InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC reportedly approves $5 billion privacy settlement with social media company

    Privacy, Cyber Risk & Data Security

    On July 12, it was reported that the FTC has approved a $5 billion penalty against the world’s largest social media company for allegedly mishandling its users’ personal information. The reported settlement would be the largest privacy penalty ever levied by the agency. According to reports, the settlement, which was approved in a 3-2 vote, resolves allegations that the company allowed a British consulting firm access to 87 million users’ personal data for political consulting purposes in violation of a 2012 privacy settlement with the FTC. Neither the FTC nor the social media company has commented on the reported settlement, which is still pending approval from the Department of Justice.

    Privacy/Cyber Risk & Data Security FTC Settlement

  • FTC seeks comment on COPPA Rule

    Agency Rule-Making & Guidance

    On July 17, the FTC released a notice seeking comment on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA Rule). The FTC last amended COPPA in 2013, and while the FTC usually reviews its rules every 10 years, the FTC notes that “[r]apid changes in technology, including the expanded use of education technology, reinforce the need to re-examine the COPPA Rule at this time.” The notice seeks comment on all major provisions of the COPPA Rule, including definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision. Additionally, the notice seeks responses to specific questions, including (i) has the Rule affected the availability of websites or online services directed to children?; (ii) does the Rule correctly articulate the factors to consider in determining whether a website or online service is directed to children, or should additional factors be considered?; and (iii) what are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, or other similar interactive media? Comments must be received within 90 days after publication in the Federal Register.

    Agency Rule-Making & Guidance FTC COPPA Privacy/Cyber Risk & Data Security

  • 8th Circuit affirms reduction in TCPA statutory damages from $1.6 billion to $32 million

    Courts

    On July 16, the U.S. Court of Appeals for the 8th Circuit affirmed a district court’s decision to reduce a $1.6 billion award in statutory damages for TCPA violations to $32.4 million after the court determined the original award violated the Fifth Amendment’s Due Process Clause. The named plaintiffs in the class action alleged that parties involved in the financing and marketing campaign of a film with religious and political themes violated the TCPA through the use of a telephone campaign in which approximately 3.2 million prerecorded robocalls were made in the course of a week. The plaintiffs—who received two of these messages on their answering machine—filed an appeal after the district court concluded that the original award was “‘obviously unreasonable and wholly disproportionate to the offense’” and reduced the statutory damages awarded by a jury from $500 per call to $10 per call.

    On appeal, the 8th Circuit addressed several issues, including (i) whether the plaintiffs alleged a concrete injury under the TCPA; (ii) whether the district court abused its discretion concerning instructions on direct liability against one of the defendants; and (iii) whether the court erred in finding the amount of statutory damages to be unconstitutional. The appellate court first reviewed whether the plaintiffs had alleged a sufficiently concrete injury under the TCPA. According to the opinion, “[t]he harm to be remedied by the TCPA was ‘the unwanted intrusion and nuisance of unsolicited telemarketing phone calls and fax advertisements. . . .’ The [plaintiffs’] harm . . . was the receipt of two telemarketing messages without prior consent. These harms bear a close relationship to the types of harms traditionally remedied by tort law, particularly the law of nuisance.” However, the appellate court stated that the district court was correct to reject the plaintiffs’ direct liability instructions against the defendant who helped finance the film, writing that the plaintiffs “improperly blurred the line between direct and agency liability” and that “to be held directly liable, the defendant must be the one who ‘initiates’ the call,” which the financing defendant did not do. Finally, the appellate court agreed with the district court that the $1.6 billion award violated the Due Process Clause, and highlighted evidence that the advertiser “plausibly believed it was not violating the TCPA” and “had prior consent to call the recipients about religious liberty,” which was a predominant theme of the film being promoted. Moreover, the court noted, “[t]he call campaign was conducted for only about a week,” and recipients could only hear the message about the film if they voluntarily opted in during the call. The court further reasoned that “the harm to the recipients was not severe—only about 7% of the calls made it to the third question, the one about the film. Under these facts, $1.6 billion is ‘so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable.’”

