
InfoBytes Blog

Financial Services Law Insights and Observations


  • Maine enacts consumer privacy law for internet service providers

    State Issues

    On June 6, the Maine governor signed S.P. 275/L.D. 946, which requires certain broadband Internet access service providers to obtain a customer’s express, affirmative consent before using, disclosing, selling, or permitting access to the customer’s personal information. Among other things, the provisions stipulate that a customer may revoke consent at any time, and forbid providers from refusing service, charging a penalty, or offering a discount based on the customer’s decision to provide or withhold consent. Providers must also give a “clear, conspicuous and nondeceptive notice at the point of sale,” as well as on the provider’s public website, describing the provider’s obligations and the customer’s rights. Requirements for safeguarding customers’ personal information are also outlined. The Act applies only to providers operating in Maine that provide Internet access service to customers who are physically located in Maine and billed for services received there. The new law takes effect July 1, 2020.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Consumer Protection

  • Oregon enacts new vendor data breach notification requirements

    State Issues

    On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or having reason to believe a breach has occurred; and (ii) notify the state Attorney General if a security breach involves the personal information of more than 250 consumers, or an undetermined number of consumers, provided that the covered entity has not already done so. SB 684 also updates the definition of personal information to include usernames in combination with other authentication factors used to access a consumer’s account, and establishes that a covered entity or vendor may “affirmatively defend” against allegations that it failed to adequately safeguard personal information by showing that it maintained reasonable security measures in compliance with HIPAA or the Gramm-Leach-Bliley Act, as applicable. The amendments take effect January 1, 2020.

    State Issues State Legislation Data Breach Privacy/Cyber Risk & Data Security Third-Party

  • 4th Circuit upholds certification of TCPA class action against satellite provider

    Courts

    On May 30, the U.S. Court of Appeals for the 4th Circuit held that a lower court correctly certified a class of individuals who claimed a satellite provider (defendant) violated the TCPA when its authorized sales representative routinely placed telemarketing calls to numbers on the national Do-Not-Call registry. The plaintiff-appellee alleged that because his number was on the registry, the calls were not only annoying but illegal. He therefore filed a lawsuit against the defendant for violations of the TCPA, and in 2018 the district court entered a final judgment upholding a jury’s verdict as to both liability and damages for a class of 18,066 members, trebling the damages to more than $61 million. The defendant appealed the verdict, asserting that the class definition was too broad in that it included uninjured consumers. Specifically, the defendant argued that the definition should be limited to telephone subscribers or the persons who actually received the calls. The defendant further asserted on appeal that it was not responsible for the sales representative’s actions.

    On appeal, the 4th Circuit affirmed the lower court’s judgment, stating that it saw “no basis for imposing such a limit,” on the class definition given that “[t]he text of the TCPA notes that it was intended to protect ‘consumers,’ not simply ‘subscribers.’” Concerning the defendant’s argument that it was not responsible for the violations, the appellate court noted that the sales representative’s “entire business model was to make calls like these on behalf of television service providers,” like the defendant, which the defendant knew were being placed on its behalf.

    Courts Appellate Fourth Circuit Privacy/Cyber Risk & Data Security TCPA Robocalls

  • NYDFS creates Cybersecurity Division

    Privacy, Cyber Risk & Data Security

    On May 22, NYDFS announced its newly created Cybersecurity Division, led by Justin Herring as Executive Deputy Superintendent, which NYDFS describes as “the first of its kind to be established at a banking or insurance regulator.” The new division will focus on enforcing and issuing guidance on NYDFS’ cybersecurity regulation, 23 NYCRR Part 500, advising on cybersecurity examinations, conducting cyber-related investigations, and disseminating information on cyber-attack trends and threats. NYDFS highlighted Herring’s experience supervising cybercrime and digital currency cases as Chief of the Cyber Crimes Unit in the U.S. Attorney’s Office for the District of New Jersey and as a member of its Economic Crimes Unit, including investigating money laundering conducted through digital currency and prosecuting unlicensed digital currency exchanges.

