
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court grants motion to dismiss in CIPA class action

    Privacy, Cyber Risk & Data Security

    On January 25, the U.S. District Court for the Northern District of California granted a motion to dismiss a class action suit, in which plaintiffs alleged that the defendant continued to monitor mobile users’ browsing history even after being asked to cease and desist. In their third amended complaint, the plaintiffs alleged that the defendant violated the California Invasion of Privacy Act (CIPA) because, among other things, although “developers and consumers consented to [the defendant] uploading data to its servers for the developers’ use, … [the defendant] also retained a copy for its own use.” The defendant argued that the plaintiffs’ “conclusory statement that communications are intercepted is not enough to make out a § 631 claim [of the CIPA].”

    The CIPA claims against the defendant were previously dismissed because they “failed to aver simultaneous interception.” The plaintiffs also attempted to revitalize their breach of contract claim by arguing it was a unilateral contract, but the district court noted that “[u]nder this theory, a contract was created by [the defendant’s] provision of a button to adjust privacy settings, text describing what the button supposedly did, and [the plaintiffs’] clicking of that button.” The district court further noted that it is not enough to create a unilateral contract, and that “[the defendant] was not asking [the plaintiffs’] to click the button, let alone bargain for such performance, and [the plaintiffs’] could not have reasonably expected they were entering into a contract simply by adjusting their account settings.”


  • District Court finalizes BIPA class action settlement

    Privacy, Cyber Risk & Data Security

    On January 24, the U.S. District Court for the Northern District of Illinois granted final approval to a nearly $877,000 class action settlement to resolve allegations that a food manufacturer’s fingerprint-based timekeeping system violated Illinois’ Biometric Information Privacy Act (BIPA). Class members (both direct employees and temporary staffing workers who worked for the defendant between June 2015 and the date of preliminary approval) alleged that the defendant (i) collected biometric fingerprint identifiers and information without receiving informed written consent from employees; (ii) processed these identifiers and information “without establishing and following a publicly available data retention schedule and destruction policy”; and (iii) disclosed the employees’ identifiers and information to its timekeeping vendor without consent. The defendant contended that since 2020 it has maintained BIPA consents and compliance policies, and “does not retain any finger scan data for separated Illinois employees.” While denying all liability and wrongdoing, the defendant has agreed to pay $876,750 to cover class member payments, attorney fees and costs, settlement administrator costs, and the class representative’s service award.


  • SBA rolls out small business cybersecurity pilot program

    Privacy, Cyber Risk & Data Security

    On January 21, the SBA announced $3 million in funding for the agency’s Cybersecurity for Small Business Pilot Program. The funding is intended to help state governments assist emerging small businesses in developing their cybersecurity infrastructure to combat increasing and evolving threats. Applications will be accepted from January 26 through March 3. “Throughout the COVID-19 pandemic, small businesses have adopted technology at high rates to survive, operate, and grow their businesses. As a result, cybersecurity has become increasingly important as now, more than ever before, small business owners face cyber risks and challenges that could disrupt their operations and competitive advantages. As we seek to build a stronger and more inclusive entrepreneurial ecosystem, we must innovate and provide resources to meet the evolving needs of the growing number of small businesses. With this new funding opportunity, the SBA intends on leveraging the strengths across our state governments, territories, and tribal governments to provide services to help small businesses get cyber ready and, in the process, fortify our nation’s supply chains,” SBA Administrator Isabella Casillas Guzman said in the announcement.


  • FCC proposes new reporting on telecom data breaches

    Federal Issues

    On January 12, the FCC announced that it had circulated among FCC staff a notice of proposed rulemaking (NPRM) to strengthen the rules for notifying consumers and federal law enforcement of breaches of customer proprietary network information. According to the FCC, the NPRM “would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors,” and “further advances the FCC’s efforts to ensure its rules keep pace with evolving cybersecurity threats and to protect consumers in the face of today’s challenges.” The NPRM outlines certain updates to current FCC rules that address telecommunications carriers’ breach notification requirements, including: (i) “[e]liminating the current seven business day mandatory waiting period for notifying customers of a breach”; (ii) “[e]xpanding customer protections by requiring notification of inadvertent breaches”; and (iii) “[r]equiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.” The NPRM solicits feedback on whether the FCC should require customer breach notices to include specific categories of information “to help ensure they contain actionable information useful to the consumer.” According to FCC Chairwoman Jessica Rosenworcel, current laws “need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.”


  • French data protection agency issues privacy fines over cookies

    Privacy, Cyber Risk & Data Security

    On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 million and $68 million USD, respectively) for failure to comply with the French Data Protection Act in connection with the companies’ process for managing cookies. According to the CNIL, the companies provide a button allowing users to immediately accept cookies but do not provide an equivalent option allowing users to refuse the cookies as easily, through a single click. This process, CNIL stated, “influences [a user’s] choice in favor of consent” since a user “cannot refuse the cookies as easily as they can accept them,” and constitutes an infringement of Article 82 of the French Data Protection Act. In addition to the fines, the CNIL gave the companies three months “to provide […] users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” Failure to comply carries the risk of an additional fine of 100,000 euros per day of delay.


