InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CPPA continues efforts towards California Privacy Rights Act
The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here).
Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8 open meeting held by the board. Draft regulations on automated decision-making remain to be published. More comprehensive comment and feedback is expected on these draft regulations, unlike regulations finalized in March that were presented in a more robust state. As previously covered by InfoBytes, the California Privacy Protection Agency cannot enforce any regulations until a year after their finalization, adding a ticking reminder to the finalization process for these draft regulations.
The draft cybersecurity regulations include thoroughness requirements for the annual cybersecurity audit, which must also be completed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” A management certification must also be signed certifying the business has not influenced the audit, and has reviewed the audit and understands its findings.
The draft risk assessment regulations require conducting a risk assessment prior to initiating processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list include the selling or sharing of personal information; processing personal information of consumers under age 16; and using certain automated decision-making technology, including AI.
DOJ announces international malware action, recovers $8.6 million in illicit profits
On August 29, the DOJ announced a multinational operation involving the U.S., France, Germany, the Netherlands, the UK, Romania, and Latvia to “disrupt” a malware’s infrastructure called Qakbot. Attorney General Merrick B. Garland stated that, “[t]ogether with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds. ” The main method by which the Qakbot malware spreads to target computers is via spam emails that contain harmful attachments or links. Upon successfully infecting a target computer, the DOJ mentioned that Qakbot gains the capability to introduce other types of malware, such as ransomware. Over the past few years, many ransomware collectives have used Qakbot as an initial avenue for initiating infections and has caused hundreds of millions of dollars in damages. The DOJ highlighted that “[t]he action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.”
NIST updates its Cybersecurity Framework
The National Institute of Standards and Technology (NIST) recently unveiled a proposed update to its Cybersecurity Framework, which was originally developed to provide information security guidelines for “critical infrastructure” like banking and energy industries. (Covered by InfoBytes here). The update includes a new, sixth pillar called “govern” that provides categories to facilitate executive oversight; manage enterprise risk (including supply chain risk); and effective alignment of enterprise resources, strategies, and risk, emphasizing that “cybersecurity is a major source of enterprise risk and a consideration for senior leadership.” This pillar will also guide organizations’ leadership in making internal decisions to support its cybersecurity strategy. The framework draft also updated its implementation guidance, especially for creating profiles that tailor guidance for certain situations. Additionally, NIST included implementation examples that are particularly beneficial for smaller firms. The framework’s lead developer, Cherilyn Pascoe, mentioned the framework has proven useful across many different sectors like small businesses and foreign governments, therefore it was updated to be a useful tool to sectors, regardless of type or size, outside of those designated as critical. A major goal of the updated version of the framework is to show organizations how to leverage existing technology frameworks, standards, and guidelines to implement NIST’s framework. Furthermore, the framework title changed from “Framework for Improving Critical Infrastructure Cybersecurity” to “The Cybersecurity Framework” to reflect its expanded inclusivity and wide adoption.
Public comments must be received by November 4.
7th Circuit affirms dismissal of proposed Driver’s Privacy Protection Act class action
On August 22, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a proposed class action alleging that defendant insurance companies leaked the plaintiffs’ drivers license numbers, holding that the plaintiffs lacked standing to sue the insurance companies. In a split decision, the majority opinion held that plaintiffs failed to establish standing to bring a lawsuit under the Driver’s Privacy Protection Act (DPPA) based on the unauthorized disclosure of their driver’s license numbers through a form on defendant’s website. The majority held that plaintiffs failed to allege a concrete injury, writing that allegations that plaintiffs are worried about future identity theft stemming from the disclosure are insufficient for standing, focusing on legitimate reasons why driver’s license numbers are commonly exposed to third-parties. The majority further held that plaintiffs failed to allege that false unemployment benefit applications submitted in their name were traceable to the disclosure of their driver’s license number, dooming their standing claim. In a dissent, Judge Kenneth Ripple disagreed with the majority’s conclusion that plaintiffs failed to make sufficient allegations to justify standing, reasoning that the DPPA contemplates a private right of action for the types of harms suffered by the plaintiffs and that plaintiffs adequately alleged that they suffered harm from false unemployment benefit applications submitted as a result of the driver’s license number leak.
District court declines to reconsider BIPA accrual ruling
On August 14, an Illinois District Court denied in part and granted in part a tech company’s motion to dismiss a class-action suit that alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”). The complaint alleged that the tech giant failed to safeguard the facial data in its photo service as closely as it protected other types of data and violated its own policy governing biometric identifier storage. BIPA requires companies to store, transmit, and protect biometric data using the reasonable standard of care within the company’s industry and to protect that data in either the same or more protective manner as it protects other types of confidential data.
In permitting the complaint to move forward, the court noted that the defendant’s internal documents allegedly show that it made minimal investment in its photo service and made no attempt to identify flaws in the system. Further, the court referred to allegations in the complaint that the defendant devotes fewer resources and staffing to protecting the photo service. The court noted that the allegations were sufficient because the lack of protocols made consumers’ critical metadata “vulnerable to attacks.”
In granting the motion related to violation of the defendant’s policies, the court noted that plaintiffs did not show they were personally injured by the alleged violation. The defendant’s policy requires it to delete files for accounts that have been abandoned for two years, for which image recognition was disabled, or where user deleted their photo account. However, the court concluded that the complaint did not allege that plaintiffs did any of these actions.
Chopra announces rulemaking for data brokers
On August 15, CFPB Director Rohit Chopra delivered remarks at the White House Roundtable on the harms of data broker practices. Referencing the prevalence of artificial intelligence in data surveillance, Chopra highlighted a common practice employed by companies: the gathering, leveraging, and sharing of data concerning consumers, including individual pieces of data or consumer profiles, without consumers’ awareness with third parties that employ AI to formulate forecasts and decisions. These detailed data sets can also easily be exploited by bad actors, Chopra warned. Chopra announced that after conducting an inquiry into data broker practices, the Bureau will endeavor to make rules regulating data broker surveillance to ensure sensitive data is not misused and on par with FCRA requirements.
