Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • FTC announces settlement with California company over EU-U.S. Privacy Shield false certification claims

    Privacy, Cyber Risk & Data Security

    On July 2, the FTC announced it had reached a settlement with a California-based company over allegations that it falsely claimed participation in the European Union-U.S. Privacy Shield framework, EU-U.S. Privacy Shield. According to the FTC, the company’s false claim that it was in the process of certification is a violation of the FTC Act’s prohibition against deceptive acts or practices. The settlement prohibits the company from misrepresenting its participation in “any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization” and requires the submission of timely compliance notices. This action marks the fourth FTC EU-U.S. Privacy Shield enforcement action following the EU’s finalization and adoption in July 2016 (see previous InfoBytes coverage here) of the EU-U.S. Privacy Shield, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations.

    Privacy/Cyber Risk & Data Security FTC Enforcement Settlement

    Share page with AddThis
  • Buckley Sandler Special Alert: California governor signs significant data privacy bill into law

    Privacy, Cyber Risk & Data Security

    On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of signatures to appear on the November 2018 ballot in the state. Both the Act and the Ballot Initiative were a reaction to high-profile news stories involving large-scale consumer data collection and sharing by online companies, often done without notice to or consent from consumers.

    The Ballot Initiative, driven and funded by a coalition of privacy advocates, proposed both expanding consumer privacy rights under existing state laws such as the California Online Privacy Protection Act and the “Shine the Light” law, and giving new consumer rights with regard to information sharing. The Ballot Initiative, which was withdrawn in response to the enactment of the Act, would have provided state residents with increased rights regarding the types of information online companies possess about them, the purposes for which the information is used, and the entities with which the information is shared. Consumers would also have been given the right to stop certain sharing of their personal information. Critics asserted that the Ballot Initiative was poorly crafted and would stifle innovation in data services. Last minute revisions to the language of the Act, which generally follows the requirements of the Ballot Initiative, sought to address some of these concerns and several industry groups that had opposed the Ballot Initiative did not lobby against the quick passage of the Act.

     

    * * *

    Click here to read the full special alert.

    If you have questions about the act or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley Sandler attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security State Issues Special Alerts

    Share page with AddThis
  • Credit reporting agency agrees to cybersecurity corrective action with eight state regulators

    Privacy, Cyber Risk & Data Security

    On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.

    The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS

    Share page with AddThis
  • Rhode Island and New Hampshire prohibit security freeze fees

    Privacy, Cyber Risk & Data Security

    On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in connection with issuing or reissuing a personal identification number that is used by a consumer to authorize the use of his or her credit or to remove the freeze. Previously, Rhode Island allowed credit reporting agencies to charge a fee up to $10 dollars for security freeze services and $5 for reissuances of personal identification numbers, although customers were entitled to a free initial reissuance of their personal identification numbers. The law is effective September 1.

    Similarly, on June 8, the governor of New Hampshire signed HB1700, which prohibits a consumer reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also prohibits a consumer reporting agency from charging a fee to issue or replace a consumer’s personal identification number used in connection with the security freeze. The law requires the consumer reporting agencies to place the freeze within three business days after receiving a consumer request, if the consumer makes the request via mail and within 24 hours after receiving a consumer request, if made electronically or by telephone. The law is effective January 1, 2019.

    Privacy/Cyber Risk & Data Security Security Freeze State Issues State Legislation Credit Reporting Agency

    Share page with AddThis
  • Illinois, Connecticut, and Hawaii pass security freeze legislation

    Privacy, Cyber Risk & Data Security

    On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately.  The Act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.

    This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.

    On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach Credit Reporting Agency

    Share page with AddThis
  • FTC files complaint against two operations allegedly responsible for making billions of illegal robocalls

