InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District court concludes loan servicer violated TCPA
On August 19, the U.S. District Court for the Western District of Michigan held that a Pennsylvania-based student loan servicing agency violated the TCPA by calling the plaintiffs’ cell phones over 350 times using an automatic telephone dialing system (autodailer) after consent was revoked. According to the opinion, after revoking consent to receive calls via an autodialer, two plaintiffs asserted that the servicer called their cell phones collectively over 350 times in violation of the TCPA and moved for summary judgment seeking treble damages for each violation. In response, the loan servicer argued that the system used to make the calls does not meet the statutory definition of an autodialer under the TCPA and disputed the appropriateness of treble damages.
The court, in disagreeing with the loan servicer, concluded that the system used by the loan servicer to make the calls qualified as an autodialer. The court applied the logic of the U.S. Court of Appeals for the 9th Circuit in Marks v. Crunch San Diego, LLC (covered by InfoBytes here), stating that it was not bound by the FCC’s interpretations of an autodialer, based on the D.C. Circuit’s ruling in ACA International v. FCC, and therefore, “‘only the statutory definition of [autodialer] as set forth by Congress in 1991 remains.’” The court noted that there was “no question” that the system used by the loan servicer “stores telephone numbers to be called and automatically dials those numbers,” which qualifies the system as an autodialer. However, the court determined that the loan servicer did not violate the statute “willfully or knowingly,” noting that at the time of the calls it was not clear from the FCC whether the system being used was an autodialer. As a result, the court awarded statutory damages, but not the treble damages sought by the plaintiffs.
Illinois requires companies to report data breaches to attorney general
On August 9, the Illinois governor signed SB 1624, which requires that a single data breach involving the personal information of more than 500 Illinois residents must be reported to the state attorney general. The notice must include: (i) a description of the nature of the breach of security or unauthorized acquisition or use; (ii) the number of Illinois residents affected by such incident at the time of notification; and (iii) any steps the data collector has taken or plans to take relating to the incident. Notification is required to be made “in the most expedient time possible and without unreasonable delay,” but no later than when the data collector informs consumers of the breach under current law. The bill is effective January 1, 2020.
District Court approves TCPA class action settlement
On August 15, the U.S. District Court for the Northern District of California entered a final approval order and judgment to resolve class action allegations claiming a security system company and its third-party dealer violated the TCPA through the use of an automatic telephone dialing system and prerecorded messages. According to the claims, consumers—including those on the do-not-call registry—allegedly received telemarketing calls at their residences or on cellphones from the dealer or the dealer’s sub-dealers promoting goods or services offered by the company. The company argued it was not responsible for calls the dealer made on its behalf, but the district court denied summary judgment and set a trial date. However, prior to the trial’s commencement, the parties reached a settlement. Under the terms of the settlement, the company agreed to implement changes to its practices to ensure TCPA compliance and banned the dealer from marketing or activating new accounts for the company. The company also agreed to pay $28 million into a settlement fund for consumer redress, no more than $1.4 million towards settlement administrator costs and expenses, $30,000 total in service awards to class representatives, and combined attorneys’ fees and litigation costs of approximately $7.5 million.
9th Circuit: Plaintiffs’ face-scanning claims can proceed
On August 8, the U.S. Court of Appeals for the 9th Circuit affirmed a district court order certifying a class action suit that alleged a social media company’s face-scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). The court found that the plaintiffs alleged a sufficiently concrete injury necessary to establish Article III standing as defined in the U.S. Supreme court’s decision in Spokeo, Inc. v. Robins. The plaintiffs contended that the defendant’s use of the facial-recognition technology did not comply with Illinois law designed to regulate “the collection, use, safeguarding and storage of biometrics”—which, under BIPA, includes the scanning of face geometry. The district court denied the defendant’s motion to dismiss for lack of standing and certified the class. The defendant appealed, arguing, among other things, that even if the plaintiffs have standing to sue, (i) BIPA is not intended to be applied extraterritorially; (ii) the collection of biometric data occurred on servers located outside of Illinois; and (iii) it is unclear that the alleged privacy violations “occurred ‘primarily and substantially within’” within the state. Additionally, the defendant argued that the district court abused its discretion by certifying the class because the state’s “extraterritoriality doctrine precludes the district court from finding predominance,” and that a class action was not superior to individual actions due to the potential for a large statutory damages award.
