The Association of Corporate Counsel (ACC) Foundation has released The State of Cybersecurity Report (2018), underwritten by Ballard Spahr.  The report, subtitled “An In-House Perspective,” provides insights on corporate cybersecurity issues from more than 600 general counsel, chief legal officers, and other senior law department leaders at organizations worldwide.

The new report, which updates and builds on the 2015 edition that was also underwritten by Ballard Spahr, reflects the fact that companies experienced more breaches than ever in 2017—up 45% from 2016—as in-house counsel continue to increase the amount of attention—and money—spent on protecting sensitive online data.  It includes a self-assessment tool companies can use to assist their efforts.


In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers.  Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a direct reaction to Equifax’s data breach disclosure last summer.  Oregon, New York, Alabama, and Rhode Island have now joined the list of states considering new data breach legislation.  Such legislation has already been proposed in Arizona, Colorado, North Carolina, and South Dakota.

See our legal alert for an analysis of how the new bills could affect covered entities.

We are pleased to announce that Ballard Spahr has launched CyberAdviser, a new blog focused on the latest news and developments in privacy and cybersecurity law.  It will offer insights into the latest transactional, governance and compliance matters, investigations, civil and criminal litigation, regulatory and legislative developments, industry trends, emerging technologies, and other cyber issues.

CyberAdviser is produced by the members of Ballard’s Privacy and Data Security Group—a nationwide team of more than 50 attorneys who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.  Please visit the blog and subscribe to receive regular updates.

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  The FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017.  The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.

The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy.  One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies.  The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers.  Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”

This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation impacting consumer reporting agencies.  The new regulation was adopted on an emergency basis and went into immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach.

The regulation requires consumer reporting agencies to:

  • Identify dedicated points of contact for the Division of Consumer Protection to obtain information to assist New York consumers in the event of a data breach;
  • Respond within 10 days to information requests made on behalf of consumers by the Division of Consumer Protection;
  • File a form with the Division of Consumer Protection containing certain information, including all fees associated with the purchase or use of products and services marketed as identity theft protection products as well as a listing and description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and
  • In any advertisements or other promotional materials, disclose any and all fees associated with the purchase or use of proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.

The protections appear targeted to address alleged abuses by the consumer reporting industry following the recent Equifax data breach.  Cuomo also announced that the Division of Consumer Protection will be issuing a demand letter to Equifax for information to assess the damage and risk of identity theft to New York State consumers resulting from the data breach.

Cuomo did not address the status of previously announced proposed regulations of the consumer credit reporting agencies by the New York Department of Financial Services.

Among the more than 20 bills that the House Financial Services Committee is scheduled to mark up this Wednesday, October 11, is a bill to provide a “Madden fix” as well as several others relevant to consumer financial services providers.

These bills are the following:

  • H.R. 3299, “Protecting Consumers’ Access to Credit Act of 2017.”  In Madden, the Second Circuit ruled that a nonbank that purchases loans from a national bank could not charge the same rate of interest on the loan that Section 85 of the National Bank Act allows the national bank to charge.  The bill would add the following language to Section 85 of the National Bank Act: “A loan that is valid when made as to its maximum rate of interest in accordance with this section shall remain valid with respect to such rate regardless of whether the loan is subsequently sold, assigned, or otherwise transferred to a third party, and may be enforced by such third party notwithstanding any State law to the contrary.”
    This language is identical to language in a bill introduced in July 2017 by Democratic Senator Mark Warner as well as language in the Financial CHOICE Act and the Appropriations Bill that is also intended to override Madden.  Like those bills, H.R. 3299 would add the same language (with the word “section” changed to “subsection” when appropriate) to the provisions in the Home Owners’ Loan Act, the Federal Credit Union Act, and the Federal Deposit Insurance Act that provide rate exportation authority to, respectively, federal savings associations, federal credit unions, and state-chartered banks.  In the view of Isaac Boltansky of Compass Point, the bill is likely to be enacted in this Congress.
  • H.R. 2706, “Financial Institution Consumer Protection Act of 2017.”  This bill is intended to prevent a recurrence of “Operation Choke Point,” the federal enforcement initiative involving various agencies, including the DOJ, the FDIC, and the Fed.  Initiated in 2012, Operation Choke Point targeted banks serving online payday lenders and other companies that have raised regulatory or “reputational” concerns.  The bill includes provisions that (1) prohibit a federal banking agency from (i) requesting or ordering a depository institution to terminate a specific customer account or group of customer accounts, or (ii) attempting to otherwise restrict or discourage a depository institution from entering into or maintaining a banking relationship with a specific customer or group of customers, unless the agency has a material reason for doing so and such reason is not based solely on reputation risk, and (2) require a federal banking agency that requests or orders termination of a specific customer account or group of customer accounts to provide written notice to the institution and customer(s) that includes the agency’s justification for the termination.  (In August 2017, the DOJ sent a letter to the chairman of the House Judiciary Committee in which it confirmed the termination of Operation Choke Point.  Acting Comptroller Noreika, in remarks last month in which he also voiced support for “Madden fix” legislation, indicated that the OCC had denounced Operation Choke Point.)
  • H.R. 3072, “Bureau of Consumer Financial Protection Examination and Reporting Threshold Act of 2017.”  The bill would raise the asset threshold for banks subject to CFPB supervision from total assets of more than $10 billion to total assets of more than $50 billion.
  • H.R. 1116, “Taking Account of Institutions with Low Operation Risk Act of 2017.”  The bill includes a requirement that for any “regulatory action,” the CFPB and the federal banking agencies must consider the risk profile and business models of each type of institution or class of institutions that would be subject to the regulatory action and tailor the action in a manner that limits the regulatory compliance and other burdens based on the risk profile and business model of the institution or class of institutions involved.  The bill also includes a look-back provision that would require the agencies to apply the bill’s requirements to all regulations adopted within the last seven years and revise any such regulations accordingly within three years.  A “regulatory action” would be defined as “any proposed, interim, or final rule or regulation, guidance, or published interpretation.”
  • H.R. 2954, “Home Mortgage Disclosure Adjustment Act.”  The bill would amend the Home Mortgage Disclosure Act to create exemptions from HMDA’s data collection and disclosure requirements for depository institutions (1) with respect to closed-end mortgage loans, if the institution originated fewer than 1,000 such loans in each of the two preceding years, and (2) with respect to open-end lines of credit, if the institution originated fewer than 2,000 such lines of credit in each of the two preceding years.  (An amendment in the nature of a substitute would lower these thresholds to fewer than 500 closed-end mortgage loans and fewer than 500 open-end lines of credit.)
  • H.R. 1699, “Preserving Access to Manufactured Housing Act of 2017.”  The bill would amend the Truth in Lending Act and the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (SAFE Act) to generally exempt a retailer of manufactured housing from TILA’s “mortgage originator” definition and the SAFE Act’s “loan originator” definition.  It would also increase TILA’s “high-cost mortgage” triggers for manufactured housing financing.
  • H.R. 2396, “Privacy Notification Technical Clarification Act.”  This bill would amend the Gramm-Leach-Bliley Act’s requirements for providing an annual privacy notice.  (An amendment in the nature of a substitute is expected to be offered.)

The FTC has announced that it will host a workshop on December 12, 2017 in Washington, D.C. to examine consumer injury in the context of privacy and data security.

In the workshop, the FTC plans to examine questions about the injury consumers suffer when information about them is exposed or misused such as “how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries.”

The types of consumer harm that flow from data security and privacy breaches have significant implications both for government enforcement and private actions.  With regard to government enforcement actions, in remarks given in February 2017 soon after her appointment by President Trump as Acting FTC Chairman, Maureen Ohlhausen observed that a focus on consumer injury is important both in deciding what cases to bring and in determining what remedy to seek.  She stated that the FTC can best use its limited resources “by focusing on practices that are actually harming or likely to harm consumers” and used recent privacy and data security actions as examples of situations where the FTC “strayed from a focus on actual harm.”  She also criticized the FTC’s pursuit of disgorgement that was “disproportionate to any consumer harm” and stated that she intended to “work to ensure that our enforcement actions target behaviors causing concrete consumer harm, and that remedies are tied to consumer harm.”

With regard to private actions, the issue of what types of consumer injury will satisfy Article III standing under the U.S. Supreme Court’s Spokeo decision continues to be litigated.  In Spokeo, the Supreme Court held that a plaintiff alleging a violation of the Fair Credit Reporting Act does not have Article III standing to sue for statutory damages in federal court unless the plaintiff can show that he or she suffered “concrete,” “real” harm as a result of the violation.