    Privacy, Cyber Risk & Data Security

    On June 5, the FTC announced charges filed against two individuals and their related operations (defendants) for allegedly facilitating billions of robocalls to consumers across the country through a telephone dialing platform in violation of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule. According to the complaint filed in the U.S. District Court for the Central District of California, the alleged misconduct—dating back to 2001—centered around the principal and owner of a group of companies that operated and developed a computer-based telephone dialing platform, and a second individual defendant and his group of call center businesses that paid for the development and use of software designed to make autodial telephone calls and deliver prerecorded messages. The FTC alleged that for many years the two individual defendants jointly owned and operated businesses that resold access to a “bundle of services”—referred to as a “one-stop-shop for illegal telemarketers”—that provided, among other things, (i) servers to host the autodialing software, as well as the physical space housing the servers; and (ii) the ability to make calls using “spoofed” caller ID numbers, which made it look as if the calls came from a consumer’s local area code. According to the FTC, this “bundle of services” became so widely used within the industry that it has been named in at least eight other FTC lawsuits centered on the facilitation of unlawful calls. Among other things, the charges against the defendants include assisting with illegal robocalls, calling with prerecorded messages, calling numbers on the National Do Not Call Registry, calling with spoofed caller IDs, and abandoning calls. The FTC seeks civil monetary penalties, a permanent injunction against the defendants to prevent future violations, and reimbursement of costs for bringing the action.

    Privacy/Cyber Risk & Data Security FTC Robocalls FTC Act Telemarketing Sales Rule Telemarketing and Consumer Fraud and Abuse Prevention Act

    Share page with AddThis
  • Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement

    Privacy, Cyber Risk & Data Security

    On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:

    • In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
    • If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
    • Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
    • If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.

    The law also includes security and notification requirements for Colorado governmental entities.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Consumer Protection

    Share page with AddThis
  • Louisiana governor amends data breach notification law; passes security freeze legislation

    Privacy, Cyber Risk & Data Security

    On May 20, the Louisiana governor signed SB361 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state or that own or license computerized data to (i) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” and (ii) take “all reasonable steps” to destroy documents containing personal information once they no longer need to be retained. Key amendment highlights are as follows:

    • revises definitions, which include (i) defining “breach of the security of the system” to now apply to “the compromise… of computerized data that results in, or there is a reasonable likelihood to result in. . .” unauthorized acquisition and access; and (ii) revising the definition of “personal information” to include residents of the state, and include passport numbers and biometric data;
    • requires entities to notify affected individuals within 60 days of the discovery of a data breach—pending the needs of law enforcement—and further stipulates that if a determination is made to delay notification, the Attorney General must be notified in writing within the 60-day period to receive an extension of time;
    • provides that substitute notification—consisting of email notification, a notice posted to the entity’s website, and notifications to major statewide media—may be provided should the entity demonstrate that (i) the cost of the notification would exceed $100,000; (ii) the affected class of persons exceeds 100,000; or (iii) the entities lack sufficient contact information; and
    • states that violations of the Database Security Breach Notification Law constitute an unfair act or practice.

    The amendments take effect August 1.

    Separately, on May 15, the governor signed SB127, which prohibits credit reporting agencies from charging a fee for placing, reinstating, temporarily lifting, or revoking a security freeze. The bill became effective upon signature by the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach

    Share page with AddThis
  • Vermont legislation regulates data brokers and provides consumer protections

    Privacy, Cyber Risk & Data Security

    On May 22, a Vermont bill, established to regulate data brokers and provide consumers with protections against companies that collect, analyze, and sell their personal information, was enacted without the governor’s signature. Among other things, H.764: (i) requires data brokers to pay a $100 fee to register annually with the Vermont Secretary of State and publicly disclose information about data collection practices and opt-out policies; (ii) requires companies to implement measures to ensure they have “adequate security standards” to safeguard against data breaches; (iii) prohibits the “acquisition of personal information with the intent to commit wrongful acts”; and (iv) prohibits credit reporting agencies from charging consumers fees for the placement, removal, or temporary lift of a security freeze. The credit freeze provisions became effective upon passage. The data broker provisions take effect January 1, 2019.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Data Brokers

    Share page with AddThis
  • Court preliminarily approves $80 million settlement for shareholders after global internet company data breach

    Privacy, Cyber Risk & Data Security

    On May 9, the U.S. District Court for the Northern District of California granted a preliminary approval of a settlement between a global internet media company and its shareholders over alleged securities law violations related to cybersecurity breaches in 2013 and 2014. The $80 million settlement resolves a consolidated shareholder action accusing the company of making misleading statements to shareholders about the company’s data security. According to the order, the settlement applies to all shareholders who acquired the company’s securities between April 30, 2013 and December 14, 2016. As previously covered by InfoBytes, the company was recently ordered by the SEC to pay $35 million to resolve allegations related to the same cybersecurity incidents.

    Privacy/Cyber Risk & Data Security Securities Data Breach Settlement SEC

    Share page with AddThis

Pages