
InfoBytes Blog

Financial Services Law Insights and Observations


  • FCC Joins Global Privacy Enforcement Network

    Privacy, Cyber Risk & Data Security

    On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.

    FCC Privacy/Cyber Risk & Data Security

  • CFPB Finalizes Rule To Limit Relief From Annual Privacy Notice Delivery Requirements

    Privacy, Cyber Risk & Data Security

    On October 20, the CFPB finalized its amendment to Regulation P, which requires that financial institutions meet specific consumer data-sharing requirements, including the delivery of annual privacy notices. Under the new rule, bank and nonbank institutions under the CFPB’s jurisdiction will now be allowed to post privacy notices online, rather than deliver an annual paper copy. Institutions that choose to post notices online must meet certain conditions, including (i) providing notice to consumers if the institution shares any data to third parties, in addition to providing an opportunity to opt out of such sharing; and, (ii) using the 2009 model disclosure form developed by federal regulatory agencies. The institutions that choose to rely on the new delivery method must (i) ensure that customers are aware of the notices posted online; (ii) provide paper copies within ten days of a customer’s request; and, (iii) make customers aware that the privacy notice(s) are available online—and that a paper copy will be provided at the customer’s request—by inserting a “clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure.” As outlined when the proposed rule was issued in May, the CFPB anticipates that the rule will: (i) provide consumers with constant access to privacy notices; (ii) limit the amount of an institution’s data sharing with third parties; (iii) educate consumers on the various types of privacy policies available to them; and, (iv) reduce the cost for companies to provide privacy notices.

    CFPB Disclosures Privacy/Cyber Risk & Data Security

  • ABA Petitions FCC To Allow Security And Fraud Alerts To Customers Without Consent

    Privacy, Cyber Risk & Data Security

    On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.

    Fraud TCPA FCC

  • New York Attorney General's Office Settles With Large Financial Institution

    Privacy, Cyber Risk & Data Security

    On October 15, the New York Attorney General’s office announced a settlement with a large financial institution in connection with a 2012 data breach. Of the $850,000 settlement agreement, New York State will receive over $114,000. The terms of the settlement require that the bank reform its former security practices, which caused over one million customer files to be compromised. Specifically, in 2012, the bank lost over one million unencrypted files that contained personal information for over 200,000 customers nationwide. Going forward, the bank must (i) notify state residents of security breaches in a timely manner; and (ii) maintain security policies that will protect personal information.

    Privacy/Cyber Risk & Data Security

  • House Committee On Oversight And Government Reform Ranking Member Requests Hearing Regarding Data Security Breach

    Privacy, Cyber Risk & Data Security

    On October 7, Elijah Cummings, the Ranking Member of the House Committee on Oversight and Government Reform, issued a letter asking committee Chairman Darrell Issa to hold a bipartisan hearing to examine a recent data security breach at a major U.S. financial institution. The breach is believed to have affected approximately 76 million households, in addition to 7 million small businesses. In his letter, Cummings told Issa that he believes an investigation into the breach “will help the Committee learn from [corporations] about security vulnerabilities they have experienced in order to better protect our federal information technology assets.” This is not the first time Cummings has asked Chairman Issa to hold hearings on the issue of data security. Cummings previously called for hearings on the issue in January and September of this year. To date, Chairman Issa has not responded to Cummings’s requests.

    U.S. House Privacy/Cyber Risk & Data Security

  • GAO Report On CFPB Data Collection And Privacy Practices Finds Room For Improvement

    Privacy, Cyber Risk & Data Security

    On September 22, the GAO issued a report regarding the privacy and data security implications of the CFPB’s data collection practices. The report, prepared in part in response to a request by Senator Crapo, notes that the CFPB’s data includes three one-time collections of data that contain information that directly identifies individuals: arbitration case records, deposit account data regarding deposit advance products, and borrower-level activity regarding storefront payday loans. The report highlights several areas for improvement: (i) development of written procedures and documentation regarding data intake and information security risk assessments; (ii) implementation of privacy control steps and information security practices; and (iii) Paperwork Reduction Act compliance regarding credit card data. In a comment appended to the report, the CFPB outlines the reasons for its data collection efforts and concurs with the GAO’s recommendations addressed to the CFPB.

