California Considers Data Breach Bill Imposing Significant New Obligations on Businesses
Who should be responsible for paying for the costs of data breaches?
Reacting to the recent high-profile security lapses at major retailers (click here to read our previous newsletter), California lawmakers are considering a bill that would shift the burden of dealing with a data breach—and the costs—off the shoulders of banks and card issuers.
Under the current framework, credit card companies and banks generally carry the initial burden of any financial losses resulting from a cyber attack or hack, such as replacing cards or providing credit monitoring services. But AB 1710 shifts responsibility to the businesses where the breach occurred—Target, for example.
“Financial institutions should not be taking the heat for a data breach that occurs at a retailer,” Assemblyman Roger Dickinson (D-Sacramento), chairman of the Assembly Banking and Finance Committee and coauthor of the bill, told the Los Angeles Times. Coauthor Assemblyman Bob Wieckowski (D-Fremont) chairs the Assembly Judiciary Committee.
Under their proposal, the source of the breach would be required to notify affected California residents within 15 days and “offer to provide appropriate identity theft prevention and mitigation services” at no cost for a two-year period. All associated costs would be shouldered by the business, such as paying for card replacements.
The proposed law also contains provisions intended to reduce the fallout if a breach should occur. Pursuant to the bill, businesses that accept credit or debit cards would be prohibited from “storing, retaining, sending, or failing to limit access to payment-related data” including the contents of a payment card’s magnetic stripe or the card verification code subsequent to an authorization. In addition, the sale of Social Security numbers would be banned.
Violations of AB 1710 could result in civil penalties of $500 per violation, or up to $3,000 for each willful, intentional or reckless violation.
While Dickinson and his co-sponsors are backed by privacy advocates and consumer groups including Privacy Rights Clearinghouse, retailers have already promised to fight the bill.
“It’ll be a fight, a tough fight,” Bill Dombrowski, president of the California Retailers Association, promised the Los Angeles Times.
The bill is currently being considered by the Assembly Judiciary Committee.
To read AB 1710, click here.
Why it matters: The legislation is music to the ears of banks and card issuers, who currently cover the costs when a data breach occurs. But the bill faces a serious challenge from the retail industry, with groups such as the California Retailers Association speaking out in opposition.
Add-on Products Cost Bank of America $772M
The Consumer Financial Protection Bureau (CFPB) ordered Bank of America and subsidiary FIA Card Services to pay a record-setting $727 million for deceptively marketing credit card add-on products the agency said were sometimes not even provided—plus an additional $20 million civil penalty.
Pursuant to its authority under the Dodd-Frank Wall Street Reform and Consumer Protection Act to take action against unfair, deceptive or abusive practices, the CFPB’s allegations fell into two categories: deceptive marketing and charges for services not provided.
Over a two-year period, Bank of America marketed its “Credit Protection Plus” and “Credit Protection Deluxe” as means to cancel some credit card debt for specified hardships or life events, such as disability or retirement.
But the agency said more than 1.4 million card members were misled about the enrollment process (some customers were signed up thinking they were simply agreeing to receive additional information), the coverage of the products (the bank led customers to believe that the first 30 days were free of charge) and the benefits of the products (like the need to submit a request and be approved; some customers believed the benefits were automatic).
The bank will pay $268 million to customers for the alleged misrepresentations.
Bank of America also charged customers for services that were not received, the agency said, such as fraud and identity theft credit monitoring services “Privacy Guard,” “Privacy Source” and “Privacy Assist.” Federal law requires that consumers provide authorization for banks to obtain consumer credit information, but the CFPB said Bank of America billed customers either before obtaining approval or without the necessary consent. And for some customers, the fraud and identity theft services were either only partially performed or not performed at all, the agency alleged.
For the almost two million accounts affected by the alleged illegal practices between October 2000 and September 2011, the bank will pay $459 million to customers.
In addition to the $727 million in consumer redress, Bank of America will pay a $20 million civil penalty to the CFPB. The bank has already halted the marketing of the add-on products and agreed to a prohibition from any marketing of such products until a compliance plan has been submitted to the agency.
The challenged billing practices are also prohibited under the consent order.
The enforcement action began with an investigation by the Office of the Comptroller of the Currency (OCC), and the CFPB jumped on board. Separately, the OCC ordered a $25 million civil penalty for Bank of America’s billing practices, which the regulator said was based on “a number of factors, including the scope and duration of the violation and financial harm to consumers from the unfair practices.”
To read the CFPB’s consent order, click here.
To read the OCC’s consent order, click here.
Why it matters: It is the largest settlement over credit card add-ons with federal regulators and marks the largest refund amount ordered by the CFPB. In light of the crackdown by regulators on credit card add-ons, many banks have elected to discontinue these products. Given this settlement, along with prior settlements arising out of CFPB enforcement actions against Capital One, Discover, JPMorgan Chase and American Express, it is likely we will see a continuation of this trend. “We have consistently warned companies about illegal practices related to credit card add-on products,” CFPB Director Richard Cordray said in a statement about the case. “Bank of America both deceived consumers and unfairly billed consumers for services not performed. We will not tolerate such practices and will continue to be vigilant in our pursuit of companies who wrong consumers in this market.”
