
On June 22, the FTC issued a decision and order against a company operating a fertility-tracking mobile app. The order resolved claims that the company shared users’ sensitive health data with various marketing and analytics service providers to the company. The FTC filed a complaint in January...
InfoBytes
District Court: Applying Michigan law is contrary to California’s interest in protecting citizens in data breach case
On June 15, the U.S. District Court for the Eastern District of Michigan denied an e-commerce company’s request to compel arbitration after reviewing whether Michigan or California state law applied to class claims concerning a 2019 data breach. After four actions against the company were...
InfoBytes
Jeffrey P. Naimon quoted in American Banker article, “Banks, consumer advocates unite against tax reporting proposal”
The American Banker discussed in their article, “Banks, consumer advocates unite against tax reporting proposal,” that the financial industry is opposed to the Biden administration’s plan — which would require financial institutions to report customers’ account flow data to the Internal Revenue...
In The News
SEC charges settlement company with cybersecurity disclosure violations
On June 15, the SEC announced charges against a real estate settlement services company for its role in allegedly failing to disclose controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent...
InfoBytes
Nevada updates consumer privacy framework
On June 2, the Nevada governor signed SB 260, which revises certain provisions under the state’s existing privacy law. Among other things, the act (i) adds “data broker” to the existing privacy framework; (ii) exempts certain persons and information collected about a consumer in the state from...
InfoBytes
11th Circuit affirms majority of $380 million data breach settlement
On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a...
InfoBytes
FCC signs robocall enforcement MOU with Australia
On June 3, the FCC announced that it entered into a memorandum of understanding (MOU) with the Australian Communications and Media Authority (ACMA) on providing mutual assistance in the enforcement of laws on certain unlawful communications, such as robocall, robotexts, and “spoofing.” FCC Acting...
InfoBytes
FTC alleges subscription service failed to provide access to paid-for services or secure personal data
On June 7, the FTC announced a complaint and proposed consent order against the operators of a movie subscription service to settle allegations that the respondents denied subscribers access to paid-for services and failed to secure subscribers’ personal information. The FTC alleges in its...
InfoBytes
FinCEN to host workshop on privacy enhancing technologies
On May 26, the Financial Crimes Enforcement Network (FinCEN) announced it will host a special Innovations Hours Program in September “focusing on the important role of privacy-preserving principles in developing technical solutions that enhance financial services innovation while countering illicit...
InfoBytes
New York AG reaches agreement with online retailer to resolve data breach
On May 18, the New York attorney general announced an agreement with an online water filtration retailer to resolve an investigation into a 2019 data breach that allegedly compromised the sensitive personal information of roughly 324,000 customers. According to the AG, the data breach impacted the...
InfoBytes
District Court approves online marketplace data breach settlement
On May 13, the U.S. District Court for the Northern District of California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data...
InfoBytes
NYDFS, insurance company reach $1.8 million cyber breach settlement
On May 13, NYDFS announced a settlement with an insurance company to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication or reasonably equivalent or more secure access controls. Under Part 500.12(b...
InfoBytes
6th Circuit affirms dismissal of FACTA credit card receipt suit
On May 11, the U.S. Court of Appeals for the Sixth Circuit affirmed dismissal of a putative class action for lack of subject matter jurisdiction, holding that while a merchant technically violated the Fair and Accurate Credit Transactions Act (FACTA) by including 10 credit card digits on a customer...
InfoBytes
Defendant obligated to indemnify bank in data breach suit
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data...
InfoBytes
Data breach claims against convenience store chain can proceed
On May 6, the U.S. District Court for the Eastern District of Pennsylvania ruled that a defendant nationwide convenience store chain must face certain claims filed by a group of financial institutions as a result of a 2019 data security incident that allegedly compromised consumers’ credit and...
InfoBytes
FTC settles with photo app developer over its facial recognition technology
On May 7, the FTC announced a final settlement with the developer of a California-based photo app (defendant) for allegedly deceiving consumers concerning its use of facial recognition technology and its retention of the photos and videos of users who previously deactivated their accounts. The FTC...
InfoBytes
2nd Circuit: No standing if PII is uncompromised
On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s dismissal of a proposed class action settlement, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach...
InfoBytes
9th Circuit: Company cannot compel minor children to arbitration
On April 23, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s refusal to compel arbitration against a technology company, concluding that children are not bound by arbitration provisions in their parents’ service contracts with the company. The appeals court held that the...
InfoBytes
FCC issues $4.1 million fine for deceptive robocalls
On April 22, the FCC imposed a $4.1 million fine against a phone carrier for allegedly impersonating other carriers in telemarketing calls and deceiving consumers into changing carriers without consent. The FCC first proposed the fine in 2018 after the agency, state regulators, and the Better...
