Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Connecticut becomes fifth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection

  • District Court settles data scraping lawsuit

    Privacy, Cyber Risk & Data Security

    On May 9, the U.S. District Court for the Northern District of California issued a final judgment on consent resolving a lawsuit concerning data scraping allegations. A professional networking site (plaintiff) sued a Singapore-based company and three company founders (collectively, “defendants”) claiming the defendants violated the terms of the plaintiff’s user agreement by gaining unauthorized access to areas of the plaintiff’s platform that are only accessible to real logged-in members, scraping millions of member profile pages, and using fake member accounts and prepaid virtual debit card numbers to fraudulently obtain access to a function that provides advanced features. In alleging claims for breach of contract, fraud and deceit, and misappropriation, among others, the plaintiff claimed the defendants’ activities defrauded it out of hundreds of thousands of dollars in revenue. According to the court’s judgment, the defendants have agreed to be permanently restrained and barred from engaging in the aforementioned activities, including using scraping to access the plaintiff’s data, engaging in marketing and advertising about the availability of user data on the defendant’s website, circumventing any technological measures that control access to the plaintiff’s servers, and transferring data to third parties. “Defendants represent that they have destroyed all [plaintiff] member profile data, whether stored in electronic form or otherwise, in their possession, custody, or control and have certified in writing that they have done so,” the judgment stated. While the judgment did not include a monetary penalty, the court noted that violation of the final judgment or consent shall expose the defendants and all other persons bound by the final judgment on consent “to all applicable penalties, including contempt of Court.”

    Privacy/Cyber Risk & Data Security Courts Data Scraping Settlement

  • District Court dismisses privacy class action claims citing absence of jurisdiction

    Privacy, Cyber Risk & Data Security

    On May 5, the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss a putative class action concerning invasion of privacy claims related to the collection of consumer data over an online shopping platform. The Canada-based e-commerce company and two of its wholly-owned subsidiaries operate an e-commerce platform that hosts merchants’ websites and facilitates and verifies customers’ payment information. According to the plaintiff, the defendants’ platform intercepts payment information and collects shoppers’ sensitive personal information through the use of cookies, including names, addresses, and credit card information. The plaintiff alleged that the defendants compile the data into individualized profiles, which is shared with merchants, and also share shoppers' data with other non-merchant third parties. Shoppers are not required to consent to any of these activities and are supposedly unaware that their sensitive information is being tracked and shared, the plaintiff stated, claiming violations of California’s Invasion of Privacy Act, Computer Data Access and Fraud Act, and Unfair Competition Law, among other things. In dismissing the action, the court concluded that the plaintiff’s privacy claims against the defendants are too general and fail to identify which defendant is responsible for the plaintiff’s alleged injuries. The court noted that it would normally permit the plaintiff to amend his complaint to address the issue, but said that in this case the court lacks both general and specific jurisdiction over any of the defendants. The court explained that the plaintiff failed to argue that any of the three entities (based either in Canada or Delaware) are subject to general jurisdiction in California. Simply stating that the platform “enables merchants to sell products online . . . does not represent an intentional act directed at California residents,” the court stated.

    Privacy/Cyber Risk & Data Security Courts Class Action State Issues California Jurisdiction

  • Defendants to pay $5.7 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On October 17, the U.S. District Court for the Northern District of Ohio granted final approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment card information from more than 700 franchised restaurants. According to the order, in 2017, a data breach compromised the defendant’s customer payment data, which resulted in multiple lawsuits that were settled. In the current case, the plaintiffs sued the defendant for negligence related to insecure systems that led to the data breach. The plaintiffs alleged that the defendant’s negligence required financial institutions to spend resources to respond to the breach. Under the terms of the settlement, the defendant is required to pay under a per-card formula up to $5.73 million to resolve class member claims, which would include up to $3 million to pay class members’ claims ($1.00 per reissued card and $1.50 per card experiencing fraud within four weeks of the breach). The defendant is required to pay up to $500,000 for settlement administration, up to $30,000 for class representative service awards, and up to $2.2 million for attorneys’ fees and expenses.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach Settlement

