On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort among the industry to lobby Congress in passing legislation to combat increasing data breaches and fraud.
State AGs Urge Card Companies to Advance Consumer Protection by Implementing Chip and PIN Technology
On November 16, nine state attorneys general sent a letter urging leading card brands to expedite the implementation of chip and PIN technology in the United States. The letter summarizes research connected to recent data breaches, stating “individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.” Addressing concern that PIN technology would be burdensome or confusing to consumers, the AGs maintain that many consumers are accustomed to financial transactions that rely on PIN technology, such as transactions involving debit cards, and point to a November 2014 poll that indicated cardholders were supportive of chip and PIN technology. The AGs emphasize that PIN technology is “nothing new” and is considered the “gold standard” for payment card security, noting that countries around the world have seen a dramatic decrease in fraud since implementing the technology. Finally, while the letter stresses that chip and PIN technology would better protect both consumers and businesses from data breaches, it does not suggest that the technology be legally mandated at the federal or state level: “[T]his letter calls upon you as good corporate citizens to voluntarily expedite the implementation of existing technology that offers the most substantial security benefits, and to continue to adapt and improve security as quickly as possible as technology advances.”
On November 10, 2014, the Supreme Court denied Douglas Whitman’s petition for a writ of certiorari in Whitman v. United States, No. 14-29; Justice Antonin Scalia, joined by Justice Clarence Thomas, issued a brief statement specifically highlighting their view of the role that the doctrine of lenity should play in the interpretation of criminal statutes. Whitman asked the high court to review his 2012 conviction for securities fraud and conspiracy under the Securities Exchange Act of 1934. The Second Circuit appeared to defer to the SEC’s interpretation of ambiguous language in the Act—according to Justice Scalia, such an approach would disregard the “many cases . . . holding that, if a law has both criminal and civil applications, the rule of lenity governs its interpretation in both settings.” Justice Scalia further noted that it was the exclusive province of the legislature to create criminal laws, and to defer to the SEC’s interpretation of a criminal statute would “upend ordinary principles of interpretation.” Justice Scalia’s approach may indicate potential adjustments in the ongoing effort to strike the right balance between the due process rights of targets of enforcement actions to know what the law prohibits, and deference to enforcement agencies to interpret federal statutes flexibly. BuckleySandler discussed the tension between lenity and Chevron deference earlier this year in a January 16 article, Lenity, Chevron Deference, and Consumer Protection Laws.
On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.
On May 21, the FTC proposed to prohibit the use of certain payment methods it believes are favored by “fraudulent telemarketers.” The FTC’s proposed rule would amend the Telemarketing Sales Rule (TSR) to prohibit telemarketers from (i) using remotely created unsigned checks and payment orders to directly access consumer bank accounts, and (ii) receiving payment through “cash-to-cash” money transfers and “cash reload” mechanisms. The FTC explained that allegedly fraudulent telemarketers rely on such payment methods because they are largely unmonitored and provide fewer consumer fraud protections. The proposed rule also would (i) expand the TSR’s ban on telemarketing “recovery services” in exchange for an advance fee and (ii) clarify various other provisions of the TSR. The FTC is accepting public comments on the proposal through July 29, 2013.