On January 29, New York Attorney General Eric T. Schneiderman announced a settlement with a foreign computer manufacturer over allegations of a data breach of customer data. The AG’s office claims the security vulnerabilities allowing for the breach lasted almost a full calendar year. In addition to a $115,000 penalty, the manufacturer is required to “maintain [both] reasonable security policies designed to protect consumer personal information. . .[and] data security standards required by the credit card industry.”
On February 9, the New York Attorney General’s (NYAG’s) office announced two settlements with mobile app developers who allegedly omitted information about their data collection practices in their privacy policies. While the investigation revealed that neither developer misused their customers’ personal information or improperly disclosed such information to third parties, the NYAG’s office determined that both companies failed to properly disclose the fact that they had collected the information as required by law. Both companies have agreed to add privacy policies to their apps.
On January 12, the FTC hosted its second annual “PrivacyCon”— a public forum promoted by the regulator in order to “expand collaboration among leaders from academia, research, consumer advocacy, and industry on the privacy and security implications of emerging technologies.” Throughout the day, speaker panels presented research and opened the floor to discussions addressing five major topic areas: (i) the Internet of Things (IoT) and big data; (ii) mobile privacy; (iii) consumer privacy expectations; (iv) online behavioral advertising; and (v) information security. Among other things, panelists discussed the possibility of using machine learning to automatically block or permit user tracking and information collection by applications and websites based on the user’s past practices. Many panelists also examined data “leakage” from devices and the possible privacy and security issues that are raised by such leakage.
A full version of the agenda, including links to abstracts of the research being presented, as well as a video recording of the event, is available online. Additional research not presented but submitted without a request for confidential treatment is also available here.
On November 17, the CFPB formally announced the launch of an inquiry into the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. The CFPB has been investigating and assessing issues related to data access and technological innovation for some time, including through Project Catalyst.
As detailed in the Request for Information (Dkt No. CFPB-2016-0048) issued on November 17, the CFPB is focused on three main points of inquiry: (i) secure access for consumers – i.e., are consumers able to securely access, and authorize others to securely access, their financial records? Are there any “business burdens” that must be addressed to provide access and use of financial records?; (ii) third-party risk — i.e., some financial institutions have expressed concern that providing third parties with access to records may compromise consumer privacy or put their funds at risk. The CFPB would like to learn more about options for ensuring that financial records are securely obtained, stored and used; and (iii) consumer control — i.e., to what extent are consumers able to control how shared data is being used by third parties with authorized access? Are consumers able to limit the number of times those firms can access the data?
In prepared remarks delivered at a field hearing in Salt Lake City, UT, CFPB Director Richard Cordray explained: “The technology around digital financial records continues to develop and, so far, there are many unanswered questions about how the information is being shared, by and to whom, and how safely. As with any emerging industry, we are hearing about some bumps in the road. Both Fintech companies and financial institutions, as well as consumer groups, are describing to us the various challenges, risks and technological obstacles to further progress in this area.”