InfoBytes
Court rules software service provider did not eavesdrop when capturing website data for retailer
On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging a software-services provider for a clothing retailer wiretapped consumers’ communication with the retailer in violation of California’s Invasion of Privacy Act and the California...
InfoBytes
Court certifies two classes in restaurant chain data breach
On April 15, the U.S. District Court for the Middle District of Florida certified a nationwide class and a California-only class of restaurant customers who claim the restaurant chain’s negligence led to a 2018 data breach that compromised their credit card information. The two classes of consumers...
InfoBytes
NYDFS, insurance broker reach $3 million cyber breach settlement
On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are...
InfoBytes
FCC pushes on robocall blocking
On April 13, the FCC took several actions associated with blocking illegal and unsolicited robocalls, including sending cease and desist letters (see here and here) to two carriers that “appear to be transmitting multiple unlawful robocall campaigns” and seeking updated information from all...
InfoBytes
NYDFS updates cybersecurity fraud alert
On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of other techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities...
InfoBytes
Utah creates certain affirmative defenses for data breaches
On March 11, the Utah governor signed HB 80, which provides entities an affirmative defense for a data breach if they follow certain cybersecurity industry standards. Among other things, a “person that creates, maintains, and reasonably complies with a written cybersecurity program” that meets...
InfoBytes
Sherry-Maria Safchuk quoted in Bloomberg Law article, “Additional bills introduced in Illinois, Massachusetts, Minnesota; Virginia law’s approval may up the ante in other states, federally”
Sherry-Maria Safchuk discussed in the Bloomberg Law article “Additional bills introduced in Illinois, Massachusetts, Minnesota; Virginia law’s approval may up the ante in other states, federally” how the recent Massachusetts privacy bill is different than Virginia’s Consumer Data Protection Act...
In The News
California again modifies CCPA regs; appoints privacy agency’s board
On March 15, the California attorney general announced approval of additional regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, 2020. According to the...
InfoBytes
States reach data breach settlement with debt collector
On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million...
InfoBytes
Non-signatory may not arbitrate privacy claims
On March 9, the U.S. District Court for the Southern District of New York denied a global technology company’s motion to compel arbitration in a putative consumer privacy class action, ruling that the technology company is not party to a co-defendant telecommunications company’s terms and...
InfoBytes
Amanda R. Lawrence and Sasha Leonhardt extensively quoted in Cybersecurity Law Report article, “Familiar and fresh mandates in Virginia’s new privacy law”
Amanda R. Lawrence and Sasha Leonhardt were extensively quoted in the Cybersecurity Law Report article, “Familiar and fresh mandates in Virginia’s new privacy law,” which reported on the recently enacted Virginia Consumer Data Protection Act and how it is similar to and yet differs from the...
In The News
NYDFS, mortgage lender reach $1.5 million cyber breach settlement
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide...
InfoBytes
Virginia enacts comprehensive consumer data privacy framework
On March 2, the Virginia governor enacted the Consumer Data Protection Act (VCDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018,...
InfoBytes
Court approves $650 million biometric privacy class action settlement
On February 26, the U.S. District Court for the Northern District of California granted final approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. The settlement resolves consolidated class action claims that the social media...
InfoBytes
"Empire state of privacy: Recent developments in New York’s privacy and cybersecurity laws" by Elizabeth E. McGinn, Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (New York Law Journal)
New York over the past few years has steadily raised the bar on privacy and cybersecurity standards for commercial enterprises, and, along with the European Union and California, is increasingly seen as a pacesetter in this fast-developing area of law. Proposed legislation before its General...
Articles
Convenience store chain agrees to pay $12 million to resolve data security incident
On February 19, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Eastern District of Pennsylvania to resolve data security incident claims. Class members—comprised of a nationwide group of consumers whose...
InfoBytes
CSBS announces new nonbank cybersecurity exam tool
On February 24, during the Nationwide Multistate Licensing System Annual Conference, the Conference of State Bank Supervisors (CSBS) released an updated cybersecurity examination tool designed for nonbank financial company supervision. The tool is intended for state regulators to use during...
InfoBytes
NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data
On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’...
InfoBytes
Florida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include: Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal...
InfoBytes
NYDFS announces cybersecurity fraud alert
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits...
InfoBytes
"What the new information security reporting standards mean for financial institutions" by Jeffrey P. Naimon and James C. Chou (Cybersecurity Law Report)
Regulators recently proposed new rules that would require banking institutions to notify their primary regulators of some computer-security incidents within 36 hours, and service providers to notify regulated entities as soon as possible of any incident affecting its operations for four hours or...
Articles
Insurance company not obligated to indemnify retailer’s payment card claims following data breach
On February 8, the U.S. District Court for the District of Minnesota granted defendant’s motion for summary judgment, ruling that an insurance company is not obligated to indemnify a national retailer (plaintiff) for settlements paid to multiple banks to resolve claims over the costs of canceling...
