
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court approves settlement in data breach suit

    Privacy, Cyber Risk & Data Security

    On February 22, the U.S. District Court for the Central District of California granted final approval of a class settlement and ordered a final judgment between a plaintiff class and a provider of outpatient imaging (defendant), resolving allegations that the defendant failed to establish adequate security measures to protect its customers’ and employees’ data. According to the preliminary approval order, a third party gained unauthorized access to the defendant’s server, which stored the plaintiffs’ sensitive personal identifying information. The order noted that the security incident put the plaintiffs “at a high risk of identity theft and other cybercrimes.” The plaintiffs alleged in the complaint that the defendant violated California's Unfair Competition Law, the California Consumer Privacy Act, and the FTC Act, among other things, by failing “to adequately ensure the privacy, confidentiality, and security of employee data entrusted to it and Defendant’s failure to have adequate data security measures in place.” Under the terms of the order, the defendant is required to establish a $2.6 million settlement fund to provide monetary settlement benefits to class members within forty-five days of a preliminary approval order directing class notice. The plaintiff class will be separated into two tiers: a nationwide class consisting of individuals residing in the U.S. who were or may have been impacted in the data breach, and a California subclass consisting of individuals who resided in California on July 18, 2020, and who were or may have been impacted in the data breach. The order also granted $650,000 in class counsel fees and approximately $50,000 in costs and expenses. Each lead plaintiff received $1,500 as part of the settlement.

    Privacy/Cyber Risk & Data Security, Courts, Data Breach, California, CCPA, FTC Act, Class Action

  • District Court approves $14.8 million cloud subscription settlement

    Privacy, Cyber Risk & Data Security

    On August 4, the U.S. District Court for the Northern District of California approved a $14.8 million class action settlement resolving claims that a major technology company allegedly misled users about its cloud storage practices. In 2020, plaintiffs filed an amended complaint alleging the company breached its agreement with customers by hosting user data on third-party servers without providing proper notice, which resulted in overcharges. The plaintiffs alleged that the “selection of a cloud storage provider is a significant and material consideration as it involves entrusting all of a user’s stored data—including sensitive information like photographs, documents of all kinds, and e-mail content—to be stored by the cloud storage provider,” and that “users have an interest in who is offering this storage and taking custody of their data.” Plaintiffs claimed that, while the company assured users that it was the provider of the purchased cloud storage service, it was actually reselling cloud storage space on other third parties’ cloud facilities and charging users a “premium” for believing their data was being stored by the company. Approximately 16.9 million class members will receive individual settlement payments based on the overall payments made by each user for his or her cloud subscription during the class period. In granting final approval of the settlement, the court noted that the deal is fair, reasonable, and adequate.

    Privacy/Cyber Risk & Data Security, Courts, Settlement, Class Action

  • California Privacy Protection Agency plans to finish rulemaking by Q4 of 2022

    Privacy, Cyber Risk & Data Security

    On February 17, the California Privacy Protection Agency (CPPA) Board held a public meeting to provide an update on the California Privacy Rights Act (CPRA or the Act) rulemaking process. According to sources, the CPPA, which was established under the CPRA, stated it intends to finalize rulemaking in the third or fourth quarter of 2022. As previously covered by InfoBytes, last September, the CPPA formally called on stakeholders to provide preliminary comments on proposed CPRA rulemaking. The Act (effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 (covered by InfoBytes here) and amended the existing California Consumer Privacy Act. The invitation for comments highlighted several areas of interest for the CPPA, including topics concerning cybersecurity audits and risk assessments, automated decision-making, consumer privacy rights and requests to know, sensitive personal information, and dark patterns. While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the meeting that the rulemaking process will extend into the second half of the year. Soltani noted that preliminary and informational proceedings will take place sometime this March and April, and will include instructive sessions with various subject matter experts and public sessions to obtain stakeholder input, and will take into account responses from the comment solicitation period that ended November 8, 2021. Following these proceedings, the Board will begin the formal rulemaking process during the second and third quarters, with final rules being finished by the end of the year. Soltani acknowledged that while the Board is behind schedule with respect to the July deadline, the CPPA expects to use the extra time to fill open positions at the agency.

    Privacy/Cyber Risk & Data Security, California, CCPA, CPRA, CPPA, State Issues, Agency Rule-Making & Guidance

  • Consulting firm agrees to $4.95 million settlement to resolve class data breach claims

    Privacy, Cyber Risk & Data Security

    On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment agencies in Illinois, Colorado, and Ohio. According to the class’s supplemental brief in support of their motion for final approval, the allegedly poorly designed websites were subject to a data breach that resulted in unauthorized access to unemployment seekers’ personally identifiable information. The parties agreed to a nationwide settlement class of 237,675 individuals in Illinois, Colorado, and Ohio. These individuals were notified by their state employment agencies that certain personal information submitted when applying for pandemic-related unemployment claims may have been inadvertently exposed in a data breach. Under the terms of the settlement, the defendant agreed to establish a $4.95 million settlement fund to compensate eligible claimants, and will pay more than $1.6 million in attorneys’ fees and costs, as well as class member service awards.

