Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • California law requires credit reporting agencies to address security vulnerabilities

    State Issues

    On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Data Breach

  • Free security freezes available nationwide

    Federal Issues

    On September 21, the FTC announced the nationwide availability of free security freezes and one-year fraud alerts, which were authorized under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA). Specifically, Section 301 of EGRRCPA prohibits a national credit reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also allows parents to obtain a free credit freeze for any of their children who are under 16, and guardians, conservators, and those with a valid power of attorney can obtain a free freeze for the person for whom they have legal authority to act. Additionally, Section 301 extends the duration of the free fraud alert from 90 days to one year. Consumers are required to contact all three nationwide credit reporting agencies to place the security freeze, but only are required to contact one of the three for the fraud alert, as each bureau is obligated to notify the others of a fraud alert.

    Federal Issues FTC Security Freeze Fraud Credit Reporting Agency EGRRCPA S. 2155 Privacy/Cyber Risk & Data Security

  • New Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data

    Privacy, Cyber Risk & Data Security

    On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the defendants’ practices violate both the Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act, and pose the risk of data breaches and third-party access. Among other things, the complaint alleges the defendants’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. The complaint seeks injunctive relief and nominal and punitive damages.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General COPPA

  • California governor signs amendments requiring the furnishing of customer account information associated with certain crime reports

    State Issues

    On September 6, the governor of California signed amendments to the California Right to Financial Privacy Act to provide various state and local agencies—including the police, sheriff’s department, or district attorney in the state—the authorization to request information from financial institutions in certain circumstances associated with crime reports involving the alleged fraudulent use of drafts, checks, access cards, or other orders. Specifically, AB 3229 states that banks, credit unions, and savings associations must furnish a statement with the requested customer account information for a period of 30 days prior, and up to 30 days following, the date of the alleged illegal act’s occurrence. AB 3229 further states that financial institutions will be required to furnish account information—subject to the outlined procedures—to a DOJ special agent upon request.

    State Issues State Legislation Privacy/Cyber Risk & Data Security

  • New Jersey Attorney General announces settlement with data management software company over auto dealer data breach claims

    State Issues

    On September 7, the New Jersey Attorney General announced a settlement with an Iowa-based data management software company related to an alleged data breach that exposed the personally identifiable information (PII) of auto dealership customers across the country. According to the consent order, the company—which develops and operates a dealer management system that stores and secures customer and employee data accessed by 130 auto dealerships nationwide—experienced a breach of security in 2016 that allowed unauthorized public access to unencrypted files containing PII. Following the breach, the state commenced an investigation into whether the company violated either the state’s Consumer Fraud Act (CFA) or its Identity Theft Prevention Act (ITPA). Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay a $49,420 civil money penalty, of which $20,000 will be suspended and automatically vacated after two years provided the company complies with the consent order and does not engage in any future violations of the CFA and/or the ITPA. Furthermore, the company will pay $31,365 to reimburse attorneys’ fees, and has, among other things, agreed to implement a comprehensive security program to prevent similar breaches from occurring in the future.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General

  • Court approves $8.5 million class action settlement with global money service for alleged TCPA violations

    Courts

    On August 31, the U.S. District Court for the Northern District of Illinois approved an $8.5 million class action settlement resolving allegations that a global money service violated the Telephone Consumer Protection Act (TCPA) by sending unsolicited text messages to class members. While the court approved the full settlement amount, it only awarded 5 percent of the fund to the class counsel, as opposed to the 35 percent requested, noting counsel’s “disquieting conduct” related to a class objector and lack of billing records supporting the “substantial work” counsel claimed to have performed on the case (reportedly more than 2.5 times the hours spent by defense counsel). Of the $8.5 million required to be paid by the company, the court modified the agreement to provide class member claims over $7.5 million. The court determined that the settlement “provides fair actual cash value to the class,” as the company had potential defenses to the pending litigation; there was legal uncertainty as to whether the telecommunications equipment used by the company was actually an “automatic telephone dialing system” under the TCPA; and the inherent expense in litigation and proceeding to trial for the class.

    Courts Settlement TCPA Autodialer Privacy/Cyber Risk & Data Security

  • NYDFS launches online registration form for credit reporting agencies to comply with new regulation

    State Issues

    On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity regulation. (As previously covered by InfoBytes, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS.) Registration must be complete by September 15 of this year and by February 1 of each successive year for the calendar year thereafter. Under the new regulation, CRAs are also required to comply with New York’s cybersecurity requirements by November 1, which requires, among other things, covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Continuing InfoBytes coverage on NYDFS’ cybersecurity regulation available here.)

    State Issues NYDFS Credit Reporting Agency Privacy/Cyber Risk & Data Security

  • Court approves $115 million settlement for health insurer data breach

    Privacy, Cyber Risk & Data Security

    On August 15, the U.S. District Court for the Northern District of California issued final approval for a $115 million class action settlement to resolve claims stemming from a large health insurer’s 2015 data breach. As previously covered by InfoBytes, in June 2017, the health insurer and plaintiffs came to the $115 million agreement regarding the company’s 2015 data breach, exposing consumers’ and employees’ social security numbers, birthdays, and other personal data to hackers. The settlement agreement provides for (i) two years of credit monitoring; (ii) reimbursement of out-of-pocket costs related to the breach; and (iii) alternative cash payment for credit monitoring services already obtained. While the settlement agreement was challenged after the initial deal was struck, the court noted that the objectors “ignore that the [s]ettlement provides the class with a timely, certain, and meaningful recovery.” Moreover, the court notes the objectors do not account for the “strong message” it sends to the health insurer, stating, “a settlement does not need to provide for all possible recoverable damages to deter wrongdoing.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Settlement

  • NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs

    State Issues

    On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.

    In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:

    • Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third party service provider, and therefore must comply fully with all applicable provisions;
    • Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
    • Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
    • Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.

    Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

  • CFPB amends Regulation P, provides exemptions for annual privacy notice requirement

    Agency Rule-Making & Guidance

    On August 10, the CFPB issued final amendments to Regulation P, which implements the Gramm-Leach-Bliley Act and provides, among other things, exemptions for financial institutions from sending annual privacy notices to consumers provided they meet certain conditions. The final rule—originally proposed in July 2016 (as previously covered in InfoBytes here)—implements a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act,” which permits certain exemptions provided a qualifying financial institution (i) has not changed its privacy notice from the one previously delivered to its customer, and (ii) limits its sharing of a customer’s nonpublic personal information with nonaffiliated third parties so that a customer does not have the right to opt out, as otherwise afforded under the statute and Regulation P. The final rule will not affect the collection or use of a customer’s nonpublic personal information, and all financial institutions are still required to deliver initial privacy notices to customers. Moreover, the final rule establishes requirements for alternative delivery methods and provides deadlines for financial institutions that lose the exception and are required to resume delivery of annual privacy notices.

    The amendments to Regulation P will take effect 30 days after publication in the Federal Register.

    Agency Rule-Making & Guidance CFPB Regulation P Gramm-Leach-Bliley Privacy/Cyber Risk & Data Security

Pages

Upcoming Events