
InfoBytes Blog

Financial Services Law Insights and Observations


  • U.S. and EU collaborate to combat ransomware attacks

    Privacy, Cyber Risk & Data Security

    On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in the Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property Section, along with representatives from the FBI, the U.S. Secret Service, the U.S. Homeland Security Investigations, European Judicial Cybercrime Network, Eurojust’s Cybercrime Team, and Europol’s European Cybercrime Centre shared “experiences, best practices, and lessons learned in directing an investigation to a successful outcome including collaborating with the tech and private sector.” Participants also discussed “relevant changes in the law, including issues related to electronic evidence, charging options, and cross-border considerations.”

    Privacy/Cyber Risk & Data Security DOJ EU Of Interest to Non-US Persons Ransomware

  • District Court grants preliminary approval of class action settlement in data breach case

    Courts

    On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a 2019 phishing attack. According to the plaintiffs’ supplemental memorandum in support of preliminary approval of settlement, the defendant notified the plaintiffs (as well as the attorneys general of several states) that a successful phishing campaign was launched against them. The phishing scheme resulted in cybercriminals being able to “access” and “download” a report containing the unencrypted personally identifiable information (PII) of 52,846 plaintiffs. The plaintiffs alleged that as a result of the data security incident they suffered concrete injuries, including, inter alia, identity theft, the exposure of their PII to cybercriminals, a substantial risk of identity theft, and actual losses. Under the terms of the preliminarily approved settlement, class members are eligible to enroll in three years of identity protection and credit monitoring, and may receive reimbursement of out-of-pocket expenses and compensation for up to three hours spent dealing with the security incident.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement

  • Special Alert: House subcommittee hears testimony on privacy bill

    Privacy, Cyber Risk & Data Security

    The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data Privacy and Protection Act (ADPPA).

    The bipartisan initiative faces new headwinds following June 22 remarks by Senate Commerce Chair Maria Cantwell (D-WA), who cited “major enforcement holes” in the legislation on preemption issues — but expressed hope that the sponsors could offer revisions. 

    Privacy/Cyber Risk & Data Security Federal Issues Special Alerts Federal Legislation Consumer Protection FTC House Subcommittee on Consumer Protection and Commerce

  • FTC issues report to Congress on use of AI

    Privacy, Cyber Risk & Data Security

    On June 16, the FTC issued a report to Congress regarding the use of artificial intelligence (AI), warning that policymakers should use caution when relying on AI to combat the spread of harmful online conduct. In the 2021 Appropriations Act, Congress directed the FTC to study and report on whether and how AI “may be used to identify, remove, or take any other appropriate action necessary to address” a wide variety of specified “online harms,” referring specifically to content that is deceptive, fraudulent, manipulated, or illegal. The report suggests that adoption of AI could be problematic, as AI tools can be biased, discriminatory, or inaccurate, and could rely on invasive forms of surveillance. To avoid introducing these additional harms, the report suggests lawmakers instead focus on developing legal frameworks to ensure no additional harm is caused by AI tools used by major technology platforms and others. The report further suggests that Congress, regulators, platforms, scientists, and others focus their attention on creating frameworks to address the following related considerations, among others: (i) the need for human intervention in connection with monitoring the use and decisions of AI tools intended to address harmful content; (ii) the need for meaningful transparency, “which includes the need for it to be explainable and contestable, especially when people’s rights are involved or when personal data is being collected or used”; and (iii) the need for accountability with respect to the data practices and results of the use of AI tools by platforms and other companies. Other recommendations include use of authentication tools, responsible use of inputs and outputs by data scientists, and using interventions, such as tools that slow the viral spread or otherwise limit the impact of certain harmful content.

    The Commission voted 4-1 at an open meeting to send the report to Congress. Commissioner Noah Joshua Phillips issued a dissenting statement, finding that the report provides “short shrift to how and why AI is being used to combat the online harms identified by Congress,” and instead “reads as a general indictment of the technology itself.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC Artificial Intelligence Congress

  • U.S., UK collaborate on privacy-enhancing tech prize challenges

    Privacy, Cyber Risk & Data Security

    On June 13, the White House announced that the U.S. and UK governments are developing privacy-enhancing technology prize challenges to help address cross-border money laundering. The White House highlighted that the estimated $2 trillion of cross-border money laundering which happens annually could be better detected if improvements were made to information sharing and collaborative analytic efforts. However, research shows that this process “is hindered by the legal, technical and ethical challenges involved in jointly analyzing sensitive information,” the White House said. Privacy-enhancing technologies (PETs) could play a transformative role in addressing the global challenges of financial crime, the White House explained, noting that PETs can allow “machine learning models to be trained on high quality datasets collaboratively among organizations, without the data leaving safe environments.” Moreover, “[s]uch technologies have the potential to help facilitate privacy-preserving financial information sharing and analytics,” thus “allowing suspicious types of behavior to be identified without compromising the privacy of individuals, or requiring the transfer of data between institutions or across borders.” 