InfoBytes
11th Circuit: Future identity theft risk does not confer standing
On February 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed dismissal of a class action complaint, which raised several claims against a restaurant following a data breach that exposed customers’ financial information, for the named plaintiff’s lack of standing. According to the...
InfoBytes
NYDFS issues Cybersecurity Insurance Risk Framework
On February 4, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance. The new Cyber Insurance Risk Framework provides guidance for effectively managing cyber insurance risk and is the first guidance released by a U.S...
InfoBytes
Virginia legislature advances privacy bill
Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include: Applicability. The bill will apply to “persons that conduct...
InfoBytes
Court denies tech company's second request for COPPA claim dismissal
On February 2, the U.S. District Court for the District of New Mexico granted a technology company’s motion for reconsideration in part, but denied dismissal of the New Mexico attorney general’s action alleging the company designed and marketed mobile gaming applications (apps) targeted towards...
InfoBytes
FTC finalizes settlement with video conferencing company
On February 1, the FTC finalized a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption offered for securing communications during meetings. As previously covered by InfoBytes, in November 2020...
InfoBytes
Court addresses alternative theories of liability in BIPA class action
On January 28, the U.S. District Court for the Northern District of Illinois denied a motion to reconsider and a motion to certify questions for appeal and stay proceedings pending appeal in a matter concerning class claims that an auto leasing company and its parent company (collectively, “...
InfoBytes
Washington Department of Financial Institutions once again extends “work from home” guidance
On January 29, the Washington Department of Financial Institutions issued interim regulatory guidance to licensed mortgage loan originators and companies that sponsor them relating to temporary remote work. The guidance extends earlier interim guidance (previously covered here, here, here, and...
InfoBytes
Court approves grocery store data breach settlement
On January 25, the U.S. District Court for the Central District of Illinois preliminarily approved a class action settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The preliminary settlement would allow...
InfoBytes
Elizabeth E. McGinn quoted in Bloomberg Law article, “New FTC leadership likely to put consumer privacy in crosshairs”
Elizabeth E. McGinn was quoted in a Bloomberg Law article, “New FTC leadership likely to put consumer privacy in crosshairs,” which examined how the agency will now approach privacy enforcement. “There were significant settlements related to data security issues under Trump, but we’re likely to see...
In The News
Law firm ordered to produce cyberattack report in malpractice action
On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected...
InfoBytes
New York introduces biometric privacy act
On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of...
InfoBytes
Updated Washington State Privacy Act re-introduced
On January 5, the Washington State Privacy Act, SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here.) Highlights...
InfoBytes
Court dismisses data breach claims citing lack of compromised sensitive information
On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia...
InfoBytes
State AGs reach $2 million settlement to resolve data breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised...
InfoBytes
Court grants preliminary approval of CCPA class action settlement
On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the...
InfoBytes
9th Circuit affirms dismissal of data breach class action against online payment firm
On December 17, the U.S. Court of Appeals for the Ninth Circuit affirmed dismissal of a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. As...
InfoBytes
FTC settles with company for data security lapses
On December 16, the FTC announced a settlement with a Nevada-based travel emergency services provider, resolving allegations that the company violated the FTC Act by failing to implement a comprehensive security program to ensure the security of personal consumer information, including sensitive...
InfoBytes
Irish Data Protection Commission fines U.S. social networking company for violating GDPR
On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European...
InfoBytes
Agencies propose computer-security incident notification rule
On December 18, the FDIC, Federal Reserve Board, and the OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM), which would require supervised banking organizations to promptly notify their primary regulator within 36 hours of becoming aware that a “‘computer-security...
InfoBytes
FTC settles with mortgage analytics company over vendor oversight deficiencies
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform...
InfoBytes
FCC: Contractors must get consent to make robocalls under TCPA
On December 14, the FCC released an order concluding that federal and state contractors are subject to the restrictions of the TCPA and must obtain prior express consent to call consumers. The order reverses a 2016 decision, which extended the presumption that “the word ‘person’ [in the TCPA] does...
InfoBytes
FTC orders social media and video streaming companies to provide data on privacy practices
On December 14, the FTC issued orders to nine social media and video streaming companies requiring each company to provide information on their collection, use, and presentation of personal information, including their data gathering and advertising practices. The orders are issued pursuant to...
InfoBytes
Minnesota regulator issues telework guidance
On December 15, the Minnesota Commerce Department issued guidance regarding non-depository financial institution telework. The guidance provides that if the licensed location is still offering financial products or services, employees can work from home to perform tasks as long as the following are...
InfoBytes
California proposes modifying CCPA regs again
On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on October 12, the Department released a third set of proposed...