Two proposals are being considered: the first proposal would define the term “consumer reporting agency” to include a data broker that sells certain types of consumer data, thereby triggering requirements to ensure accuracy and to govern disputes concerning the reporting of inaccurate information. The second proposal will address existing confusion by clarifying the existing confusion concerning “the extent to which credit header data constitutes a consumer report, [and] reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.” The rulemaking will also complement efforts put forth by the FTC.
DFPI launches actions against crypto scams, initiates education campaign
On August 9, the California Department of Financial Protection and Innovation (DFPI) announced that it issued cease and desist orders against three entities (orders here, here, and here) for allegedly offering and selling unqualified securities, and making material misrepresentations and omissions to investor related to cryptocurrency investments. The entities allegedly created high-yield investment programs (HYIPs), which DFPI characterizes as “investment frauds that typically promise high returns with low risk, promise overly consistent returns, provide little details about the people running the HYIP, use vague language to describe how the HYIP makes money, offer referral bonuses, facilitate deposits and withdrawals with crypto assets, and use social media to gain attention and attract investors.”
The cease and desist orders are just one of the tools DFPI employs to address investment scams involving crypto assets, also using enforcement actions, social media, and a Crypto Scam Tracker. DFPI has posted videos to its social media accounts that are directed towards the same group of individuals targeted by the crypto community in order to educate investors about its enforcement actions and violations of law. The Crypto Scam Tracker was launched earlier this year to help Californian’s identify and avoid scams involving cryptocurrency. (Covered by InfoBytes here).
District Court splits order against crypto platform
On August 11, a split U.S District Court of the Southern District of New York partially granted and partially denied a crypto platform’s (defendant) motion to dismiss most charges for failure to state a claim upon which relief can be granted. Four months after plaintiff opened an account with defendant, a hacker siphoned approximately $5 million worth of Bitcoin from the account. Between the time the hacker accessed the account and withdrew the Bitcoin, plaintiff contacted the platform about being locked out of the account, to which defendant responded that the password change email could be in plaintiff’s spam folder. The complaint alleged that had the company locked the account, plaintiff would still have access to their Bitcoin, and that the platform has a duty to protect its customers’ assets and accounts. Among other things, the complaint also alleged that the platform violated the Electronic Fund Transfer Act (EFTA), the New York General Business Law, and the Michigan Consumer Protection Act.
In its motion to dismiss, defendant argued that Regulation E does not apply to the platform because the EFTA language does not explicitly cover cryptocurrency and only references denominations of the U.S. dollar. Although a separate case against the same defendant determined EFTA did apply to the platform since the statute’s “funds” reference could reasonably cover cryptocurrency (covered by InfoBytes here), the judge’s order focused on, “electronic fund transfer”. The court more closely considered the purpose of the account, expressing uncertainty as to whether it was for personal, family, or household purposes. The court found that the definition of an “account” under EFTA does not include plaintiff’s electronic fund transfer account which was established for investment purposes. In the previous case against the same defendant, the court held that the defendant deceived the users regarding its security measures, but the judge presiding over this case disagreed. The court cut the claims of misrepresentation finding that plaintiff failed to allege that the statements were false at the time they were made. The order denies two claims: (i) that the defendant misrepresented its security level; and (ii) that the defendant failed to meet EFTA requirements and its implementing Regulation E, because investment purposes accounts are precluded from the statute’s protections. The court granted the other four counts.
FDIC releases operational risks in 2023 Risk Review
On August 14, the FDIC released its 2023 Risk Review, summarizing emerging risks in the U.S. banking system observed during 2022 and early 2023 in five broad categories: (i) credit risk; (ii) market risk; (iii) operational risk; (iv) crypto-asset risk; and (v) climate-related financial risk. According to the FDIC, the current risk review adds a new section relating to the FDIC’s approach to understanding and evaluating crypto-asset-related markets and activities. Monitoring these risks is among the agency’s top priorities, the FDIC said, and the “failure of three large banking institutions in March and May highlighted certain risks to the banking sector.” The FDIC stated that weaker economic conditions and higher interest rates in 2022 continued through early 2023, and “financial market conditions tightened considerably starting in 2022 on rising interest rates, high inflations, and concerns over a potential recession.” Overall, the FDIC said that “despite these challenges and the market stress in early 2023, the banking industry demonstrated resilience, but industry performance moderated from 2022.”
Dubai to facilitate personal data transfers with California-based entities
On August 9, the Dubai International Financial Centre Authority (DIFC) Commissioner of Data Protection issued a “first-of-its-kind” adequacy decision, declaring California’s data protection regime as “substantially equivalent and low risk.” The DIFC deemed the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act of 2020, equivalent to DIFC’s DP Law 2020—opening the door to facilitate personal data transfers between DIFC and California-based entities without the need to apply additional contractual measures. The DIFC further noted that CCPA Regulations provide procedures, guidance, and clarity on the requirements of the CCPA and highlighted the key aspects of CCPA, including (i) concepts and definitions; (ii) breach notification requirements; (iii) enforcement authority; (iv) notifications to the commissioner; and (v) commissioner authority and objectives. The DIFC’s decision outlines nine observations regarding California’s data protection regime that informed its adequacy decision. In its press release, the DIFC noted that the CCPA “gives consumers control and protection over personal data collected by businesses” and limits data collection and processing to what is fair, lawful, and necessary. The DIFC added that this adequacy decision sets a precedent for Dubai to build “similar relationships with various US states and the US privacy framework in the future.”