Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • New Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data

    Privacy, Cyber Risk & Data Security

    On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the defendants’ practices violate both the Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act, and pose the risk of data breaches and third-party access. Among other things, the complaint alleges the defendants’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. The complaint seeks injunctive relief and nominal and punitive damages.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General COPPA

    Share page with AddThis
  • California governor signs amendments requiring the furnishing of customer account information associated with certain crime reports

    State Issues

    On September 6, the governor of California signed amendments to the California Right to Financial Privacy Act to provide various state and local agencies—including the police, sheriff’s department, or district attorney in the state—the authorization to request information from financial institutions in certain circumstances associated with crime reports involving the alleged fraudulent use of drafts, checks, access cards, or other orders. Specifically, AB 3229 states that banks, credit unions, and savings associations must furnish a statement with the requested customer account information for a period of 30 days prior, and up to 30 days following, the date of the alleged illegal act’s occurrence. AB 3229 further states that financial institutions will be required to furnish account information—subject to the outlined procedures—to a DOJ special agent upon request.

    State Issues State Legislation Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • New Jersey Attorney General announces settlement with data management software company over auto dealer data breach claims

    State Issues

    On September 7, the New Jersey Attorney General announced a settlement with an Iowa-based data management software company related to an alleged data breach that exposed the personally identifiable information (PII) of auto dealership customers across the country. According to the consent order, the company—which develops and operates a dealer management system that stores and secures customer and employee data accessed by 130 auto dealerships nationwide—experienced a breach of security in 2016 that allowed unauthorized public access to unencrypted files containing PII. Following the breach, the state commenced an investigation into whether the company violated either the state’s Consumer Fraud Act (CFA) or its Identity Theft Prevention Act (ITPA). Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay a $49,420 civil money penalty, of which $20,000 will be suspended and automatically vacated after two years provided the company complies with the consent order and does not engage in any future violations of the CFA and/or the ITPA. Furthermore, the company will pay $31,365 to reimburse attorneys’ fees, and has, among other things, agreed to implement a comprehensive security program to prevent similar breaches from occurring in the future.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General

    Share page with AddThis
  • Court approves $8.5 million class action settlement with global money service for alleged TCPA violations


    On August 31, the U.S. District Court for the Northern District of Illinois approved an $8.5 million class action settlement resolving allegations that a global money service violated the Telephone Consumer Protection Act (TCPA) by sending unsolicited text messages to class members. While the court approved the full settlement amount, it only awarded 5 percent of the fund to the class counsel, as opposed to the 35 percent requested, noting counsel’s “disquieting conduct” related to a class objector and lack of billing records supporting the “substantial work” counsel claimed to have performed on the case (reportedly more than 2.5 times the hours spent by defense counsel). Of the $8.5 million required to be paid by the company, the court modified the agreement to provide class member claims over $7.5 million. The court determined that the settlement “provides fair actual cash value to the class,” as the company had potential defenses to the pending litigation; there was legal uncertainty as to whether the telecommunications equipment used by the company was actually an “automatic telephone dialing system” under the TCPA; and the inherent expense in litigation and proceeding to trial for the class.

    Courts Settlement TCPA Autodialer Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • NYDFS launches online registration form for credit reporting agencies to comply with new regulation

    State Issues

    On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity regulation. (As previously covered by InfoBytes, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS.) Registration must be complete by September 15 of this year and by February 1 of each successive year for the calendar year thereafter. Under the new regulation, CRAs are also required to comply with New York’s cybersecurity requirements by November 1, which requires, among other things, covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Continuing InfoBytes coverage on NYDFS’ cybersecurity regulation available here.)

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Court approves $115 million settlement for health insurer data breach

    Privacy, Cyber Risk & Data Security

    On August 15, the U.S. District Court for the Northern District of California issued final approval for a $115 million class action settlement to resolve claims stemming from a large health insurer’s 2015 data breach. As previously covered by InfoBytes, in June 2017, the health insurer and plaintiffs came to the $115 million agreement regarding the company’s 2015 data breach, exposing consumers’ and employees’ social security numbers, birthdays, and other personal data to hackers. The settlement agreement provides for (i) two years of credit monitoring; (ii) reimbursement of out-of-pocket costs related to the breach; and (iii) alternative cash payment for credit monitoring services already obtained. While the settlement agreement was challenged after the initial deal was struck, the court noted that the objectors “ignore that the [s]ettlement provides the class with a timely, certain, and meaningful recovery.” Moreover, the court notes the objectors do not account for the “strong message” it sends to the health insurer, stating, “a settlement does not need to provide for all possible recoverable damages to deter wrongdoing.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Settlement

    Share page with AddThis
  • NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs

    State Issues

    On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.

