
InfoBytes Blog

Financial Services Law Insights and Observations


  • Credit Reporting Agencies Must Comply With Emergency Regulations

    Privacy, Cyber Risk & Data Security

    On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identity Theft Prevention and Mitigation Program (the Program). According to a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:

    • provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
    • identify dedicated points of contact to assist the Division’s effective administering of the program;
    • make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
    • clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.

    Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.

    As previously covered by InfoBytes, the New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.

    Privacy/Cyber Risk & Data Security State Issues Data Breach NYDFS Credit Reporting Agency 23 NYCRR Part 500

  • FTC Announces Final Approval of Settlements With Companies Over EU-U.S. Privacy Shield False Certification Claims

    Privacy, Cyber Risk & Data Security

    On November 29, the FTC announced it had approved final settlements with three companies over allegations that they falsely claimed participation in the European Union-U.S. Privacy Shield (EU-U.S. Privacy Shield) framework. (See previous InfoBytes coverage here.) The settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions following the EU’s finalization and adoption in July 2016 (as covered by InfoBytes) of the EU-U.S. Privacy Shield Framework, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations.

    Privacy/Cyber Risk & Data Security Enforcement FTC Settlement

  • Ride-Sharing Company Announces Data Breach; State Attorneys General Launch Investigations

    State Issues

    On November 21, a ride-sharing company disclosed via press release a 2016 data breach that exposed the personal data of 57 million riders and drivers. According to the company, an outside forensic investigation revealed that in October 2016 hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. The company claimed that hackers did not obtain driver or passenger social security, credit card, bank account, birth date, or trip location information. Though the company stated that it has taken action to address the delay in notifying affected individuals and regulators, lawsuits filed by the State of Washington and the City of Chicago claim that the company capitulated to hackers’ demands and “paid the hackers to delete the consumer data and keep quiet about the breach.”

    According to a letter from the company to the Washington attorney general attached to the state’s complaint, the company “is taking personnel actions with respect to some of those involved in the handling of the incident.” The company further stated that it has “implemented and will implement further technical security measures, including improvements related to both access controls and encryption.”

    According to sources, three separate class action lawsuits have been filed against the company as a result of the 2016 breach (see here, here, and here) and five attorneys general (New York, Illinois, Connecticut, Massachusetts, and Missouri) have launched investigations.

    The 2016 data breach follows a settlement in January of that year with the New York Attorney General related to allegations that the company failed to promptly disclose a 2014 data breach. The 2014 data breach involved an alleged failure to prevent unauthorized access to the company’s consumer and driver data maintained on a third-party cloud service provider. As previously reported in InfoBytes in August, the company reached a settlement with the FTC related to the 2014 data breach; however, that settlement was entered into before the company disclosed the existence of the 2016 breach.

    In a related development, on November 27, the U.S. District Court for the Northern District of California dismissed without prejudice a putative class action lawsuit against the company related to the 2014 data breach. The court held that the driver’s name, license number, and limited banking information disclosed in the breach was not the type of personally identifiable information that could expose plaintiffs to the risk of identity theft. Accordingly, the court dismissed the case for lack of Article III standing. The court also granted plaintiffs a final opportunity to amend their complaint to address the standing deficiencies.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General FTC Class Action Settlement Courts

  • Federal Reserve Governor Calls for Collaboration Between Regulators, Banks, Data Aggregators, and Fintech Firms for Financial Data Sharing Standards

    Fintech

    On November 16, Federal Reserve Governor Lael Brainard spoke at a fintech conference sponsored by the University of Michigan regarding consumers’ right to understand and control how their financial data is used by third-party aggregators, and in developing fintech technology. “There's an increasing recognition that consumers need better information about the terms of their relationships with aggregators, more control over what is shared, and the ability to terminate the relationship,” Brainard noted. “Consumers should have relatively simple means of being able to consent to what data are being shared and at what frequency. And consumers should be able to stop data sharing and request the deletion of data that have been stored.”

    Brainard emphasized that regulators, data aggregators, bank partners, and fintech developers should jointly develop a common, consistent message for how customer data is shared and protected within the fintech space and “other areas experiencing significant technological change.” As previously reported in InfoBytes, on October 18, the CFPB issued principles concerning the security and transparency of financial data sharing when companies—including fintech firms—get authorization from consumers to access their account data that reside in separate organizations to provide products and services.

    Fintech Federal Reserve Consumer Finance Privacy/Cyber Risk & Data Security EFTA CFPB Third-Party

  • FCC Adopts Rules Allowing Voice Service Providers to Block Illegal Robocalls

    Privacy, Cyber Risk & Data Security

    On November 16, the FCC approved new rules allowing phone companies to proactively block illegal robocalls originating from certain types of phone numbers.

