On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:
- Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
- Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
- State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
- Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
- Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
- Require that consumers receive notice in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
- Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.
On January 8, the U.S. District Court for the Northern District of Illinois denied a bank’s motion to dismiss claims that it had obtained a credit report without a permissible purpose, ruling that the allegations rise above a mere procedural violation of the FCRA. According to the opinion, the consumer alleged that the bank accessed her credit report and obtained personal information, including current and past addresses, birth date, employment history, and telephone numbers, without having a personal business relationship, information to suggest the consumer owed the debt, or receiving consent for the release of the report. The bank argued that the consumer’s claim was only a “bare procedural violation” and not a concrete injury in fact as required under the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Sandler Special Alert). However, the court determined that the consumer’s allegation that the invasion of privacy, which occurred when the bank accessed her credit report from a consumer reporting agency without receiving consent and with no legitimate business reason to do so, “adequately alleges a concrete injury sufficient to confer standing.”
On January 8, a national retailer reached a $1.5 million multistate settlement with 43 states and the District of Columbia to resolve an investigation following a 2013 data breach of customer payment card information. According to the Illinois Attorney General’s announcement, the retailer will implement provisions to prevent future breaches, such as (i) complying with Payment Card Industry Data Security Standard requirements; (ii) maintaining a system to collect and monitor network activity; (iii) updating software that maintains and safeguards personal information; and (iv) devaluing payment card information through the use of encryption and tokenization technology to obfuscate payment card data. The retailer must also retain a third-party professional responsible for conducting an information security assessment and report, as well as outlining corrective measures.
On December 31, 2018, the U.S. District Court for the District of Utah granted in part and denied in part a national bank’s motion to dismiss putative class action claims concerning the bank’s use of confidential customer information to open deposit and credit card accounts as part of its incentive compensation sales program. (See previous InfoBytes coverage here.) According to the court, the plaintiffs claiming accounts were opened in their name plausibly alleged that the bank benefited from an increase in the number of accounts and products, and disagreed with the bank that the misappropriation of name claim should fail because those plaintiffs’ names and identities had value beyond those of the general public. While the majority of the state claims and all federal claims were dismissed, the court allowed four state claims to remain, including invasion of privacy. However, the court requested that the parties address why it should not decline to exercise jurisdiction over the state law claims following the dismissal of all federal claims.
Additionally, the court dismissed claims brought by “Bystander Plaintiffs” who did not allege the opening of any unauthorized accounts in their names, or claim that their information was ever improperly used or accessed or that they were subject to improper sales practices. Because the Bystander Plaintiffs claimed only that they would not have opened accounts if bank employees had told them about the alleged issues, the court dismissed their claims for lack of Article III standing, reasoning that they did not allege any injury.
On December 19, the Massachusetts Attorney General announced a $155,000 settlement with a California-based payment processor resolving allegations that the company exposed consumers’ personal information online in violation of consumer protection and data security laws. According to the announcement, company employees accidentally removed password protections from public-facing websites, which exposed consumers’ personal data, such as bank account and social security numbers, addresses, and driver’s license numbers. The Attorney General’s investigation claims that company employees appeared to know of the vulnerability for a year before fixing it. Under the terms of the settlement, the company has agreed to comply with Massachusetts laws and is required to (i) maintain a chief information security officer; (ii) conduct employee training on data security; and (iii) “assess and update information security policies relating to changes to its systems and to external vulnerabilities.”
On December 13, the Department of Veterans Affairs (VA) released Circular 26-18-28, which outlines the VA’s Loan Guaranty Service Red Flag Rules Policy to aid in the detection, prevention, and mitigation of identity theft for certain loans financed by the VA (known as “Vendee loans”), Native American Direct Loans, and refunded loans held by the VA. The policy lists categories and warning signs monitored by the VA, such as (i) credit reporting agency alerts; (ii) suspicious documents that look altered or forged; (iii) suspicious or fictitious personal identifying information; and (iv) account activity inconsistent with established patterns. The policy notes that the VA Office of Inspector General will investigate accounts flagged for possible identity theft. Holds will be placed on the suspicious accounts or transactions as necessary.
The VA is required by the FTC’s Red Flags Rule to develop and implement a written identity theft prevention program. Notably, as previously covered by InfoBytes, the FTC is seeking comments on whether the agency should make changes to the Rule. Comments are due by February 11, 2019.
On December 14, the New York Attorney General announced settlements with five companies, including a global payment processor, a credit reporting agency, and a credit score company, whose mobile apps allegedly failed to secure sensitive user data. As part of the Attorney General’s initiative to uncover vulnerabilities before a data breach, the office tested dozens of mobile apps that handled consumer information such as credit card and bank account numbers. After testing, the Attorney General determined that certain versions of the five companies’ apps failed to properly authenticate SSL/TLS certificates, which a mobile app uses to verify the identity of the server it is connecting to. According to the Attorney General, this failure could allow an attacker to impersonate the companies’ servers and intercept information, including credit card information, entered into the app by the user. The settlement requires the companies to implement a comprehensive security program to protect their users’ information.
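The defect described above, as an added Python example that is not code from the settlement or from any of the companies’ apps: a client TLS context with certificate authentication switched off beside the corrected form, and a small audit helper a reviewer could run over an app’s TLS configuration (all function names are assumed).

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """Reproduces the weakness the Attorney General describes: the client
    neither verifies the server's certificate chain nor checks that the
    certificate matches the requested hostname, so a forged certificate
    presented by an impersonating server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected form: verify the chain against the platform trust store,
    require the server to present a certificate, match it against the
    hostname, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return finding codes for a client context; an empty list means the
    context authenticates the peer the way the settlement requires."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

A reviewer can run the same audit over any `ssl.SSLContext` an app builds; the two verification findings are exactly the conditions that let an impersonating server succeed.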
On December 12, the FCC adopted new rules to establish a single, comprehensive database designed to reduce the number of calls inadvertently made to reassigned numbers as part of its strategy to help stop unwanted calls. According to FCC Chairman Ajit Pai, the database would enable callers to verify—prior to placing a call—whether a number has been permanently disconnected and is therefore eligible for reassignment. Currently, callers may be held liable under the TCPA should they call a reassigned number where the new party did not consent to receiving calls. The FCC also announced it will (i) add a safeguard requiring a “minimum ‘aging’ period of 45 days before permanently disconnected telephone numbers can be reassigned”; and (ii) provide a safe harbor from TCPA liability for any calls to reassigned numbers due to database error. However, FCC Commissioner Michael O’Rielly stated that while he supported the creation of the database, he had reservations about both its cost and its effectiveness, stating “only the honest and legitimate callers will consult the reassigned numbers database—not the criminals and scammers.” O’Rielly suggested developing better, more logical interpretations of the TCPA, asserting that “much more work remains, particularly on narrowing the prior Commission’s ludicrous definition of ‘autodialer,’ and eliminating the lawless revocation of consent rule.”
Additionally, the FCC announced a ruling (see FCC 18-178) denying requests from mass-texting companies and other parties for text messages to be classified as “telecommunications services” subject to common carrier regulations under the Communications Act. If the request had been granted, the FCC stated, the classification would have limited wireless providers’ efforts to effectively combat spam and scam robotexts. Rather, the FCC classified SMS and Multimedia Messaging Services as “information services” under the Communications Act, which allows wireless providers the ability to take action to stop unwanted text messages, such as applying filtering technologies to block messages that are likely spam.
New York Attorney General reaches largest ever COPPA settlement to resolve violations of children’s privacy
On December 4, the New York Attorney General announced the largest Children’s Online Privacy Protection Act (COPPA) settlement in U.S. history—totaling approximately $6 million—to resolve allegations against a subsidiary of a telecommunications company that conducted billions of auctions for ad space on hundreds of websites it knew were directed to children under the age of 13. According to the Attorney General’s office, the subsidiary collected and disclosed personal data on children through auctions for ad space, allowing advertisers to track and serve targeted ads to children without parental consent. Under COPPA, operators of websites and other online services are prohibited from collecting or sharing the information of children under the age of 13 unless they give notice and have express parental consent. Among other things, the subsidiary also allegedly placed ads on other exchanges that possessed the capability to auction ad space on child-directed websites and, when it won ad space on COPPA-covered websites, treated the space as it would any other and collected user information to serve targeted ads.
Under the terms of the settlement, the subsidiary must (i) create a comprehensive COPPA compliance program, which requires annual COPPA training for staff, regular compliance monitoring, and the retention of service providers that can comply with COPPA, as well as a third party who will assess the privacy controls; (ii) enable website operators that sell ad inventory to indicate what portion of a website is subject to COPPA; and (iii) destroy the personal data it collected on children.
On December 4, the FTC released a request for public comment on whether the agency should make changes to its identity theft detection rules—the Red Flags Rule and the Card Issuers Rule—which require financial institutions and creditors to take certain actions to detect signs of identity theft affecting their customers. The FTC is seeking comment as part of its systematic review of all of its regulations and guides. According to the FTC, consumer complaints relating to identity theft represented the third largest category of consumer complaints made to the FTC through the first three quarters of 2018 and the second largest category in 2017. The FTC is seeking comment on all aspects of the two rules, but also poses specific questions for commenters to address, such as (i) whether there is a continuing need for the specific provisions of the rules; (ii) what significant costs the rules have imposed on consumers and businesses; and (iii) whether there are any types of creditors that are not currently covered by the Red Flags Rule but should be covered. The request for comment is due to be published in the Federal Register shortly, and comments must be received by February 11, 2019.
- Warren W. Traiger to discuss "Community Reinvestment Act reform" at the New York State Bar Association Annual Meeting
- APPROVED Webcast: Periodic reporting: More than just clicking “submit”
- Buckley Sandler Webcast: Tips for this year’s FHA annual recertification and what the shutdown means
- Jessica L. Pollet to discuss "Your career is impacting your life..." at the Ark Group Women Legal Conference
- Melissa Klimkiewicz to discuss "RESPA-compliant marketing" at NEXT
- Daniel P. Stipano to provide "Update on AML/SAR reporting and enforcement" at a Mortgage Bankers Association webinar
- Daniel P. Stipano to discuss "Dynamic customer due diligence and beneficial ownership from KYC to ongoing CDD and the new rule implementation" at the Puerto Rican Symposium of Anti-Money Laundering
- Jon David D. Langlois to discuss "Successors in interest updates" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Brandy A. Hood to discuss "Keeping your head above water in flood insurance compliance" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Melissa Klimkiewicz to discuss "Servicing super session" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Moorari K. Shah to provide "Regulatory update – California and beyond" at the National Equipment Finance Association Summit
- Daniel P. Stipano to discuss "Lessons learned from ABLV and other major cases involving inadequate compliance oversight" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "A year in the life of the CDD final rule: A first anniversary assessment" at the ACAMS International AML & Financial Crime Conference