InfoBytes Blog

Financial Services Law Insights and Observations

  • 8th Circuit affirms $17 million class settlement for retailer data breach

    Courts

    On June 13, the U.S. Court of Appeals for the 8th Circuit affirmed the district court’s ruling approving a $17 million class settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and the theft of personal information of up to 110 million people. The settlement, which consists of $10 million in consumer redress and almost $7 million in plaintiffs’ attorney fees, was preliminarily approved in 2015 by the district court (previously covered by InfoBytes here) but was remanded to the district court by the 8th Circuit for failing to conduct the appropriate pre-certification analysis. After the district court recertified the class, two settlement challengers appealed, arguing that the class was not properly certified because there was no separate counsel for the subclasses, and that the court erred in approving the settlement because the award of attorney’s fees was not reasonable. The appellate court disagreed, holding that no fundamental conflict of interest required separate representation for named class members and class members who suffered no actual losses. The court also concluded that the 29 percent of the total monetary payment awarded to the plaintiffs’ attorneys was “well within the amounts [the court] has deemed reasonable in the past” and therefore the district court did not err in exercising its discretion.


    Tags: Courts, Appellate, Eighth Circuit, Class Action, Data Breach, Privacy/Cyber Risk & Data Security
  • Illinois, Connecticut, and Hawaii pass security freeze legislation

    Privacy, Cyber Risk & Data Security

    On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately. The act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.

    This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.

    On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.

    Tags: Privacy/Cyber Risk & Data Security, State Issues, State Legislation, Security Freeze, Data Breach, Credit Reporting Agency
  • District Court grants preliminary injunction in FTC search engine suit

    Courts

    On June 6, the U.S. District Court for the Southern District of Florida granted the FTC’s request for preliminary injunction against an individual defendant and the company he owns and manages (stipulating defendants) for allegedly violating the FTC Act by making robocalls to small business owners claiming they represented a global search engine and could guarantee top search result placements. The stipulating defendants are part of a larger group of Florida-based companies, affiliates, and representatives (defendants) identified in the FTC’s 2018 complaint. According to the FTC’s May 23 press release, the defendants—who allegedly have no relationship with the search engine—threatened to remove companies from the search engine’s results or label them as “permanently closed” unless they accepted the robocall and paid a fee to participate in the defendants’ program. The complaint also claimed that the defendants—who lost the ability to accept payments by credit card after their merchant account was closed due to high chargeback rates—allegedly “took money, usually $100, from at least 250 of their prior or existing customers’ checking accounts without those customers’ advance knowledge, consent, or authorization, and with no apparent reason or justification.”

    In granting the preliminary injunction, the court found that there exists “good cause” to believe the FTC’s allegations against the stipulating defendants, and that the FTC is “likely to prevail on the merits of this action.” The injunction, among other things, blocks the stipulating defendants from continuing with their business, freezes their assets and records, and orders the appointment of a receiver to take control over those assets. A temporary restraining order was also issued against all defendants on May 8.

    Tags: Courts, FTC, Robocalls, Privacy/Cyber Risk & Data Security, FTC Act
  • 11th Circuit vacates FTC data security cease and desist order issued against medical testing laboratory

    Courts

    On June 6, the U.S. Court of Appeals for the 11th Circuit vacated an FTC cease and desist order (Order) that directed a Georgia-based medical testing laboratory to overhaul its data security program, ruling that the Order was unenforceable because it lacked specifics on how the overhaul should be accomplished. In 2013, the FTC claimed that the laboratory’s violation of Section 5(a) of the FTC Act constituted an “unfair act or practice” by allegedly failing to implement and provide reasonable and appropriate data security for patient information. The now defunct laboratory argued, among other things, that the FTC did not have the authority under Section 5 to regulate how it handled its data security measures. But the three-judge panel chose not to rule on the broader question about the scope of the FTC’s Section 5 data security authority, choosing to focus its decision on the Order. As previously covered in InfoBytes, in 2016 the FTC reversed an Administrative Law Judge’s Initial Decision to dismiss the 2013 FTC complaint, ordering the laboratory to, among other things, employ reasonable security practices that complied with FTC standards.

    After the Order was issued, the laboratory asked the 11th Circuit to decide whether the FTC’s Order was “unenforceable because it does not direct it to cease committing an unfair ‘act or practice’ within the meaning of Section 5(a).” The 11th Circuit agreed to stay enforcement of the Order and ultimately permanently vacated it. “In the case at hand, the cease and desist order contains no prohibitions,” the panel wrote. “It does not instruct [the laboratory] to stop committing a specific act or practice. Rather, it commands [the laboratory] to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable.” The court concluded that “[t]his is a scheme that Congress could not have envisioned.”

    Tags: Courts, FTC, Privacy/Cyber Risk & Data Security, Eleventh Circuit, Appellate, FTC Act
  • FTC files complaint against two operations allegedly responsible for making billions of illegal robocalls

    Privacy, Cyber Risk & Data Security

    On June 5, the FTC announced charges filed against two individuals and their related operations (defendants) for allegedly facilitating billions of robocalls to consumers across the country through a telephone dialing platform in violation of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule. According to the complaint filed in the U.S. District Court for the Central District of California, the alleged misconduct—dating back to 2001—centered around the principal and owner of a group of companies that operated and developed a computer-based telephone dialing platform, and a second individual defendant and his group of call center businesses that paid for the development and use of software designed to make autodial telephone calls and deliver prerecorded messages. The FTC alleged that for many years the two individual defendants jointly owned and operated businesses that resold access to a “bundle of services”—referred to as a “one-stop-shop for illegal telemarketers”—that provided, among other things, (i) servers to host the autodialing software, as well as the physical space housing the servers; and (ii) the ability to make calls using “spoofed” caller ID numbers, which made it look as if the calls came from a consumer’s local area code. According to the FTC, this “bundle of services” became so widely used within the industry that it has been named in at least eight other FTC lawsuits centered on the facilitation of unlawful calls. Among other things, the charges against the defendants include assisting with illegal robocalls, calling with prerecorded messages, calling numbers on the National Do Not Call Registry, calling with spoofed caller IDs, and abandoning calls. The FTC seeks civil monetary penalties, a permanent injunction against the defendants to prevent future violations, and reimbursement of costs for bringing the action.

