
InfoBytes Blog

Financial Services Law Insights and Observations

  • Virginia governor enacts amendment relating to security freeze fees

    State Issues

    On March 9, the governor of Virginia signed House Bill 1027, which amends sections of the Code of Virginia relating to security freezes and lowers the maximum amount that a credit reporting agency may charge to place, remove, or lift a security freeze on a protected consumer’s credit report from $10 to $5. Victims of identity theft remain exempt from the fee. The amendment takes effect July 1.

    State Issues State Legislation Data Breach Privacy/Cyber Risk & Data Security

  • California judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach

    Privacy, Cyber Risk & Data Security

    On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot seek claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach. 

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach

  • 9th Circuit reinstates class action data breach lawsuit against online retailer


    On March 8, the U.S. Court of Appeals for the 9th Circuit reinstated a putative class action lawsuit against an online retailer, concluding that the increased risk of identity theft resulting from a 2012 data breach affecting over 24 million shoppers gave consumers Article III standing to sue. The three-judge panel held that the district court erred in dismissing claims brought by consumers who did not allege financial losses as a result of the data breach because the stolen information provided hackers the “means to commit fraud or identity theft.” The panel noted that evidence that another group of consumers had suffered financial losses from the same data breach undermined the argument that the data stolen would not lead to fraud or identity theft. In addition, although the defendant asserted that too much time had passed since the data breach for any harm to be considered imminent, the panel found that determining jurisdiction requires an assessment of a plaintiff’s standing at the time the suit was filed, and that the risk of harm was sufficiently imminent at the time of filing. The 9th Circuit remanded the case to the lower court for review.

    The panel also addressed a separate appeal by the class on the district court’s decision not to enforce a purported settlement agreement, affirming the lower court’s decision “because the parties did not have a meeting of the minds on all essential terms of the agreement.”

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach Class Action

  • House Financial Services Committee holds hearing on data security, breach notifications

    Privacy, Cyber Risk & Data Security

    On March 7, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime” to discuss data security and breach notification rules and cybersecurity supervision and examination standards for reporting agencies. Subcommittee Chairman Blaine Luetkemeyer, R-Mo., opened the hearing by stating that “[f]orty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted differing laws requiring private companies to notify individuals of breaches of personal information,” and emphasized the need for a “national solution” to create data security safeguards and responsible notification processes.

    Legislation. The hearing discussed two legislative proposals sponsored by Representatives Luetkemeyer and Patrick McHenry, R-NC, respectively: the “Data Acquisition and Technology Accountability and Security Act” (DATAS Act) and the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017” (PROTECT Act). The DATAS Act would, among other things, (i) establish broad standards for data protection across industries; (ii) create new federal post-data breach notification requirements; and (iii) establish steps that covered entities must take to notify regulators, law enforcement, and victims after certain types of data breaches. Included within the PROTECT Act are provisions that would (i) subject large consumer reporting agencies to cybersecurity supervision and examination measures; (ii) amend the FCRA to allow consumers to request that security freezes be placed, removed, or temporarily lifted on their credit reports; (iii) address fees and exceptions from such fees; and (iv) prohibit consumer reporting agencies from including a consumer’s Social Security number in a credit report or using it as a method to identify a consumer.

    Hearing Testimony. The hearing’s four witnesses provided testimony related to current issues with data breaches and protecting consumer information, and commented on the inconsistencies in data breach laws. Among the issues discussed were (i) the challenges of creating a “universal, unique identifier” separate from a Social Security number; (ii) efforts to establish streamlined, uniform, national data breach notification, security, and credit freeze standards; and (iii) the need for U.S. businesses that handle sensitive financial information to implement measures to protect the data and maintain consumers’ trust. Massachusetts Assistant Attorney General and Director of Data Privacy & Security for the Attorney General’s Consumer Protection Division, Sara Cable, stated in her written testimony and during the hearing that the proposed DATAS Act’s consumer notice provisions would “leave consumers in a worse position than the status quo.” She also expressed concern that the bill “allows entities to push the cost of the data security crisis onto consumers without providing any meaningful remedy, strips the state Attorneys General of the authority they are presently and actively using to protect their consumers from breaches, and hamstrings efforts of the States to enact laws in response to future risks in an era of increasing and rapidly evolving technology.”

    Privacy/Cyber Risk & Data Security House Financial Services Committee Data Breach FCRA Federal Legislation

  • Pennsylvania Attorney General sues ride-sharing company for 2016 data breach

    State Issues

    On March 5, the Pennsylvania Attorney General filed a lawsuit against a ride-sharing company for violating Pennsylvania’s Breach of Personal Information Notification Act (BPINA) because of its failure to disclose a 2016 data breach caused by hackers. The complaint alleges that after the company became aware of the breach, it “paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet.” According to the complaint, the breached data included the private information of at least 13,500 Pennsylvania drivers. The Attorney General asserts that, under the BPINA, the company must provide notice to the affected residents without unreasonable delay. Instead, the company waited until November 2017 to disclose the incident. Among other things, the complaint seeks civil penalties in the amount of $1,000 or $3,000, depending on the consumer’s age, for each individual BPINA violation.