    Privacy/Cyber Risk & Data Security NYDFS

  • FTC Commissioners discuss state privacy preemption

    Federal Issues

    On May 8, the FTC Commissioners participated in a subcommittee hearing before the House Committee on Energy and Commerce entitled, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” During the hearing, the Commissioners were questioned about the agency’s privacy and data security enforcement and regulatory activities, including whether they would support preemption of state privacy laws by a federal privacy statute. Using the California Consumer Privacy Act (covered by InfoBytes here) as an example, some Congressmen worried about the prospect of conflicting privacy legislation in other states, creating “confusion and uncertainty in the business community.”

    Split along party lines, the Democratic Commissioners expressed caution about federal preemption of state privacy laws; Commissioner Chopra, citing the federal preemption of state lending laws in the years leading up to the mortgage crisis, warned of “unintended consequences.” Democratic Commissioner Slaughter recognized the “desire for uniformity, consistency, clarity, and predictability” that a federal law would provide, but noted that the appropriateness of preemption should turn on “whether a federal law meets or exceeds…the level of protections that states can provide and whether it allows them the opportunity to fill any gaps that may remain after a federal law is developed.” The Republican Commissioners stressed the importance of a federal law that would preempt the current “patchwork” of state laws, which Commissioner Phillips argued is “essential” to give businesses clarity and reduced compliance costs while also giving consumers more power to understand what to expect. FTC Chairman Simons noted that even if a federal law preempts state privacy laws, Congress should grant concurrent enforcement authority to the states’ attorneys general.

    The hearing also covered, among other things, (i) the need for additional resources to increase agency staff focused on privacy issues; (ii) giving the FTC authority to levy civil money penalties, since Section 5 of the FTC Act does not allow the Commission to seek civil penalties for first-time privacy violations; and (iii) the need for targeted rulemaking authority.

    Federal Issues FTC U.S. House Hearing Privacy/Cyber Risk & Data Security CCPA

  • States enact data breach notification requirements

    State Issues

    On May 10, the New Jersey governor signed S 52, which amends the state’s data breach notification provisions. The amendments expand the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” The amendments further permit a breached entity to notify individuals whose account access credentials have been compromised by directing them to promptly change their online account information, so long as the notification is not sent to an email account that was itself subject to the security breach. The amendments take effect on September 1.

    On May 7, the Washington governor signed HB 1071, which amends the state’s data breach notification law to, among other things, (i) narrow the window for post-breach notification to affected individuals and to the state Attorney General, if applicable, from 45 days to 30 days after discovery; (ii) require notifications to contain the date of the breach and the date of the discovery of the breach, if known; (iii) permit electronic notification to affected individuals, which must instruct them to promptly change passwords and security questions or answers, as applicable; and (iv) significantly expand the items included in the notice to the Attorney General, including a summary of steps taken to contain the breach. In addition, HB 1071 expands the definition of “personal information” to include, among other things, the full birth date; a private key unique to an individual that is used to authenticate or sign electronic records; student, military, or passport ID numbers; health insurance identification numbers; biometric data or medical history; and user names and email addresses combined with passwords or security questions. The amendments take effect March 1, 2020.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach State Attorney General

  • Indiana sues credit reporting agency over 2017 data breach

    State Issues

    On May 6, the Indiana Attorney General announced a lawsuit filed against a national credit reporting agency in response to its 2017 data breach, alleging the company “chose increasing revenue over protecting the safety of consumers’ sensitive personal information.” According to the complaint, the state alleges the company violated the Indiana Deceptive Consumer Sales Act by failing to secure 3.9 million residents’ personal data while representing to consumers that its payment systems were compliant with Payment Card Industry (PCI) standards. The complaint alleges among other things that the company “knew the system was storing payment card information in clear text, which was a known violation of the [PCI standard]” and “[d]espite its knowledge, … made a conscious choice to break the rules.” Indiana is seeking civil penalties, consumer restitution, costs and injunctive relief.

