InfoBytes Blog

Financial Services Law Insights and Observations

  • SEC Releases FY 2017 Annual Report on Enforcement Priorities and Results

    Federal Issues

    On November 15, the SEC Division of Enforcement released a report highlighting the division’s priorities for the coming year and summarizing the enforcement actions from FY 2017. Division Co-Directors Stephanie Avakian and Steven Peikin identify and discuss the five core principles that guide their decision making: (i) “Focus on the Main Street Investor”; (ii) “Focus on Individual Accountability”; (iii) “Keep Pace With Technological Change”; (iv) “Impose Sanctions That Most Effectively Further Enforcement Goals”; and (v) “Constantly Assess the Allocation of [the Division’s] Resources.”

    The report highlights the two new initiatives announced in 2017 as key priorities: the Cyber Unit and Retail Strategy Task Force (previously covered by InfoBytes). The report also gives an overview of the 754 FY 2017 enforcement actions, including a summary of the various remedies the Division sought.

  • Missouri AG Announces Investigation Into Tech Company’s Privacy Policies and Use of Consumer Data

    State Issues

    On November 13, Missouri Attorney General Joshua Hawley announced that his office has issued a civil investigative demand (CID) to a major California-based technology company as part of an investigation into suspected violations of the Missouri Merchandising Practices Act and the state’s antitrust laws. The investigation is focused on certain business practices, including, with respect to privacy issues, the company’s collection, use, retention, storage, sale, and dissemination of information and data about its users and their online activities. The CID requests documents and communications related to, among other things, (i) the company’s privacy policies; (ii) the collection and sharing of data that constitutes “personal information” related to the company’s users; (iii) disclosures concerning the collection of consumers’ credit or debit card transactions; (iv) data the company discloses or shares with third parties, and the identification of third-party partners; and (v) how the company tracks users’ online activities. The company has until January 22, 2018 to comply.

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitution of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

  • House Energy and Commerce Subcommittee Examines Consumer Data Security

    Federal Issues

    On November 1, the House Subcommittee on Digital Commerce and Consumer Protection (Subcommittee) held a hearing entitled “Securing Consumers’ Credit Data in the Age of Digital Commerce” to examine: (i) the legal and regulatory framework for consumer reporting agencies, including the Gramm-Leach-Bliley Act and Fair Credit Reporting Act; (ii) current cybersecurity standards, best practices, threats, and vulnerabilities; and (iii) how data breaches relate to incidences of identity theft and fraud. In introductory remarks, Subcommittee Chairman Bob Latta (R-Ohio) acknowledged the need to understand ways to protect against data breaches and secure consumer data. This sentiment was echoed by Full Committee Chairman Greg Walden (R-Or.), who noted in his opening statement that recent data breaches “demonstrate the challenges of protecting consumer information in the digital age.” The full list of witnesses, testimony, and committee background memo is available here.

  • District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

    Privacy, Cyber Risk & Data Security

    On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

    As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

  • European Commission Releases First Annual E.U.-U.S. Privacy Shield Review; Framework Works Well With Room for Improvement

    Privacy, Cyber Risk & Data Security

    On October 18, the European Commission (Commission) released its first annual review of the E.U.-U.S. Privacy Shield (Privacy Shield) framework for transatlantic data transfers, finding that the Privacy Shield “ensures an adequate level of protection for personal data,” but that “there is some room for improving its implementation.” In the report, the Commission’s findings and conclusions cover topics including: (i) redress options for EU individuals; (ii) complaint handling and enforcement procedures to “safeguard individual rights”; (iii) cooperation with European data protection authorities; and (iv) the process for certifying companies under the Privacy Shield. However, the report also makes recommendations for improvement, such as (i) increasing U.S. oversight into whether U.S. companies are complying with the Privacy Shield’s requirements to protect Europeans’ personal data; (ii) conducting regular reviews to ensure companies are not making false claims about their participation in the Privacy Shield; and (iii) establishing a closer means of communication between “privacy enforcers” to develop guidance.

    Acting FTC Chairman Maureen K. Ohlhausen commented on the Commission’s review: “Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Privacy and Data Security program, as highlighted in three recently announced Privacy Shield enforcement actions. We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows.” (See InfoBytes coverage of the three FTC enforcement actions here, and refer here for previous InfoBytes coverage of the Privacy Shield.)

  • CFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation

    Privacy, Cyber Risk & Data Security

    On October 18, the CFPB published guidelines entitled “Consumer Protection Principles” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, obtain authorization from consumers to access their account data residing in separate organizations in order to provide products and services. Earlier this year, industry groups responded to a CFPB request for information and weighed in on the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. (See previous InfoBytes summary here.) Along with the Principles, the CFPB published a summary of stakeholder insights, which highlights the feedback received by the Bureau. Separately, on October 16, Senator Edward J. Markey (D-Mass.) sent a letter to Director Richard Cordray raising concerns about data security during the transfer of consumer data to third-party aggregators and highlighting the need for transparency concerning the use of the data.

    The Principles address the following areas: (i) data access; (ii) data scope and usability; (iii) control of data and informed consent; (iv) payment authorizations; (v) data security; (vi) transparency on data access rights; (vii) data inaccuracies; (viii) dispute rights and unauthorized access resolution; and (ix) mechanisms for efficient and effective accountability.

    Notably, the Bureau recognized that there already exist statutes and regulations that apply to consumer protections in this market. As such, the Principles “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections,” and therefore do not establish “binding requirements.”

  • G-7 Releases Follow-Up Report on Fundamental Elements for Cybersecurity Assessment

    Privacy, Cyber Risk & Data Security

    On October 13, G-7 finance ministers and central bank governors released a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector to provide guidance on G-7 countries’ (Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States) expectations for effective cybersecurity assessments for the financial sector. The non-binding fundamental building blocks contained within the report build upon guidance issued last year by G-7, and provide tools for institutions to evaluate the performance and assessment of cybersecurity practices. (See previous InfoBytes coverage here.) In the current report, G-7 outlines five desirable outcomes organizations can strive to achieve when developing cybersecurity capabilities, along with five assessment components assessors can use when developing effective practices for cyber risk management.

    “Cybersecurity, particularly in the financial sector, is a top priority for the United States, and we are pleased to work with the members of the G-7 to advance a common approach that enhances resiliency,” Treasury Secretary Steven T. Mnuchin stated in a press release announcing the report. “Technology has become the global engine driving innovation and economic growth, and it provides a channel for the financial sector to engage customers and counterparties. However, this trend brings increased cyber risk, which is real, dynamic, and evolving.”

  • OCC Acting Comptroller Shares Thoughts on Opportunities to Reduce Regulatory Burdens

    Federal Issues

    On October 5, OCC Acting Comptroller of the Currency Keith Noreika spoke before the 2017 Midsize Bank Coalition of America Chief Risk Officer Meeting to discuss opportunities for regulatory reform.

    According to Noreika, one area of concern is the adverse effect that arbitrary asset thresholds have on the annual stress test requirements under the Dodd-Frank Act, because the burden “is not commensurate with the systemic risks presented by an institution.” Given the diversity in the business models of banks that have around $10 billion in assets, “regulators need the ability and authority to tailor their supervision to the unique risks presented by individual banks.” Noreika suggested an approach that would give federal banking agencies the authority to tailor statutory stress testing requirements without an asset threshold, thus reducing the incentive for banks to grow beyond the threshold to offset increased costs or to stay below the threshold to avoid unwelcome scrutiny.

    Noreika also urged interagency harmonization of guidance and policies to avoid conflicting regulatory guidance when addressing cybersecurity issues.

    Additionally, Noreika addressed the CFPB’s arbitration rule as an example of the need to work “to ensure regulation is balanced and appropriate by speaking up when we see proposed rules that may adversely affect the business of banking, have systemic effects, or result in perverse unintended consequences.” Noreika stated that prior to the publication of the final arbitration rule, the OCC requested access to the data the CFPB used to develop and support the rule in order to conduct an independent review. However, it was not until after the rule was published that the CFPB made the data available. According to OCC findings, the rule will adversely impact consumers by increasing costs. Community banks, Noreika noted, will also bear the burden of increased legal costs from defending lawsuits.

    Finally, Noreika commented that banks continue to face challenges when trying to implement Bank Secrecy Act compliance programs and adapt to new requirements under TRID, HMDA, and the Military Lending Act.

  • Coalition of State Attorneys General Urges Credit Reporting Agencies to Offer No-Fee Credit Freezes

    Privacy, Cyber Risk & Data Security

    On October 10, a coalition of 37 state attorneys general sent letters (here and here) to the CEOs of two major credit reporting agencies (CRAs), urging them to stop charging fees to consumers seeking credit freezes as a measure to protect against identity theft in light of a third CRA’s massive data breach. On September 15, as previously reported in InfoBytes, 34 state attorneys general sent a letter to the breached CRA’s legal counsel requesting it disable fee-based credit monitoring services. The October 10 letters note that currently seven states prohibit CRAs from charging fees to consumers for credit freezes and at least two other states have proposed legislation that would require CRAs to offer free credit freezes.