Regulators Caution Financial Institutions About Cyber Attacks, Heartbleed Bug
In three statements, the Federal Financial Institutions Examination Council (FFIEC) cautioned financial institutions about data security threats, such as distributed denial-of-service (DDoS) attacks, cyber attacks targeting ATMs and recent security encryption vulnerabilities.
DDoS attacks targeting financial institutions have increased in number, sophistication and intensity in recent years, the FFIEC said. Often coupled with attempted fraud, the attacks present both operational and reputational risks.
All financial institutions have an obligation to address such attacks as part of their information security and incident response plans, the regulators said. Specifically, banks should be prepared to assess and prioritize possible risks to both online accounts and external websites, monitor Internet traffic to detect potential attacks, and launch a response plan in the event of an attack, complete with communication strategies with customers about the safety of their accounts.
The regulators suggested that precontracted third-party services might be appropriate for the duration of a DDoS attack and reminded financial institutions to consider sharing information about the attack with other organizations and law enforcement. In the wake of attacks, financial institutions should take stock of their plans and fill in any gaps.
In a second statement, the FFIEC warned financial institutions that ATMs are facing a new type of fraud resulting in large dollar losses. In this type of attack, dubbed “Unlimited Operations” by the U.S. Secret Service, hackers gain access to ATM web-based control panels used by small and medium-sized financial institutions and then alter the settings, allowing unlimited amounts of cash beyond control limits or customer balances.
The FFIEC members said they “expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.”
To meet regulatory expectations, the statement presented a multistep process beginning with ongoing information security risk assessments and the performance of security monitoring, prevention and risk mitigation, as well as protection against unauthorized access. Because an Unlimited Operations attack often begins with a phishing e-mail sent to bank employees, financial institutions should ensure that antivirus and firewall protections are up to date. Consider limiting the number of elevated privileges, updating all credentials and establishing authentication rules, the FFIEC advised.
Controls and incident response plans should be implemented and tested regularly, with reports to senior management or the board of directors, and employees should be trained in information security awareness, including guidance on how to identify and prevent phishing attempts. Financial institutions might also think about participating in industry information-sharing forums, the regulators added.
Just days later, after news reports detailed widespread problems related to the “Heartbleed” bug, the regulators issued a supplemental alert. Financial institutions that use OpenSSL to encrypt data in transit for websites, e-mail servers or other applications are vulnerable after the discovery of the Heartbleed coding error, leaving them open to a variety of cyber attacks.
Among other things, financial institutions are expected to (a) upgrade vulnerable systems as soon as possible to eliminate the possibility for attackers to decrypt, spoof or perform attacks on network communications, (b) verify that third-party vendors are taking appropriate mitigation steps to upgrade and patch all implicated systems and monitor the vendors’ efforts, and (c) conduct testing to ensure success.
In addition, “[f]inancial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch,” the FFIEC wrote.
Why it matters: Data security threats are a major concern for financial institutions and recent happenings—from the Heartbleed bug to data breaches to ATM cyber attacks—reinforce the importance of taking steps to prevent such threats and being prepared to react if and when they do occur.
Illinois AG Sues Online Payday Lenders, Lead Provider
Continuing the nationwide trend, the Illinois attorney general sued four online payday lenders and a lead provider, alleging that their practices violate the state’s Payday Loan Reform Act.
Regulators from around the country have focused their attention on payday lenders recently, from the California Department of Business Oversight (click here to read our previous newsletter) to the Justice Department to the Federal Trade Commission (click here to read our previous newsletter).
In a new suit, Illinois AG Lisa Madigan said BD PDL Services LLC, Mountain Top Services LLC, Red Leaf Ventures LLC and VIP PDL Services LLC charged rates in excess of those allowed by statute, which permits charges of up to $15.50 per $100 in loans. According to the complaint, the defendants charged nearly twice that, up to $30 per $100 loan.
The defendants also allowed borrowers to take out multiple loans at a time in contravention of the Payday Loan Reform Act (PLRA) and failed to provide required disclosures and written agreements as required by the law. Pursuant to the PLRA, all payday lenders are required to be registered in the state, but none of the defendants—all of which are based out of state and operate exclusively online—has a license.
A fifth suit targeted MoneyMutual LLC, a company endorsed by talk show host Montel Williams, that provides customer leads to lenders (pitching the company as “a trusted source to our 60 lenders” in TV ads). The AG said the PLRA’s broad definition of lender encompasses the lead generator as it includes “any person or entity…that…arranges a payday loan for a third party, or acts as an agent for a third party in making a payday loan.”