    Courts Privacy/Cyber Risk & Data Security Robocalls Eighth Circuit Appellate TCPA Class Action

  • U.K.’s ICO announces two GDPR data breach actions

    Privacy, Cyber Risk & Data Security

    On July 8 and 9, the United Kingdom’s Information Commissioner’s Office (ICO) issued two notices of its intention to fine companies for infringements of the General Data Protection Regulation (GDPR). On July 8, the ICO announced it intended to fine a U.K.-based airline £183.39M for a September 2018 cyber incident, which, due to “poor security arrangements,” allowed attackers to divert user traffic on the airline’s website to a fraudulent site, making consumer details accessible. The airline notified the ICO about the incident, which compromised the data of approximately 500,000 consumers, and has cooperated with the ICO in the investigation and made improvements to its security arrangements. Additionally, on July 9, the ICO announced it intended to fine a multinational hotel chain £99,200,396 for failing to undertake sufficient due diligence when the chain purchased a hotel group in 2016, which had previously exposed 339 million guest records globally in 2014. The exposure was discovered in 2018, and the hotel chain thereafter reported the incident to the ICO, and has cooperated with the investigation and made improvements to its security arrangements. In both announcements, the ICO notes that it will, “consider carefully the representations made by the company and the other concerned data protection authorities” before issuing the final decision.

    Privacy/Cyber Risk & Data Security GDPR Information Commissioner's Office Of Interest to Non-US Persons

  • FCC Chairman proposes rules addressing spoofed texts and international robocalls

    Privacy, Cyber Risk & Data Security

    On July 8, FCC Chairman Ajit Pai proposed rules supported by a bipartisan group of more than 40 state attorneys general that would extend prohibitions against robocalls to caller ID spoofing of text messages and international calls, implementing measures passed last year in the RAY BAUM’s Act. Previously, anti-spoofing prohibitions applied only to domestic robocalls. According to Pai, “Scammers often robocall us from overseas, and when they do, they typically spoof their numbers to try and trick consumers. . . . With these new rules, we’ll close the loopholes that hamstring law enforcement when they try to pursue international scammers and scammers using text messaging.” The FCC will vote on the proposed rules at its August 1 meeting.

    As previously covered by InfoBytes, the FCC authorized voice service providers last month to automatically identify and block unwanted robocalls “based on reasonable call analytics, as long as their customers are informed and have the opportunity to opt out of the blocking.”

    Privacy/Cyber Risk & Data Security FCC Robocalls Ray Baum's Act

  • D.C. Circuit: Receipt containing complete credit card information constitutes concrete injury

    Courts

    On July 2, the U.S. Court of Appeals for the D.C. Circuit reversed a district court’s ruling that a consumer lacked Article III standing to allege a violation of the Fair and Accurate Credit Transaction Act (FACTA) when a merchant included all 16 digits of her credit card account number, her full name, and the expiration date on a receipt, because the receipt was not thrown away. Under FACTA, merchants are prohibited from including on a receipt (i) more than the last five digits of a consumer’s credit card number; and (ii) a credit card’s expiration date. The consumer alleged that the merchant violated the restriction, but the district court ruled that the consumer lacked standing to sue because she failed to describe a concrete risk of “actual or imminent” injury to a protected interest as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. According to the district court, because the consumer did not dispose of the receipt, and was the only person who ever saw the receipt, her risk of identity theft had not increased. Moreover, the district court stated that the burden of protecting the non-compliant receipt did not constitute a concrete injury.

    On appeal, the D.C. Circuit reversed, holding that printing a receipt containing all 16 digits of a consumer’s credit card number is an “egregious” enough violation of FACTA to confer standing. According to the panel, the harm inflicted on the consumer by the merchant’s mishandling of her receipt had a “close relationship” to the type of harm that gives rise to a “breach of confidence” claim. Moreover, the panel stated that it was irrelevant that the consumer had been able to protect herself by safeguarding the receipt because: (i) FACTA protects an interest in avoiding an increased risk of identity theft, which the panel considered to be sufficiently concrete; and (ii) under the facts presented, the violation of the truncation requirement created a “risk of real harm” to such concrete interest. The D.C. Circuit remanded the case for further proceedings consistent with its findings. Notwithstanding, the panel was clear that not every violation of FACTA’s truncation requirement creates a risk of identity theft.

    Notably, while the D.C. Circuit’s decision is in agreement with an 11th Circuit opinion issued in April (prior InfoBytes coverage here), it conflicts with other appellate decisions, including an opinion issued by the 3rd Circuit in March (covered by InfoBytes here), wherein the 3rd Circuit held that, without concrete evidence of harm, a consumer lacks standing under FACTA to sue a merchant for including too many digits of a credit card account number on a receipt. The D.C. Circuit noted, however, that the 3rd Circuit “recognized its analysis would be different if it were presented with the facts [the consumer] presents to us.”

