InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and what types of consumer protections should be considered in future federal legislation. Committee Chairman, Senator John Thune, opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate views from affected industry stakeholders and consumer advocates.
The consumer privacy advocate witnesses agreed there is a need for heightened consumer protections and rights, and that the time is ripe to have a debate on what a consumer data privacy law at the federal level would look like and how it would work with state level laws. However, witnesses cautioned that federal legislation should create a floor and not a ceiling for privacy that will not prevent states from passing their own privacy laws. One of the witnesses who led the effort behind the California ballot initiative that resulted in the CCPA emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify what secondary and third-party uses of data are permissible.
Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.
Coalition of state Attorneys General encourages FCC to create rules to block illegal robocalls
On October 8, a collation of 35 state Attorneys General submitted reply comments in response to a public notice seeking ways the FCC could create rules that will enable telephone service providers to block illegal robocalls. In their comments to the FCC, the coalition encourages the FCC to implement rules and additional reforms that go beyond the agency’s 2017 call-blocking order, which allows phone companies to proactively block illegal robocalls originating from certain types of phone numbers. (See previous InfoBytes coverage here.) “Many illegal robocallers, however, simply do not care about the law and have a more insidious agenda — casting a net of illegal robocalls to ensnare vulnerable victims in scams to steal money or sensitive, personal information,” the coalition stated. “[C]riminals are estimated to have stolen 9.5 billion dollars from consumers through phone scams in 2017.” The coalition encourages collaboration between states, federal counterparts, and the domestic and international telecommunications industry, and applauds recent progress on the implementation of frameworks such as the “Secure Telephone Identity Revisited” and “Secure Handling of Asserted information using toKENs” protocols that assist service providers in identifying illegally spoofed calls.
DOJ issues updated cybersecurity incident response guidance
On September 28, the DOJ issued updated guidance originally presented the day before at a cybersecurity roundtable discussion on best practices for companies when responding to and reporting cybersecurity incidents. Officials from the DOJ, National Security Council, and the Department of Homeland Security made remarks regarding the difficulty in handling data breach investigations at the roundtable. The revised guidance, titled Best Practices for Victim Response and Reporting Cyber Incidents, addressed new issues such as creating relationships with incident response firms, cloud computing, ransomware attacks, and information-sharing with law enforcement. The DOJ further emphasized that properly assessing risk is the key to establishing effective cybersecurity priorities.
SEC penalizes investment company $1 million for cyber security failings
On September 26, the SEC announced a settlement with an Iowa-based broker-dealer and investment advisement company, which agreed to pay $1 million to resolve allegations that the company violated the Safeguards Rule and the Identity Theft Red Flags Rule arising out of the company’s failure to protect confidential customer information from intrusion. This is the SEC’s first enforcement action charging violations under the Rule. According to the order, intruders were able to access the company’s system by impersonating company contractors, calling the company’s support line, and requesting their passwords be reset. The intruders gained access to the company’s system that contained personally identifiable information for approximately 5,600 customers and obtained unauthorized access to account documents for three customers. The SEC identified weaknesses in the company’s cybersecurity procedures, including failure to terminate the intruders’ access even after the intrusion was flagged and failure to apply its procedures to the systems used by its independent contractors. The order takes into account remedial acts undertaken by the company, including blocking malicious IP addresses and issuing breach notices to affected customers, and requires the company to pay a $1 million penalty and retain an independent consultant to evaluate its compliance with the Safeguards Rule and the Identity Theft Red Flags Rule. The company did not admit nor deny the SEC’s findings.
Global technology companies testify before Senate Commerce Committee on need for federal consumer data privacy legislation
On September 26, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Examining Safeguards for Consumer Data Privacy” to discuss whether federal lawmakers should write a broad federal online privacy law in the wake of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, which was amended on September 23. Committee Chairman, Senator John Thune, noted that the September 26 hearing was the first in a series of hearings the Committee plans to hold to discuss consumer data privacy concerns. Testifying before the Committee were executives representing six global technology and telecommunications companies who all agreed that there is a need for federal consumer privacy safeguards that would give consumers more control over the way their data is used. The witnesses also supported the idea of engaging in further discussions with the Committee regarding the FTC’s enforcement powers under its current authority to determine whether the agency needs more resources and tools to carry out its responsibilities effectively. However, the witnesses cautioned that Congress needed to strike an appropriate balance between industry accountability and giving government agencies unchecked power. The witnesses also voiced their opposition to proposed legislation that would require businesses to notify consumers of data breaches within 72 hours of their discovery.