InfoBytes
FSOC annual report highlights Covid-19 impact on financial stability
On December 3, the Financial Stability Oversight Council (FSOC) released its 2020 annual report. The report reviews financial market developments, identifies emerging risks, and offers recommendations to enhance financial stability. The report also highlights the impact of Covid-19 on the economy...
InfoBytes
Oklahoma extends working from home guidance
On December 7, the Oklahoma Department of Consumer Credit extended, for the sixth time, its interim guidance to regulated entities on working from home (see here, here, here, here, here, and here for previous coverage). The guidance sets forth data security standards required for regulated...
InfoBytes
NYDFS announces cybersecurity toolkit for small businesses
On November 17, NYDFS announced a partnership with a non-profit company to provide a free cybersecurity toolkit to small businesses, including those in the financial services sector. The toolkit is intended to help small businesses strengthen their cybersecurity and to protect themselves and their...
InfoBytes
FTC requires video conferencing provider to improve security safeguards
On November 9, the FTC announced a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption and security offered for securing communications during meetings. The FTC’s complaint alleges that, since...
InfoBytes
California voters approve expanded privacy rights
On November 3, California voters approved a ballot initiative, the California Privacy Rights Act of 2020 (CPRA), that expands on the California Consumer Privacy Act (CCPA). While there are a number of differences between the CPRA and the CCPA, some key provisions include: Adding expanded consumer...
InfoBytes
NYDFS urges regulating social media companies following hacks
On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social...
InfoBytes
Oklahoma regulator extends working from home guidance through end of year
On October 22, the Oklahoma Department of Consumer Credit extended, for the fifth time, its interim guidance to regulated entities on working from home (see here, here, here, here, and here for previous coverage). The guidance sets forth data security standards for regulated entities with...
InfoBytes
California modifying CCPA regs again
On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of...
InfoBytes
G7 urges financial services sector to mitigate ransomware attacks
On October 13, the member nations of the G7 issued a joint statement stressing their commitment to working with the financial services sector to address and mitigate ransomware attacks. The statement highlights the recent increase in ransomware attacks over the last few years and notes that the...
InfoBytes
CSBS and others release ransomware mitigation tool
On October 13, the Conference of State Bank Supervisors (CSBS), joined by the Bankers Electronic Crimes Task Force and the U.S. Secret Service, released a self-assessment tool to help supervised financial institutions mitigate the risk of ransomware attacks. The tool will also help financial...
InfoBytes
FCC seeks comment on TCPA exemptions
On October 1, the FCC issued a Notice of Proposed Rulemaking (NPRM), seeking comment on exemptions already granted under the TCPA allowing certain entities and types of calls to be made using an automatic telephone dialing system. The FCC is required by Section 8 of The Pallone-Thune Telephone...
InfoBytes
Health insurer to pay $48 million to resolve 2014 data breach
On September 30, a multistate settlement was reached between a health insurance company and a coalition of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly compromised the personal information of more than 78 million customers nationwide. According...
InfoBytes
Certain business and employment CCPA exemptions extended to 2022
On September 29, the California governor signed AB 1281, which extends certain exemptions under the California Consumer Privacy Act (CCPA) from January 1, 2021 to January 1, 2022. As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended...
InfoBytes
Rhode Island regulator extends work from home guidance for lenders
On September 28, the Rhode Island Department of Business Regulation, Banking Division, extended previous guidance (previously covered here and here) issued to mortgage loan originators, lenders, loan brokers, and exempt company registrants. The guidance permits working from home, even if the home...
InfoBytes
"6 key ways the California Privacy Rights Act of 2020 would revise the CCPA" by Amanda R. Lawrence and Sherry-Maria Safchuk (Corporate Compliance Insights)
The California Consumer Privacy Act (CCPA), the state’s landmark privacy regulation, became effective only eight months ago – and yet, the California Privacy Rights Act of 2020 (CPRA), a modified version of the CCPA, has garnered enough support to appear on the November 2020 ballot in California...
Articles
Oklahoma regulator amends working from home guidance
On September 23, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here, here, here and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in...
InfoBytes
Oklahoma regulator extends working from home guidance
On September 23, the Oklahoma Department of Consumer Credit extended, for the fourth time, its interim guidance to regulated entities on working from home (see here, here, here, and here for previous coverage). The guidance sets forth data security standards for regulated entities with employees...
InfoBytes
California AG enters into privacy settlement with fertility-tracking mobile app
On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy...
InfoBytes
New York AG settles data breach lawsuit with national coffee chain
On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of...
InfoBytes
"Implementing the CCPA regulations: Are you ready?" by Amanda R. Lawrence, Elizabeth E. McGinn, and Sherry-Maria Safchuk (Cybersecurity Law Report)
The final regulations under the California Consumer Privacy Act, introduced by the California Attorney General last October, became effective on August 14, 2020. The AG has already implemented many of the changes suggested in the public comments, but there are still several open questions that...
