InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC seeks to protect highly sensitive data
On July 11, the FTC’s Division of Privacy & Identity Protection published a blog post addressing risks associated with the sharing of highly personal information with strangers, particularly with respect to the use of technology that directly observes or derives sensitive information about users. The FTC noted that aside from location information, which is often automatically generated from consumers’ connected devices, consumers are also actively generating sensitive health information, including personal reproductive data, through apps on their devices. This “potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers,” the FTC warned, pointing to the “ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.” Additionally, once the sensitive information is collected, the FTC said that consumers usually have no idea who has access to it, what the information is being used for, or that companies are profiting from the sale of their data. “The misuse of mobile location and health information–including reproductive health data–exposes consumers to significant harm,” the FTC stated. “Criminals can use location or health data to facilitate phishing scams or commit identity theft . . . and may subject people to discrimination, stigma, mental anguish, or other serious harms.” The FTC reminded companies that it is committed to using the full scope of its legal authorities to protect consumers’ privacy and that it “will vigorously enforce the law” to protect the security and privacy of consumers’ personal information. Companies are advised that sensitive information is protected by several federal and state laws and that making claims that data is “anonymous” or “has been anonymized” may be a deceptive trade practice under the FTC Act if untrue.
Fed discusses cybersecurity risk management and emerging threats
On July 7, the Federal Reserve Board published its 2022 Cybersecurity and Financial System Resilience Report. Issued pursuant to the Consolidated Appropriations Act, the Fed’s report described measures it has taken to strengthen cybersecurity in the financial services sector. The report identified cybersecurity as a high priority for the Federal Reserve System and Board-supervised institutions and recognized the increasing and evolving nature of cybersecurity threats to the financial system. It delivered an overview of the Fed’s supervisory policies and procedures, which, among other things, require supervised institutions to implement internal controls and information systems appropriate to the size of the institution and to the nature, scope, and risk of its activities. The report explained that examiners’ cybersecurity evaluations consider “the business model and activities conducted by supervised institutions as part of a principles-based supervision program.” According to the Fed, an examination’s scope “is set as part of a multiyear supervisory plan that considers key cybersecurity risks, the industry landscape, and other factors such as emerging technologies.” The Fed explained that as part of these evaluations, “examiners consider business-line controls, risk-management practices, assurance functions, and governance activities performed by the firm’s senior management and board of directors.”
The report also outlined intergovernmental, international, and public and private sector coordination activities, and included a list of recent actions taken by the Fed and other agencies to promote cybersecurity. Additionally, the report discussed current or emerging threats to financial institutions’ ability to operate and protect customer data, including ransomware, sophisticated distributed denial of service threats, increasing geopolitical tensions, and attacks to supply chains or third parties. Other emerging technology-related cybersecurity threats are also discussed including “[p]otential cybersecurity vulnerabilities in fintech applications,” such as cryptocurrency exchanges, banking applications, and other platforms that provide “threat actors an opportunity to steal funds or data by compromising victims’ computer systems or technology infrastructure used to interact with the products or services.”
District Court approves contact tracing suit settlement
On October 31, the U.S. District Court for the Northern District of California granted plaintiffs’ motion for attorneys' fees, expenses, and service awards related to a class action settlement alleging that an internet platform (defendant) violated the California Confidentiality of Medical Information Act, as well as other state laws through its “contact tracing” system that operated on consumers’ mobile devices. According to the motion, the defendant co-designed a digital contact tracing system to combat the spread of COVID-19 on mobile devices using the defendant’s mobile device operating system. The plaintiffs alleged that the defendant unlawfully exposed confidential medical information and personally identifying information through this system. Furthermore, the plaintiffs alleged that the defendant's system was "fundamentally flawed in its design and implementation" because it left users’ private medical and personally identifying information unprotected on mobile device “system logs” to which the defendant and third parties had routine access. Under the terms of the settlement, class counsel will receive approximately $1.95 million in attorneys’ fees and $56,457.44 in expenses. Additionally, the defendant must pay service awards to class representatives.
District Court preliminarily approves $3.7 million data breach settlement
On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.
New York fines supermarket chain $400,000 for mishandled consumer data
On June 30, the New York attorney general announced a settlement with a New York-based supermarket chain (respondent) for allegedly leaving more than three million customers’ personal information in unsecured, misconfigured cloud storage containers, which made the data potentially easy to access. The compromised data included customer account usernames and passwords, as well as customer names, email addresses, mailing addresses, and additional data derived from drivers’ license numbers. According to the assurance of discontinuance, a security researcher informed the respondent in 2021 that one of the cloud storage containers was misconfigured from its creation in January 2018 until April 2021, potentially exposing customers’ personal information. A second misconfigured container was identified in May 2021 that had been publicly accessible since November 2018, the AG said, noting that the respondent “immediately reviewed its cloud environment and identified the container, which had a database backup file with over three million records of customer email addresses and account passwords.” The AG asserted that the respondent also “failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.” Nor did the retailer maintain long-term logs of its cloud assets, thus making it difficult to security incidents, the AG said.
The terms of the settlement require the respondent to pay $400,000 in penalties to the state. The respondent has also agreed to (i) maintain a comprehensive information security program, including reporting security risks to the company's leadership; (ii) establish practices and policies to maintain an inventory of all cloud assets and to ensure all cloud assets containing personal information have appropriate measures to limit access; (iii) develop a penetration testing program and implement centralized logging and monitoring of cloud asset activity; (iv) establish appropriate password policies and procedures for customer accounts; (v) maintain a reasonable vulnerability disclosure program to enable third parties to disclose vulnerabilities; (vi) establish appropriate practices for customer account management and authentication; and (vii) update its data collection and retention practices to ensure it only collects customers’ personal information when there is a reasonable business purpose for the collection and permanently deletes all personal information collected before the agreement for which no reasonable purpose exists.
