The CFPB has issued a final rule amending the provisions of Regulation P that implement the Gramm-Leach-Bliley Act (GLBA) annual privacy notice requirement.  The final rule is intended to reflect the GLBA amendments made by the Fixing America’s Surface Transportation Act that exempted financial institutions meeting certain conditions from the annual notice requirement.  The statutory exemption from the annual notice requirement became effective in December 2015.  The amendments to Regulation P made by the final rule will be effective 30 days from the final rule’s publication in the Federal Register.

The final rule provides that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution (1) shares nonpublic personal information (NPPI) with nonaffiliated third parties only under one of the GLBA exceptions that do not trigger a customer’s opt-out rights (§ 1016.13, § 1016.14, or § 1016.15); and (2) has not changed its policies and practices with regard to disclosing NPPI from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.  Financial institutions that choose to take advantage of the annual notice exemption must still provide any opt-out disclosures required under the Fair Credit Reporting Act (FCRA), which can generally be provided in the initial privacy notice.  In the Supplementary Information accompanying the final rule, the CFPB states that it does not interpret the second condition for using the annual notice exemption to include changes to a financial institution’s FCRA disclosures or changes to voluntary disclosures and opt-outs that are provided in the institution’s privacy notice.

The final rule includes timing requirements for providing annual privacy notices by a financial institution that no longer meets the conditions for the exemption.  The timing requirements vary depending on whether the change that causes the institution to no longer satisfy the conditions for the exemption also triggers a requirement under Regulation P to provide a revised privacy notice.  Under Regulation P, a financial institution must provide revised notices before it begins to share NPPI with a nonaffiliated third party if such sharing would be different from what the institution described in the initial privacy notice it delivered.

The final rule also removes the alternative delivery method for GLBA annual privacy notices that Regulation P (pursuant to a 2014 amendment) allowed financial institutions to use if they met certain conditions.  Since any financial institution that met the conditions for using the alternative delivery method would meet the conditions for the statutory exemption, the CFPB believes an institution with both options available to it would choose not to provide an annual privacy notice at all rather than provide it using the alternative delivery method.  However, the CFPB indicates in the Supplementary Information that financial institutions that qualify for the annual notice exemption can still, without affecting their eligibility for the exemption, choose to post privacy notices on their websites, provide privacy notices to consumers who request them, and notify consumers of the notices’ availability.


CFPB Acting Director Mick Mulvaney reportedly announced on Thursday that he was lifting the freeze on the CFPB’s collection of personally identifiable information (PII) from companies it supervises.  As we previously reported in December 2017, Mr. Mulvaney imposed a freeze on the CFPB’s collection of PII due to concerns about the CFPB’s data security systems.

The freeze was reportedly lifted through a memo to the staff of the CFPB, in which Mr. Mulvaney stated that “Out of an abundance of caution and a desire to protect Americans’ privacy, I placed a hold on the collection of personally identifiable information and other sensitive data.”  However, “after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift th[e] hold.”  The independent review concluded that “externally facing Bureau systems appear to be well-secured.”

The freeze had significantly impacted the CFPB’s supervisory program, prior to which companies being examined were able to submit information, including PII, to CFPB examiners by uploading it to the CFPB’s Extranet.  During the freeze, the CFPB halted use of the Extranet, and examination teams resorted to burdensome workarounds, such as requiring examination responses to be printed onto paper that could be shredded at the conclusion of the exam.  Notably, the freeze did not extend to the CFPB’s enforcement division, which continued to collect PII in connection with enforcement actions.

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country.

The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements.  As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

On Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET, Ballard Spahr attorneys will hold a webinar to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance.

For a discussion of the new law’s most notable provisions, see our legal alert.


The Association of Corporate Counsel (ACC) Foundation has released The State of Cybersecurity Report (2018), underwritten by Ballard Spahr.  The report, subtitled “An In-House Perspective,” provides insights on corporate cybersecurity issues from more than 600 general counsel, chief legal officers, and other senior law department leaders at organizations worldwide.

The new report, which updates and builds on the 2015 edition that was also underwritten by Ballard Spahr, reflects the fact that companies experienced more breaches than ever in 2017—up 45% from 2016—as in-house counsel continue to increase the amount of attention—and money—spent on protecting sensitive online data.  It includes a self-assessment tool companies can use to assist their efforts.


