InfoBytes Blog

Financial Services Law Insights and Observations
  • California Company Settles FTC Charges, Agrees to Provide Effective Opt-Out for Consumers

    Privacy, Cyber Risk & Data Security

    On April 21, the FTC announced that it had reached a settlement with a California company, which enables sellers to target digital advertisements to consumers, over allegations that the company violated the FTC Act by deceiving consumers, continuing to track them online and through their mobile devices even after they had opted out of such tracking. According to the 2016 complaint, the company’s privacy policy conveyed to consumers that its “opt-out mechanism would be effective in blocking tailored, anonymous ads on websites and apps. However, the opt-out cookie applied only to mobile browsers, and was not effective in blocking tailored, anonymous ads on mobile applications.” The complaint also alleged that the company used unique device identifiers to track specific consumers even after they had blocked or deleted cookies.

    Following a 30-day public comment period, the Commission voted 2-0 to approve the final order. The order prohibits the company from misrepresenting “the extent to which [it] collects, uses, discloses, retains, or shares” consumers’ information and the ability of consumers to limit, control, or prevent the ways the company uses their data. The company must also direct consumers to a disclosure explaining the types of information it collects and how it uses that information for targeted advertising, and must provide clear, easily accessible opt-out options for consumers who choose not to have their information used in targeted advertising. Notably, in letters responding to two commenters, the Commission stated that although it lacks authority to obtain civil penalties for an initial violation of Section 5 of the FTC Act, once the order is final the company would face civil penalties of up to $40,654 per violation per day for any violation of it, which serves as a compliance incentive and a deterrent to other companies engaging in similar conduct.

    Privacy / Cyber Risk & Data Security FTC

  • FTC Approves Final Orders to Settle Allegations That Companies Misrepresented Participation in International Privacy Program

    Privacy, Cyber Risk & Data Security

    On April 14, the FTC announced final orders against three U.S. companies, resolving allegations that the companies had falsely represented their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system in their online privacy policies (see previous InfoBytes post). Following a 30-day public comment period, the Commission voted 2-0 to approve the final orders, which prohibit the companies from “misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.” In a response letter to one commenter, the Commission stated that although it is not authorized to seek civil penalties for an initial violation, upon approval of the final order one of the companies “will be subject to civil penalties of up to $40,654 per violation per day,” as a compliance incentive and to deter other companies from engaging in similar conduct.

    Privacy / Cyber Risk & Data Security FTC APEC CBPR

  • New Mexico Enacts Data Breach Notification Act

    Privacy, Cyber Risk & Data Security

    On April 6, New Mexico Governor Susana Martinez signed into law the Data Breach Notification Act (H.B. 15), making New Mexico the 48th state to enact a data breach notification law. Under the new law, which is scheduled to take effect on June 16, companies must notify any New Mexico resident (and, in certain circumstances, consumer reporting agencies and the state’s attorney general) following the discovery of a “security breach” involving that resident’s “personal identifying information.” The Act, which unanimously cleared both New Mexico’s House and Senate, also establishes standards for the secure storage and disposal of data containing personal identifying information and provides for civil penalties for violations.

    Under the Act, “personal identifying information” consists of an individual’s first name or first initial and last name in combination with one or more of the following data elements: (i) Social Security number; (ii) driver's license number or government-issued identification number; (iii) account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account; or (iv) biometric data. As in many other states’ breach notice laws, “security breach” is defined as “the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” In practical terms, loss of properly encrypted data alone is not a breach; loss of the data together with the decryption key or process is. Notice to affected residents is not required if the entity “determines that the security breach does not give rise to a significant risk of identity theft or fraud.” The Act also sets out the required contents of, and methods for providing, notification, which generally must be made no later than 45 days after the breach was discovered, including substitute methods where certain criteria are met. Certain entities, including those subject to GLBA or HIPAA, are exempt from the Act’s requirements.

    Notably, the Act does not give New Mexico residents a private right of action; instead it charges the state’s attorney general with enforcing the Act through legal actions on behalf of affected individuals. The Act provides for injunctive relief and/or damages for actual losses, including consequential financial losses. For knowing or reckless violations of the Act, a court may also impose civil penalties of $25,000 or, in the case of a failure to notify, $10 per instance of failed notification up to a maximum of $150,000.