    State Issues Credit Report Privacy/Cyber Risk & Data Security Data Breach State Attorney General

  • Maryland amends security breach notification requirements

    State Issues

    On April 30, the Maryland governor signed HB 1154 to amend current law related to security breach notification requirements. Among other provisions, HB 1154 (i) requires businesses that own, license, or maintain computerized data that includes a resident’s personal information to conduct a reasonable, prompt investigation in the event of a security breach to determine whether the personal information has been, or is at risk of being, misused as a result of the breach; (ii) requires businesses to provide notice to the affected individuals; (iii) stipulates that a business maintaining the data may not charge a fee for providing the information that an owner or licensee needs in order to notify affected individuals; and (iv) restricts the use of the computerized data relating to the security breach. The amendments take effect October 1.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach

  • 2nd Circuit: Unsolicited text messages are sufficient injury under TCPA

    Courts

    On April 30, the U.S. Court of Appeals for the 2nd Circuit held that the receipt of unsolicited text messages, absent any additional injury, is sufficient to demonstrate injury-in-fact in a TCPA class action. According to the opinion, consumers filed a class action lawsuit against a retail store for sending unsolicited text messages in violation of the TCPA. The district court approved a settlement between the parties and certified the class despite various objections, including one from a third-party defendant who argued the consumers lacked standing under the 2016 Supreme Court opinion Spokeo, Inc. v. Robins, because “they alleged only a bare statutory violation and statutory damages cannot substitute for concrete harm.”

    On appeal, the appellate court first held that the third-party defendant lacked standing to appeal the district court’s decision: because it had not been “‘formally strip[ped]’ of any claim or defense, it lacks standing to pursue its appeal” in the underlying class action. Notwithstanding the third-party defendant’s lack of standing, the appellate court went on to address the Article III standing issues raised against the consumers, reasoning that, even though the party that raised the jurisdictional question had been dismissed, the court had an “independent obligation to satisfy [itself] of the jurisdiction” of both the appellate and the district court. The appellate court concluded that the consumers sufficiently alleged “nuisance and privacy invasion” from the unsolicited text messages, which “are the very harms with which Congress was concerned when enacting the TCPA.” Because the harms identified are “of the same character as harms remediable by traditional causes of action,” the appellate court held that the consumers had sufficiently demonstrated injury-in-fact as required by Article III.

    Courts TCPA Appellate Second Circuit Spokeo Privacy/Cyber Risk & Data Security Class Action

  • Websites settle FTC data security allegations

    Federal Issues

    On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the online rewards website operator collected personally identifiable information (PII) from users who participated in its online offerings and promised that their account information was secure. However, the operator allegedly failed to implement data security measures or use encryption, which allowed hackers to gain access to its network. In addition, the operator allegedly stored PII in clear, unencrypted text. As a result of the breach, hackers published and offered for sale the PII of approximately 2.7 million consumers. Under the terms of the decision and order, the operator is, among other things, prohibited from misrepresenting the measures it takes to protect consumers’ PII and is required to implement a comprehensive information security program covering future collection of PII.

    On the same day, the FTC reached a proposed settlement with a dress-up games website and its operators, who allegedly violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 and by failing to provide reasonable and appropriate security for the collected data. According to the FTC, data security failures allowed hackers access to the company’s network, which stored information for roughly 245,000 users under age 13. As part of the proposed settlement filed in the U.S. District Court for the Northern District of California, the company and its operators, among other things, (i) have agreed to pay $35,000 in civil penalties; (ii) will change their business practices to comply with COPPA; and (iii) are prohibited from selling, sharing, or collecting personal information until a comprehensive data security program is implemented and undergoes independent biennial assessments.

    Federal Issues FTC Privacy/Cyber Risk & Data Security Data Breach COPPA Settlement