In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers.  Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a direct reaction to Equifax’s data breach disclosure last summer.  Oregon, New York, Alabama, and Rhode Island have now joined the list of states considering new data breach legislation.  Such legislation has already been proposed in Arizona, Colorado, North Carolina, and South Dakota.

See our legal alert for an analysis of how the new bills could affect covered entities.

We are pleased to announce that Ballard Spahr has launched CyberAdviser, a new blog focused on the latest news and developments in privacy and cybersecurity law.  It will offer insights into the latest transactional, governance and compliance matters, investigations, civil and criminal litigation, regulatory and legislative developments, industry trends, emerging technologies, and other cyber issues.

CyberAdviser is produced by the members of Ballard’s Privacy and Data Security Group—a nationwide team of more than 50 attorneys who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.  Please visit the blog and subscribe to receive regular updates.

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  The FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017.  The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.

The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy.  One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies.  The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers.  Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”

This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation impacting consumer reporting agencies.  The new regulation was adopted on an emergency basis and went into immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach.

The regulation requires consumer reporting agencies to:

  • Identify dedicated points of contact for the Division of Consumer Protection to obtain information to assist New York consumers in the event of a data breach;
  • Respond within 10 days to information requests made on behalf of consumers by the Division of Consumer Protection;
  • File a form with the Division of Consumer Protection containing certain information, including all fees associated with the purchase or use of products and services marketed as identity theft protection products as well as a listing and description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and
  • In any advertisements or other promotional materials, disclose any and all fees associated with the purchase or use of proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.

The protections appear targeted to address alleged abuses by the consumer reporting industry following the recent Equifax data breach.  Cuomo also announced that the Division of Consumer Protection will be issuing a demand letter to Equifax for information to assess the damage and risk of identity theft to New York State consumers resulting from the data breach.

Cuomo did not address the status of previously announced proposed regulations of the consumer credit reporting agencies by the New York Department of Financial Services.

Among the more than 20 bills that the House Financial Services Committee is scheduled to mark up this Wednesday, October 11, is a bill to provide a “Madden fix” as well as several others relevant to consumer financial services providers.

These bills are the following:

  • H.R. 3299, “Protecting Consumers’ Access to Credit Act of 2017.”  In Madden, the Second Circuit ruled that a nonbank that purchases loans from a national bank could not charge the same rate of interest on the loan that Section 85 of the National Bank Act allows the national bank to charge.  The bill would add the following language to Section 85 of the National Bank Act: “A loan that is valid when made as to its maximum rate of interest in accordance with this section shall remain valid with respect to such rate regardless of whether the loan is subsequently sold, assigned, or otherwise transferred to a third party, and may be enforced by such third party notwithstanding any State law to the contrary.”
    This language is identical to language in a bill introduced in July 2017 by Democratic Senator Mark Warner as well as language in the Financial CHOICE Act and the Appropriations Bill that is also intended to override Madden.  Like those bills, H.R. 3299 would add the same language (with the word “section” changed to “subsection” when appropriate) to the provisions in the Home Owners’ Loan Act, the Federal Credit Union Act, and the Federal Deposit Insurance Act that provide rate exportation authority to, respectively, federal savings associations, federal credit unions, and state-chartered banks.  In the view of Isaac Boltansky of Compass Point, the bill is likely to be enacted in this Congress.
  • H.R. 2706, “Financial Institution Consumer Protection Act of 2017.”  This bill is intended to prevent a recurrence of “Operation Chokepoint,” the federal enforcement initiative involving various agencies, including the DOJ, the FDIC, and the Fed.  Initiated in 2012, Operation Chokepoint targeted banks serving online payday lenders and other companies that have raised regulatory or “reputational” concerns.  The bill includes provisions that (1) prohibit a federal banking agency from (i) requesting or ordering a depository institution to terminate a specific customer account or group of customer accounts, or (ii) attempting to otherwise restrict or discourage a depository institution from entering into or maintaining a banking relationship with a specific customer or group of customers, unless the agency has a material reason for doing so and such reason is not based solely on reputation risk, and (2) require a federal banking agency that requests or orders termination of a specific customer account or group of customer accounts to provide written notice to the institution and customer(s) that includes the agency’s justification for the termination.  (In August 2017, the DOJ sent a letter to the chairman of the House Judiciary Committee in which it confirmed the termination of Operation Chokepoint.  Acting Comptroller Noreika, in remarks last month in which he also voiced support for “Madden fix” legislation, indicated that the OCC had denounced Operation Choke Point.)
  • H.R. 3072, “Bureau of Consumer Financial Protection Examination and Reporting Threshold Act of 2017.”  The bill would raise the asset threshold for banks subject to CFPB supervision from total assets of more than $10 billion to total assets of more than $50 billion.
  • H.R. 1116, “Taking Account of Institutions with Low Operation Risk Act of 2017.”  The bill includes a requirement that for any “regulatory action,” the CFPB, and federal banking agencies must consider the risk profile and business models of each type of institution or class of institutions that would be subject to the regulatory action and tailor the action in a manner that limits the regulatory compliance and other burdens based on the risk profile and business model of the institution or class of institutions involved.  The bill also includes a look-back provision that would require the agencies to apply the bill’s requirements to all regulations adopted within the last seven years and revise any regulations accordingly within 3 years.  A “regulatory action” would be defined as “any proposed, interim, or final rule or regulation, guidance, or published interpretation.”
  • H.R. 2954, “Home Mortgage Disclosure Adjustment Act.”  The bill would amend the Home Mortgage Disclosure Act to create exemptions from HMDA’s data collection and disclosure requirements for depository institutions (1) with respect to closed-end mortgage loans, if the institution originated fewer than 1,000 such loans in each of the two preceding years, and (2) with respect to open-end lines of credit, if the institution originated fewer than 2,000 such lines of credit in each of the two preceding years.  (An amendment in the nature of a substitute would lower these thresholds to fewer than 500 closed-end mortgage loans and fewer than 500 open-end lines of credit.)
  • H.R. 1699, “Preserving Access to Manufactured Housing Act of 2017.”  The bill would amend the Truth in Lending Act and the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (SAFE Act) to generally exempt a retailer of manufactured housing from TILA’s “mortgage originator” definition and the SAFE Act’s “loan originator” definition.  It would also increase TILA’s “high-cost mortgage” triggers for manufactured housing financing.
  • H.R. 2396, “Privacy Notification Technical Clarification Act.”  This bill would amend the Gramm-Leach-Bliley Act’s requirements for providing an annual privacy notice.  (An amendment in the nature of a substitute is expected to be offered.)

