
InfoBytes Blog

Financial Services Law Insights and Observations


  • 11th Circuit vacates FTC data security cease and desist order issued against medical testing laboratory

    Courts

    On June 6, the U.S. Court of Appeals for the 11th Circuit vacated an FTC cease and desist order (Order) that directed a Georgia-based medical testing laboratory to overhaul its data security program, ruling that the Order was unenforceable because it lacked specifics on how the overhaul should be accomplished. In 2013, the FTC claimed that the laboratory’s violation of Section 5(a) of the FTC Act constituted an “unfair act or practice” by allegedly failing to implement and provide reasonable and appropriate data security for patient information. The now defunct laboratory argued, among other things, that the FTC did not have the authority under Section 5 to regulate how it handled its data security measures. But the three-judge panel chose not to rule on the broader question about the scope of the FTC’s Section 5 data security authority, choosing to focus its decision on the Order. As previously covered in InfoBytes, in 2016 the FTC reversed an Administrative Law Judge’s Initial Decision to dismiss the 2013 FTC complaint, ordering the laboratory to, among other things, employ reasonable security practices that complied with FTC standards.

    After the Order was issued, the laboratory asked the 11th Circuit to decide whether the FTC’s Order was “unenforceable because it does not direct it to cease committing an unfair ‘act or practice’ within the meaning of Section 5(a).” The 11th Circuit agreed to stay enforcement of the Order and ultimately permanently vacated it. “In the case at hand, the cease and desist order contains no prohibitions,” the panel wrote. “It does not instruct [the laboratory] to stop committing a specific act or practice. Rather, it commands [the laboratory] to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable.” The court concluded that “[t]his is a scheme that Congress could not have envisioned.”

    Courts FTC Privacy/Cyber Risk & Data Security Eleventh Circuit Appellate FTC Act

  • FTC files complaint against two operations allegedly responsible for making billions of illegal robocalls

    Privacy, Cyber Risk & Data Security

    On June 5, the FTC announced charges filed against two individuals and their related operations (defendants) for allegedly facilitating billions of robocalls to consumers across the country through a telephone dialing platform in violation of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule. According to the complaint filed in the U.S. District Court for the Central District of California, the alleged misconduct—dating back to 2001—centered around the principal and owner of a group of companies that operated and developed a computer-based telephone dialing platform, and a second individual defendant and his group of call center businesses that paid for the development and use of software designed to make autodial telephone calls and deliver prerecorded messages. The FTC alleged that for many years the two individual defendants jointly owned and operated businesses that resold access to a “bundle of services”—referred to as a “one-stop-shop for illegal telemarketers”—that provided, among other things, (i) servers to host the autodialing software, as well as the physical space housing the servers; and (ii) the ability to make calls using “spoofed” caller ID numbers, which made it look as if the calls came from a consumer’s local area code. According to the FTC, this “bundle of services” became so widely used within the industry that it has been named in at least eight other FTC lawsuits centered on the facilitation of unlawful calls. Among other things, the charges against the defendants include assisting with illegal robocalls, calling with prerecorded messages, calling numbers on the National Do Not Call Registry, calling with spoofed caller IDs, and abandoning calls. The FTC seeks civil monetary penalties, a permanent injunction against the defendants to prevent future violations, and reimbursement of costs for bringing the action.

    Privacy/Cyber Risk & Data Security FTC Robocalls FTC Act Telemarketing Sales Rule Telemarketing and Consumer Fraud and Abuse Prevention Act

  • Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement

    Privacy, Cyber Risk & Data Security

    On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”—to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with any of the following items when not encrypted or redacted: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:

    • In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
    • If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
    • Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
    • If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.

    The law also includes security and notification requirements for Colorado governmental entities.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Consumer Protection

  • Louisiana governor amends data breach notification law; passes security freeze legislation

    Privacy, Cyber Risk & Data Security

    On May 20, the Louisiana governor signed SB361 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state or that own or license computerized data to (i) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure,” and (ii) take “all reasonable steps” to destroy documents containing personal information once they no longer need to be retained. Key amendment highlights are as follows:

    • revises definitions, which include (i) defining “breach of the security of the system” to now apply to “the compromise… of computerized data that results in, or there is a reasonable likelihood to result in. . .” unauthorized acquisition and access; and (ii) revising the definition of “personal information” to include residents of the state, and include passport numbers and biometric data;
    • requires entities to notify affected individuals within 60 days of the discovery of a data breach—pending the needs of law enforcement—and further stipulates that if a determination is made to delay notification, the Attorney General must be notified in writing within the 60-day period to receive an extension of time;
    • provides that substitute notification—consisting of email notification, a notice posted to the entity’s website, and notifications to major statewide media—may be provided should the entity demonstrate that (i) the cost of the notification would exceed $100,000; (ii) the affected class of persons exceeds 100,000; or (iii) the entities lack sufficient contact information; and
    • states that violations of the Database Security Breach Notification Law constitute an unfair act or practice.

    The amendments take effect August 1.

