
InfoBytes Blog

Financial Services Law Insights and Observations

  • Ninth Circuit: payday lenders not vicariously liable under TCPA for text messages

    Privacy, Cyber Risk & Data Security

    On January 10, the U.S. Court of Appeals for the Ninth Circuit affirmed that three payday lenders and two marketing companies (together, the defendants) did not indirectly violate the Telephone Consumer Protection Act (TCPA) by accepting marketing help from a separate lead generator company that used a program to send text-messaged advertisements. In upholding the district court’s decision, the three-judge panel concluded that “it is undisputed” that the defendants did not enter into a contract with the lead generator company, and further, that the lead generator company did not act as their agent or purported agent. The plaintiff-appellant that received the text-messaged advertisement—which directed consumers who clicked on the link within the message to a loan application website controlled by one of the defendants—filed a putative class action complaint, certified by the district court, against the defendants to allege that they were vicariously liable for sending the text messages in violation of the TCPA. Specifically, the plaintiff-appellant claimed the defendants ratified the lead generator company’s actions when they accepted leads even though they knew the leads were being generated through text messages. The district court granted summary judgments for all the defendants, and ruled they were not vicariously liable for the lead generator company’s actions, and that additionally, the plaintiff-appellant failed to present evidence that defendants had actual knowledge that the texts were being sent in violation of the TCPA. The appellate panel also noted that because one of the defendants—a contracted lead provider—had “no ‘knowledge of facts that would have led a reasonable person to investigate further,’ . . . [the defendant] cannot be deemed to have ratified [the] actions and therefore is not vicariously liable.”

    Privacy/Cyber Risk & Data Security Courts Ninth Circuit Appellate TCPA Payday Lending

  • NYDFS updates cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    Recently, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1 and establishes cybersecurity requirements for banks, insurance companies, and other financial services companies. The December updates to the FAQs address risk-based requirements affecting covered entities, including the following topics: (i) penetration testing and vulnerability assessments; (ii) third-party service provider due diligence requirements; (iii) limited notices of exemption; and (iv) record requirements.

    Privacy/Cyber Risk & Data Security State Issues NYDFS

  • Credit Reporting Agencies Must Comply With Emergency Regulations

    Privacy, Cyber Risk & Data Security

    On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identity Theft Prevention and Mitigation Program (the Program). According to a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:

    • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
    • identify dedicated points of contact to assist the Division’s effective administering of the program;
    • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
    • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

    Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

    As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.

    Privacy/Cyber Risk & Data Security State Issues Data Breach Credit Rating Agencies NYDFS

  • FTC Announces Final Approval of Settlements With Companies Over EU-U.S. Privacy Shield False Certification Claims

    Privacy, Cyber Risk & Data Security

    On November 29, the FTC announced it had approved final settlements with three companies over allegations that they falsely claimed participation in the European Union-U.S. Privacy Shield (EU-U.S. Privacy Shield) framework. (See previous InfoBytes coverage here.) The settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions following the EU’s finalization and adoption in July 2016 (as covered by InfoBytes) of the EU-U.S. Privacy Shield Framework, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations.

    Privacy/Cyber Risk & Data Security Enforcement FTC Settlement

  • FCC Adopts Rules Allowing Voice Service Providers to Block Illegal Robocalls

    Privacy, Cyber Risk & Data Security

    On November 16, the FCC approved new rules allowing phone companies to proactively block illegal robocalls originating from certain types of phone numbers.

    Pursuant to the report and order released on November 17, providers may block calls that: (i) are made from telephone numbers that are not designed to make outgoing calls; (ii) originate from telephone numbers listed on a subscriber’s “do not originate” list; or (iii) originate from telephone numbers with non-existent area codes, no provider assignment, or that are not currently in use. The FCC is seeking public comments from phone service providers by January 23, 2018, to minimize the possibility of blocking “lawful calls” by establishing procedures for identifying and fixing erroneous blocks.