    Courts D.C. Circuit Appellate Privacy/Cyber Risk & Data Security FACTA Spokeo

  • FTC holds fourth annual PrivacyCon to address hot topics

    Privacy, Cyber Risk & Data Security

    On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics:

    • Session 1: Privacy Policies, Disclosures, and Permissions. Five presenters discussed various aspects of privacy policies and notices to consumers. The panel discussed current trends showing that privacy notices to consumers have generally become lengthier in recent years, which helps cover the information regulators require, but often results in information overload for consumers more generally. One presenter advocated the concept of a condensed “nutrition label” for privacy, but acknowledged the challenge of distilling complicated activities into short bullets.
    • Session 2: Consumer Preferences, Expectations, and Behaviors. This panel addressed research concerning consumer expectations and behaviors with regard to privacy. Among other anecdotal information, the presenters noted that many consumers are aware that personal data is tracked, but consumers are generally unaware of what data collectors ultimately do with the personal data once collected. To that end, one presenter advocated prescriptive limits on data collection in general, which would take the onus off consumers to protect themselves. Separately, with regard to the Children’s Online Privacy Protection Act (COPPA), one presenter noted that the law generally aligns with parents’ privacy expectations, but the implementing regulations and guidelines are too broad and leave too much room for implementation variations.
    • Session 3: Tracking and Online Advertising. In the third session, five presenters covered various topics, ranging from the privacy implications of free versus paid-for applications to the impact of the EU’s General Data Protection Regulation (GDPR). According to the presenters, current research suggests that the measurable privacy benefits of paying for an app are “tenuous at best,” and consumers cannot be expected to make informed decisions because the necessary privacy information is not always available in the purchase program on a mobile device such as a phone. As for GDPR, the panel agreed that there are notable reductions in web use, with page views falling 9.7 percent in one study, although it is not clear whether such reduction is directly correlated to the May 25, 2018 effective date for enforcement of GDPR.
    • Session 4: Vulnerabilities, Leaks, and Breach Notifications. In the final presentation, presenters discussed new research on how companies can mitigate data security vulnerabilities and improve remediation. One presenter discussed the need for proactive identification of vulnerabilities, noting that the goal should be to patch the real vulnerabilities and limit efforts related to vulnerabilities that are unlikely to be exploited. Another presenter analyzed data breach notifications to consumers, noting that all 50 states have data breach notification laws, but there is no consensus as to best practices related to the content or timing of notifications to consumers. The presenter concluded with recommendations for future notification regulations: (i) incorporate readability testing based on standardized methods; (ii) provide concrete guidelines of when customers need to be notified, what content needs to be included, and how the information should be presented; (iii) include visuals to highlight key information; and (iv) leverage the influence of templates, such as the model privacy form for the Gramm-Leach-Bliley Act.

    Privacy/Cyber Risk & Data Security FTC Research COPPA GDPR Gramm-Leach-Bliley

  • 6th Circuit: Merchant indemnified against card breach costs

    Courts

    On June 7, the U.S. Court of Appeals for the 6th Circuit affirmed a lower court’s ruling that an agreement between a Texas-based merchant and a payment processor did not require the merchant to pay millions of dollars in damage-control costs related to two card system data breaches. After the data breaches, the payment processor withheld routine payment card transaction proceeds from the merchant, asserting that the merchant was responsible for reimbursing the amount that the issuing banks paid to cardholders affected by the breaches. However, the merchant refused to pay the payment processor, relying on a “consequential damages waiver” contained in the agreement.

    The payment processor argued that, under the agreement’s indemnification clause and provision covering third-party fees and charges, the merchant retained liability for assessments passed down from the card brands’ acquiring bank. The district court, however, granted summary judgment to the merchant, finding that the merchant was not liable for the card brands’ assessments. The court further ruled that the payment processor materially breached the agreement when it diverted funds to reimburse itself.

    On review, the 6th Circuit agreed with the lower court that the assessments “constituted consequential damages” and that the agreement exempted consequential damages from liability under a “conspicuous limitation” to the indemnification clause. According to the 6th Circuit, the “data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results” of the merchant’s failure to comply with the Payment Card Industry's Data Security Standards, “did not necessarily follow from it.” In addition, the appellate court agreed with the district court’s holding that third-party fees and charges in the contract refer to routine charges associated with card processing services rather than liability for a data breach. The appellate court also concurred that the payment processor’s decision to withhold routine payment card transaction proceeds constituted a material breach of the agreement.

    Courts Sixth Circuit Appellate Payment Processors Credit Cards Data Breach Privacy/Cyber Risk & Data Security Indemnification

  • FTC settles with software provider over data security failures

    Federal Issues

    On June 12, the FTC announced a settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.

    In its complaint, the FTC alleged that the company’s failure to, among other things, (i) implement an organizational information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The proposed consent order requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the proposed consent order requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.

    Federal Issues FTC Privacy/Cyber Risk & Data Security FTC Act Enforcement Settlement Consent Order

  • New York settles with online retailer over data breach

    State Issues

    On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.

    The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security Settlement Credit Cards