    Privacy / Cyber Risk & Data Security State Issues Data Breach State AG

  • Congress Approves Joint Resolution to Repeal FCC’s Broadband Privacy Rules, Signed into Law by President Trump

    Privacy, Cyber Risk & Data Security

    On April 3, President Trump signed into law a measure (S.J.Res. 34) rescinding the Federal Communications Commission’s (FCC) broadband privacy rules for Internet service providers (ISPs). As previously covered on InfoBytes, the privacy rules, adopted last year in a 3-2 party-line vote under former Democratic FCC Chairman Tom Wheeler, required, among other things, that ISPs obtain express consent from users before using their personal data for marketing purposes. FCC Chairman Ajit Pai has taken the position that the FCC regulations are inconsistent with the Federal Trade Commission’s (FTC) framework, and the FCC had partially stayed the rules in response to multiple petitions for reconsideration. S.J.Res. 34 was approved in the Senate by a 50-48 vote and subsequently passed the House by a 215-205 vote, and was sent to President Trump on Friday for his signature. The President signed the joint resolution into law on Monday evening, repealing the FCC regulations pursuant to the Congressional Review Act, 5 U.S.C. §§ 801-808. Notably, under the Congressional Review Act, once a rule is disapproved the FCC is also barred from reissuing it, or a new rule that is substantially the same, unless a subsequently enacted law specifically authorizes it. The resolution was originally introduced by Sen. Jeff Flake (R-AZ) in early March.

    Privacy / Cyber Risk & Data Security FCC FTC Trump

  • OFR Director Delivers “Reducing the Regulatory Reporting Burden” Remarks at the Financial Data Summit

    Privacy, Cyber Risk & Data Security

    On March 16, the Office of Financial Research (OFR) posted remarks made by Director Richard Berner at the third annual Financial Data Summit hosted by the Data Transparency Coalition. “Reducing the Regulatory Reporting Burden” outlines OFR’s mission to identify areas of “duplication, overlap, and inefficiency in regulatory reporting,” presents steps to be taken in partnership with the Financial Stability Oversight Council (and its member agencies) to “improve data quality and reduce the reporting burden [by] requiring standards, including precise and agreed-on definitions, identifiers, and formats; industry-regulator agreement on essential data elements; adherence to best practices in data collection; and more data sharing among regulators,” and seeks participation and input from the private sector.

    Privacy / Cyber Risk & Data Security OFR Data Collection / Aggregation

  • FCC, FTC Issue Joint Statement on Broadband Data Security Regulation; Senate Resolution Introduced to Repeal FCC Privacy Rules

    Privacy, Cyber Risk & Data Security

    On March 1, FCC Chairman Ajit Pai and acting FTC Chairman Maureen K. Ohlhausen issued a Joint Statement announcing an FCC Order (Stay Order) staying the effective date of the data security provisions (47 C.F.R. § 64.2005) adopted by the Commission late last year as part of its Broadband Privacy Order, while the Commission and Congress consider an appropriate resolution of the broader Net Neutrality proceeding. Absent a stay, the rule was set to take effect on March 2. Beyond explaining the Stay Order, the Joint Statement effectively serves as a commitment by both the FCC and FTC to return “jurisdiction over broadband providers’ privacy and data security practices … to the FTC, the nation’s expert agency with respect to these important subjects.” The statement also highlights what might be considered a guiding principle of the new leadership at both agencies, namely that “[a]ll actors . . . should be subject to the same rules” and “[t]he federal government shouldn’t favor one set of companies over another.”

    The Stay Order arose out of the Commission’s October 2016 decision adopting the Broadband Privacy Order with new “sector-specific privacy rules” that the FCC determined were “necessary to address the distinct characteristics of telecommunications services.” The final Broadband Privacy Order was published in the Federal Register (81 Fed. Reg. 87,274) on December 2, 2016.