    Privacy/Cyber Risk & Data Security FCC Robocalls

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitutions of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

    Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues

  • District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

    Privacy, Cyber Risk & Data Security

    On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

    As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Consumer Finance State Legislation Data Breach

  • European Commission Releases First Annual E.U.-U.S. Privacy Shield Review; Framework Works Well With Room for Improvement

    Privacy, Cyber Risk & Data Security

    On October 18, the European Commission (Commission) released its first annual review of the E.U.-U.S. Privacy Shield (Privacy Shield) framework for transatlantic data transfers, stating that the Privacy Shield “ensures an adequate level of protection for personal data,” but “there is some room for improving its implementation.” In the report, the Commission’s findings and conclusions cover topics including: (i) redress options for EU individuals; (ii) complaint handling and enforcement procedures to “safeguard individual rights”; (iii) cooperation with European data protection authorities; and (iv) the process for certifying companies under the Privacy Shield. However, the report also makes recommendations for improvement, such as (i) increasing U.S. oversight into whether U.S. companies are complying with the Privacy Shield’s requirements to protect Europeans’ personal data; (ii) conducting regular reviews to ensure companies are not making false claims about their participation in the Privacy Shield; and (iii) establishing a closer means of communication between “privacy enforcers” to develop guidance.

    Acting FTC Chairman Maureen K. Ohlhausen commented on the Commission’s review: “Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Privacy and Data Security program, as highlighted in three recently announced Privacy Shield enforcement actions. We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows.” (See InfoBytes coverage of the three FTC enforcement actions here, and refer here for previous InfoBytes coverage of the Privacy Shield.)

    Privacy/Cyber Risk & Data Security FTC Enforcement International

  • CFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation

    Privacy, Cyber Risk & Data Security

    On October 18, the CFPB published guidelines entitled “Consumer Protection Principles” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide products and services. Earlier this year, industry groups responded to a CFPB request for information and weighed in on the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. (See previous InfoBytes summary here.) Along with the Principles, the CFPB published a summary of stakeholder insights, which highlights the feedback received by the Bureau. Separately, on October 16, Senator Edward J. Markey (D-Mass.) sent a letter to Director Richard Cordray raising concerns about data security during the transfer of consumer data to third-party aggregators and highlighting the need for transparency concerning the use of the data.

    The Principles address the following areas: (i) data access; (ii) data scope and usability; (iii) control of data and informed consent; (iv) payment authorizations; (v) data security; (vi) transparency on data access rights; (vii) data inaccuracies; (viii) dispute rights and unauthorized access resolution; and (ix) mechanisms for efficient and effective accountability.

    Notably, the Bureau recognized that there already exist statutes and regulations that apply to consumer protections in this market. As such, the Principles “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections,” and therefore do not establish “binding requirements.”

    Privacy/Cyber Risk & Data Security Consumer Finance CFPB Vendor Management Third-Party Fintech eCommerce

  • G-7 Releases Follow-Up Report on Fundamental Elements for Cybersecurity Assessment

    Privacy, Cyber Risk & Data Security

    On October 13, G-7 finance ministers and central bank governors released a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector to provide guidance on G-7 countries’ (Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States) expectations for effective cybersecurity assessments for the financial sector. The non-binding fundamental building blocks contained within the report build upon guidance issued last year by G-7, and provide tools for institutions to evaluate the performance and assessment of cybersecurity practices. (See previous InfoBytes coverage here.) In the current report, G-7 outlines five desirable outcomes organizations can strive to achieve when developing cybersecurity capabilities, along with five assessment components assessors can use when developing effective practices for cyber risk management.

    “Cybersecurity, particularly in the financial sector, is a top priority for the United States, and we are pleased to work with the members of the G-7 to advance a common approach that enhances resiliency,” Treasury Secretary Steven T. Mnuchin stated in a press release announcing the report. “Technology has become the global engine driving innovation and economic growth, and it provides a channel for the financial sector to engage customers and counterparties. However, this trend brings increased cyber risk, which is real, dynamic, and evolving.”

    Privacy/Cyber Risk & Data Security Department of Treasury G-7