    Opening this summer, the challenges (developed between the White House Office of Science and Technology Policy, the U.S. National Institute of Standards and Technology, the U.S. National Science Foundation, the UK’s Center for Data Ethics and Innovation, and Innovate UK) will allow innovators to develop state-of-the-art privacy-preserving federated learning solutions to help combat barriers to the wider use of these technologies without the uncertainty of potential regulatory implications. Innovators will engage with the U.K.’s Financial Conduct Authority and Information Commissioner’s Office and the Financial Crimes Enforcement Network. Acting FinCEN Director Himamauli Das announced that the agency “is pleased to support this important initiative to advance the development of a building block for protecting the U.S. financial system from illicit finance.” 

    Privacy/Cyber Risk & Data Security Financial Crimes Biden UK Of Interest to Non-US Persons FinCEN Anti-Money Laundering

  • District Court approves data breach settlement

    Courts

    On June 8, the U.S. District Court for the Southern District of New York granted the plaintiffs’ motion for final approval of a class action settlement resolving claims that several retail businesses failed to establish reasonable safeguards, which led to a data breach. According to the opinion, the plaintiffs alleged that a syndicate accessed cardholder information and sold it on the so-called dark web. The plaintiffs also claimed that the breach caused them to spend time monitoring their accounts, safeguarding account information, and, for some plaintiffs, resolving fraudulent charges and withdrawals. The settlement provides for two different levels of payments to affected consumers. Tier 1 claimants, who must provide proof of a payment transaction during the period of the breach and confirm that they spent time monitoring account information after the breach, will receive $30. Tier 2 claimants will be reimbursed for documented out-of-pocket expenses incurred as a result of the breach, such as costs and expenses related to identity theft or fraud, late fees, and unauthorized charges and withdrawals, in an amount not to exceed $5,000. The total amount to be paid to class members is approximately $278,000.

    Courts Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Settlement Class Action

  • Special Alert: Congress releases draft privacy bill

    Federal Issues

    A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act.

    Passage of the ADPPA, which combines elements of prior proposals in an effort to reach a legislative compromise, is still far from assured. But it represents a meaningful starting point for further discussions, and is already shaping the long-running debate on national privacy standards. This alert looks closely at the proposed statutory text that seeks to define the breadth and scope of a federal privacy regime that policymakers have contemplated for years.

    Greater clarity about bill text and its overall prospects for passage are likely to emerge at the House Energy and Commerce Committee’s hearing scheduled for tomorrow at 10:30 a.m. ET.

    Federal Issues Federal Legislation Privacy/Cyber Risk & Data Security Special Alerts House Energy and Commerce Committee FTC Consumer Protection American Data Privacy and Protection Act

  • District Court granted final approval of a $63 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 7, the U.S. District Court for the District of Columbia granted final approval of a class action settlement resolving claims that a government agency and its contractor (collectively, defendants) did not detect hackers because they failed to establish reasonable safeguards, which led to a data breach. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, a data breach occurred in June 2015 that compromised financial records, Social Security numbers, and other personal information of anyone who underwent a background check at the agency since 2000. The agency allegedly controlled numerous electronic systems without valid authorizations, failed to implement multi-factor authentication for accessing systems, failed to patch, segment, and continuously monitor systems, and failed to implement centralized data security protocols. According to the plaintiff’s motion, the settlement (if granted final approval) would require the U.S. government to pay $60 million of the settlement fund and the contractor to pay $3 million. The settlement agreement provides that “[e]ach valid claim will be paid at $700, except that if the actual amount of documented loss exceeds $700, the claim will be paid in that amount, up to $10,000.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • Senate Banking Committee sends letter to Yellen on consumer data activities

    Privacy, Cyber Risk & Data Security

    On June 7, Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, Senator Sherrod Brown sent a letter to Treasury Secretary Janet Yellen requesting that the Financial Stability Oversight Council conduct a review on the effect of the collection and sale of consumer data by financial institutions to determine whether such activities pose a systemic threat to U.S. financial stability and security. The letter raised concerns that such data could be used for nefarious purposes including “glean[ing] consumers’ tolerance for price hikes, or using certain people’s spending patterns to target them for blackmail or ransomware.”

    Privacy/Cyber Risk & Data Security Senate Banking Committee Consumer Finance Department of Treasury FSOC

  • District Court: Company must face data breach claims

    Courts

    On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in part and denying in part defendant’s motion to dismiss, the court declined to dismiss several of the plaintiffs’ claims for negligence, ruling that the second amended complaint sufficiently alleged that the defendant employed inadequate data security and that plaintiffs suffered an actual injury as a result of the data breach because the monitoring services offered by the defendant were insufficient and offered for too short a time, causing certain plaintiffs to purchase additional identity protection products and/or services. However, other negligence claims were dismissed after the court determined that some of the plaintiffs failed to allege any actual damages or out-of-pocket expenses. Additionally, while the court allowed several state law claims to proceed, it dismissed claims brought under the California Consumer Protection Act due to the plaintiff’s failure to provide the requisite pre-suit notice within the 30-day time period as required by law, finding the failure could not be cured by the passage of time. Other state law claims, involving violations of the Wisconsin Deceptive Trade Practices Act and Pennsylvania Unfair Trade Practices and Consumer Protection Law, were also dismissed due to a failure to articulate cognizable losses.

    Courts State Issues California Privacy/Cyber Risk & Data Security Class Action Data Breach