    The Pennsylvania lawsuit follows similar lawsuits by the City of Chicago and Washington State, previously covered by InfoBytes here.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General Courts

  • Nebraska, South Dakota enact legislation relating to security breaches and credit freezes

    Privacy, Cyber Risk & Data Security

    On March 1, the governor of South Dakota signed House Bill 1078 to revise certain provisions addressing the removal of credit security freezes. The amended act states that a security freeze will remain in place until a consumer requests the removal from the consumer reporting agency. The consumer reporting agency is then required to remove the freeze within three business days. Separately, on February 27, the governor signed House Bill 1127 (HB 1127) to revise certain provisions concerning fees charged for security freezes. Among other things, HB 1127 prohibits consumer reporting agencies from charging a fee for placing or removing a security freeze, and stipulates that a consumer reporting agency may advise a third party that a consumer’s credit report has been frozen.

    On February 28, the governor of Nebraska approved Legislative Bill 757 strengthening certain provisions of the state’s Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006. Among other things, the amendments state that (i) any individual or commercial entity in the state that possesses computerized data containing personal information of Nebraska residents must maintain reasonable security and disposal procedures and practices; (ii) nonaffiliated third-parties with access to personal information must also maintain reasonable security and disposal procedures; and (iii) consumer reporting agencies must provide services free-of-charge for the placement or removal of a credit security freeze. The legislation also outlines additional violations under which the Nebraska Attorney General can 

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach

  • House Financial Services Committee holds hearing on current data security regulatory regime

    Privacy, Cyber Risk & Data Security

    On February 14, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Examining the Current Data Security and Breach Notification Regulatory Regime” to discuss opportunities to reform data security regulations at the federal and state level in order to close gaps in the regulations and reduce vulnerabilities in the system. Subcommittee Chairman Blaine Luetkemeyer (R-Mo.) opened the hearing by stating that (1) technological advancements are paired with increasingly sophisticated threats to data security; and (2) data breaches seem to be increasing in number and severity. Luetkemeyer emphasized that the time has come to consider regulatory reform to address these complex issues.

    The hearing’s five witnesses offered numerous insights related to the current issues with data security. Among the issues discussed were the significance of the global data threats the U.S. faces today and the cost they have on the public’s trust in technology. Several witnesses commented on the inconsistencies in state data breach laws and offered suggestions for future regulatory reform, such as federal legislation that (i) requires companies to maintain reasonable data security policies; (ii) implements prompt consumer notification requirements of suspected breaches; and (iii) contains a safe harbor for compliance with federal data security standards. The hearing also had significant discussion regarding whether a new federal law should preempt current state laws in their entirety. The discussion recognized the challenges of pursuing a preemption approach. On one hand, partial preemption would not solve the inconsistencies that exist today; on the other, total preemption may replace state laws that currently provide strong protections with a weaker national standard.

    Privacy/Cyber Risk & Data Security House Financial Services Committee Data Breach

  • Alabama attorney general establishes cybercrime lab

    State Issues

    On February 14, the Alabama Attorney General’s Office announced the establishment of the Cybercrime Lab, which was created in partnership with the U.S. Secret Service, the Federal Bureau of Investigation, U.S. Department of Homeland Security Investigations, the Alabama Fusion Center, the Alabama Office of Prosecution Services, and U.S. Attorney Louis Franklin. In addition to supporting cyber-related investigations in areas such as network intrusions and data breaches conducted by law enforcement in Alabama at the federal, state, and local levels, the Cybercrime Lab will provide assistance to agencies seeking access to digital evidence. Alabama Attorney General Steve Marshall commented that his office also has new resources for reporting suspected debit/credit card skimming devices.

    State Issues State Attorney General Data Breach Privacy/Cyber Risk & Data Security

  • Massachusetts attorney general launches data breach reporting portal

    Privacy, Cyber Risk & Data Security

    On February 1, Massachusetts Attorney General Maura Healey launched a Data Breach Reporting Online Portal, which is available through the agency’s Security Breaches site. Organizations can use the online portal to provide notice to the attorney general’s office of a data breach as required by the Massachusetts Data Breach Notification Law (law), M.G.L. c. 93H. According to the announcement, the law requires any entity that “owns or licenses a consumer’s personal information” to notify the attorney general’s office, among others, “any time personal information is accidentally or intentionally compromised.” The announcement notes that organizations are not required to use the online portal and may still send written notice to the attorney general’s office through the mail.

    The online portal announcement follows other recent actions by Healey in response to consumer data breaches. In September, Healey filed the first enforcement action in the nation against a major credit reporting agency after its significant data breach announcement (previously covered by InfoBytes here) and introduced proposed legislation, SB 130/HB 134, which, among other things, would eliminate fees for credit freezes and mandate encryption of personal information in credit reports.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Credit Reporting Agency Data Breach

  • Maryland issues bipartisan consumer protection recommendations

    State Issues

    On January 26, the Maryland Financial Consumer Protection Commission (the “Commission”) and ranking officials from the Maryland legislature announced bipartisan “Interim Recommendations” of the Commission for State and local action in response to the federal government’s “efforts to change or weaken […] important federal consumer protections.” New legislation in response to the recommendations is expected to be released in the near future. Key recommendations include, among other things: (i) requiring credit reporting agencies to provide an alert of data breaches promptly and provide free credit freezes; (ii) adopting new financial consumer protection laws in areas where the federal government may be weakening oversight; (iii) addressing potential issues with Maryland’s current payday and lending statutes; (iv) adopting the Model State Consumer and Employee Justice Enforcement Act that addresses forced arbitration clauses; and (v) adopting new laws that address new risks, such as virtual currencies and financial technology.

    State Issues State Legislation Consumer Finance Data Breach Payday Lending Arbitration Virtual Currency Fintech Credit Reporting Agency
