On April 23, Washington Governor Jay Inslee signed bill H.R.1078, which requires covered entities to contact consumers living within the state as soon as possible, and no more than 45 days, after the discovery of a breach of personal information. Under the new law, failure to notify consumers of a data breach would violate the state’s Consumer Protection Act. The legislation also requires covered entities to notify the state attorney general and grants the attorney general authority to pursue enforcement actions on behalf of the state or consumers living within the state. The new law goes into effect July 24, 2015.
FDIC OIG Publishes Results of Audit of Personally Identifiable Information in Owned Real Estate Properties
On April 28, the FDIC’s Office of the Inspector General published a report – The FDIC’s Controls for Identifying, Securing, and Disposing of Personally Identifiable Information in Owned Real Estate Properties – regarding its audit of the agency’s internal controls of personally identifiable information (PII) in owned real estate (ORE) properties, which it acquires from failed FDIC-insured financial institutions. The audit was conducted to determine whether or not the FDIC’s internal controls sufficiently identified, secured, and disposed of ORE properties’ PII. According to the report, the OIG determined that the agency’s Division of Resolutions and Receivership (DRR), which is responsible for the liquidation of assets, often did not identify PII in a timely manner, and its “practices for handling and disposing of the information were inconsistent in certain key respects.” As a result of the audit, the OIG recommends that the DRR incorporate the following enhancements to its current review process of PII at ORE properties: (i) Obtain from the agency’s legal division an opinion that outlines and clarifies the requirements for handling PII at ORE properties; (ii) Review existing policies, procedures, guidance, and training and make adjustments where necessary; and (iii) Establish “the appropriate disposition of the PII that was identified at three of the ORE properties reviewed during the audit and that is currently in off-site storage.”
On April 13, the FTC announced that two debt brokers agreed to settle two separate cases filed last year involving the leaking of over 55,000 consumers’ personal information. The brokers allegedly shared consumers’ personal information online – including credit card numbers, names, addresses, and bank account numbers – via unencrypted documents. Although the information was geared towards members of the debt collection industry, it was available to anyone with an internet connection. According to the FTC, the publicly available information put consumers at risk of identity theft and/or phantom debt collection. Under the terms of both proposed settlement agreements (Orders), the brokers would be required to: (i) implement and effectively maintain security programs that will protect consumers’ information; and (ii) have their respective security programs examined initially by a certified third party and again, thereafter, every two years for a duration of 20 years after service of the Orders. The FTC unanimously approved the proposed Orders and has filed them in the U.S. District Court for the District of Columbia for final court approval.
On January 20, 2015, Douglas F. Gansler, former Attorney General of Maryland, joined BuckleySandler LLP as a Partner in the firm’s Washington, DC, office upon completion of his second term as Maryland Attorney General. An accomplished trial lawyer and appellate advocate with a unanimous victory before the U.S. Supreme Court, Doug’s in-depth knowledge and understanding of complex civil, criminal and enforcement matters will be, as firm Chairman Andrew L. Sandler recently noted, “an invaluable asset for firm clients in navigating the government enforcement challenges they confront on a daily basis.”
As he makes the transition to private practice, Doug is optimistic about the opportunities in front of him and is looking forward to getting to know his new colleagues and meeting with firm clients. He shares some added professional and personal insights for InfoBytes Spotlight. Read more…
On January 28, the FTC released a comprehensive report detailing what the so-called “Internet of Things” is, how it is being used, and how both consumers and businesses can protect themselves. The report defines the Internet of Things as “devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet,” and that are sold to or used by consumers. The report focuses on consumer privacy and security and offers a variety of recommendations for those companies offering devices that fall within the definition, including that security be a key part of the design process and data collection be limited where possible. The report does not call for new legislation specific to the Internet of Things because the FTC believes such legislation would be premature. The FTC states that it will use existing authority under laws such as the FTC Act, the Fair Credit Reporting Act, the Hi-Tech Act, and the Children’s Online Privacy Protection Act to take actions against Internet of Things products and services as necessary to protect consumers.
On January 12, President Obama announced new privacy initiatives to combat identity theft, enhance consumer security, and improve data privacy online and in the classroom. His main legislative proposals call for (i) a Personal Data Notification & Protection Act, which would specify the obligations that companies have when a consumer’s personal information has been exposed, establish a 30-day notification requirement following a company’s discovery of a data breach, and criminalize illicit overseas trade in identities; (ii) a Consumer Privacy Bill of Rights; and (iii) increased protections for data collected from students. The President called for Congressional support, saying privacy is not a partisan issue.
On December 16, the NIST announced the release of its new guidance on assessing the security and privacy safeguards for federal information systems and organizations. The updated guidance will be used by government IT security professionals to “assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks.” The new guidance complements the NIST’s Security and Privacy Controls for Federal Information Systems and Organizations catalogue.