According to the complaint, the statute required MoneyMutual to obtain its own license and vet lenders before matching them with borrowers. By connecting borrowers with lenders not licensed in the state of Illinois that charge finance fees and percentage rates ranging between 200 and 1,400 percent, the company has also knowingly violated the statute since 2011, the AG claimed.
All the suits—which were filed after cease and desist orders issued by the Illinois Department of Financial and Professional Regulation were ignored—seek a halt to the allegedly illegal practices and an order to cancel current loan contracts between the defendants and Illinois customers and provide restitution. The complaints also request civil penalties under the PLRA as well as the Illinois Consumer Fraud and Deceptive Business Practice Act.
To read the complaint in Illinois v. MoneyMutual, click here.
To read the AG’s press release about the other suits, click here.
Why it matters: The complaint affirms the continuing focus by both state and federal regulators on payday lenders, with the Consumer Financial Protection Bureau set to issue new rules for the industry later this year. AG Madigan managed to reference a second hot-button issue in her suits, noting that MoneyMutual’s collection of personal information triggered data security concerns given the recent rash of hacks and cyber attacks. As part of the application process, MoneyMutual collects data such as Social Security numbers, address and employment records, and personal banking information, all of which it shares with third parties, she said.
Court Sides With FTC in Dispute Over Power to Regulate Data Security
In a closely watched dispute over the Federal Trade Commission’s (FTC) power to regulate data security, a New Jersey federal court judge agreed with the agency that it can pursue its case against the Wyndham Hotel chain for lax security.
Businesses across the country have followed Wyndham’s challenge to the FTC’s authority. U.S. District Judge Esther Salas’ decision confirms that the agency can use its powers under Section 5 of the Federal Trade Commission Act to bring actions alleging that defendants engaged in unfair practices by failing to live up to data security promises.
The battle began in June 2012, when the FTC filed a complaint against Wyndham (click here to read our previous newsletter) alleging that the company violated Section 5 by misrepresenting the security measures in its privacy policy and by failing to protect customer information. Three separate data breaches occurred as a result, the agency said.
Wyndham responded with a motion to dismiss (click here to read our previous newsletter) with three arguments: a direct challenge to the FTC’s authority to assert an unfairness claim in the data security context, an assertion that the agency violated fair notice principles by not first promulgating regulations before bringing such a claim and, finally, that the FTC’s allegations were not sufficiently pleaded.
In an opinion that emphasized the “rapidly evolving” digital age “in which maintaining privacy, is, perhaps, an ongoing struggle,” the court refused “to carve out a data security exception” to the FTC’s authority.
Wyndham pointed out that several statutes specifically grant data security authority with regard to particular areas—including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act—which implies that the FTC does not have general power to regulate data security, because those statutes would otherwise be superfluous. Pending legislation that would grant specific jurisdiction over data security to the agency further supported its argument, Wyndham told the court.
But Judge Salas disagreed, ruling that Congress granted the agency broad authority under Section 5 of the FTC Act and the subsequent data security legislation “seems to complement—not preclude—the FTC’s authority.” The identified statutes “each set forth different standards for injury in certain delineated circumstances, granting the FTC additional enforcement tools,” she wrote.
Comments made by various members of the FTC seeking additional regulatory powers in the data security ecosystem (such as a statement that “the Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their websites, or portions of their websites, not directed to children”) did not convince Judge Salas that the agency had explicitly disclaimed data security authority.
The court also rejected Wyndham’s argument that the agency needed to first promulgate regulations before bringing enforcement actions or companies would have no guidance as to what could be actionable in the data security context. Because the FTC needs flexibility to adjust its actions to a range of industries and constantly changing technology, the court said formally published rules are not required.
Agencies in other circumstances bring enforcement actions without guidance, Judge Salas noted, using the National Labor Relations Board and the Occupational Safety and Health Administration as examples.
“[T]he contour of an unfairness claim in the data security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases rising out of unprecedented situations,’” the court wrote. “Moreover, the court must consider the untenable consequence of accepting [Wyndham’s] proposal: the FTC would have to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.”
Accepting Wyndham’s position would otherwise lead “to the following incongruous result: [Wyndham] can explicitly represent to the public that it ‘safeguard[s]…personally identifiable information by using industry standard practices’ and makes ‘commercially reasonably efforts’ to make collection of data ‘consistent with all applicable laws and regulations’—but that, as a matter of law, the FTC cannot even file a complaint in federal court challenging such representations without first issuing regulations,” Judge Salas said.
The FTC’s complaint otherwise satisfied pleading requirements, the court determined, denying Wyndham’s motion to dismiss.
The court added that it was not rendering a decision on liability and “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
To read the opinion in FTC v. Wyndham Worldwide Corporation, click here.
Why it matters: Judge Salas’ decision upholding the FTC’s authority to regulate data security practices puts businesses on notice that their privacy policies and procedures are fair game for agency oversight. Some uncertainty does remain, however—as pointed out by Wyndham, without existing guidance from the FTC as to what constitutes unfair practices, companies must use their own judgment to avoid an agency action.