    Privacy/Cyber Risk & Data Security, Courts, Data Breach, Class Action, Settlement

  • UK accepts multinational tech company’s privacy sandbox proposals

    Privacy, Cyber Risk & Data Security

    On February 11, the UK Competition and Markets Authority (CMA) issued a decision accepting a multinational technology company’s offer to provide more transparency and oversight to its privacy sandbox proposals. The purpose of these proposals is to remove cross-site tracking of certain users through third-party cookies and alternative tracking methods such as fingerprinting, and to replace these methods “with tools to provide selected functionalities currently dependent on cross-site tracking.” A replacement technology has not yet been selected. The CMA conducted an investigation centered on competition concerns related to the impact the privacy sandbox proposals may have if they are “implemented without sufficient regulatory scrutiny and oversight, in terms of third parties’ unequal access to the functionality associated with user tracking.” The CMA’s decision requires the company to work closely with the agency when developing and testing its proposed replacements for third-party cookies. Additionally, the company is barred from making changes that give it an advantage over competitors when third-party cookies are removed and from developing replacements that give the company a competitive advantage over third parties. The company is also required to provide the CMA with at least 60 days’ notice before removing support for third-party cookies and may not “combine user data from certain specified sources for targeting or measuring digital advertising on either [company] owned and operated ad inventory or ad inventory on websites not owned and operated by [the company].” The CMA stated that it will continue to consult with the UK Information Commissioner’s Office on aspects of the privacy sandbox proposals related to privacy and data protection measures to ensure these concerns are addressed as the proposals are more fully developed.

    Privacy/Cyber Risk & Data Security, UK, Regulatory Sandbox, Fintech, Of Interest to Non-US Persons

  • France says tool for EU-U.S. data transfers is unsafe

    Privacy, Cyber Risk & Data Security

    On February 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), issued a decision related to a multinational technology company’s practice of transferring data collected through its analytics tool to the U.S. The analytics tool, which measures the number of user visits, assigns a unique identifier to each visit (which constitutes personal data). The identifier and associated data are then transferred by the company to the U.S. CNIL stated that it received numerous complaints related to the transfer of the collected data and noted that complaints were filed against 101 data controllers for allegedly transferring personal data to the U.S. The agency analyzed the conditions under which the collected data was being transferred, and assessed the risk potential for individuals raising the concerns. According to CNIL, the company’s trans-Atlantic data transfers “are currently not sufficiently regulated” in spite of “additional measures” adopted by the company to regulate these data transfers. These measures “are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” CNIL determined, noting that “in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.”

    CNIL stated that these data transfers violate Article 44 et seq. of the GDPR (which governs the transfer of personal data to a third country or to an international organization), and ordered a “website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the [analytics tool] functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU.” The website operator must comply within one month. Additional compliance orders were also issued to other website operators using the analytics tool. CNIL also recommended that the analytics tool should only be used to produce anonymous statistical data, and stated that it has launched an evaluation program to determine solutions that are exempt from consent.

    Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, France, GDPR, EU

  • Illinois Supreme Court rules Workers’ Compensation Act does not bar BIPA privacy claims

    Privacy, Cyber Risk & Data Security

    On February 3, the Illinois Supreme Court unanimously ruled that the Illinois Workers’ Compensation Act (Compensation Act) does not bar claims for statutory damages under the state’s Biometric Information Privacy Act (BIPA). According to the opinion, the plaintiff sued the defendant and several other long-term care facilities in 2017 for violations of BIPA, alleging their timekeeping systems scanned her fingerprints without first notifying her and seeking her consent. The defendant countered that the Compensation Act preempted the plaintiff’s claims, but in 2020 the Illinois Appellate Court, First District, held that it failed to see how the plaintiff’s claim for liquidated damages under BIPA “fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.” As such, the appellate panel concluded that the Compensation Act’s exclusivity provisions “do not bar a claim for statutory, liquidated damages, where an employer is alleged to have violated an employee’s statutory privacy rights under the Privacy Act, as such a claim is simply not compensable under the Compensation Act.”