On December 2, District Judge Paul Magnuson denied Target’s motion to dismiss the class action suit brought by banks in response to its 2013 data breach. In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (D. Minn., Dec. 2, 2014). The banks have alleged four claims against Target: (i) a general negligence claim that Target breached its duty to provide security and prevent the data breach; (ii) that Target violated Minnesota’s Plastic Security Card Act (PSCA) by retaining customer data which was subsequently stolen; (iii) that a violation of the PSCA is negligence per se; and (iv) a negligent misrepresentation by omission claim that Target made public statements regarding the strength of their data security system when they knew or should have known it was deficient. The first three were allowed to proceed and the last was dismissed with leave to amend the complaint for a failure to allege the requisite reliance upon Target’s assertion of its secure system. Notably, Judge Magnuson found that the PSCA applies to all transactions completed by a company operating in Minnesota, not just transactions occurring within the state.
On December 3, the Merchant and Financial Associations Cybersecurity Partnership (“Partnership”) submitted a letter to Congress requesting its consideration of adopting cybersecurity information sharing legislation. Created in February in response to high profile security breaches, the Partnership aims to protect retailers and financial institutions against cyber attacks. In its letter, the Partnership suggests that Congress adopt legislation that would “increase the current level of voluntary cybersecurity information sharing, while recognizing and responding to key privacy concerns.”
Delaware’s Fiduciary Access to Digital Assets and Digital Accounts Act (H.B. 345) makes Delaware the latest state to regulate access to “digital assets” after death. Unless the account-holder instructs otherwise, legally appointed fiduciaries will: (1) have the same access to digital assets as they have always had to tangible assets, and (2) the same duty to comply with the account-holder’s instructions. In short, the personal representative or guardian of a digital account-holder can access the emails, documents, audio, video, images, social media content, computer programs, software licenses, usernames and passwords created on the deceased’s digital devices or stored electronically. This access could be very helpful, or extremely problematic, depending on what the digital records reveal. Read more…
On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.
On October 20, the CFPB finalized its amendment to Regulation P, which requires that financial institutions meet specific consumer data-sharing requirements, including the delivery of annual privacy notices. Under the new rule, bank and nonbank institutions under the CFPB’s jurisdiction will now be allowed to post privacy notices online, rather than deliver an annual paper copy. Institutions that choose to post notices online must meet certain conditions, including (i) providing notice to consumers if the institution shares any data to third parties, in addition to providing an opportunity to opt out of such sharing; and, (ii) using the 2009 model disclosure form developed by federal regulatory agencies. The institutions that choose to rely on the new delivery method must (i) ensure that customers are aware of the notices posted online; (ii) provide paper copies within ten days of a customer’s request; and, (iii) make customers aware that the privacy notice(s) are available online—and that a paper copy will be provided at the customer’s request—by inserting a “clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure.” As outlined when the proposed rule was issued in May, the CFPB anticipates that the rule will: (i) provide consumers with constant access to privacy notices; (ii) limit the amount of an institution’s data sharing with third parties; (iii) educate consumers on the various types of privacy policies available to them; and, (iv) reduce the cost for companies to provide privacy notices.
On August 12, Delaware Governor Jack A. Markell signed the Digital Access and Digital Accounts Act, the first law in the nation to comprehensively govern access to a person’s digital assets, including social media and email accounts, after the person dies or becomes incapacitated. Under the new law, a Delaware resident’s digital assets will become part of his or her estate after death, and these assets will be accessible to heirs to the same extent as the deceased person’s physical, tangible assets. Digital assets are defined broadly to include data, texts, email, audio, video, images, sounds, social media and social networking content, health care and insurance records, computer codes and programs, software and software licenses, and databases, along with usernames and passwords. The law expressly does not apply to digital accounts of an employer regularly used by an employee in the usual course of business. The law requires any company that controls a person’s digital assets to give the legal fiduciary for the deceased’s estate the usernames, passwords, and any other information needed to gain access to the digital assets upon a valid written request. Any contrary provisions in service agreements or privacy policies that limit a fiduciary’s access to digital accounts are void, although the account owner can specify that the account should remain private after death. The law also grants the company controlling the digit assets immunity for complying with valid requests for account access. The new law takes effect January 1, 2015.
Nebraska Federal Court Refuses To Dismiss Suit Claiming Breach Of Contract, Violation of State Law for Unauthorized Credit Card Transactions Following Bank Data Breach
On August 20, the U.S. District Court for the District of Nebraska denied motions to dismiss filed by a Nebraska bank and two credit card processing companies in response to a purported class action filed by a merchant alleging that it suffered damages following a data breach at the defendants’ premises. Wines, Vines & Corks, LLC v. First Nat’l of Neb., Inc., No. 8:14CV82 (D. Neb. Aug. 20, 2014). According to the merchant’s complaint, the merchant maintained a credit card processing account with the defendants and, following the breach, had unauthorized credit card transactions processed and fees withdrawn from its account. The merchant alleged breach of contract, negligence, and violations of the Nebraska Consumer Protection Act and the Nebraska Uniform Deceptive Trade Practices Act based on the defendants’ failure to adequately secure and protect account information and refusal to refund the fees. In denying the motions to dismiss, the court determined that the merchant sufficiently pled the existence of a contract and resulting damages in support of its breach of contract claim, as well as a breach of the duty of due care in support of its negligence claim. Also, the court found that the merchant’s state law claims were adequately supported and determined that the defendants’ argument that the economic loss doctrine barred these claims was misplaced.
On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.