  • District Court allows data sharing invasion of privacy claims to proceed

    Privacy, Cyber Risk & Data Security

    On May 4, the U.S. District Court for the Central District of California partially dismissed the majority of a putative class action accusing several large retailers and a data analytics company (collectively, “defendants”) of illegally sharing their consumer transaction data, allowing only an invasion of privacy claim to proceed. In 2020, plaintiffs’ claimed the retail defendants shared consumer data without authorization or consent, including “all unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, or passport, e.g., the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code,” with the data analytics company who used the information to create “risk scores” that purportedly calculated a consumer’s likelihood of retail fraud or other criminal activity. The court permanently dismissed the plaintiffs’ California Consumer Privacy Act claims, finding that the state law was not in effect when some of the plaintiffs allegedly attempted returns or exchanges and that the law does not contain an express retroactivity provision. Additionally, while plaintiffs argued that the retail defendants engaged in “a pattern or practice of data sharing,” the court concluded that plaintiffs failed “to allege that they are continuing to return or exchange merchandise at these retailers such that their data is disclosed” to the data analytics company. The court also dismissed the FCRA claims, ruling that the data analytics company’s risk report is not a “consumer report” subject to the FCRA because it does not “bear on Plaintiff’s eligibility for credit.” Plaintiffs’ claims for unjust enrichment and violations of California's Unfair Competition Law were also dismissed. However, the court concluded that the plaintiffs had plausibly alleged a reasonable expectation of privacy against the defendants, pointing to “the wide discrepancy between Plaintiffs’ alleged expectations for Retail Defendants’ use of their data and its actual alleged use.”

    “The court finds dismissing this claim at the pleading stage particularly inappropriate where, as is the case here, defendants are the only party privy to the true extent of the intrusion on Plaintiffs’ privacy,” the court stated. “Reading the Complaint in a light most favorable to Plaintiffs, Plaintiffs sufficiently allege that [] defendants’ intrusion into Plaintiffs’ privacy was highly offensive.”

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action CCPA California

  • District Court partially certifies data breach suit

    Privacy, Cyber Risk & Data Security

    On May 3, the U.S. District Court for the District of Maryland granted in part and denied in part certification of eight class actions against a hotel corporation (defendant) alleging that it misled consumers regarding a major breach of customers’ personal information. According to the opinion, the plaintiffs filed suit after allegedly learning that the defendant took more than four years to discover the breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted, to provide data security services reported an anomaly pertaining to a guest information database. In total, the breach impacted approximately 133.7 million guest records associated with the U.S., including an estimated 47.7 million records associated with the bellwether states. The defendant argued that certification should be denied because not all of the class members demonstrated that they suffered an injury, which the court rejected, noting that the plaintiffs do not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendants’ argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action

  • 9th Circuit: Data release did not violate defendant’s Fourth Amendment rights

    Privacy, Cyber Risk & Data Security

    On April 27, the U.S. Court of Appeals for the Ninth Circuit concluded that limited digital data uncovered online that was not collected at the behest of the government did not violate the Fourth Amendment, which protects individuals from unreasonable government searches and seizures. According to the opinion, the defendant, who was convicted of child exploitation, argued that his Fourth Amendment rights were violated when two electronic service providers (ESPs) investigated his accounts without a warrant and reported the evidence of child sexual exploitation. He further maintained that evidence seized upon his arrest should have been suppressed because the ESPs were “acting as government agents when they searched his online accounts,” and that “he had a right to privacy in his digital data and that the government’s preservation requests and subpoenas, submitted without a warrant, violated the Fourth Amendment.” 

    The 9th Circuit disagreed, concluding first that the federal Stored Communications Act and the Protect Our Children Act “transformed the ESPs’ searches into governmental action” and “that the government was sufficiently involved in the ESPs’ searches of the defendant’s accounts to trigger Fourth Amendment protection.” The appellate court also determined that the government’s preservation requests for the private communications did not amount to unreasonable seizure and that “the defendant did not have a legitimate expectation of privacy in the limited digital data sought in the government’s subpoenas, where the subpoenas did not request any communication content from the defendant’s accounts and the government did not receive any such content in response to the subpoenas.” Moreover, the 9th Circuit stated that the defendant agreed to terms of use that granted the ESPs’ contractual rights under agreed upon privacy policies “to investigate, prevent, or take action regarding illegal activities,” and consented to the ESPs honoring of preservation requests from law enforcement.

