The FTC has proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, applicable to financial institutions under the Gramm Leach Bliley Act (GLBA).  The proposed changes are informed by the FTC’s enforcement experience and are intended to keep pace with technological developments.

The Safeguards Rule requires financial institutions to have a comprehensive information security program.  The proposed rule amendment will more clearly define the requirements for such information security programs.  Some of the proposed changes to the Safeguards Rule include:

  • encryption of all consumer data;
  • implementing access controls to prevent unauthorized users from accessing consumer information;
  • implementing multifactor authentication to access consumer data; and
  • requiring periodic reports to be submitted to the boards of directors to ensure compliance.

The proposed amendments to the Safeguards Rule will better align the rule with prevailing cybersecurity standards, such as the NY DFS cybersecurity regulations and the NIST framework.  The amendments are also designed to ensure that non-bank financial technology entities (fintechs) are subject to cybersecurity standards similar to those that banks are subject to under the FFIEC interagency guidelines.

Further, the Commission proposes to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to include companies engaged in activities “incidental to financial activities.”  The expansion includes “finders” or those who charge a fee to connect consumers looking for a loan to a lender.

While the proposed changes to the Safeguards Rule and Privacy Rule will provide more clarity for certain GLBA covered entities regarding the contours of their information security programs, the proposed expansion of the definition of financial institution may not be greeted with open arms by the companies not currently covered by the Safeguards Rule and the Privacy Rule.

New proposed legislation in California, backed by state Attorney General (“AG”) Xavier Becerra, would amend the new California Consumer Privacy Act (“CCPA”) to make it easier for private plaintiffs and public officials to sue for violations while further increasing regulatory uncertainty and compliance costs for businesses. Specifically, SB 561 would expand the CCPA’s private right of action, remove the Act’s public enforcement “cure” provision, and eliminate the ability of affected companies to seek compliance guidance from the AG.

The CCPA is a sweeping new privacy law which goes into effect in January 2020. It gives California residents substantial control over personal data held by certain California businesses, requiring disclosure of what personal information the business collects, how that information is used or sold, and allowing consumers to control or delete that information upon request. It currently allows private plaintiffs to seek statutory damages of up to $750 per violation for certain violations, and it allows the AG to seek civil penalties of up to $2,500 for most violations, and up to $7,500 for violations found to be intentional.

SB 561 would make three key changes to the Act:

  • Expanding the private right of action—As written, the Act appears to provide a private right of action only when a consumer’s personal information was subject to an avoidable data breach. However, some speculated that allegedly ambiguous language in the statute could support a private right of action for any violation. SB 561 would resolve this ambiguity by expressly providing a broad private right of action to any consumer “whose rights under this title are violated.”
  • Removal of the public enforcement cure period—Currently, the Act provides that the AG may only bring an action after a business fails to cure an alleged violation within thirty days after being notified of alleged noncompliance. SB 561 removes this notification requirement, allowing the AG to bring enforcement actions immediately.
  • Elimination of AG compliance opinions—As of now, the Act provides a mechanism to seek a legal opinion from the Attorney General about compliance with the Act. SB 561 does away with this right, and instead provides that the AG may publish materials giving businesses and others general guidance on how to comply with the Act.

In announcing his support of SB 561, Attorney General Becerra said that the amendments are needed to eliminate the requirement that his office provide compliance advice to businesses “at taxpayers’ expense,” and to nullify a “free pass” for businesses to cure violations before enforcement could occur. This statement suggests that the AG is likely to be active in enforcing the CCPA once it goes into effect next year.

Businesses should continue to monitor legislative activity and rulemaking concerning the CCPA, as further amendments and the final implementing regulations are likely forthcoming soon. Given the approaching effective date and the possibility that it will not be extended by further amendments or the implementing regulations, there may not be a great deal of time in which to comply with revised requirements.

On March 20, 2019, from 12 p.m. to 1 p.m. ET, Ballard Spahr attorneys will hold a webinar, “The California Consumer Privacy Act: What Comes Next?” The webinar registration form is available here.

Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will need to analyze the CCPA’s requirements and how they apply to a specific business.

The original carve-out language provided that:

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.”

As we have previously discussed, that language raised a number of issues, such as what would constitute a “conflict” between the GLBA and the CCPA, and whether the language was even consistent with the GLBA insofar as personal information is not collected, processed, sold, or disclosed pursuant to the GLBA. The provision also failed to address the relationship between the CCPA and California’s Financial Information Privacy Act.

The new language tries to resolve some of those issues, stating:

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act … . This subdivision shall not apply to Section 1798.150.”

The new language removes the phrase “if it is in conflict with that law,” incorporates the California Financial Information Privacy Act, and adds a sentence providing that financial institutions are still subject to Section 1798.150. The preamble explains those changes as follows:

“The bill would also prohibit application of the act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies, among others, and would also except application of the act to that information pursuant to the California Financial Information Privacy Act.”

While the revised language is no doubt welcomed by GLBA-regulated entities, it should not be interpreted as a full exemption. Rather, GLBA entities will remain subject to the provisions and requirements of the CCPA if they engage in activities falling outside of the GLBA—which they almost certainly do.

By way of explanation, the GLBA regulates financial institutions’ management of nonpublic personal information, which is defined in 15 U.S.C. § 6809 as personally identifiable financial information: 1) provided by a consumer to a financial institution; 2) resulting from any transaction with the consumer or any service performed for the consumer; or 3) otherwise obtained by the financial institution.

The CCPA defines “personal information” much more broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA identifies numerous examples such as online identifiers, Internet Protocol addresses, email addresses, browsing history, search history, geolocation data, and information regarding a consumer’s interaction with a website or online application or advertisement. Notably, the CCPA’s definition also includes any “inferences drawn” from any personal information that is used “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Therefore, to the extent that GLBA-regulated entities are using targeted online advertising, tracking web page visitors, and/or collecting geolocation data—to name a few examples—either through their web pages or apps, they will need to analyze the CCPA’s requirements.

As for the new statutory language providing that “[t]his subdivision shall not apply to Section 1798.150,” the impact of that sentence cannot be overstated.

Section 1798.150 sets forth a private right of action for consumers to seek statutory damages of not less than $100 and not greater than $750 “per consumer per incident or actual damages, whichever is greater” if the consumer’s information “is subject to an unauthorized access, exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” In other words, GLBA-regulated entities will still be subject to millions of dollars of potential damages if they experience a data breach.

California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a “reasonable security feature” if the preprogrammed password is either unique to each device or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The law defines “authentication” as “a method of verifying the authority of a user, process, or device to access resources in an information system.” It defines “connected device” as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” “Manufacturer” is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”
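The two statutory options for an out-of-network authentication feature (a preprogrammed password unique to each device, or a device that forces the user to set a new credential before first access) are easier to reason about in code. The following is an added example written for this page, not code from the original post or from any manufacturer; the device records, default password, and the `provision`, `login`, and `meets_deeming_provision` names are all constructed for illustration, and the third, non-compliant configuration (a shared factory password with no forced change) is included only to show what the deeming provision is meant to rule out.

```python
"""Model of the IoT law's 'reasonable security feature' deeming provision.

Added example (not from the original post). Devices, passwords and
serial numbers below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

SHARED_FACTORY_PASSWORD = "admin"  # constructed: the kind of default the law targets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored credential is not the plaintext default.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Device:
    serial: str
    salt: bytes
    pw_hash: bytes
    unique_default: bool        # option 1: preprogrammed password unique per device
    force_change_first: bool    # option 2: new credential required before first access
    credential_changed: bool = False

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def login(self, password: str, new_password: Optional[str] = None) -> str:
        """Return 'denied', 'must-change-credential', or 'granted'."""
        if not self.verify(password):
            return "denied"
        if self.force_change_first and not self.credential_changed:
            # First access: refuse until the user supplies a genuinely new credential.
            if not new_password or new_password == password:
                return "must-change-credential"
            self.salt = secrets.token_bytes(16)
            self.pw_hash = _hash(new_password, self.salt)
            self.credential_changed = True
        return "granted"


def provision(serial: str, unique_default: bool,
              force_change_first: bool) -> Tuple[Device, str]:
    """Factory step: returns the device and the default password printed on its label."""
    salt = secrets.token_bytes(16)
    default_pw = secrets.token_urlsafe(12) if unique_default else SHARED_FACTORY_PASSWORD
    dev = Device(serial, salt, _hash(default_pw, salt), unique_default, force_change_first)
    return dev, default_pw


def meets_deeming_provision(device: Device) -> bool:
    """True if either statutory option is present for out-of-network authentication."""
    return device.unique_default or device.force_change_first


if __name__ == "__main__":
    legacy, pw = provision("SN-0001", unique_default=False, force_change_first=False)
    print("legacy device compliant:", meets_deeming_provision(legacy))   # False
    print("legacy login with shared default:", legacy.login(pw))         # granted

    forced, pw = provision("SN-0002", unique_default=False, force_change_first=True)
    print("forced-change compliant:", meets_deeming_provision(forced))   # True
    print("first access, no new credential:", forced.login(pw))          # must-change-credential
    print("first access, new credential:", forced.login(pw, "s3cret-new"))  # granted
    print("old default afterwards:", forced.login(pw))                   # denied
```

The `force_change_first` path is the one most relevant to fleet owners: the old default stops working the moment the new credential is set, so a device that has been through first-boot setup no longer answers to anything printed on its label.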

Notably, the law exempts certain activities from its requirements. For example, it does not impose a “duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.” It also does not apply “to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” And the law exempts HIPAA covered entities and business associates to the extent the activity in question is covered by that act.

Importantly, the law states that it does not create a private right of action and vests enforcement authority solely with the California Attorney General’s Office, a city attorney, a county counsel, or a district attorney.

California law also already requires businesses to notify affected individuals if the business experiences a data breach and allows for a private right of action. The newly enacted California Consumer Privacy Act of 2018 also provides for not only a private right of action for certain data breaches, but also for statutory damages of between $100 and $750 per consumer per incident. Therefore, the new law fits into a broader statutory landscape that IoT manufacturers should be aware of and should take steps to mitigate the risk of litigation. That is particularly true given that plaintiffs’ lawyers have publicly stated that they are preparing for an onslaught of IoT-related litigation.

The Senate Floor Analysis explained that the law is necessary because many IoT devices “collect a vast amount of personal and intimate information” which, if not properly secured, can be vulnerable to breaches. Further, many IoT devices “can be directly hacked into, allowing strangers to conduct surreptitious surveillance on homes or to communicate through devices directly.”

The law was enacted contemporaneously in both the California Senate and Assembly. It takes effect on January 1, 2020.

The CFPB has issued a final rule amending the provisions of Regulation P that implement the Gramm-Leach-Bliley Act (GLBA) annual privacy notice requirement.  The final rule is intended to reflect the GLBA amendments made by the Fixing America’s Surface Transportation Act that exempted financial institutions meeting certain conditions from the annual notice requirement.  The statutory exemption from the annual notice requirement became effective in December 2015.  The amendments to Regulation P made by the final rule will be effective 30 days from the final rule’s publication in the Federal Register.

The final rule provides that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution (1) shares nonpublic personal information (NPPI) with nonaffiliated third parties only under one of the GLBA exceptions that do not trigger a customer’s opt-out rights (§ 1016.13, § 1016.14, or § 1016.15); and (2) has not changed its policies and practices with regard to disclosing NPPI from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.  Financial institutions that choose to take advantage of the annual notice exemption must still provide any opt-out disclosures required under the Fair Credit Reporting Act (FCRA), which can generally be provided in the initial privacy notice.  In the Supplementary Information accompanying the final rule, the CFPB states that it does not interpret the second condition for using the annual notice exemption to include changes to a financial institution’s FCRA disclosures or changes to voluntary disclosures and opt-outs that are provided in the institution’s privacy notice.

The final rule includes timing requirements for providing annual privacy notices by a financial institution that no longer meets the conditions for the exemption.  The timing requirements vary depending on whether the change that causes the institution to no longer satisfy the conditions for the exemption also triggers a requirement under Regulation P to provide a revised privacy notice.  Under Regulation P, a financial institution must provide revised notices before it begins to share NPPI with a nonaffiliated third party if such sharing would be different from what the institution described in the initial privacy notice it delivered.

The final rule also removes the alternative delivery method for GLBA annual privacy notices that Regulation P (pursuant to a 2014 amendment) allowed financial institutions to use if they met certain conditions.  Since any financial institution that met the conditions for using the alternative delivery method would meet the conditions for the statutory exemption, the CFPB believes an institution with both options available to it would choose not to provide an annual privacy notice at all rather than provide it using the alternative delivery method.  However, the CFPB indicates in the Supplementary Information that financial institutions that qualify for the annual notice exemption can still, without affecting their eligibility for the exemption, choose to post privacy notices on their websites, provide privacy notices to consumers who request them, and notify consumers of the notices’ availability.


CFPB Acting Director Mick Mulvaney reportedly announced on Thursday that he was lifting the freeze on the CFPB’s collection of personally identifiable information (PII) from companies it supervises.  As we previously reported in December 2017, Mr. Mulvaney imposed a freeze on the CFPB’s collection of PII due to concerns about the CFPB’s data security systems.

The freeze was reportedly lifted through a memo to the staff of the CFPB, in which Mr. Mulvaney stated that “Out of an abundance of caution and a desire to protect Americans’ privacy, I placed a hold on the collection of personally identifiable information and other sensitive data.”  However, “after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift th[e] hold.”  The independent review concluded that “externally facing Bureau systems appear to be well-secured.”

The freeze had significantly impacted the CFPB’s supervisory program, prior to which companies being examined were able to submit information, including PII, to CFPB examiners by uploading it to the CFPB’s Extranet.  During the freeze, the CFPB halted use of the Extranet, and examination teams resorted to burdensome workarounds, such as requiring examination responses to be printed onto paper that could be shredded at the conclusion of the exam.  Notably, the freeze did not extend to the CFPB’s enforcement division, which continued to collect PII in connection with enforcement actions.

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country.

The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements.  As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

On Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET, Ballard Spahr attorneys will hold a webinar to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance.  Click here to register.

For a discussion of the new law’s most notable provisions, see our legal alert.


The Association of Corporate Counsel (ACC) Foundation has released The State of Cybersecurity Report (2018), underwritten by Ballard Spahr.  The report, subtitled “An In-House Perspective,” provides insights on corporate cybersecurity issues from more than 600 general counsel, chief legal officers, and other senior law department leaders at organizations worldwide.

The new report, which updates and builds on the 2015 edition that was also underwritten by Ballard Spahr, reflects the fact that companies experienced more breaches than ever in 2017—up 45% from 2016—as in-house counsel continue to increase the amount of attention—and money—spent on protecting sensitive online data.  It includes a self-assessment tool companies can use to assist their efforts.

For more about the report, click here.

In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers.  Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a direct reaction to Equifax’s data breach disclosure last summer.  Oregon, New York, Alabama, and Rhode Island have now joined the list of states considering new data breach legislation.  Such legislation has already been proposed in Arizona, Colorado, North Carolina, and South Dakota.

See our legal alert for an analysis of how the new bills could affect covered entities.

We are pleased to announce that Ballard Spahr has launched CyberAdviser, a new blog focused on the latest news and developments in privacy and cybersecurity law.  It will offer insights into the latest transactional, governance and compliance matters, investigations, civil and criminal litigation, regulatory and legislative developments, industry trends, emerging technologies, and other cyber issues.

CyberAdviser is produced by the members of Ballard’s Privacy and Data Security Group—a nationwide team of more than 50 attorneys who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.  Please visit the blog and subscribe to receive regular updates.