
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS imposes $5 million fine against cruise line for cybersecurity violations

    Privacy, Cyber Risk & Data Security

    On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.

    The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

  • FTC finalizes action against e-commerce platform for data breach cover up

    Federal Issues

    On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.

    Federal Issues Privacy/Cyber Risk & Data Security FTC Enforcement Data Breach FTC Act Deceptive UDAP

  • Rep. McHenry introduces draft privacy legislation based on GLBA

    Federal Issues

    On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the discussion draft here.) The draft bill seeks to build on the Gramm-Leach-Bliley Act (GLBA) to better align financial data protection law with evolving technologies that have innovated the financial system and the way in which consumers interact with financial institutions, including nonbank institutions. “Technology has fundamentally changed the way consumers participate in our financial system—increasing access and inclusion. It has also increased the amount of sensitive data shared with service providers. Our privacy laws—especially as they relate to financial data—must keep up,” McHenry said, emphasizing the importance of finding a way to “secure Americans’ privacy without strangling innovation.”

    Among other things, the draft bill:

    • Requires notice of collection activities. The GLBA currently requires that consumers be provided notice when their information is being disclosed to third parties. The draft bill updates this requirement to require financial institutions to provide notice when consumers’ nonpublic personal information is being collected.
    • Recognizes the burden on small institutions. The draft bill stipulates that agencies shall consider compliance costs imposed on smaller financial institutions when promulgating rules.
    • Amends the definition of a “financial institution.” The draft bill will update the definition to cover data aggregators in addition to financial institutions engaged in financial activities as described in 4(k) of the Bank Holding Company Act of 1956.
    • Expands the definition of non-public information. The draft bill expands the definition of “personally identifiable financial information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Publicly available information is not included in this definition. The definition of “consumer account credentials” will mean “nonpublic information (including a username, password, or an answer to a security question) that enables the consumer to access an account of the consumer at a financial institution.”
    • Provides consumers access to data. The draft bill provides that financial institutions must, upon an authorized request from a consumer, disclose the data held, entities with which the financial institution shares consumer data, and a list of entities from whom the financial institution has received a consumer’s non-public personal information.
    • Allows consumers to stop the collection and disclosure of their data. When a financial institution is required to terminate the collection and/or sharing of a consumer’s nonpublic personal information, the draft bill provides that a financial institution must notify third parties that data sharing is terminated and must require the third parties to also terminate collection and disclosure. Additionally, upon request from a consumer, the financial institution must delete any nonpublic personal information in its possession, and if required by law to retain the data, the financial institution may only use the data for that purpose.
    • Minimizes data collection. The draft bill requires that financial institutions notify consumers of their data collection practices in their privacy policies, including the categories collected, how the information is collected, and the purposes for the collection. Consumers must be allowed an opportunity to opt-out of the collection of their data if not necessary for the provision of the product or service by that entity.
    • Provides informed choice and transparency. Under the draft bill, privacy terms and conditions must be transparent and easily understandable. The draft bill requires the disclosure of a financial institution’s privacy policies in a manner that provides consumers meaningful understanding of what data is being collected, the manner in which the data is collected, the purposes for which the data will be used, the right to opt-out, who has access to the data, how an entity is using the data, where the data will be shared, the data retention policies of the entity, the consumer’s termination rights, and the rights associated with that data for uses inconsistent with stated purpose, among others.
    • Stipulates liability for unauthorized access. The draft bill states that “[i]f the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.”
    • Requires preemption. The draft bill will preempt state privacy laws to create a national standard.

    The draft bill was introduced days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (covered by a Buckley Special Alert here).

    Federal Issues Privacy/Cyber Risk & Data Security Federal Legislation Gramm-Leach-Bliley Consumer Protection

  • States reach $1.25 million data breach settlement with cruise line

    State Issues

    On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”

    Under the terms of the settlement, the company has agreed to provisions designed to strengthen its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (iii) instituting multi-factor authentication for remote email access; (iv) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (v) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (vi) undergoing an independent information security assessment, consistent with past data breach settlements.

    State Issues Enforcement State Attorney General Data Breach Settlement Privacy/Cyber Risk & Data Security

  • U.S. and EU collaborate to combat ransomware attacks

    Privacy, Cyber Risk & Data Security

    On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in the Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property Section, along with representatives from the FBI, the U.S. Secret Service, the U.S. Homeland Security Investigations, European Judicial Cybercrime Network, Eurojust’s Cybercrime Team, and Europol’s European Cybercrime Centre shared “experiences, best practices, and lessons learned in directing an investigation to a successful outcome including collaborating with the tech and private sector.” Participants also discussed “relevant changes in the law, including issues related to electronic evidence, charging options, and cross-border considerations.”

    Privacy/Cyber Risk & Data Security DOJ EU Of Interest to Non-US Persons Ransomware

  • District Court grants preliminary approval of class action settlement in data breach case

    Courts

    On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a 2019 phishing attack. According to the plaintiffs’ supplemental memorandum in support of preliminary approval of settlement, the defendant notified the plaintiffs (as well as the attorneys general of several states) that a successful phishing campaign was launched against them. The phishing scheme resulted in cybercriminals being able to “access” and “download” a report containing the unencrypted personally identifiable information (PII) of 52,846 plaintiffs. The plaintiffs alleged that as a result of the data security incident they suffered concrete injuries, including, inter alia, identity theft, the exposure of their PII to cybercriminals, a substantial risk of identity theft, and actual losses. Under the terms of the preliminarily approved settlement, class members are eligible to enroll in three years of identity protection and credit monitoring, and may receive reimbursement of out-of-pocket expenses and compensation for up to three hours spent dealing with the security incident.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement

  • Special Alert: House subcommittee hears testimony on privacy bill

    Privacy, Cyber Risk & Data Security

    The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data Privacy and Protection Act (ADPPA).

