InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Financial institutions, CRA reach settlement over 2017 data breach
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial intuitions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified though data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.
District court compels arbitration of biometric privacy suit
On May 15, the U.S. District Court for the Northern District of Illinois granted an online photography company’s motion to compel arbitration in a biometric privacy lawsuit, notwithstanding the company’s unilateral modification of arbitration terms after the lawsuit was filed. According to the opinion, the plaintiffs created an account on the company’s website in August 2014. In May 2015, the company added an arbitration provision to its Terms of Use. In June 2019, the plaintiffs filed the proposed class action alleging the company violated the Illinois Biometric Information Privacy Act (BIPA) “by using facial-recognition technology to extract biometric identifiers for ‘tagging’ individuals and by ‘selling, leasing, trading, or otherwise profiting from Plaintiffs’…biometric information.’” In September 2019, the company sent an email to all of its users that its account Terms of Use were updated, including provisions regarding arbitration. The email stated that if users continued to use the website or did not close their account by October 1, 2019, they were deemed to have accepted the updated terms. The plaintiffs’ account remained open as of October 2, 2019. The company moved to compel arbitration of the plaintiffs’ claims. The plaintiffs argued that the September 2019 email did not create a binding agreement to arbitrate and that it should not apply retroactively to the June 2019 claim.
The court rejected the plaintiffs’ arguments, concluding that they were already bound to arbitration by the 2015 update to the company’s terms of use, because the terms accepted in 2014 included a “change-in-terms” provision, allowing the company to revise terms from time to time by posting revisions. Moreover, the court disagreed with the plaintiffs that the September 2019 email was “an attempt by [the company] to ‘surreptitiously’ bind unwitting putative class members to arbitration agreements,” noting that the 2019 modifications did not significantly alter users’ rights under the arbitration agreement and the court would “not rely on the 2019 email to find that any putative class members agreed to arbitrate.”
$550 million preliminary settlement reached in biometric privacy class action
On May 8, plaintiffs in a biometric privacy class action in the U.S. District Court for the Northern District of California filed a motion requesting preliminary approval of a $550 million settlement deal. The preliminary settlement, reached between a global social media company and a class of Illinois users, would resolve consolidated class claims that alleged the social media company’s face scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). As previously covered by InfoBytes, last August the U.S. Court of Appeals for the 9th Circuit affirmed class certification and held that the class’s claims met the standing requirement described in Spokeo, Inc. v. Robins because the social media company’s alleged development of a face template that used facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. According to the motion for preliminary approval, the settlement would be the largest BIPA class action settlement ever and would provide “cash relief that far outstrips what class members typically receive in privacy settlements, even in cases in which substantial statutory damages are involved.” If approved, the social media company must also provide “forward-looking relief” to ensure it secures users’ informed, written consent as required under BIPA.
FCC changes TCPA enforcement under TRACED Act
On May 1, the FCC issued an order announcing the Commission will no longer send entities outside its jurisdiction warnings prior to commencing an enforcement action related to TCPA robocall violations. Specifically, the order, as mandated under Section 3 of the TRACED Act (covered by InfoBytes here), (i) removes provisions that previously required the FCC to issue a warning prior to imposing penalties for making robocalls; (ii) increases the maximum fine that the FCC can assess for robocall violations to $10,000 per intentional unlawful call, in addition to a forfeiture penalty amount; and (iii) extends the statute of limitations to four years for the FCC to investigate and take enforcement action against an entity that violates the TCPA. The order takes effect 30 days after publication in the Federal Register.
FFIEC discusses cloud computing risk management practices
On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and sound use of cloud computing services, along with safeguards for protecting customers’ sensitive information from risks that may cause potential consumer harm. Among other things, the statement stresses that management should understand the division of responsibilities between a financial institution and a cloud service provider in order to assess and implement appropriate controls over operations to prevent the increased risk of operational failures or security breaches. The FFIEC also addresses the importance of protecting customer-sensitive information from unsafe or unsound practices by implementing “an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment.” The statement provides a list of government and industry resources and references to assist financial institutions when using cloud computing services.
Court approves $5 billion FTC settlement with social media company
On April 23, the U.S. District Court for the District of Columbia approved a $5 billion settlement between the FTC and a global social media company, resolving allegations that the company violated consumer protection laws by using deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC. The settlement, first announced last July (covered by InfoBytes here), requires the company to take a series of remedial steps, including (i) ceasing misrepresentations concerning its collection and disclosure of users’ personal information, as well as its privacy and security measures; (ii) clearly disclosing when it will share data with third parties and obtaining user express consent if the sharing goes beyond a user’s privacy setting restrictions; (iii) deleting or de-identifying a user’s personal information within a reasonable time frame if an account is closed; (iv) creating a more robust privacy program with safeguards applicable to third parties with access to a user’s personal information; (v) creating a new privacy committee and designating a dedicated corporate officer in charge of monitoring the effectiveness of the privacy program; (vi) alerting the FTC when more than 500 users’ personal information has been compromised; and (vii) undertaking reporting and recordkeeping obligations, and commissioning regular, independent privacy assessments. The order “resolves all consumer-protection claims known by the FTC prior to June 12, 2019, that [the company], its officers, and directors violated Section 5 of the FTC Act.” While the court acknowledged concerns raised by several amici opposing the settlement, the court concluded that the settlement and the proposed remedies were reasonable and in the public interest. On April 28, the FTC announced the formal approval of amendments to its 2012 privacy order to incorporate updated provisions included in the 2019 settlement.
