InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC seeks comments on possible adjustments to privacy and data security rulemaking authority
On August 6, the FTC published a request for comments in the Federal Register—in advance of a series of 15 to 20 public hearings scheduled to start this September—on whether the agency should make adjustments to competition and consumer protection law, enforcement priorities, and policy in light of evolving technologies and market developments. The hearings will cover a range of consumer-related issues, including the agency’s “remedial authority to deter unfair and deceptive conduct in privacy and data security matters” and the “interpretation and harmonization of state and federal statutes and regulations that prohibit [such conduct].” According to testimony presented by FTC Chairman Joseph Simons at a July 18 House Subcommittee on Digital Commerce and Consumer Protection hearing, there exists a need for expanded rulemaking and civil penalty authority. Specifically, Simons discussed Section 5 of the FTC Act, which he stated is too limited to address all of the privacy and security concerns in the marketplace and does not provide for civil penalties. Comments on the hearing topics must be received by August 20.
Conference of State Bank Supervisors supports legislation to coordinate federal and state examinations of third-party service providers
On July 12, the Conference of State Bank Supervisors (CSBS) issued a statement to the Senate Banking Committee, offering support for legislation that would “enhance state and federal regulators’ ability to coordinate examinations of, and share information on, banks’ [third-party technology service providers (TSPs)] in an effective and efficient manner.” H.R. 3626, the Bank Service Company Examination Coordination Act, introduced by Representative Roger Williams, R-Texas, would amend the Bank Service Company Act to provide examination improvements for states by requiring federal banking agencies to (i) consult with the state banking agency in a reasonable and timely fashion, and (ii) take measures to avoid duplicating examination activities, reporting requirements, and requests for information. Currently, 38 states have the authority to examine TSPs, however, according to CSBS, amending the Bank Service Company Act would more appropriately define a state banking agency’s authority and role when it comes to examining potential risks associated with TSP partnerships. In its statement, CSBS also references a recent action taken by eight state regulators against a major credit reporting agency following its 2017 data breach that requires, among other things, a wide range of corrective actions, including improving oversight and ensuring sufficient controls are developed for critical vendors. (See previous InfoBytes coverage here.) The House Financial Services Committee advanced H.R. 3626 on June 24 on a unanimous vote.
FTC announces settlement with California company over EU-U.S. Privacy Shield false certification claims
On July 2, the FTC announced it had reached a settlement with a California-based company over allegations that it falsely claimed participation in the European Union-U.S. Privacy Shield framework, EU-U.S. Privacy Shield. According to the FTC, the company’s false claim that it was in the process of certification is a violation of the FTC Act’s prohibition against deceptive acts or practices. The settlement prohibits the company from misrepresenting its participation in “any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization” and requires the submission of timely compliance notices. This action marks the fourth FTC EU-U.S. Privacy Shield enforcement action following the EU’s finalization and adoption in July 2016 (see previous InfoBytes coverage here) of the EU-U.S. Privacy Shield, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations.
Buckley Special Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of signatures to appear on the November 2018 ballot in the state. Both the Act and the Ballot Initiative were a reaction to high-profile news stories involving large-scale consumer data collection and sharing by online companies, often done without notice to or consent from consumers.
The Ballot Initiative, driven and funded by a coalition of privacy advocates, proposed both expanding consumer privacy rights under existing state laws such as the California Online Privacy Protection Act and the “Shine the Light” law, and giving new consumer rights with regard to information sharing. The Ballot Initiative, which was withdrawn in response to the enactment of the Act, would have provided state residents with increased rights regarding the types of information online companies possess about them, the purposes for which the information is used, and the entities with which the information is shared. Consumers would also have been given the right to stop certain sharing of their personal information. Critics asserted that the Ballot Initiative was poorly crafted and would stifle innovation in data services. Last minute revisions to the language of the Act, which generally follows the requirements of the Ballot Initiative, sought to address some of these concerns and several industry groups that had opposed the Ballot Initiative did not lobby against the quick passage of the Act.
* * *
Click here to read the full special alert.
If you have questions about the act or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.Credit reporting agency agrees to cybersecurity corrective action with eight state regulators
On June 27, the New York Department of Financial Services (NYDFS) announced that a major credit reporting agency has agreed to cybersecurity and internal control corrective action following its 2017 data breach, which reportedly affected 143 million American consumers. The consent order, which was entered into with NYDFS and seven other state regulators, requires a wide range of corrective actions. The company must: (i) review and approve a written risk assessment which identifies data breach risks and the likelihood of threats; (ii) establish and oversee a formal internal audit program; (iii) improve oversight of its information security program; and (iv) improve oversight and ensure sufficient controls are developed for critical vendors. The consent order does not include any monetary penalties.