    In affirming the appellate panel’s decision, the Illinois Supreme Court agreed that the “personal and societal injuries caused by violating [BIPA’s] prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act. [BIPA] involves prophylactic measures to prevent compromise of an individual’s biometrics.” Additionally, the Illinois Supreme Court held that the plain language of BIPA supports a conclusion that the state legislature did not intend for it to be preempted by the Compensation Act’s exclusivity provisions. Noting that it is aware of the consequences the legislature intended as a result of BIPA violations, the Illinois Supreme Court wrote that the “General Assembly has tried to head off such problems before they occur by imposing safeguards to ensure that the individuals’ privacy rights in their biometric identifiers and biometric information are properly protected before they can be compromised and by subjecting private entities who fail to follow the statute’s requirements to substantial potential liability . . . whether or not actual damages, beyond violation of the law’s provisions, can be shown.” Moreover, if a “different balance should be struck under [BIPA] given the category of injury,” that is “a question more appropriately addressed to the legislature.”

    Privacy/Cyber Risk & Data Security, Courts, State Issues, Illinois, BIPA, Appellate

  • Colorado releases guidance on data privacy and security in advance of CPA implementation

    Privacy, Cyber Risk & Data Security

    On January 28, the Colorado attorney general issued prepared remarks and guidance on data security best practices in advance of the implementation of the Colorado Privacy Act (CPA). As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The Colorado AG has enforcement authority for the CPA, which does not provide a private right of action. The CPA is effective July 1, 2023, with certain opt-out provisions taking effect July 1, 2024.

    AG Phil Weiser stated that, by this fall, his office will post a formal Notice of Proposed Rulemaking, including a proposed set of model rules, with the goal of adopting a final rule roughly a year from now. AG Weiser also outlined best practices that will be weighed in determining whether a company is acting reasonably to safeguard sensitive information. Notably, the AG’s office will first evaluate whether a company has identified the types of data it collects and established a system for storing and managing that data (including disposal procedures). Considerations will then be made as to whether the company has a written information security policy and a written data incident response plan. The AG’s office will also examine a company’s practices for monitoring vendors’ data security measures. AG Weiser also referenced the recently released Data Security Best Practices guidance, which outlines key steps companies should take to protect consumer data, including ways to adopt information security and incident response policies, train employees on mitigating and responding to cybersecurity attacks, and notify appropriate parties in the event of a data breach, among other topics.

    Privacy/Cyber Risk & Data Security, State Issues, Colorado, State Attorney General

  • French Council of State confirms €100 million fine against tech company

    Privacy, Cyber Risk & Data Security

    On January 28, the French Council of State confirmed the jurisdiction of the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), to impose sanctions on a multinational technology company and its Irish affiliate related to the companies’ process for managing cookies. The judgment follows an appeal by the companies against a 100 million euro fine imposed by CNIL in December 2020 for failure to obtain users’ consent and provide adequate information before depositing advertising cookies on users’ computers. The 2020 decision cited three violations of Article 82 of the French Data Protection Act (the Act). In confirming the 2020 decision, the Council of State recognized that it is within CNIL’s jurisdiction “to issue sanctions regarding cookies outside the ‘one-stop-shop’ mechanism provided for in the GDPR and therefore confirmed the sanction imposed by the CNIL on the companies[.]” Specifically, the Council of State concluded that the GDPR’s “one-stop-shop” mechanism does not apply to the deposit of cookies, which is covered by the Act. Additionally, because the cookies in question are implemented in the context of the companies’ activities in France, the Council of State determined that CNIL had jurisdiction pursuant to the Act and, consequently, did not have to forward the case to the Irish Data Protection Authority (the lead supervisory authority for these companies under the GDPR). Moreover, the Council of State held that the fines imposed by CNIL were “not disproportionate in view of the seriousness [of] the violations, the scope of the processing and the financial capabilities of the companies.”

    Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, Enforcement, France

  • California investigating loyalty programs for CCPA compliance

    Privacy, Cyber Risk & Data Security

    On January 28, the California attorney general announced an “investigative sweep” of businesses operating loyalty programs in the state. The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, requires businesses that offer financial incentives in exchange for personal information, including loyalty programs, to provide consumers with a notice that clearly describes the material terms of the financial incentive program before consumers opt-in. (See InfoBytes coverage of the CCPA here.) Notices of noncompliance were sent to several businesses whose loyalty programs allegedly violated the CCPA, including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers. Businesses have 30 days to cure or fix the alleged violation and come into compliance with the law before the initiation of an enforcement action. “I urge all businesses in California to take note and be transparent about how you’re using your customer’s data,” Attorney General Rob Bonta stated in the announcement. “My office continues to fight to protect consumer privacy, and we will enforce the law.”

    Privacy/Cyber Risk & Data Security, State Issues, State Attorney General, California, CCPA