  • District Court temporarily halts enforcement of New York’s user data-sharing ordinances

    Privacy, Cyber Risk & Data Security

    On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily relieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances”). The amended complaint contends that the ordinances “create an unconstitutional, privacy-infringing, data-disclosure requirement pursuant to which third-party food-ordering and delivery platforms . . . must divulge, against their will, sensitive, proprietary customer information,” including full names, phone numbers, email addresses, delivery addresses, and order contents, to New York City restaurants “regardless of whether that restaurant maintains any security infrastructure, and regardless of whether the customer has expressly consented to their personal information being so shared.” According to the plaintiffs, the ordinances “state that customers are presumed to have consented to this dangerous flow of their information unless they specifically opt out for each and every order they place, contrary to the common view that opt-out requests should be valid for at least several months.” The plaintiffs allege, among other things, that the ordinances are preempted by New York State’s Right of Privacy and violate delivery app companies’ First Amendment rights.

    Notably, while New York City “has agreed to stay enforcement of the Challenged Laws pending final determination by this Court resolving, or disposing of, this action in exchange for Plaintiff’s agreement not to file a motion for a preliminary injunction,” the stipulation and order is not an indefinite agreement to stop enforcement of the ordinances.


  • New Jersey settles CFA and HIPAA violations following 2019 data breach

    Privacy, Cyber Risk & Data Security

    On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, was exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and to identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”


  • New Mexico settles with technology company over COPPA violations

    Privacy, Cyber Risk & Data Security

    On December 13, the New Mexico attorney general announced a settlement in two federal court cases filed against a multinational technology company, both of which resolve allegations against the company under the federal Children’s Online Privacy Protection Act (COPPA) and other state consumer protection laws. According to one complaint, the company allegedly violated COPPA and the New Mexico Unfair Practices Act by collecting the personal information of minors and mining student emails in connection with the use of the company’s educational tools. A separate complaint alleged, among other things, that the company’s mobile ad platform permitted a third-party game developer to collect the personal data of minors without “verifiable parental consent.” According to the AG, under the terms of the settlement, the company must, among other things: (i) fund a new initiative to promote education, privacy, and safety for children across New Mexico and work with the AG to identify recipients of these funds; (ii) “provide[] school administrators with tools to protect minor students from improper collection of their personal data, including age-based access settings to ensure that minor children’s data is protected from unauthorized collection and disclosure”; (iii) monitor app developers that mislabel their child-directed apps; and (iv) require apps to implement age screening measures that ensure these apps do not collect information from children.


  • Global tech corporation fined for GDPR violations fends off daily fines

    Privacy, Cyber Risk & Data Security

    According to sources, the Luxembourg President of the Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s General Data Protection Regulation (GDPR). As previously covered by InfoBytes, the CNPD fined the corporation 746 million euros (approximately $888 million USD), issuing a decision against the corporation’s European headquarters and claiming that the corporation’s “processing of personal data did not comply with the [GDPR].” The decision—which required corresponding changes to the corporation’s practices, the details of which were not disclosed—followed an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes. The December ordinance suspends orders that required the corporation to make a number of changes to its data processes by January 15 or risk additional daily fines. Sources stated that the CNPD’s order “had not been formulated in clear, precise and free of uncertainty terms” that would allow the corporation to meet the conditions. The corporation’s appeal is still pending.


  • Norwegian Data Protection Authority fines U.S. dating app $7.1 million for alleged GDPR violations

    Privacy, Cyber Risk & Data Security

    On December 13, the Norwegian Data Protection Authority issued a reduced administrative fine against a U.S. company operating a GPS-based mobile dating app for allegedly violating the EU’s General Data Protection Regulation (GDPR). The regulator’s 2020 complaint stated that the company allegedly forced users to accept a full privacy policy in order to use the app, rather than providing users the option to independently and specifically consent to the sharing of their data with third parties and the company’s other data processing operations. This consent mechanism, the regulator claimed, “infringed most of the requirements for valid consent” under GDPR Articles 4(11), 6(1)(a), 7 and 9(2)(a). According to the regulator, the company allegedly shared user data with third parties for marketing purposes, including IP addresses, GPS location information, gender, age, and device information, among others, without a valid legal basis and disclosed “special category personal data to advertising partners without a valid exemption.” The regulator reduced the originally proposed $11.1 million fine to approximately $7.2 million, noting that the company’s efforts “to remedy the deficiencies in [its] previous [consent mechanism were] a mitigating factor.” However, the regulator noted that the company benefited financially from its GDPR violations, which was an “aggravating factor” in its deliberations.
