
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court temporarily halts enforcement of New York’s user data-sharing ordinances

    Privacy, Cyber Risk & Data Security

    On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily reprieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances”). The amended complaint contends that the ordinances “create an unconstitutional, privacy-infringing, data-disclosure requirement pursuant to which third-party food-ordering and delivery platforms. . . must divulge, against their will, sensitive, proprietary customer information,” including full names, phone numbers, email addresses, delivery addresses, and order contents to New York City restaurants “regardless of whether that restaurant maintains any security infrastructure, and regardless of whether the customer has expressly consented to their personal information being so shared.” According to the plaintiffs, the ordinances “state that customers are presumed to have consented to this dangerous flow of their information unless they specifically opt out for each and every order they place, contrary to the common view that opt-out requests should be valid for at least several months.” The plaintiffs allege, among other things, that the ordinances are preempted by New York State’s Right of Privacy and violate delivery app companies’ First Amendment rights.

    Notably, while New York City “has agreed to stay enforcement of the Challenged Laws pending final determination by this Court resolving, or disposing of, this action in exchange for Plaintiff’s agreement not to file a motion for a preliminary injunction,” the stipulation and order is not an indefinite agreement to stop enforcement of the ordinances.

    Privacy/Cyber Risk & Data Security Courts New York State Issues Consumer Protection

  • New Jersey settles CFA and HIPAA violations following 2019 data breach

    Privacy, Cyber Risk & Data Security

    On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, was exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and to identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”

    Privacy Cyber Risk & Data Security State Issues State Attorney General Settlement Data Breach Consumer Protection

  • New Mexico settles with technology company over COPPA violations

    Privacy, Cyber Risk & Data Security

    On December 13, the New Mexico attorney general announced a settlement resolving two federal court cases filed against a multinational technology company, both of which raised allegations against the company under the federal Children’s Online Privacy Protection Act (COPPA) and other state consumer protection laws. According to one complaint, the company allegedly violated COPPA and the New Mexico Unfair Practice Act by collecting the personal information of minors and mining student emails in connection with the use of the company’s educational tools. The separate complaint alleged, among other things, that the company’s mobile ad platform permitted a third-party game developer to collect the personal data of minors without “verifiable parental consent.” According to the AG, under the terms of the settlement, the company must, among other things: (i) fund a new initiative to promote education, privacy, and safety for children across New Mexico and work with the AG to identify recipients of these funds; (ii) “provide[] school administrators with tools to protect minor students from improper collection of their personal data, including age-based access settings to ensure that minor children’s data is protected from unauthorized collection and disclosure”; (iii) monitor app developers that mislabel their child-directed apps; and (iv) require apps to implement age screening measures which ensure that these apps do not collect information from children.

    Privacy/Cyber Risk & Data Security State Attorney General New Mexico COPPA State Issues

  • Global tech corporation fined for GDPR violations fends off daily fines

    Privacy, Cyber Risk & Data Security

    According to sources, the President of the Luxembourg Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s General Data Protection Regulation (GDPR). As previously covered by InfoBytes, the CNPD fined the corporation €746 million (approximately $888 million USD), issuing a decision against the corporation’s European headquarters and claiming the corporation’s “processing of personal data did not comply with the [GDPR].” The decision—which required corresponding practice revisions, the details of which were not disclosed—followed an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes. The December ordinance suspends orders that required the corporation to make a number of changes to its data processes by January 15 or risk additional daily fines. Sources stated that the CNPD’s order “had not been formulated in clear, precise and free of uncertainty terms” that would allow the corporation to meet the conditions. The corporation’s appeal is still pending.

    Privacy/Cyber Risk & Data Security Luxembourg Of Interest to Non-US Persons GDPR EU Enforcement

  • Norwegian Data Protection Authority fines U.S. dating app $7.1 million for alleged GDPR violations

    Privacy, Cyber Risk & Data Security

    On December 13, the Norwegian Data Protection Authority issued a reduced administrative fine against a U.S. company operating a GPS-based mobile dating app for allegedly violating the EU’s General Data Protection Regulation (GDPR). The regulator’s 2020 complaint stated that the company allegedly forced users to accept a full privacy policy in order to use the app, rather than providing users the option to independently and specifically consent to the sharing of their data with third parties and the company’s other data processing operations. This consent mechanism, the regulator claimed, “infringed most of the requirements for valid consent” under GDPR Articles 4(11), 6(1)(a), 7 and 9(2)(a). According to the regulator, the company allegedly shared user data with third parties for marketing purposes, including IP addresses, GPS location information, gender, age, and device information, among others, without a valid legal basis and disclosed “special category personal data to advertising partners without a valid exemption.” The regulator reduced the originally proposed $11.1 million fine to approximately $7.2 million, noting that the company’s efforts “to remedy the deficiencies in [its] previous [consent mechanism were] a mitigating factor.” However, the regulator noted that the company benefited financially from its GDPR violations, which was an “aggravating factor” in its deliberations.