    Pursuant to the report and order released on November 17, providers may block calls that: (i) are made from telephone numbers that are not designed to make outgoing calls; (ii) originate from telephone numbers listed on a subscriber’s “do not originate” list; or (iii) originate from telephone numbers with non-existent area codes, no provider assignment, or that are not currently in use. The FCC is seeking public comments from phone service providers by January 23, 2018, to minimize the possibility of blocking “lawful calls” by establishing procedures for identifying and fixing erroneous blocks.

    Privacy/Cyber Risk & Data Security FCC Robocalls

  • SEC Releases FY 2017 Annual Report on Enforcement Priorities and Results

    Federal Issues

    On November 15, the SEC Division of Enforcement released a report highlighting the division’s priorities for the coming year and summarizing the enforcement actions from FY 2017. Division Co-Directors Stephanie Avakian and Steven Peikin identify and discuss the five core principles that guide their decision making: (i) “Focus on the Main Street Investor”; (ii) “Focus on Individual Accountability”; (iii) “Keep Pace With Technological Change”; (iv) “Impose Sanctions That Most Effectively Further Enforcement Goals”; and (v) “Constantly Assess the Allocation of [the Division’s] Resources.”

    The report highlights the two new initiatives announced in 2017 as key priorities: the Cyber Unit and Retail Strategy Task Force (previously covered by InfoBytes). The report also gives an overview of the 754 FY 2017 enforcement actions, including a summary of the various remedies the Division sought.

    Federal Issues SEC Privacy/Cyber Risk & Data Security Enforcement Financial Crimes

  • Missouri AG Announces Investigation Into Tech Company’s Privacy Policies and Use of Consumer Data

    State Issues

    On November 13, Missouri Attorney General Joshua Hawley announced that his office has issued a civil investigative demand (CID) to a major California-based technology company as part of an investigation into suspected violations of the Missouri Merchandising Practices Act and the state’s antitrust laws. The investigation is focused on certain business practices, including, with respect to privacy issues, the company’s collection, use, retention, storage, sale, and dissemination of information and data about its users and their online activities. The CID requests documents and communications related to, among other things, (i) the company’s privacy policies; (ii) the collection and sharing of data that constitutes “personal information” related to the company’s users; (iii) disclosures concerning the collection of consumers’ credit or debit card transactions; (iv) data the company discloses or shares with third parties, and the identification of third-party partners; and (v) how the company tracks users’ online activities. The company has until January 22, 2018 to comply.

    State Issues Privacy/Cyber Risk & Data Security Consumer Data State Attorney General Third-Party

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitution of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

    Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues Security Freeze

  • House Energy and Commerce Subcommittee Examines Consumer Data Security

    Federal Issues

    On November 1, the House Subcommittee on Digital Commerce and Consumer Protection (Subcommittee) held a hearing entitled “Securing Consumers’ Credit Data in the Age of Digital Commerce” to examine: (i) the legal and regulatory framework for consumer reporting agencies, including the Gramm-Leach-Bliley Act and Fair Credit Reporting Act; (ii) current cybersecurity standards, best practices, threats, and vulnerabilities; and (iii) how data breaches relate to incidents of identity theft and fraud. In introductory remarks, Subcommittee Chairman Bob Latta (R-Ohio) acknowledged the need to understand ways to protect against data breaches and secure consumer data. This sentiment was echoed by Full Committee Chairman Greg Walden (R-Or.), who noted in his opening statement that recent data breaches “demonstrate the challenges of protecting consumer information in the digital age.” The full list of witnesses, testimony, and committee background memo is available here.

    Federal Issues Privacy/Cyber Risk & Data Security House Energy and Commerce Committee Data Breach

  • District of Columbia Mayor Signs Emergency Legislation Temporarily Prohibiting Credit Freeze Fees

    Privacy, Cyber Risk & Data Security

    On October 23, District of Columbia Mayor Muriel Bowser signed emergency legislation (Act 22 155) that prohibits credit reporting agencies (CRAs) from charging consumers fees for security credit freezes. The Credit Protection Fee Waiver Emergency Amendment Act of 2017 requires CRAs to provide security freeze services and one-time reissuances of passwords or PINs to consumers for free, but permits charging up to $10 for subsequent instances of password or PIN requests. The Act took effect immediately and will remain in effect for a maximum of 90 days.

    As previously covered in InfoBytes, a coalition of state attorneys general recently petitioned two major CRAs to cease charging fees for credit freezes.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Consumer Finance State Legislation Data Breach Security Freeze