Articles
"Data security best practices for licensed lenders' telework" by Sherry-Maria Safchuk and James C. Chou (Law360)
State-licensed/registered brokers, lenders and servicers have increased their focus on data security as the spread of COVID-19 has extended work-from-home orders, and what now seems to be a lasting acceptance of remote work means that the tools used to secure data will remain relevant when the...
Articles
District court preliminarily approves $650 million biometric privacy class action settlement
On August 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. If granted final approval, the settlement would resolve consolidated class...
InfoBytes
District court: BIPA does not violate Illinois constitution
On August 19, the U.S. District Court for the Southern District of Illinois denied defendants’ motion to dismiss claims that they unlawfully collected individuals’ biometric fingerprint data without first receiving informed consent. The court also addressed an argument as to whether the Illinois...
InfoBytes
Final CCPA regulations approved: Overview of changes
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended...
InfoBytes
District court: $925 million statutory damages award not constitutionally excessive
On August 14, the U.S. District Court for the District of Oregon refused to reduce a $925 million statutory damages award against a company found to have violated the TCPA by sending almost two million unsolicited robocalls to consumers. The company argued that the statutory damages award violates...
InfoBytes
Arkansas Securities Department extends work-from-home guidance
On August 18, the Arkansas Securities Department further extended interim regulatory guidance previously issued to licensed mortgage companies, mortgage loan officers, and branch managers. The original interim regulatory guidance, previously covered here, and extended in May, permits mortgage...
InfoBytes
Final CCPA regulations approved
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended...
InfoBytes
"Reopening well: Balancing employee privacy with employee safety" by Elizabeth E. McGinn, Amanda R. Lawrence, and James C. Chou (Corporate Compliance Insights)
Consumer privacy has been a key area of focus over the past several years, but as companies begin return-to-work operations, they discover that employee privacy looms large as well. Well-intentioned companies seeking to keep employees safe risk incurring penalties from a variety of agencies based...
Articles
"Confusion surrounding the Privacy Shield rollback" by Amanda R. Lawrence, Elizabeth E. McGinn, and Magda Gathani
The Court of Justice of the European Union (CJEU) last month invalidated the EU-U.S. Privacy Shield, which over 5,000 companies have relied on as a legal mechanism of transferring data from the EU to the United States.
The European Data Protection Board (EDPB) did not provide a grace...
Buckley Commentary & Analysis
FTC continues to enforce Privacy Shield
On August 5, the FTC Commissioners testified before the Senate Committee on Commerce, Science, and Transportation and discussed, among other things, the agency’s continued enforcement of the EU-U.S. Privacy Shield, despite the recent Court of Justice of the European Union (CJEU) invalidation of the...
InfoBytes
District court approves MDL data breach settlement
On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’...
InfoBytes
NYDFS enforces its cybersecurity regulation for the first time
On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’...
InfoBytes
FCC provides safe harbors for blocking illegal robocalls
On July 16, the FCC issued an order adopting rules to further encourage phone companies to block illegal and unwanted robocalls and to continue the Commission’s implementation of the TRACED Act (covered by InfoBytes here). The rule establishes two safe harbors from liability for the unintended or...
InfoBytes
"Put bank exam council in charge of data privacy" by Jeremiah S. Buckley (American Banker)
From the European Union to California and now other states and countries, data protection and privacy standards going into effect often share the same objectives, but have separate and different regulatory requirements. This creates a confusing array of legal requirements that pose compliance and...
Articles
Court of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its opinion in the Schrems II case (Case C-311/18). In its opinion, the CJEU concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established...
InfoBytes
District court allows data breach claim to proceed against national credit reporting agency
On July 8, the U.S. District Court for the Eastern District of New York allowed a consumer’s claim under New York’s consumer protection law (N.Y. G.B.L. § 349) to proceed against a national credit reporting agency (CRA) for grievances stemming from a 2017 data breach that compromised the consumer’s...
InfoBytes
"Adjusting information security for long-term telework" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Bloomberg Law)
Amid a fast-moving pandemic in the spring of 2020, many companies were forced to adopt remote-work operations almost overnight to maintain critical business functions. This approach initially seemed like a temporary and imperfect solution to maintaining workforce safety while continuing essential...
Articles
California AG publishes CCPA FAQs
The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1...
InfoBytes
District court preliminarily approves $6.8 million TCPA settlement
On July 6, the U.S. District Court for the Eastern District of California granted preliminary approval to a nearly $6.8 million settlement between class members and a collection agency that allegedly violated the TCPA, FDCPA, and California’s Rosenthal Fair Debt Collection Practices Act by making...