    Privacy/Cyber Risk & Data Security GDPR EU Enforcement Norway Of Interest to Non-US Persons

  • FTC publishes 2022 regulatory priorities

    Privacy, Cyber Risk & Data Security

    On December 10, the FTC published a statement disclosing its regulatory priorities for 2022 (the Plan). Among other things, the statement highlights: (i) newly initiated and upcoming periodic reviews of rules and guides; (ii) ongoing periodic reviews of rules and guides; (iii) proposed rules; and (iv) final actions. According to the Plan, the FTC “will consider developing both unfair methods-of-competition rulemakings as well as rulemakings to define with specificity unfair or deceptive acts or practices.” The FTC noted that there are many pressing issues consumers face in the modern economy, such as the “abuses stemming from surveillance-based business models,” which also threaten competition. “The Commission is considering whether rulemaking in this area would be effective in curbing lax security practices, limiting intrusive surveillance, and ensuring that algorithmic decision-making does not result in unlawful discrimination.” The Plan further explains that the FTC will “explore whether rules defining certain ‘unfair methods of competition’ prohibited by section 5 of the FTC Act would promote competition and provide greater clarity to the market.” According to the Dissenting Statement by FTC Commissioner Christine S. Wilson, though, the plan takes “a big step into uncharted waters” with this latter statement, given the breadth of potential rulemakings and the lack of clarity on which areas the FTC would pursue. Wilson’s view is that many existing rules “should be abolished” rather than new rules issued.

    Privacy/Cyber Risk & Data Security FTC Act UDAP Agency Rule-Making & Guidance

  • FSB requests feedback on data frameworks affecting cross-border payments

    Privacy, Cyber Risk & Data Security

    Recently, the Financial Stability Board (FSB) issued a survey requesting stakeholder feedback on “how existing national and regional data frameworks interact with and affect the functioning, regulation and supervision of cross-border payment arrangements,” in addition to feedback on issues concerning the cross-border use of these data frameworks by national authorities and the private sector. Data frameworks within the survey’s scope include those concerning data access; data privacy, security, or storage; requirements for data retention; and multilateral or bilateral trade agreements covering the use and sharing of data across borders. Among other things, the survey seeks information on (i) ways national and regional data frameworks affect the costs and speed of delivering payments, as well as access and transparency; (ii) potential barriers to cross-border data use; (iii) areas of improvement for overcoming barriers in data frameworks; (iv) whether one jurisdiction’s data framework can impact the provision or supervision of cross-border payment services offered in other jurisdictions; and (v) whether there are particular payment corridors (especially those involving emerging markets) that face specific challenges related to data frameworks. The survey also requests information on the implementation of international standards from the FSB and other standard-setting bodies, “if not included as part of formal, domestic data frameworks,” and “[o]ther international efforts, arrangements, or agreements that jurisdictions may implement in their domestic data frameworks or that may affect cross-border data flows.” The survey will close on January 14, 2022.

    Privacy/Cyber Risk & Data Security Financial Stability Board Of Interest to Non-US Persons Payments

  • NYDFS addresses use of cyber assessment framework in risk assessment process

    Privacy, Cyber Risk & Data Security

    On December 9, NYDFS updated its FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on 23 NYCRR Part 500 here.) New FAQ 41 addresses whether covered entities should use a cyber assessment framework as part of the risk assessment process required by Sections 500.9 and 500.2(b). NYDFS clarified that while it “does not require a specific standard or framework for use in the risk assessment process,” it expects covered entities “to implement a framework and methodology that best suits their risk and operations.” Commonly employed frameworks cited by NYDFS include the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators 23 NYCRR Part 500 Bank Regulatory

  • NYDFS addresses multi-factor authentication weaknesses

    Privacy, Cyber Risk & Data Security

    On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that, since the Cybersecurity Regulation (23 NYCRR Part 500) went into effect (covered by InfoBytes here), MFA failures have continued to impact both financial services entities and consumers. From January 2020 to July 2021, more than 18.3 million consumers were affected by reported cyber incidents involving covered entities’ MFA failures, according to NYDFS. NYDFS has also taken two enforcement actions in the past year against companies whose failure to fully implement MFA resulted in unauthorized access to nonpublic information. The New York banking regulator is increasing its review of MFA during examinations and will focus on searching for the common MFA failures discussed in the guidance. Covered entities are advised to consider carefully the importance of MFA as they implement their risk-based cybersecurity programs. Under the Cybersecurity Regulation, MFA is required for remote access and must “be implemented beyond that as necessary to ensure effective access controls based on a comprehensive risk assessment.” The guidance provides examples of common problems related to MFA as well as recommendations for preventing them.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Bank Regulatory Risk Management Multi-Factor Authentication

  • Virginia Consumer Data Protection Act Work Group issues final report

    Privacy, Cyber Risk & Data Security

    Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:

    • Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
    • Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
    • Employing an “ability to cure” option for violations where a potential cure is possible.
    • Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single step for consumers to opt out of data collection.
    • Sunsetting the “right to cure” provision after the first few years following the VCDPA’s enactment to prevent companies from exploiting the provision.
    • Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
    • Studying specific data privacy protections for children.
    • Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
    • Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
    • Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
    • Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.

    The Work Group’s recommendations will be presented during the upcoming legislative session.

    Privacy/Cyber Risk & Data Security State Issues Virginia State Legislation VCDPA