On appeal, the 9th Circuit held that the plaintiffs’ claims met the standing requirement of Spokeo because the defendant’s alleged development of a face template that uses facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. “Because we conclude that BIPA protects the plaintiffs’ concrete privacy interests and violations of the procedures in BIPA actually harm or pose a material risk of harm to those privacy interests, the plaintiffs have alleged a concrete and particularized harm, sufficient to confer Article III standing,” the appellate court stated. The 9th Circuit also dismissed the defendant’s extraterritoriality argument, stating that predominance is not defeated because the threshold questions of exactly which consumers BIPA applies to can be decided on a classwide basis.
FCC adopts rules addressing spoofed texts and international robocalls
On August 1, the FCC announced the adoption of new rules that will extend the Truth in Caller ID’s prohibitions against robocalls to caller ID spoofing of text messages and international calls, and implement measures passed last year in the RAY BAUM’s Act. As previously covered by InfoBytes, the rules are supported by a bipartisan group of more than 40 state attorneys general, and will allow the FCC to bring enforcement actions and assess fines on international players who try to defraud U.S. residents. However, while Commissioner Michael O’Rielly voted in favor of the measure, he raised concerns that the FCC may encounter problems when trying to enforce the rules across international borders. “As I expressed before, the expanded extraterritorial jurisdiction may prove difficult to execute in uncooperative nations and come back to bite us in other contexts,” O’Rielly stated. “In addition, the definitions of text messaging and voice services are broader than my liking and may cause future unintended consequences.” However, his statement did not specify what these unintended consequences might be.
National bank announces data breach
On July 29, a national bank announced a data breach affecting approximately 100 million individuals in the United States and approximately six million in Canada. According to the announcement, the incident occurred on July 19 when an unauthorized individual obtained personal information of credit card customers and people who had applied for credit card products. The bank noted that no credit card account numbers or log-in credentials were compromised and over 99 percent of social security numbers were not compromised. The largest category of information accessed was consumer and small business information from applications submitted from 2005 through early 2019, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Upon discovery of the breach, the bank fixed the vulnerability that allowed for the individual to gain access and worked with the federal authorities, resulting in the arrest of the person allegedly responsible. The bank will notify and make free credit monitoring and identity protection available to those affected.
New York expands data breach notification laws
On July 25, the New York governor signed two bills designed to strengthen protections for consumers in the event their private information is compromised in a data breach.
A 5635B, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) updates the state’s privacy law by expanding the definition of personal information and broadening the definition of a data breach. Notably, the SHIELD Act applies to any person or entity with access to a New York resident’s private information, regardless of whether or not the company conducts business in the state. Among other provisions, the SHIELD Act:
- Requires all covered entities to adopt and implement “reasonable” administrative, technical, and physical safeguards to protect and dispose of sensitive data, as well as implement “reasonable” administrative safeguards, such as employee training;
- Stipulates that a covered entity that is already regulated by, and in compliance with, certain existing applicable state or federal data security requirements (e.g., Gramm-Leach-Bliley Act, HIPAA, and 23 NYCRR Part 500—NYDFS’ Cybersecurity Regulation) is considered a “compliant regulated entity”;
- Requires entities to promptly notify impacted individuals under new, broadened data breach notification requirements, which now include (i) “access to” private information as a trigger for notification, in addition to the existing “acquired” trigger; and (ii) expanded data types, including biometric data, email addresses, and corresponding passwords or security questions and answers;
- Applies a more flexible standard for small businesses to ease regulatory burdens (qualifying small businesses must have fewer than 50 employees, under $3 million in gross annual revenue, or less than $5 million in assets) and will consider a small business compliant if its “security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business” to protect the security, confidentiality, and integrity of private information; and
- Broadens the New York attorney general’s oversight regarding data breaches impacting state residents. The SHIELD Act further stipulates that actions may not be brought under the law’s provisions unless the action is commenced within three years following either the date on which the attorney general received notice of the violation, or the date the notice was sent to affected individuals, whichever occurs first. However, “[i]n no event shall an action be brought after six years from the date of discovery of the breach of private information by the company unless the company took steps to hide the breach.”
The SHIELD Act takes effect March 21, 2020.
A 2374, which was signed into the law the same day, prohibits consumer credit reporting agencies from charging fees to consumers if the agency’s system was involved in a data breach including social security numbers. Credit reporting agencies are required to provide “reasonable identity theft prevention services and, if applicable, identity theft mitigation services for a period not to exceed five years at no cost to such consumers.” The law applies to any breach of security of a consumer credit reporting agency that occurred in the last three years. This measure takes effect September 23.