    CFPB Data Collection / Aggregation GAO Privacy/Cyber Risk & Data Security

  • Delaware Enacts Law Governing Access To Digital Records After Death

    Privacy, Cyber Risk & Data Security

    On August 12, Delaware Governor Jack A. Markell signed the Digital Access and Digital Accounts Act, the first law in the nation to comprehensively govern access to a person’s digital assets, including social media and email accounts, after the person dies or becomes incapacitated. Under the new law, a Delaware resident’s digital assets will become part of his or her estate after death, and these assets will be accessible to heirs to the same extent as the deceased person’s physical, tangible assets. Digital assets are defined broadly to include data, texts, email, audio, video, images, sounds, social media and social networking content, health care and insurance records, computer codes and programs, software and software licenses, and databases, along with usernames and passwords. The law expressly does not apply to digital accounts of an employer regularly used by an employee in the usual course of business. The law requires any company that controls a person’s digital assets to give the legal fiduciary for the deceased’s estate the usernames, passwords, and any other information needed to gain access to the digital assets upon a valid written request. Any contrary provisions in service agreements or privacy policies that limit a fiduciary’s access to digital accounts are void, although the account owner can specify that the account should remain private after death. The law also grants the company controlling the digital assets immunity for complying with valid requests for account access. The new law takes effect January 1, 2015.

    Privacy/Cyber Risk & Data Security

  • Nebraska Federal Court Refuses To Dismiss Suit Claiming Breach Of Contract, Violation Of State Law For Unauthorized Credit Card Transactions Following Bank Data Breach

    Privacy, Cyber Risk & Data Security

    On August 20, the U.S. District Court for the District of Nebraska denied motions to dismiss filed by a Nebraska bank and two credit card processing companies in response to a purported class action filed by a merchant alleging that it suffered damages following a data breach at the defendants’ premises. Wines, Vines & Corks, LLC v. First Nat’l of Neb., Inc., No. 8:14CV82 (D. Neb. Aug. 20, 2014). According to the merchant’s complaint, the merchant maintained a credit card processing account with the defendants and, following the breach, had unauthorized credit card transactions processed and fees withdrawn from its account. The merchant alleged breach of contract, negligence, and violations of the Nebraska Consumer Protection Act and the Nebraska Uniform Deceptive Trade Practices Act based on the defendants’ failure to adequately secure and protect account information and refusal to refund the fees. In denying the motions to dismiss, the court determined that the merchant sufficiently pled the existence of a contract and resulting damages in support of its breach of contract claim, as well as a breach of the duty of due care in support of its negligence claim. Also, the court found that the merchant’s state law claims were adequately supported and determined that the defendants’ argument that the economic loss doctrine barred these claims was misplaced.

    Credit Cards Privacy/Cyber Risk & Data Security

  • FTC Finalizes Mobile Application Privacy Settlements

    Privacy, Cyber Risk & Data Security

    On August 19, the FTC approved final orders resolving allegations that two companies: (i) misrepresented the level of security of their mobile applications; and (ii) failed to secure the transmission of millions of consumers’ sensitive personal information. The FTC alleged that one company’s application assured consumers that their credit card information was stored and transmitted securely even though the company disabled a higher level of security validation, which allowed such credit card information to be intercepted. In addition, the company allegedly failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties. The FTC alleged that the second company also disabled enhanced security validation despite claiming that it followed industry-leading security precautions, which also left consumers’ information vulnerable to interception. The final settlement orders require both companies to establish comprehensive programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.

    FTC Mobile Commerce Enforcement Privacy/Cyber Risk & Data Security

  • California Federal Court Dismisses User Information Claims Against Digital Wallet Company

    Privacy, Cyber Risk & Data Security

    On August 12, the U.S. District Court for the Northern District of California dismissed for failure to state a claim a putative class action alleging that a digital wallet provider made unauthorized disclosures of user information to third-party mobile app developers. Svenson v. Google Inc., No. 13-cv-04080, 2014 WL 3962820 (N.D. Cal. Aug. 12, 2014). The named plaintiff claimed that when the digital wallet provider processed payments for apps purchased through an affiliated online store, it also provided certain customer/personally identifiable information to third-party app developers, including email address, account name, home city and state, zip code, and in some instances, telephone number. The plaintiff asserted theories of breach of contract and breach of the implied covenant of good faith and fair dealing, as well as violations of the Stored Communications Act and California’s Unfair Competition Law. The court held that the plaintiff’s breach of contract claim failed, reasoning in part that: (i) the plaintiff was not deprived of the “benefit of the bargain” given that the allegations involved free services and a $1.77 app; and (ii) there was no support for the theory that the economic value of the plaintiff’s information was diminished (because the plaintiff failed to allege that there was a market for the information). Similarly, the court held that the plaintiff’s Unfair Competition Law claims did not allege an economic injury, and that the breach of implied covenant claims were duplicative of the breach of contract claims. The court also dismissed the plaintiff’s Stored Communications Act claims.

    Digital Commerce