InfoBytes
Supreme Court keeps TCPA, severs government-debt exception as unconstitutional
On July 6, the U.S. Supreme Court held in Barr v. American Association of Political Consultants Inc. that the TCPA’s government-debt exception is an unconstitutional content-based speech restriction and severed the provision from the remainder of the statute. As previously covered by InfoBytes,...
InfoBytes
FCC narrows “autodialer” definition
On June 25, the FCC narrowed the Commission’s definition of an “autodialer,” providing that “if a calling platform is not capable of originating a call or sending a text without a person actively and affirmatively manually dialing each one, that platform is not an autodialer and calls or texts made...
InfoBytes
Oklahoma regulator amends working from home guidance
On June 30, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here, here, and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in order for the...
InfoBytes
Amanda R. Lawrence quoted in American Banker article, “Referendum on data privacy coming to California in November”
Amanda R. Lawrence was quoted on June 28, 2020 in an American Banker article, “Referendum on data privacy coming to California in November,” which discussed how the state is giving voters the opportunity to expand the protections of the California Consumer Privacy Act with a new proposal ─ the...
In The News
Privacy initiative makes California ballot
On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California Country Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative...
InfoBytes
"What constitutes reasonable security per Calif. privacy law?" by Amanda R. Lawrence and James C. Chou (Law360)
California Consumer Privacy Act compliance has been focused on developing the policies, procedures and infrastructure to support new privacy rights for California residents, which include, among other things, the right to know what personal information companies have on them, the right to delete...
Articles
FTC settlement requires retailer to provide transaction records to identity theft victims
On June 10, the FTC announced a settlement to resolve Fair Credit Reporting Act (FCRA) allegations against a Wisconsin-based retailer for failing to provide the proper transaction records to identity theft victims. According to the FTC, this is the first time the Commission has used its authority...
InfoBytes
FBI warns of increased mobile banking cyber threats
On June 10, the Federal Bureau of Investigation issued a Public Service Announcement (PSA) cautioning mobile banking application users to remain vigilant of cyber activity. Specifically, the PSA indicated, with a more than 50 percent increase in mobile web application usage since the start of the...
InfoBytes
District court: Plaintiffs whose search terms were disclosed to third parties have standing under Spokeo
On June 5, the U.S. District Court for the Northern District of California issued an order denying a global search engine’s (defendant) motion to dismiss class action claims, ruling that the plaintiffs’ claims met the standing requirement under Spokeo, Inc. v. Robins. The court determined that the...
InfoBytes
FTC settles with app developer for COPPA violations
On June 4, the FTC announced that a children’s mobile application developer agreed to pay $150,000 and to delete the personal information it allegedly unlawfully collected from children under the age of 13 to resolve allegations that the developer violated the Children’s Online Privacy Protection...
InfoBytes
Virginia Bureau of Financial Institutions issues policy statement regarding Covid-19
The Virginia Bureau of Financial Institutions issued a policy statement encouraging supervised financial institutions to work constructively to mitigate the impacts of Covid-19 on Virginia consumers and businesses. The bureau advised licensees that data security, internal controls, and adherence to...
InfoBytes
9th Circuit upholds TCPA liability for reassigned number
On June 2, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s judgment in a TCPA action against a bank, concluding that consent from the person intended to call does not exempt the bank from liability under the TCPA. According to the opinion, the bank’s vendors made over...
InfoBytes
California AG finalizes proposed CCPA regulations, requests expedited review
On June 1, the California attorney general submitted final proposed regulations implementing the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became...
InfoBytes
District court denies arbitration in mobile app BIPA suit
On June 1, the U.S. District Court for the Northern District of Illinois denied a mobile application company’s motion to, among other things, compel arbitration in a class action alleging the company used face-geometry scan technology in violation of the Illinois Biometric Information Privacy Act (...
InfoBytes
Oklahoma Department of Consumer Credit issues an extension to interim guidance regarding temporary operations from home or alternate locations
On June 1, the Oklahoma Department of Consumer Credit issued a Second Amended Interim Guidance that extends previous guidance permitting mortgage loan originators and employees of regulated entities to work from home or an alternate site, as long as certain data security precautions are taken (...
InfoBytes
District court requires bank to produce consultant’s data breach report
On May 26, a magistrate judge of the U.S. District Court for the Eastern District of Virginia ordered a national bank to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the bank’s 2019 data breach, concluding the report was not entitled...
InfoBytes
"TCPA relief for Covid-19 communications could extend to financial institutions" by Ali M. Abugheida and Geoffrey L. Warner (Bloomberg Law)
Financial institutions face unprecedented and rapidly evolving challenges in the wake of the Covid-19 pandemic, including the need to communicate quickly and efficiently with customers in the face of government-issued stay-at-home orders. But the Telephone Consumer Protection Act, with its steep...