    The final rules marked a substantial change from the original language of the order as proposed in March 2016, where the Commission “propose[d] to apply the traditional privacy requirements of the Communications Act to . . . broadband Internet access service (BIAS).” Then-Commissioner and current FCC Chairman Pai strongly disagreed at the time, filing a dissenting statement in which he argued that “it makes no sense” for the FCC to enact “rules that apply very different regulatory regimes based on the identity of the online actor” because, among other reasons, doing so would inhibit competition in the online advertising market and “lead to consumer confusion about which online companies can and cannot use their data.” Thereafter, eleven separate timely petitions to reconsider the October 2016 Order were filed, along with a petition requesting that the Commission stay the Order’s effective date.

    The decision to delay the effective date of the data security rule relied on Chairman Pai’s earlier argument that the rule as adopted is not consistent with current FTC privacy standards. The Commission therefore found the March 2 effective date to rest on the incorrect assumption that “carriers should already be largely in compliance with these requirements because the reasonableness standard adopted in [the] Order . . . resemble[] the obligation to which they were previously subject pursuant to Section 5 of the FTC Act.” As Chairman Pai made clear in the Joint Statement, “[t]he stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rule.”

    Notably, shortly after the release of the Joint Statement, on March 7, Sen. Jeff Flake (R-Ariz.), chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, introduced a joint resolution formally providing for “congressional disapproval” of 81 Fed. Reg. 87,274, i.e., the Broadband Privacy Order referenced above, under the Congressional Review Act (CRA). The CRA is a 1996 law that empowers Congress to repeal federal regulations by joint resolution. According to a statement released by his office, Sen. Flake, who has long opposed the privacy regulations at issue, sent a letter in January of last year to then-FCC Chairman Tom Wheeler expressing concern that the FCC was “overreaching its authority” with its planned broadband regulations. On May 11, 2016, the Arizona Senator chaired a Privacy, Technology and the Law Subcommittee hearing seeking “answers on the legality of the proposed FCC rules and the consequences for consumers and the future of the internet.” Most recently, on March 1, Sen. Flake wrote a Wall Street Journal op-ed laying out his position on the matter.

    Privacy / Cyber Risk & Data Security FCC FTC U.S. Senate

  • Industry Groups Submit Letters in Response to CFPB’s Request for Input on Comment Letter

    Consumer Finance

    As previously covered in InfoBytes, on November 17 the CFPB launched an inquiry into the benefits and risks of consumers authorizing third parties to access their financial and account information held by financial service providers. In response to the Bureau’s Request for Information (Dkt. No. CFPB-2016-0048), consumer and industry groups have offered their positions on the issue. Several of the comment letters are summarized below:

    American Bankers Association (ABA). The ABA submitted a comment letter noting that “technology is fundamentally changing the way financial services are being delivered,” but urging the CFPB, subject to certain enumerated regulatory limitations, to “fairly address[] both the opportunities and risks” in order to “give consumers innovative services that they can trust.” Among other things, the ABA discussed the need for the Bureau to clarify data aggregators’ responsibility for maintaining the privacy and security of consumer financial data. Specifically, the ABA recommended that the CFPB: (i) impose breach notification obligations on aggregators; (ii) confirm how liability is assigned under Regulation E; (iii) subject larger data aggregators to supervisory oversight; and (iv) educate consumers about the choices, responsibilities, and risks involved.

    Financial Services Roundtable (FSR). FSR and its technology policy division responded with a letter highlighting the importance of innovation and collaboration and outlining five core elements the group believes should be considered in assessing this "evolving ecosystem." These elements are: (i) security and privacy; (ii) data access and use transparency; (iii) clarity of liability; (iv) customer choice and control; and (v) technology neutrality. FSR also encouraged the CFPB to avoid unnecessary rulemaking or standard-setting that would “blunt innovation.”

    Independent Community Bankers of America (ICBA). The ICBA urged the CFPB, subject to certain enumerated regulatory limitations, to carefully consider the privacy, regulatory burden, data security, and legal implications of third-party account access. Among other things, the ICBA expressed concern that “non-bank entities” do not take the same care in protecting consumer privacy and data as community banks, and stated that community banks “must be able to protect customer data without having to meet new regulatory mandates which increase the risk of breach and/or consumer loss.” The ICBA’s letter also stated that consumers’ right to access their own information should be balanced against ensuring that consumer privacy is not needlessly threatened.