FTC and DOJ announce $5 billion privacy settlement with social media company; SEC settles for $100 million
On July 24, the FTC and the DOJ officially announced (see here and here) that the world’s largest social media company will pay a $5 billion penalty to settle allegations that it mishandled its users’ personal information. As previously covered by InfoBytes, it was reported on July 12 that the FTC approved the penalty, in a 3-2 vote. This is the largest privacy penalty ever levied by the agency, almost “20 times greater than the largest privacy or data security penalty ever imposed worldwide,” and one of the largest ever assessed by the U.S. government for any violation. According to the complaint, filed the same day as the settlement, the company allegedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC, which allowed the company to share users’ data with third-party apps that were downloaded by users’ “friends.” Moreover, the complaint alleges that many users were unaware the company was sharing the information, and therefore did not take the steps needed to opt-out of the sharing. Relatedly, the FTC also announced a separate action against a British consulting and data analytics firm for allegedly using deceptive tactics to “harvest personal information from millions of [the social media company’s] users.”
In addition to the monetary penalty, the 20-year settlement order overhauls the company’s privacy program. Specifically, the order, among other things, (i) establishes an independent privacy committee of the company’s board of directors; (ii) requires the company to designate privacy program compliance officers who can only be removed by the board’s privacy committee; (iii) requires an independent third-party assessor to perform biennial assessments of the company’s privacy program; (iv) requires the company to conduct a specific privacy review of every new or modified product, service, or practice before it is implemented; and (v) mandates that the company report any incidents in which data of 500 or more users have been compromised to the FTC.
In dissenting statements, Commissioner Chopra and Commissioner Slaughter asserted that the settlement, while historic, does not contain terms that would effectively deter the company from engaging in future violations. Commissioner Slaughter argues, among other things, that the civil penalty is insufficient and believes the order should have contained “meaningful limitations on how [the company] collects, uses, and shares data.” Similarly, Commissioner Chopra argues that the order imposes no meaningful changes to the company’s structure or financial incentives, and the immunity provided to the company’s officers and directors is unwarranted.
On the same day, the SEC announced that the company also agreed to pay $100 million to settle allegations that it mislead investors about the risks it faced related to the misuse of its consumer data. The SEC’s complaint alleges that in 2015, the company was aware of the British consulting and data analytics firm’s misuse of its consumer data but did not correct its disclosures for more than two years. Additionally, the SEC alleges the company failed to have policies and procedures in place during that time that would assess the results of internal investigations for the purposes of making accurate disclosures in public filings. The company neither admitted nor denied the allegations.
Credit reporting agency agrees to multi-agency settlement over 2017 data breach
On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. According to the complaints (see here and here) filed in the U.S. District Court for the Northern District of Georgia, the company allegedly engaged in unfair and deceptive practices by, among other things, (i) failing to provide reasonable security for the sensitive personal information stored within its network; (ii) deceiving consumers about its data security program capabilities; and (iii) failing to patch its network after being alerted in 2017 to a critical security vulnerability.
Under the terms of the proposed settlements (see here and here), pending final court approval, the company will pay up to $425 million in monetary relief to consumers and provide credit monitoring to affected individuals, as well as six free credit reports each year for seven years to all U.S. consumers. The company must also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil money penalty to the Bureau. The $425 million fund will also compensate consumers who bought credit- or identity-monitoring services from the company and paid other expenses as a result of the breach. The company must also, among other things, implement a comprehensive information security program that will require annual assessments of security risks and safeguard measures, obtain third-party information security assessments, and acquire annual certifications from the board of directors that the company has complied with the settlements.
U.K.’s ICO fines real estate management company for data security failures
On July 19, the United Kingdom’s Information Commissioner’s Office (ICO) issued a £80,000 fine against a London-based real estate management company for allegedly leaving over 18,000 customers’ personal data exposed for almost two years. According to the ICO, when the company transferred personal data from its server to a partner organization, the company failed to switch off an “anonymous authentication” function, which exposed all the data—including personal data such as bank statements, salary details, copies of passports, dates of birth, and addresses—stored between March 2015 and February 2017. The ICO alleges that the company failed to take appropriate technical and organizational measures to protect customers’ personal data and concluded the failures were “a serious contravention of the 1998 data protection laws which have since been replaced by the [General Data Protection Regulation] GDPR and the Data Protection Act 2018.”