In advance of the workshop, the FTC is seeking comment by October 27 on the issues to be covered by the workshop, including the following questions:

  • What are the qualitatively different types of injuries from privacy and data security incidents?  What are some real life examples of these types of informational injury to consumers and to businesses?
  • What frameworks might we use to assess these different injuries?  How do we quantify injuries?  How might frameworks treat past, current, and potential future outcomes in quantifying injury?  How might frameworks differ for different types of injury?
  • How do businesses evaluate the benefits, costs, and risks of collecting and using information in light of potential injuries?  How do they make tradeoffs? How do they assess the risks of different kinds of data breach?  What market and legal incentives do they face, and how do these incentives affect their decisions?
  • How do consumers perceive and evaluate the benefits, costs, and risks of sharing information in light of potential injuries?  What obstacles do they face in conducting such an evaluation?  How do they evaluate tradeoffs?

The Federal Trade Commission (“FTC”) released an updated version of its guidance on complying with the Children’s Online Privacy Protection Act (“COPPA”) on June 21, 2017. Companies that collect personal information from children under 13 years of age need to comply with COPPA. To help companies with COPPA compliance, the FTC’s guidance presents a six-step plan:

  • Step 1: Determine whether your company is a website or online service that collects personal information from kids under 13;
  • Step 2: Post a privacy policy that complies with COPPA;
  • Step 3: Notify parents directly before collecting personal information from their kids;
  • Step 4: Get parents’ verifiable consent before collecting personal information from their kids;
  • Step 5: Honor parents’ ongoing rights with respect to personal information collected from their kids; and
  • Step 6: Implement reasonable procedures to protect the security of kids’ personal information.

The updated guidance makes two important changes. First, the FTC clarifies that “website or online service” includes Internet of Things devices as well as connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.

Second, the updated guidance provides two additional methods by which businesses can obtain verifiable consent from parents to collect personal information from children:

  • Parents can answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
  • Parents can provide a picture of a driver’s license or other photo ID which is then compared to a second photo submitted by the parent using facial recognition technology.

Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.”  Pahl emphasized that the FTC is “the enforcement leader in the privacy and security arena” and that the FTC will continue to “focus the national conversation on keeping consumer privacy and data security front and center as new technologies emerge.”

Pahl’s blog posting supports recent statements by FTC Acting Chairman Maureen Ohlhausen, who recently testified before Congress that, “the FTC is committed to protecting consumer privacy and promoting data security in the private sector.”

Companies should not expect the FTC to reduce its enforcement activities relating to privacy and data security issues, but companies can expect the FTC to shift away from bringing cases based on novel legal theories.  Ohlhausen is committed to re-focusing the FTC’s efforts on “bread-and-butter” enforcement.  Ohlhausen has spoken openly in opposition to recent enforcement actions brought under the Obama Administration that were based on speculative injury or subjective types of harm rather than concrete consumer injury.

Companies should also expect further guidance from the FTC on its privacy and data security expectations, intended to reduce unnecessary regulatory burdens and give businesses additional transparency on how they can remain compliant and avoid engaging in unfair or deceptive acts or practices.  Under Ohlhausen’s leadership, companies should be watching closely for FTC guidance laying out what they should do to protect consumer privacy and ensure proper data security, rather than just waiting to find out what they should not do from FTC enforcement actions.

On September 15th, the FTC will hold a workshop to examine the testing and evaluation of disclosures that companies make to consumers about advertising claims, privacy practices, and other information.  The FTC’s workshop will explore how to test the effectiveness of these disclosures to ensure consumers notice them, understand them, and can use them in their decision-making.  Companies should incorporate the principles articulated during the workshop by federal regulators such as the FTC and the CFPB into the development of their own consumer disclosures, especially relating to e-commerce and mobile initiatives.

The “Putting Disclosures to the Test” workshop will explore ways to improve the evaluation and testing of consumer disclosures by industry, academics, and the FTC related to:

  • Disclosures in advertising designed to prevent ads from being deceptive;
  • Privacy-related disclosures, including privacy policies and other mechanisms to inform consumers that they are being tracked; and
  • Disclosures in specific industries designed to prevent deceptive claims.

Among the participants at the workshop will be Heidi Johnson, a research analyst from the CFPB Office of Research, who will present a case study entitled, “Disclosure Research in the Lab and Online.” The CFPB’s Decision Making and Behavioral Studies team is engaged in a strategic initiative to invest in research that explores the factors that influence a disclosure’s efficacy, how to use different methodologies to study disclosure, and the market effects of disclosure. Ms. Johnson’s work as a part of this team has included consumer research on overdraft and other financial products.