    Tags: Privacy/Cyber Risk & Data Security, FTC, Robocalls, FTC Act, Telemarketing Sales Rule, Telemarketing and Consumer Fraud and Abuse Prevention Act
  • Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement

    Privacy, Cyber Risk & Data Security

    On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:

    • In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
    • If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
    • Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
    • If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.

    The law also includes security and notification requirements for Colorado governmental entities.

    Tags: Privacy/Cyber Risk & Data Security, State Issues, State Legislation, Data Breach, Consumer Protection
  • Louisiana governor amends data breach notification law; passes security freeze legislation

    Privacy, Cyber Risk & Data Security

    On May 20, the Louisiana governor signed SB361 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state or that own or license computerized data to (i) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” and (ii) take “all reasonable steps” to destroy documents containing personal information once they no longer need to be retained. Key amendment highlights are as follows:

    • revises definitions, which include (i) defining “breach of the security of the system” to now apply to “the compromise… of computerized data that results in, or there is a reasonable likelihood to result in. . .” unauthorized acquisition and access; and (ii) revising the definition of “personal information” to include residents of the state, and include passport numbers and biometric data;
    • requires entities to notify affected individuals within 60 days of the discovery of a data breach—pending the needs of law enforcement—and further stipulates that if a determination is made to delay notification, the Attorney General must be notified in writing within the 60-day period to receive an extension of time;
    • provides that substitute notification—consisting of email notification, a notice posted to the entity’s website, and notifications to major statewide media—may be provided should the entity demonstrate that (i) the cost of the notification would exceed $100,000; (ii) the affected class of persons exceeds 100,000; or (iii) the entities lack sufficient contact information; and
    • states that violations of the Database Security Breach Notification Law constitute an unfair act or practice.

    The amendments take effect August 1.

    Separately, on May 15, the governor signed SB127, which prohibits credit reporting agencies from charging a fee for placing, reinstating, temporarily lifting, or revoking a security freeze. The bill became effective upon signature by the governor.

    Tags: Privacy/Cyber Risk & Data Security, State Issues, State Legislation, Security Freeze, Data Breach
  • OCC highlights key risks affecting the federal banking system in spring 2018 semiannual risk report

    Federal Issues

    On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest rate risk. While the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)

    Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA previously considered a key risk have been downgraded to an issue to be monitored.

    Tags: Federal Issues, Agency Rule-Making & Guidance, OCC, Risk Management, Bank Regulatory, Third-Party, Bank Secrecy Act, Anti-Money Laundering, TILA, RESPA, Privacy/Cyber Risk & Data Security, Vendor Management
  • Court denies plaintiff’s motion for summary judgment in TCPA action, questions accuracy of report citing number of robocalls

    Courts

    On May 21, the U.S. District Court for the Southern District of California denied a plaintiff’s motion for summary judgment against a solar company that she claimed made multiple unwanted robocalls to her cell phone, holding that questions remained about the accuracy of a report identifying the number of illegal calls the company allegedly placed. The plaintiff filed a putative class action complaint asserting that the company, in order to market products and services, violated the Telephone Consumer Protection Act (TCPA) when it used a “predictive dialer” to contact cell phone numbers the company bought from third parties. The plaintiff further claimed that none of the alleged call recipients had provided prior express consent to receive the calls, and that an expert retained by the plaintiff found that the company had made 897,534 calls to 220,007 unique cell phones. After the class was certified, the plaintiff moved for summary judgment, requesting that class members be awarded damages available under the TCPA of $1,500, or $500 per call.

    While the court determined that there is no argument as to the plaintiff’s TCPA claim concerning whether the company made telemarketing calls (and failed to receive prior express consent), a dispute remained over whether the plaintiff had “carried its burden of demonstrating” that the high number of calls cited in the report were actually made. First, the court stated that, because the company “stipulated that the [p]laintiff’s expert in fact reached a certain conclusion, it does not follow that [the company] stipulated to the accuracy of the conclusion.” Second, the court held that, since a reasonable jury could find the report’s “conclusions are flawed for any number of reasons,” a fact issue as to the report’s accuracy remained. A settlement conference has been set for June 6.

    Tags: Courts, TCPA, Class Action, Robocalls, Privacy/Cyber Risk & Data Security
  • Vermont legislation regulates data brokers and provides consumer protections

    Privacy, Cyber Risk & Data Security

    On May 22, a Vermont bill, established to regulate data brokers and provide consumers with protections against companies that collect, analyze, and sell their personal information, was enacted without the governor’s signature. Among other things, H.764: (i) requires data brokers to pay a $100 fee to register annually with the Vermont Secretary of State and publicly disclose information about data collection practices and opt-out policies; (ii) requires companies to implement measures to ensure they have “adequate security standards” to safeguard against data breaches; (iii) prohibits the “acquisition of personal information with the intent to commit wrongful acts”; and (iv) prohibits credit reporting agencies from charging consumers fees for the placement, removal, or temporary lift of a security freeze. The credit freeze provisions became effective upon passage. The data broker provisions take effect January 1, 2019.

    Tags: Privacy/Cyber Risk & Data Security, State Issues, State Legislation, Data Breach, Data Brokers