    The bipartisan initiative faces new headwinds following June 22 remarks by Senate Commerce Chair Maria Cantwell (D-WA), who cited “major enforcement holes” in the legislation on preemption issues — but expressed hope that the sponsors could offer revisions. 

    Privacy/Cyber Risk & Data Security Federal Issues Special Alerts Federal Legislation Consumer Protection FTC House Subcommittee on Consumer Protection and Commerce

  • FTC issues report to Congress on use of AI

    Privacy, Cyber Risk & Data Security

    On June 16, the FTC issued a report to Congress regarding the use of artificial intelligence (AI), warning that policymakers should use caution when relying on AI to combat the spread of harmful online conduct. In the 2021 Appropriations Act, Congress directed the FTC to study and report on whether and how AI “may be used to identify, remove, or take any other appropriate action necessary to address” a wide variety of specified “online harms,” referring specifically to content that is deceptive, fraudulent, manipulated, or illegal. The report suggests that adoption of AI could be problematic, as AI tools can be biased, discriminatory, or inaccurate, and could rely on invasive forms of surveillance. To avoid introducing these additional harms, the report suggests lawmakers instead focus on developing legal frameworks to ensure no additional harm is caused by AI tools used by major technology platforms and others. The report further suggests that Congress, regulators, platforms, scientists, and others focus their attention on creating frameworks to address the following related considerations, among others: (i) the need for human intervention in connection with monitoring the use and decisions of AI tools intended to address harmful content; (ii) the need for meaningful transparency, “which includes the need for it to be explainable and contestable, especially when people’s rights are involved or when personal data is being collected or used”; and (iii) the need for accountability with respect to the data practices and results of the use of AI tools by platforms and other companies. Other recommendations include use of authentication tools, responsible use of inputs and outputs by data scientists, and using interventions, such as tools that slow the viral spread or otherwise limit the impact of certain harmful content.

    The Commission voted 4-1 at an open meeting to send the report to Congress. Commissioner Noah Joshua Phillips issued a dissenting statement, finding that the report provides “short shrift to how and why AI is being used to combat the online harms identified by Congress,” and instead “reads as a general indictment of the technology itself.”

    Privacy/Cyber Risk & Data Security Federal Issues FTC Artificial Intelligence Congress

  • U.S., UK collaborate on privacy-enhancing tech prize challenges

    Privacy, Cyber Risk & Data Security

    On June 13, the White House announced that the U.S. and UK governments are developing privacy-enhancing technology prize challenges to help address cross-border money laundering. The White House highlighted that the estimated $2 trillion of cross-border money laundering which happens annually could be better detected if improvements were made to information sharing and collaborative analytic efforts. However, research shows that this process “is hindered by the legal, technical and ethical challenges involved in jointly analyzing sensitive information,” the White House said. Privacy-enhancing technologies (PETs) could play a transformative role in addressing the global challenges of financial crime, the White House explained, noting that PETs can allow “machine learning models to be trained on high quality datasets collaboratively among organizations, without the data leaving safe environments.” Moreover, “[s]uch technologies have the potential to help facilitate privacy-preserving financial information sharing and analytics,” thus “allowing suspicious types of behavior to be identified without compromising the privacy of individuals, or requiring the transfer of data between institutions or across borders.” 

    Opening this summer, the challenges (developed between the White House Office of Science and Technology Policy, the U.S. National Institute of Standards and Technology, the U.S. National Science Foundation, the UK’s Center for Data Ethics and Innovation, and Innovate UK) will allow innovators to develop state-of-the-art privacy-preserving federated learning solutions to help combat barriers to the wider use of these technologies without the uncertainty of potential regulatory implications. Innovators will engage with the U.K.’s Financial Conduct Authority and Information Commissioner’s Office and the Financial Crimes Enforcement Network. Acting FinCEN Director Himamauli Das announced that the agency “is pleased to support this important initiative to advance the development of a building block for protecting the U.S. financial system from illicit finance.” 

    Privacy/Cyber Risk & Data Security Financial Crimes Biden UK Of Interest to Non-US Persons FinCEN Anti-Money Laundering

  • District Court approves data breach settlement

    Courts

    On June 8, the U.S. District Court for the Southern District of New York granted the plaintiffs’ motion for final approval of a class action settlement resolving claims that several retail businesses failed to establish reasonable safeguards that led to a data breach. According to the opinion, the plaintiffs alleged that a syndicate accessed cardholder information and sold it on the so-called dark web. The plaintiffs also claimed that the breach caused them to spend time monitoring their accounts, safeguarding account information, and, for some plaintiffs, resolving fraudulent charges and withdrawals. The settlement provides for two different levels of payments to affected consumers. Tier 1 claimants, who must provide proof of a payment transaction during the period of the breach and confirm that they spent time monitoring account information after the breach, will receive $30. Tier 2 claimants will be reimbursed for documented out-of-pocket expenses incurred as a result of the breach, such as costs and expenses related to identity theft or fraud, late fees, and unauthorized charges and withdrawals, in an amount not to exceed $5,000. The total amount to be paid to class members is approximately $278,000.

    Courts Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Settlement Class Action