Among other things, the hearing also discussed topics addressing: (i) GDPR compliance burdens; (ii) the need for federal privacy laws to preempt the growing “patchwork” of inconsistent state laws; (iii) pitfalls of mandatory opt-in requirements for consumers; (iv) data use transparency and mandatory disclosures; and (v) efforts undertaken by companies to monitor violations of the Children’s Online Privacy Protection Act, particularly with respect to both in-house and third-party apps offered by the several of the witnesses’ companies.
Global ride-sharing company settles with state Attorneys General for $148 million over data breach
On September 26, the California Attorney General announced that a global ride-sharing company reached a joint settlement with all 50 state Attorneys General and the District of Columbia for $148 million to resolve allegations that the company failed to safeguard user data and to notify authorities after a 2016 data breach. As previously covered by InfoBytes, in November 2017, the company disclosed, via press release, a 2016 data breach that exposed the personal data of 57 million riders and drivers, where hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. During subsequent state investigations, authorities discovered that, after the company discovered the breach, it paid hackers $100,000 to delete the acquired data and to keep silent about the breach.
According to the California announcement, the $148 million settlement benefits all 50 states and the District of Columbia, with California receiving $26 million. In addition to the penalty, the settlement allegedly requires the company to implement various conduct provisions, including (i) integrating privacy considerations and protections into the development and design of products; (ii) implementing and maintaining robust data security practices and accurately representing them; (iii) developing and maintaining a comprehensive information security program; (iv) reporting data security incidents to states on a quarterly basis for two years; and (v) maintaining a “Corporate Integrity Program.”
Department of Commerce requests comments on new federal approach to consumer privacy rules
On September 26, the National Telecommunications and Information Administration (NTIA) published a notice and request for comments on behalf of the Department of Commerce seeking input from stakeholders on ways to address consumer privacy concerns while protecting prosperity and innovation. The NTIA’s notice seeks comments on a proposed set of “user-centric privacy outcomes” to be addressed by future federal action on consumer privacy policy, along with a set of high-level goals that would establish the outlines for the direction these protections should take. Among other things, the NTIA also seeks feedback on ways to (i) increase harmonization across the regulatory landscape; (ii) ensure a balance between legal clarity, flexibility for innovation, and consumer privacy; (iii) prevent a fragmented regulatory approach by ensuring that any law is applied equally to all businesses not covered by sectoral laws; (iv) develop a regulatory framework “consistent with the international norms and frameworks”; and (v) provide the FTC with the necessary tools and resources to effectively enforce such rules.
The NTIA’s proposal follows the European Union’s General Data Protection Regulation (GDPR), which was implemented this past summer, and the recently enacted and amended California Consumer Privacy Act of 2018 (see previous InfoBytes coverage here). Comments on the notice must be received by October 26.
FCC fines health insurance lead generator $82 million for spoofed robocalls
On September 26, the FCC announced that it fined a telemarketer and associated companies more than $82 million for using allegedly illegal caller ID spoofing to market and generate leads for health insurance sales in violation of the Truth in Caller ID Act (the Act). The Act prohibits telemarketers from purposefully falsifying caller ID information with the intent to harm, defraud consumers, or wrongfully obtain anything of value. The FCC alleges that the telemarketer made more than 21 million robocalls with spoofed caller ID information, which makes it difficult for consumers to register complaints and for law enforcement to track and stop the illegal calls. According to the related Forfeiture Order (FCC 18-134), the FCC rejected the telemarketer’s argument that the value he received from the calls was not “wrongfully obtained,” concluding that the calls were placed without prior consent, including contacting consumers on the Do Not Call registry, and that the telemarketer knew the tactics he used to obtain the insurance leads were unlawful. The FCC also rejected the telemarketer’s request to reduce the penalty, stating “the proposed forfeiture of $82,106,000 properly reflects the seriousness, duration, and scope of [the telemarketer]’s violations.”
OCC releases bank supervision operating plan for fiscal year 2019
On September 26, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (Plan) for fiscal year 2019. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (ii) commercial and retail credit loan underwriting, concentration risk management, and the allowance for loan and lease losses; (iii) Bank Secrecy Act/anti-money laundering compliance; (iv) change management to address new regulatory requirements; and (v) internal controls and end-to-end processes necessary for product and service delivery.
The annual plan guides the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes previously has covered.
California amends the California Consumer Privacy Act of 2018
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:
- The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
- The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
- The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
- The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
- The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
- The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
- The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.