    Americans for Financial Reform (AFR). AFR and a coalition of consumer groups set forth the position that “the digital economy should ensure consumers can access and use records about themselves, and that consumers can choose to authorize third-parties to access such data on their behalf to support their financial health and facilitate competition among financial services providers.” Among other things, the letter stressed the need for “standards to enforce compliance with Section 1033 to benefit consumers who utilize online data aggregation and other applications.” The letter also urged the CFPB to confirm that consumers “retain their legal protections vis-a-vis account-holding institutions if unauthorized charges are made to their accounts when they use data aggregation services.”

    Financial Innovation Now (FIN). FIN expressed the view that regulation of permissioned access to consumer financial account data is “not necessary at this time.” Instead, FIN argued for “standards for permissioned access to consumer financial account data,” which could be “developed by industry, regularly reviewed and updated.” Ultimately, FIN pushed for consumers to be able to access their financial account data “securely and easily, using whatever secure application or technology they wish, without charges or restrictions that unreasonably favor any one application or technology over another.”

    Consumer Finance Privacy / Cyber Risk & Data Security CFPB

  • U.S. Companies Settle FTC Charges that They Deceived Consumers About International Privacy Program Participation


    On February 22, the FTC announced that it had reached settlements with three U.S. companies over charges that the companies falsely represented their participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system in their online privacy policies. Participation in the APEC CBPR system requires an official review and certification, a process that, according to the three complaints, none of the companies underwent. The complaints alleged that the companies’ statements that they participated in the APEC CBPR system were deceptive in violation of the FTC Act. The settlement terms bar the companies from “misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”

    Courts Privacy / Cyber Risk & Data Security FTC APEC CBPR

  • FDIC Releases 2016 Annual Report; Separately, FDIC’s OIG Issues Report Critical of Bank Service Provider Contracts

    Privacy, Cyber Risk & Data Security

    On February 15, the FDIC released its 2016 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results, and other aspects of FDIC operations.

    Separately, on the same day, the FDIC’s Office of Inspector General (OIG) released an Audit Report (EVAL-17-004) on the adequacy of a small random sample of contracts between FDIC-supervised institutions and their technology service providers (TSPs), measured against federal law and banking agency guidance on customer privacy protection and the management of third-party relationships. All sampled contracts had been designated as “critical” or “high” risk to the supervised institutions’ operations. The OIG specifically evaluated, and generally found insufficient, the clarity of contract provisions on TSP obligations regarding: (i) business continuity planning; and (ii) responding to and reporting on cybersecurity incidents. Despite the insufficiencies noted, the OIG acknowledged that because many of the contracts were negotiated before some of the relevant guidance was issued, “more time is needed to allow FDIC and FFIEC efforts to have a demonstrable” impact on contractual language.

    As a result of these findings, the OIG recommended—and FDIC management agreed—that the agency, after allowing appropriate time for current guidance to be implemented, conduct a “full horizontal review to assess” any continued presence of the contractual insufficiencies noted in the report. The FDIC will “prepare” that horizontal review in 2018.

    Privacy / Cyber Risk & Data Security FDIC FFIEC OIG

  • Federal Judge Sentences Hacker to Eight Years for Cyber Heists that Caused More than $55 Million in Losses


    On February 10, the United States Attorney for the Eastern District of New York announced that the Honorable Kiyo A. Matsumoto had sentenced a Turkish citizen to eight years in prison for organizing and carrying out three cyber-attacks on global financial institutions between 2011 and 2013 that resulted in more than $55 million in losses. Last March, the defendant pleaded guilty to “computer intrusion conspiracy, access device fraud conspiracy, and effecting transactions with unauthorized access devices.” Specifically, the defendant and his associates were alleged to have repeatedly hacked into debit card processing systems, manipulated account balances, stolen customers’ PINs, and transferred that information to associates who encoded the stolen data onto debit cards in order to make fraudulent ATM withdrawals. The DOJ further alleged that the hackers targeted the databases companies maintained for prepaid debit cards and effectively eliminated the card accounts’ withdrawal limits, enabling what are known as “unlimited operations.” The defendant was also ordered to pay $55,080,226.14 in restitution as part of his sentence.

    Courts Privacy / Cyber Risk & Data Security Cybersecurity Financial Crimes