Articles
"Privacy and cybersecurity issues in 2020 – What to expect" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Journal of Banking and Finance Law and Practice)
A steady drumbeat of data breaches and growing concern among consumers about how companies are using their personal information will keep regulators, policy-makers and private litigants focused on cybersecurity and privacy in 2020 and beyond. While Congress tentatively explores comprehensive...
Articles
District court allows class autodialer claims to proceed against mortgage lender
On May 18, the U.S. District Court for the Eastern District of Michigan denied a request to dismiss a putative class action concerning alleged violations of the TCPA, ruling that the plaintiff plausibly alleged the mortgage lender (defendant) sent unsolicited texts through the use of an automatic...
InfoBytes
Financial institutions, CRA reach settlement over 2017 data breach
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards...
InfoBytes
District court compels arbitration of biometric privacy suit
On May 15, the U.S. District Court for the Northern District of Illinois granted an online photography company’s motion to compel arbitration in a biometric privacy lawsuit, notwithstanding the company’s unilateral modification of arbitration terms after the lawsuit was filed. According to the...
InfoBytes
$550 million preliminary settlement reached in biometric privacy class action
On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of...
InfoBytes
"Ruling on anti-hacking law may guide fair lending tests" by Jeffrey P. Naimon (Law360)
Regulators, consumer groups, academics and private litigants are grappling with the fair lending implications of the credit models powering the explosive growth in online lending by banks and financial technology firms. The U.S. District Court for the District of Columbia in late March concluded...
Articles
FFIEC discusses cloud computing risk management practices
On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and...
InfoBytes
Court approves $5 billion FTC settlement with social media company
On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy...
InfoBytes
Multi-jurisdiction settlement reached with credit reporting agency over 2017 data breach
On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017...
InfoBytes
Data breach exposes SBA Emergency Injury Disaster Loan program applicants
On April 21, according to reports, the Small Business Association (SBA) acknowledged that it notified almost 8,000 applicants of the Economic Injury Disaster Loan (EIDL) program that their information may have been exposed as part of a data breach. Specifically, the agency stated that on March 25,...
InfoBytes
Supreme Court schedules oral arguments to review TCPA debt collection exemption
On April 15, the U.S. Supreme Court announced it will hear oral arguments via telephone conference on May 6 in a case concerning an exemption to the TCPA that allows debt collectors to use an autodialer to contact individuals on their cell phones without obtaining prior consent to do so when...
InfoBytes
Missouri extends duration of “Stay Home Missouri” order
On April 16, the Missouri Department of Health extended the duration of a prior “Stay Home Missouri” order to May 3, 2020, unless extended or modified. Relying on the Cybersecurity and Infrastructure Security Agency (CISA) advisory memorandum, financial services are considered essential.
InfoBytes
FTC provides guidance on managing consumer protection risks when using AI and algorithms
On April 8, the FTC’s Bureau of Consumer Protection wrote a blog post discussing ways for companies to manage the consumer protection risks of artificial intelligence (AI) technology and algorithms. According to the FTC, over the years the Commission has dealt with the challenges presented by the...
InfoBytes
New York Department of Financial Services issues Covid-19 cybersecurity guidance
On April 13, the New York Department of Financial Services issued guidance on cybersecurity awareness during the Covid-19 pandemic. The guidance identifies three areas of heightened risk: (i) remote working, including the risks associated with less secure internet connections, expanded use of less...
InfoBytes
2nd Circuit joins 9th Circuit in broadening the definition of an autodialer under TCPA
On April 7, the U.S. Court of Appeals for the Second Circuit vacated a district court’s order granting summary judgment in favor of a defendant in a TCPA action. The decision results from a lawsuit filed by a plaintiff who claimed to have received more than 300 unsolicited text messages from the...
InfoBytes
D.C. enacts data breach requirements and consumer protections
On March 26, the mayor of the District of Columbia signed Act 23-268 to expand data privacy and consumer protection measures. Among other things, the “Security Breach Protection Amendment Act of 2020” (i) expands the definition of personal information subject to the Act; (ii) specifies the required...
InfoBytes
FTC and FCC warn VoIP service providers about illegal Covid-19 robocalls
On April 3, the FTC and the FCC sent letters to three Voice over Internet Protocol (VoIP) service providers, warning the companies to stop sending spam robocall campaigns promoting Covid-19 related scams. According to the agencies, “routing and transmitting illegal robocalls, including Coronavirus-...
InfoBytes
"Preparing for private right of action under Calif. privacy law" by Amanda R. Lawrence (Law360)
The California Consumer Privacy Act went into effect at the beginning of this year, and while the California attorney general will not begin enforcing it until July, the private right of action that the CCPA created is available to consumers now. The CCPA expressly provides for a private right of...