Multi-jurisdiction settlement reached with credit reporting agency over 2017 data breach
On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017 complaint (covered by InfoBytes here), the CRA ignored cybersecurity vulnerabilities for months before the breach occurred and failed to take measures to implement and maintain reasonable safeguards. Under the terms of the proposed settlement, pending final court approval, the CRA will pay Massachusetts $18.2 million and is required to take significant measures to strengthen its security practices to ensure compliance with Massachusetts law. These measures include (i) implementing a comprehensive information security program; (ii) minimizing the collection of sensitive personal information; (iii) managing and implementing specific technical safeguards and controls; (iv) providing consumer-related relief, such as credit monitoring services and security freezes; and (iv) allowing third-party assessments of its data safeguards.
Earlier, on April 14, the Indiana attorney general also announced that the CRA will pay the state $19.5 million to resolve allegations that it failed to protect Indiana residents whose personal information was exposed in the 2017 data breach. Under the terms of the final judgment and consent decree, in addition to paying $19.5 million in restitution, the CRA must take measures similar to those outlined in the Massachusetts settlement.
Massachusetts and Indiana were the only two states that chose not to participate in the 2017 multi-agency settlement that resolved federal and state investigations into the data breach and required the company to pay up to $700 million (covered by InfoBytes here).
Separately, on April 7, the City of Chicago announced a $1.5 million settlement to resolve allegations that the CRA’s failure to employ adequate data-security measures led to the breach.
6th Circuit affirms access-device fraud and identity theft convictions
On April 17, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s access-device fraud and aggravated identity theft convictions, finding that there was sufficient evidence to support the court’s factual findings on both charges. According to the opinion, the defendant applied for a debit card for his great-grandfather’s bank account without authorization and used the card to pay for his own expenses. The defendant was also seen multiple times on bank security cameras withdrawing money from an ATM using this card. The district court also heard testimony that the defendant opened accounts and applied for loans under his own name but used his great-grandfather’s social security number. The district convicted the defendant on one count of access-device fraud and two counts of aggravated identity theft. The defendant appealed, arguing that the district court failed to make adequate findings of fact and that the government failed to present sufficient evidence to support the charges for which he was convicted.
On appeal, the 6th Circuit reviewed the factual findings underlying the convictions, and first concluded that, with respect to the count of access-device fraud, the government proved each element: that the defendant (i) knowingly used an access device assigned to another individual; (ii) possessed an intent to defraud; (iii) obtained a thing or things with an aggregate value of $1,000 or more within a year using the access device; and (iv) affected interstate or foreign commerce in using the access device. The appellate court explained that there was ample circumstantial evidence to support lack of authorization from the proper owners of the accounts at issue, and that the card was issued in Kentucky and the bank issuing the card was headquartered in Minnesota. The appellate court next considered whether evidence supported the district court’s finding that the defendant committed aggravated identity theft under the bank-fraud statute by opening a checking account and applying for a loan using his great-grandfather’s social security number. The appellate court held that the defendant’s use of his great-grandfather’s social security number properly supported the district court’s finding that the defendant knowingly used, without lawful authority, another person’s means of identification and that the defendant committed a predicate felony under the bank-fraud statute.
Data breach exposes SBA Emergency Injury Disaster Loan program applicants
On April 21, according to reports, the Small Business Association (SBA) acknowledged that it notified almost 8,000 applicants of the Economic Injury Disaster Loan (EIDL) program that their information may have been exposed as part of a data breach. Specifically, the agency stated that on March 25, the personal information of business owners applying for the EIDL program was potentially exposed to other applicants on the SBA’s website. The information exposed included names, social security numbers, birth dates, certain financial information, email addresses, and phone numbers. According to the SBA, there is no evidence that the exposed information has been misused. Notably, the breach only effected the applicants of the EIDL program, not the Paycheck Protection Program, which did not begin accepting applications until April 3.
Missouri extends duration of “Stay Home Missouri” order
On April 16, the Missouri Department of Health extended the duration of a prior “Stay Home Missouri” order to May 3, 2020, unless extended or modified. Relying on the Cybersecurity and Infrastructure Security Agency (CISA) advisory memorandum, financial services are considered essential.