InfoBytes Blog

Financial Services Law Insights and Observations

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitution of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

    Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues
  • District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

    Privacy, Cyber Risk & Data Security

    On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

    As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Consumer Finance State Legislation Data Breach
  • European Commission Releases First Annual E.U.-U.S. Privacy Shield Review; Framework Works Well With Room for Improvement

    Privacy, Cyber Risk & Data Security

    On October 18, the European Commission (Commission) released its first annual review of the E.U.-U.S. Privacy Shield (Privacy Shield) framework for transatlantic data transfers, concluding that the Privacy Shield “ensures an adequate level of protection for personal data,” but that “there is some room for improving its implementation.” In the report, the Commission’s findings and conclusions cover topics including: (i) redress options for EU individuals; (ii) complaint handling and enforcement procedures to “safeguard individual rights”; (iii) cooperation with European data protection authorities; and (iv) the process for certifying companies under the Privacy Shield. However, the report also makes recommendations for improvement, such as (i) increasing U.S. oversight into whether U.S. companies are complying with the Privacy Shield’s requirements to protect Europeans’ personal data; (ii) conducting regular reviews to ensure companies are not making false claims about their participation in the Privacy Shield; and (iii) establishing a closer means of communication between “privacy enforcers” to develop guidance.

    Acting FTC Chairman Maureen K. Ohlhausen commented on the Commission’s review: “Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Privacy and Data Security program, as highlighted in three recently announced Privacy Shield enforcement actions. We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows.” (See InfoBytes coverage of the three FTC enforcement actions here, and refer here for previous InfoBytes coverage of the Privacy Shield.)

    Privacy/Cyber Risk & Data Security FTC Enforcement International
  • CFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation

    Privacy, Cyber Risk & Data Security

    On October 18, the CFPB published guidelines entitled “Consumer Protection Principles” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, obtain authorization from consumers to access their account data held by separate organizations in order to provide products and services. Earlier this year, industry groups responded to a CFPB request for information and weighed in on the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. (See previous InfoBytes summary here.) Along with the Principles, the CFPB published a summary of stakeholder insights, which highlights the feedback received by the Bureau. Separately, on October 16, Senator Edward J. Markey (D-Mass.) sent a letter to Director Richard Cordray raising concerns about data security during the transfer of consumer data to third-party aggregators and highlighting the need for transparency concerning the use of the data.

    The Principles address the following areas: (i) data access; (ii) data scope and usability; (iii) control of data and informed consent; (iv) payment authorizations; (v) data security; (vi) transparency on data access rights; (vii) data inaccuracies; (viii) dispute rights and unauthorized access resolution; and (ix) mechanisms for efficient and effective accountability.

    Notably, the Bureau recognized that there already exist statutes and regulations that apply to consumer protections in this market. As such, the Principles “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections,” and therefore do not establish “binding requirements.”

    Privacy/Cyber Risk & Data Security Consumer Finance CFPB Vendor Management Third-Party Fintech eCommerce
  • G-7 Releases Follow-Up Report on Fundamental Elements for Cybersecurity Assessment

    Privacy, Cyber Risk & Data Security

    On October 13, G-7 finance ministers and central bank governors released a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector to provide guidance on G-7 countries’ (Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States) expectations for effective cybersecurity assessments for the financial sector. The non-binding fundamental building blocks contained within the report build upon guidance issued last year by G-7, and provide tools for institutions to evaluate the performance and assessment of cybersecurity practices. (See previous InfoBytes coverage here.) In the current report, G-7 outlines five desirable outcomes organizations can strive to achieve when developing cybersecurity capabilities, along with five assessment components assessors can use when developing effective practices for cyber risk management.

    “Cybersecurity, particularly in the financial sector, is a top priority for the United States, and we are pleased to work with the members of the G-7 to advance a common approach that enhances resiliency,” Treasury Secretary Steven T. Mnuchin stated in a press release announcing the report. “Technology has become the global engine driving innovation and economic growth, and it provides a channel for the financial sector to engage customers and counterparties. However, this trend brings increased cyber risk, which is real, dynamic, and evolving.”

    Privacy/Cyber Risk & Data Security Department of Treasury G-7
  • Coalition of State Attorneys General Urge Credit Reporting Agencies to Offer No-Fee Credit Freeze

    Privacy, Cyber Risk & Data Security

    On October 10, a coalition of 37 state attorneys general sent letters (here and here) to the CEOs of two major credit reporting agencies (CRAs), urging them to stop charging fees to consumers seeking credit freezes as a measure to protect against identity theft in light of a third CRA’s massive data breach. On September 15, as previously reported in InfoBytes, 34 state attorneys general sent a letter to the breached CRA’s legal counsel requesting it disable fee-based credit monitoring services. The October 10 letters note that currently seven states prohibit CRAs from charging fees to consumers for credit freezes and at least two other states have proposed legislation that would require CRAs to offer free credit freezes.

    Privacy/Cyber Risk & Data Security State AG Consumer Finance
  • FTC, Department of Education Announce Education Technology Workshop to Explore Privacy Issues

    Privacy, Cyber Risk & Data Security

    On October 4, the FTC and the Department of Education issued a notice announcing a joint Ed Tech (education technology) workshop to examine the challenges concerning privacy implications as more schools are using school-issued personal computing devices. The workshop will discuss issues surrounding the FTC’s Children’s Online Privacy Protection Act Rule (COPPA) as it applies to schools and how it intersects with the Department of Education’s Family Educational Rights and Privacy Act, which is designed to protect the privacy of students’ education records. The workshop, which is open to the public, will be held in Washington, D.C., on December 1.

    As previously covered in InfoBytes, the FTC made modifications to COPPA’s safe harbor program this past July that now require all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services, in addition to issuing updates in June regarding resources companies can use to ensure COPPA compliance.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Department of Education COPPA
  • FTC to Hold Informational Injury Workshop

    Privacy, Cyber Risk & Data Security

    On September 29, the FTC announced it will host an “informational injury” workshop on December 12 to examine the types of injuries consumers face when information about them is misused, as well as the tradeoffs involved in collecting, using, or sharing consumers’ personal information. In preparation for the workshop, the FTC is seeking public input concerning a range of issues such as (i) the types of qualitative consumer injuries resulting from privacy and data security incidents; (ii) the best ways to assess or quantify injury; and (iii) the cost-benefit analysis of collecting, using, and sharing information in the face of potential injury. The FTC will accept comments through October 27.

    Privacy/Cyber Risk & Data Security FTC Enforcement
  • White House Releases Proclamation Announcing National Cybersecurity Awareness Month

    Privacy, Cyber Risk & Data Security

    On September 30, President Trump issued a Proclamation announcing October 2017 as National Cybersecurity Awareness Month. As part of the initiative, the Department of Homeland Security (DHS) issued tools and resources for both consumers and organizations to manage cybersecurity risk. As previously covered in InfoBytes, the President issued an Executive Order earlier this year entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” that requires agencies to submit risk management reports to DHS and develop recommendations for cybersecurity improvements affecting all critical infrastructure, including the financial services industry.

    Privacy/Cyber Risk & Data Security Federal Issues Risk Management Trump Department of Homeland Security Executive Order
  • Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out

    Privacy, Cyber Risk & Data Security

    On September 27, interim CEO Paulino do Rego Barros Jr. spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for its credit monitoring services and free credit freezes through the end of January 2018. He also committed that by January 31, the agency will offer a new service allowing consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.

    On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach Senate Judiciary Subcommittee Consumer Finance