    Separately, on May 15, the governor signed SB127, which prohibits credit reporting agencies from charging a fee for placing, reinstating, temporarily lifting, or revoking a security freeze. The bill became effective upon signature by the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Security Freeze Data Breach

  • OCC highlights key risks affecting the federal banking system in spring 2018 semiannual risk report

    Federal Issues

    On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest risk, and while the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)

    Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA previously considered a key risk have been downgraded to an issue to be monitored.

    Federal Issues Agency Rule-Making & Guidance OCC Risk Management Bank Regulatory Third-Party Bank Secrecy Act Anti-Money Laundering TILA RESPA Privacy/Cyber Risk & Data Security Vendor Management

  • Court denies plaintiff’s motion for summary judgment in TCPA action, questions accuracy of report citing number of robocalls

    Courts

    On May 21, the U.S. District Court for the Southern District of California denied a plaintiff’s motion for summary judgment against a solar company that she claimed made multiple unwanted robocalls to her cell phone, holding that questions remained about the accuracy of a report identifying the number of illegal calls the company allegedly placed. The plaintiff filed a putative class action complaint asserting that the company, in order to market products and services, violated the Telephone Consumer Protection Act (TCPA) when it used a “predictive dialer” to contact cell phone numbers the company bought from third parties. The plaintiff further claimed that none of the alleged call recipients had provided prior express consent to receive the calls, and that an expert retained by the plaintiff found that the company had made 897,534 calls to 220,007 unique cell phones. After the class was certified, the plaintiff moved for summary judgment, requesting that class members be awarded damages available under the TCPA of $1,500, or $500 per call.

    While the court determined that there is no argument as to the plaintiff’s TCPA claim concerning whether the company made telemarketing calls (and failed to receive prior express consent), a dispute remained over whether the plaintiff had “carried its burden of demonstrating” that the high number of calls cited in the report were actually made. First, the court stated that, because the company “stipulated that the [p]laintiff’s expert in fact reached a certain conclusion, it does not follow that [the company] stipulated to the accuracy of the conclusion.” Second, the court held that, since a reasonable jury could find the report’s “conclusions are flawed for any number of reasons,” a fact issue as to the report’s accuracy remained. A settlement conference has been set for June 6.

    Courts TCPA Class Action Robocalls Privacy/Cyber Risk & Data Security

  • Vermont legislation regulates data brokers and provides consumer protections

    Privacy, Cyber Risk & Data Security

    On May 22, a Vermont bill, established to regulate data brokers and provide consumers with protections against companies that collect, analyze, and sell their personal information, was enacted without the governor’s signature. Among other things, H.764: (i) requires data brokers to pay a $100 fee to register annually with the Vermont Secretary of State and publicly disclose information about data collection practices and opt-out policies; (ii) requires companies to implement measures to ensure they have “adequate security standards” to safeguard against data breaches; (iii) prohibits the “acquisition of personal information with the intent to commit wrongful acts”; and (iv) prohibits credit reporting agencies from charging consumers fees for the placement, removal, or temporary lift of a security freeze. The credit freeze provisions became effective upon passage. The data broker provisions take effect January 1, 2019.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Data Brokers

  • Minnesota prohibits security freeze fees, authorizes security freezes for protected persons

    State Issues

    On May 19, the Minnesota governor signed HF1243, which, effective immediately, prohibits credit reporting agencies from charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law authorizes the placement of a security freeze for a protected person – defined by the law as an individual under the age of 16 – if a consumer reporting agency receives a request from the protected person’s representative and certain authentication standards are met. The law also outlines the requirements for removing a security freeze for a protected person.

    State Issues Credit Reporting Agency Security Freeze State Legislation Privacy/Cyber Risk & Data Security

  • Maryland and Georgia prohibit security freeze fees

    State Issues

    On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.

    On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.

    State Issues State Legislation Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

  • Court holds text message advertisements sent by internet domain provider do not violate TCPA

    Courts

    On May 14, the U.S. District Court for the District of Arizona granted an internet domain provider’s motion for summary judgment, holding that the platform used by the company to send text message advertisements did not qualify as an “autodialer” under the Telephone Consumer Protection Act (TCPA). The plaintiff filed a putative class action in 2016 asserting that the company, without his consent, sent him a single text message offering a discount on new products in violation of the TCPA. The company moved for summary judgment, arguing that the platform it uses to send messages is not an “autodialer.” Citing the recent D.C. Circuit decision in ACA International v. FCC (covered by a Buckley Sandler Special Alert), which narrowed the FCC’s 2015 interpretation of “autodialer,” the Court agreed with the company. The Court held that the text was not sent automatically or without human intervention because the company had to “log into the system, create a message, schedule a time to send it, and perhaps most importantly, enter a code to authorize its ultimate transmission.”

    As covered by InfoBytes, the FCC’s Consumer and Governmental Affairs Bureau released a notice seeking comment on the interpretation of the Telephone Consumer Protection Act (TCPA) in light of the recent D.C. Circuit decision in ACA International.

    Courts TCPA Privacy/Cyber Risk & Data Security Autodialer ACA International