The FTC has announced that it will host a workshop on December 12, 2017 in Washington, D.C. to examine consumer injury in the context of privacy and data security.

In the workshop, the FTC plans to examine questions about the injury consumers suffer when information about them is exposed or misused such as “how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries.”

The types of consumer harm that flow from data security and privacy breaches have significant implications both for government enforcement and private actions.  With regard to government enforcement actions, in remarks given in February 2017 soon after her appointment by President Trump as Acting FTC Chairman, Maureen Ohlhausen observed that a focus on consumer injury is important both in deciding what cases to bring and in determining what remedy to seek.  She stated that the FTC can best use its limited resources “by focusing on practices that are actually harming or likely to harm consumers” and used recent privacy and data security actions as examples of situations where the FTC “strayed from a focus on actual harm.”  She also criticized the FTC’s pursuit of disgorgement that was “disproportionate to any consumer harm” and stated that she intended to “work to ensure that our enforcement actions target behaviors causing concrete consumer harm, and that remedies are tied to consumer harm.”

With regard to private actions, the issue of what types of consumer injury will satisfy Article III standing under the U.S. Supreme Court’s Spokeo decision continues to be litigated.  In Spokeo, the Supreme Court held that a plaintiff alleging a violation of the Fair Credit Reporting Act does not have Article III standing to sue for statutory damages in federal court unless the plaintiff can show that he or she suffered “concrete,” “real” harm as a result of the violation.

In advance of the workshop, the FTC is seeking comment by October 27 on the issues to be covered by the workshop, including the following questions:

  • What are the qualitatively different types of injuries from privacy and data security incidents?  What are some real life examples of these types of informational injury to consumers and to businesses?
  • What frameworks might we use to assess these different injuries?  How do we quantify injuries?  How might frameworks treat past, current, and potential future outcomes in quantifying injury?  How might frameworks differ for different types of injury?
  • How do businesses evaluate the benefits, costs, and risks of collecting and using information in light of potential injuries?  How do they make tradeoffs? How do they assess the risks of different kinds of data breach?  What market and legal incentives do they face, and how do these incentives affect their decisions?
  • How do consumers perceive and evaluate the benefits, costs, and risks of sharing information in light of potential injuries?  What obstacles do they face in conducting such an evaluation?  How do they evaluate tradeoffs?