Insurers consider biometric exclusions as privacy cases increase
According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric Information Privacy Act (BIPA), as “more courts began ruling that individuals need not show actual injury to allege BIPA violations.” The article explained that insurance carriers now “argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements.” This issue is poised to become increasingly important to carriers and policyholders as additional states seek to regulate biometric privacy. The article noted that in the first quarter of 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington also have biometric laws, but without a private right of action.
District Court says Massachusetts law will apply in choice-of-law privacy dispute
On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security program was inadequate and that the security risks associated with the Personal Information went unmitigated, allowing [] cybercriminals to gain access.” During discovery, the defendant (headquartered in South Carolina) stated that its U.S. data centers are located in Massachusetts, Texas, California, and New Jersey, and that the particular servers that housed the plaintiffs’ data (and were the initial entry point for the ransomware attack) are physically located in Massachusetts. While both parties stipulated to the application of South Carolina choice-of-law principles generally, the plaintiffs specifically requested that South Carolina law be applied to their common law claims of negligence, negligence per se, and invasion of privacy since it was the state where defendant executives made the cybersecurity-related decisions that allegedly allowed the data breach to occur. However, the defendant countered that the law of each state where a plaintiff resides should apply to that specific plaintiff’s common law tort claims because the “damages were felt in their respective home states.” Both parties presented an alternative argument that if the court found the primary choice-of-law theory to be unfounded, then Massachusetts law would be appropriate as “Massachusetts was the state where the last act necessary took place because that is where the data servers were housed.”
In determining which state’s common-law principles apply, the court stated that even if some of the cybersecurity decisions were made in South Carolina, the personal information was stored on servers in Massachusetts. Moreover, the “alleged decisions made in South Carolina may have contributed to the breach, but they were not the last act necessary to establish the cause of action,” the court wrote, noting that in order for the defendant to be potentially liable, the data servers would need to be breached. The court further concluded that “South Carolina’s choice of law rules dictate that where an injury occurs, not where the result of the injury is felt or discovered is the proper standard to determine the last act necessary to complete the tort.” As such, the court stated that Massachusetts law will apply as that is where the data breach occurred.
NYDFS imposes $5 million fine against cruise line for cybersecurity violations
On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.
The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).
FTC finalizes action against e-commerce platform for data breach cover up
On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.
Rep. McHenry introduces draft privacy legislation based on GLBA
On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the discussion draft here.) The draft bill seeks to build on the Gramm-Leach-Bliley Act (GLBA) to better align financial data protection law with evolving technologies that have innovated the financial system and the way in which consumers interact with financial institutions, including nonbank institutions. “Technology has fundamentally changed the way consumers participate in our financial system—increasing access and inclusion. It has also increased the amount of sensitive data shared with service providers. Our privacy laws—especially as they relate to financial data—must keep up,” McHenry said, emphasizing the importance of finding a way to “secure Americans’ privacy without strangling innovation.”
Among other things, the draft bill:
- Requires notice of collection activities. The GLBA currently requires that consumers be provided notice when their information is being disclosed to third parties. The draft bill updates this requirement to require financial institutions to provide notice when consumers’ nonpublic personal information is being collected.
- Recognizes the burden on small institutions. The draft bill stipulates that agencies shall consider compliance costs imposed on smaller financial institutions when promulgating rules.
- Amends the definition of a “financial institution.” The draft bill will update the definition to cover data aggregators in addition to financial institutions engaged in financial activities as described in 4(k) of the Bank Holding Company Act of 1956.
- Expands the definition of non-public information. The draft bill expands the definition of “personally identifiable financial information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Publicly available information is not included in this definition. The definition of “consumer account credentials” will mean “nonpublic information (including a username, password, or an answer to a security question) that enables the consumer to access an account of the consumer at a financial institution.”
- Provides consumers access to data. The draft bill provides that financial institutions must, upon an authorized request from a consumer, disclose the data held, entities with which the financial institution shares consumer data, and a list of entities from whom the financial institution has received a consumer’s non-public personal information.
- Allows consumers to stop the collection and disclosure of their data. When a financial institution is required to terminate the collection and/or sharing of a consumer’s nonpublic personal information, the draft bill provides that a financial institution must notify third parties that data sharing is terminated and must require the third parties to also terminate collection and disclosure. Additionally, upon request from a consumer, the financial institution must delete any nonpublic personal information in its possession, and if required by law to retain the data, the financial institution may only use the data for that purpose.
- Minimizes data collection. The draft bill requires that financial institutions notify consumers of their data collection practices in their privacy policies, including the categories collected, how the information is collected, and the purposes for the collection. Consumers must be allowed an opportunity to opt-out of the collection of their data if not necessary for the provision of the product or service by that entity.
- Provides informed choice and transparency. Under the draft bill, privacy terms and conditions must be transparent and easily understandable. The draft bill requires the disclosure of a financial institution’s privacy policies in a manner that provides consumers meaningful understanding of what data is being collected, the manner in which the data is collected, the purposes for which the data will be used, the right to opt-out, who has access to the data, how an entity is using the data, where the data will be shared, the data retention policies of the entity, the consumer’s termination rights, and the rights associated with that data for uses inconsistent with stated purpose, among others.
- Stipulates liability for unauthorized access. The draft bill states that “[i]f the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.’’
- Requires preemption. The draft bill will preempt state privacy laws to create a national standard.
The draft bill was introduced days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (covered by a Buckley Special Alert here).