    Privacy/Cyber Risk & Data Security Courts Constitution Fourth Amendment

  • District Court approves final class action privacy settlement

    Privacy, Cyber Risk & Data Security

    On April 29, the U.S. District Court for the Western District of New York granted final approval of a class action settlement resolving privacy and data security allegations against a health insurance company and several related health insurance entities (collectively, “defendants”). According to the plaintiffs’ memorandum of support, the plaintiff filed suit in 2015, alleging that the defendants compromised the personal identifying information, Social Security numbers, and medical and financial data of approximately 9.3 million policy holders from a 2013 data breach. After the security incident was announced, 14 lawsuits were filed, which were consolidated with this case. Under the terms of the final settlement, the defendants are required to implement information security and compliance measures, and comprehensively address security risks. The settlement also includes $3.6 million in attorneys’ fees and $700,000 in litigation costs. Class representatives will be awarded service awards that range between $1,000-$7,500 each, which will total approximately $95,500.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach Class Action

  • EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations

    Privacy, Cyber Risk & Data Security

    On April 28, the Court of Justice of the European Union (CJEU) issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect.” According to the judgment, Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against a global social media company’s Ireland division for allegedly infringing on General Data Protection Regulation (GDPR) rules governing the protection of personal data, the combat of unfair commercial practices, and consumer protection when offering users free games provided by third parties. Germany’s Federal Court of Justice called into question whether a consumer protection association has standing to bring proceedings in the civil courts against infringements of the GDPR without obtaining a mandate from users whose data was misused. Germany’s Federal Court of Justice also observed that the GDPR could be inferred to read that “it is principally for the supervisory authorities to verify the application of the provisions of that regulation.”

    In its ruling, CJEU concluded that consumer protection associations in the EU can bring representative actions against the social media company for alleged violations of the GDPR, writing that the GDPR “does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data . . . where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” Permitting associations to bring representative actions is “consistent with the objective pursued by the GDPR . . . in particular, ensuring a high level of protection of personal data,” CJEU stated.

    Privacy/Cyber Risk & Data Security Courts Germany EU Of Interest to Non-US Persons GDPR Consumer Protection

  • Connecticut legislature passes consumer data privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that, during the preceding calendar year, “controlled or processed the personal data of not less than seventy-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.” Certain entities and types of data are exempt from the bill’s requirements, including state governmental entities; nonprofits; higher education institutes; national security associations registered under the Securities Exchange Act of 1934; financial institutions or data subject to federal privacy disclosure requirements; hospitals; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller and processor will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. A consumer may designate another person to serve as his or her authorized agent to opt out of the processing of such consumer’s personal data.
    • Controllers’ and processors’ responsibilities. Under the bill, controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, unless the request is “manifestly unfounded, excessive or repetitive,” in which case a controller may charge a reasonable administrative fee or decline to act on the request (a controller bears the burden of explaining the denial and must also establish an appeals process, including a method through which a consumer may submit a complaint to the state attorney general). Among other things, controllers must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and are required to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Controllers may not process personal data in violation of federal and state laws that prohibit unlawful discrimination against consumers and must provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. Controllers must cease processing data within 15 days of receiving a revocation request. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing de-identified data or pseudonymous data. Data processors must adhere to a controller’s instructions and enter into contracts with clearly specified instructions for processing personal data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law. The attorney general may also require a controller to disclose any data protection assessments relevant to an investigation. A violation of the bill’s provisions will constitute an unfair trade practice.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general (during the period beginning July 1, 2023 through December 31, 2024) must provide a controller or processor written notice of violation. The controller or processor then has 60 days to cure the alleged violation before the attorney general can file suit. Beginning on January 1, 2025, the attorney general, when determining whether to provide a controller or processor the opportunity to cure an alleged violation, may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.

    If enacted in its current form, the bill would take effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection COPPA State Attorney General Enforcement

Pages

Upcoming Events