Articles
District of Columbia permits mortgage brokers and originators to work from home, delays reporting deadlines
On March 27, the District of Columbia Department of Insurance, Securities and Banking issued guidance to mortgage lenders, mortgage brokers and mortgage loan originators permitting them to work from non-licensed branches or locations during the Covid-19 outbreak. The guidance requires the...
InfoBytes
FINRA provides cybersecurity alert containing measures firms should consider in adjusting to Covid-19
On March 26, FINRA released a cybersecurity alert providing FINRA firms and associated persons with measures they can take to help strengthen their cybersecurity controls in areas where risks may increase in the current environment. The alert contains recommendations concerning the security of...
InfoBytes
"The truth about the California Consumer Privacy Act: Debunking three common misconceptions" by Amanda R. Lawrence, Sherry-Maria Safchuk, and Doris Yuen (Equipment Leasing & Finance Magazine)
The highly-anticipated California Consumer Privacy Act (CCPA) took effect on Jan. 1, 2020, and many businesses are scrambling to understand the applicability of the CCPA’s expansive obligations. The CCPA provides California consumers with the following rights: The right to know and access the...
Articles
FDIC posts Covid-19 FAQs for bankers and bank customers
On March 19, the FDIC issued FIL-18-2020, which highlights frequently asked questions for bank customers and banks affected by Covid-19. The FAQs are available on the FDIC’s Covid-19 webpage. Bank customer FAQs cover questions regarding (i) deposit insurance; (ii) customer access to money; (iii...
InfoBytes
11th Circuit reverses dismissal of “shotgun” FDCPA, FCRA, TCPA pleadings
On March 16, the U.S. Court of Appeals for the Eleventh Circuit partially reversed a district court’s dismissal of a lawsuit against several defendants for alleged violations of the FDCPA, the FCRA, and the TCPA, holding that the plaintiff’s third amended complaint was not filled with “shotgun...
InfoBytes
District court grants summary judgment in favor of bank in TCPA robocall suit
On March 13, the U.S. District Court for the District of New Jersey granted a large bank’s (defendant) motion for summary judgment in a proposed class action alleging that the plaintiff received an unsolicited telemarketing call. The plaintiff—who was himself a TCPA investigator for an attorney—was...
InfoBytes
Vermont enacts data privacy and consumer protections
On March 5, the Vermont governor signed SB 110 to expand data privacy and consumer protection measures in the state. Among other things, SB 110 (i) expands the definition of personally identifiable information (PII) subject to the Security Breach Notice Act to also include taxpayer identification...
InfoBytes
Maine Bureau of Consumer Credit Protection provides guidance to MLOs
On March 18, the Maine Bureau of Consumer Credit Protection provided interim guidance to MLOs, allowing employees to work from home as long as data security provisions are in place, and physical business records are stored only at the licensed main office. The guidance will be effective through May...
InfoBytes
California AG releases second set of modified proposed CCPA regulations
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications...
InfoBytes
Virginia eliminates fee for credit report security freezes
On March 10, the Virginia governor signed HB 509, which amends certain statutory provisions related to fees for security freezes on credit reports. Currently, a credit reporting agency (CRA) may charge a fee of not more than $5 when a consumer or his representative requests a security freeze on...
InfoBytes
"Mitigating crypto UDAAP risk after Ripple ICO ruling" by Ali M. Abugheida (Law360)
Cryptocurrency advocates have long argued that cryptocurrencies are not securities, and therefore not subject to state and federal securities laws. But a district court in California just shed light on whether advocates’ desired outcome also carries a substantial downside: application of state and...
Articles
7th Circuit rejects request to void $17.5 million TCPA settlement
On February 25, the U.S. Court of Appeals for the Seventh Circuit denied a request to overturn a $17.5 million settlement agreement arising out of a national bank’s alleged violations of the TCPA. Six different class actions had been filed against the bank in different federal courts, all alleging...
InfoBytes
CFPB holds symposium on consumer access to financial records
On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes...
InfoBytes
California AG says federal privacy legislation should not include preemption
On February 25, California Attorney General Xavier Becerra sent a letter to the chairmen and ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce, asking lawmakers to not preempt state laws as they draft federal privacy...
InfoBytes
Amanda R. Lawrence quoted in American Banker article, “State privacy bills try to cut banks a break, but not completely”
Amanda R. Lawrence was quoted on January 24, 2020 in an American Banker article, “State privacy bills try to cut banks a break, but not completely,” which discussed how state legislatures are trying to ease the impact of various data privacy and cybersecurity laws on banks, though the proposals all...
In The News
FTC report highlights 2019 privacy and data security work
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including: A $5 billion penalty—the largest consumer privacy penalty to date—against a...