The consent order follows the June 25 announcement by NYDFS that credit reporting agencies will be required to register annually with the state and comply with the state’s cybersecurity regulation (covered by InfoBytes here).
New York regulation requires all credit reporting agencies to register with NYDFS
On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity standard. Specifically, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS, beginning on or before September 1, 2018 for 2017 reporting, and by February 1 for every year thereafter. Among other things, the regulation also (i) authorizes the NYDFS superintendent to refuse to renew a CRA’s registration for various reasons, including if the applicant or affiliate of the applicant fails to comply with the cybersecurity regulations; (ii) subjects the CRAs to examination by NYDFS at the superintendent’s discretion; and (iii) prohibits CRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer,” to the extent not preempted by federal law. Additionally, beginning on November 1, the regulation requires every CRA to comply with NYDFS’ cybersecurity regulation, which requires, among other things, covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Recent InfoBytes coverage on NYDFS’ cybersecurity regulation available here and here.)
According to Governor Cuomo, the oversight of CRAs will help to ensure New York consumers’ information is less vulnerable to the threat of cyber-attacks, stating, “[a]s the federal government weakens consumer protections, New York is strengthening them with these new standards.”
Rhode Island and New Hampshire prohibit security freeze fees
On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in connection with issuing or reissuing a personal identification number that is used by a consumer to authorize the use of his or her credit or to remove the freeze. Previously, Rhode Island allowed credit reporting agencies to charge a fee up to $10 dollars for security freeze services and $5 for reissuances of personal identification numbers, although customers were entitled to a free initial reissuance of their personal identification numbers. The law is effective September 1.
Similarly, on June 8, the governor of New Hampshire signed HB1700, which prohibits a consumer reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also prohibits a consumer reporting agency from charging a fee to issue or replace a consumer’s personal identification number used in connection with the security freeze. The law requires the consumer reporting agencies to place the freeze within three business days after receiving a consumer request, if the consumer makes the request via mail and within 24 hours after receiving a consumer request, if made electronically or by telephone. The law is effective January 1, 2019.
8th Circuit affirms $17 million class settlement for retailer data breach
On June 13, the U.S. Court of Appeals for the 8th Circuit affirmed the district court’s ruling approving a $17 million class settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The settlement, which consists of $10 million in consumer redress and almost $7 million in plaintiffs’ attorney fees, was preliminarily approved in 2015 by the district court (previously covered by InfoBytes here) but was remanded back to the court by the 8th Circuit for failing to conduct the appropriate pre-certification analysis. After the district court recertified the class, two settlement challengers appealed, arguing that the class was not properly certified as there were not separate counsel for the subclasses and that the court erred in approving the settlement because the award of attorney’s fees was not reasonable. The appellate court disagreed, holding that no fundamental conflict of interest required separate representation for named class members and class members who suffered no actual losses. The court also concluded that the 29 percent in total monetary payment to the plaintiffs’ attorneys was “well within the amounts [the court] has deemed reasonable in the past” and therefore, the district court did not error in its discretion.
Illinois, Connecticut, and Hawaii pass security freeze legislation
On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately. The Act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.
This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.
On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.
District Court grants preliminary injunction in FTC search engine suit
On June 6, the U.S. District Court for the Southern District of Florida granted the FTC’s request for preliminary injunction against an individual defendant and the company he owns and manages (stipulating defendants) for allegedly violating the FTC Act by making robocalls to small business owners claiming they represented a global search engine and could guarantee top search result placements. The stipulating defendants are part of a larger group of Florida-based companies, affiliates, and representatives (defendants) identified in the FTC’s 2018 complaint. According to the FTC’s May 23 press release, the defendants—who allegedly have no relationship with the search engine—threatened to remove companies from the search engine’s results or label them as “permanently closed” unless they accepted the robocall and paid a fee to participate in the defendants’ program. The complaint also claimed that the defendants—who lost the ability to accept payments by credit card after their merchant account was closed due to high chargeback rates—allegedly “took money, usually $100, from at least 250 of their prior or existing customers’ checking accounts without those customers’ advance knowledge, consent, or authorization, and with no apparent reason or justification.”
In granting the preliminary injunction, the court found that there exists “good cause” to believe the FTC’s allegations against the stipulating defendants, and that the FTC is “likely to prevail on the merits of this action.” The injunction, among other things, blocks the stipulating defendants from continuing with their business, freezes their assets and records, and orders the appointment of a receiver to take control over those assets. A temporary restraining order was also issued against all defendants on May 8.