    In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:

    • Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
    • Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
    • Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
    • Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.

    Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

    Share page with AddThis
  • CFPB amends Regulation P, provides exemptions for annual privacy notice requirement

    Agency Rule-Making & Guidance

    On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally proposed in July 2016 (as previously covered in InfoBytes here)—implements a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act,” which permits certain exemptions provided a qualifying financial institution (i) has not changed its privacy notice from the one previously delivered to its customer, and (ii) limits its sharing of a customer’s nonpublic personal information with nonaffiliated third parties so that a customer does not have the right to opt out, as otherwise afforded under the statute and Regulation P. The final rule will not affect the collection or use of a customer’s nonpublic personal information, and all financial institutions are still required to deliver initial privacy notices to customers. Moreover, the final rule establishes requirements for alternative delivery methods and provides deadlines for financial institutions that lose the exception and are required to resume delivery of annual privacy notices.

    The amendments to Regulation P will take effect 30 days after publication in the Federal Register.

    Agency Rule-Making & Guidance CFPB Regulation P Gramm-Leach-Bliley Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • FTC seeks comments on possible adjustments to privacy and data security rulemaking authority

    Privacy, Cyber Risk & Data Security

    On August 6, the FTC published a request for comments in the Federal Register—in advance of a series of 15 to 20 public hearings scheduled to start this September—on whether the agency should make adjustments to competition and consumer protection law, enforcement priorities, and policy in light of evolving technologies and market developments. The hearings will cover a range of consumer-related issues, including the agency’s “remedial authority to deter unfair and deceptive conduct in privacy and data security matters” and the “interpretation and harmonization of state and federal statutes and regulations that prohibit [such conduct].” According to testimony presented by FTC Chairman Joseph Simons at a July 18 House Subcommittee on Digital Commerce and Consumer Protection hearing, there exists a need for expanded rulemaking and civil penalty authority. Specifically, Simons discussed Section 5 of the FTC Act, which he stated is too limited to address all of the privacy and security concerns in the marketplace and does not provide for civil penalties. Comments on the hearing topics must be received by August 20.

    Privacy/Cyber Risk & Data Security FTC Federal Register FTC Act

    Share page with AddThis
  • Conference of State Bank Supervisors supports legislation to coordinate federal and state examinations of third-party service providers

    State Issues

    On July 12, the Conference of State Bank Supervisors (CSBS) issued a statement to the Senate Banking Committee, offering support for legislation that would “enhance state and federal regulators’ ability to coordinate examinations of, and share information on, banks’ [third-party technology service providers (TSPs)] in an effective and efficient manner.” H.R. 3626, the Bank Service Company Examination Coordination Act, introduced by Representative Roger Williams, R-Texas, would amend the Bank Service Company Act to provide examination improvements for states by requiring federal banking agencies to (i) consult with the state banking agency in a reasonable and timely fashion, and (ii) take measures to avoid duplicating examination activities, reporting requirements, and requests for information. Currently, 38 states have the authority to examine TSPs, however, according to CSBS, amending the Bank Service Company Act would more appropriately define a state banking agency’s authority and role when it comes to examining potential risks associated with TSP partnerships. In its statement, CSBS also references a recent action taken by eight state regulators against a major credit reporting agency following its 2017 data breach that requires, among other things, a wide range of corrective actions, including improving oversight and ensuring sufficient controls are developed for critical vendors. (See previous InfoBytes coverage here.) The House Financial Services Committee advanced H.R. 3626 on June 24 on a unanimous vote.

    State Issues State Regulators CSBS Federal Legislation Third-Party Privacy/Cyber Risk & Data Security

    Share page with AddThis