Carmen Tracy

The Federal Trade Commission (FTC) announced this week that it is seeking comments on proposed amendments to the Privacy Rule and Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). These two rules set out the obligations of financial institutions to protect the privacy and security of the customer data in their control. While the proposed changes to the Privacy Rule are modest, the expansive list of specific cyber controls proposed for the Safeguards Rule is material and could establish a new de facto minimum security standard that affects many businesses, including those outside the Rule's coverage.

Privacy Rule

The Privacy Rule, which went into effect in 2000, requires a financial institution to inform customers about its information-sharing practices and to allow customers to opt out of having their information shared with certain third parties. The Dodd-Frank Act of 2010 transferred the majority of the FTC's rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau; only certain motor vehicle dealers remain subject to FTC rulemaking under the Privacy Rule. To reflect these changes, the proposed amendments would remove from the Rule the examples of financial institutions that are no longer subject to FTC rulemaking authority, and would clarify the annual privacy notice obligations of motor vehicle dealers.

Safeguards Rule

The Safeguards Rule, which went into effect in 2003, requires financial institutions to develop, implement, and maintain comprehensive information security programs to protect their customers' personal information. The current Safeguards Rule takes a process-based approach: it is flexible about how the program is implemented, so long as the program meaningfully addresses the core components and its safeguards address reasonably foreseeable internal and external risks to customer information.

The proposed amendments to the Safeguards Rule would still follow a process-based approach but add significantly more specific requirements that must be addressed as part of the company’s information security program. These include, for example:

  • Appointing a Chief Information Security Officer (CISO), i.e., a qualified individual responsible for overseeing, implementing, and enforcing the information security program. The CISO can be an employee, an affiliate, or a service provider, but if a service provider is used, additional requirements apply;
  • More specificity in what the required information security program’s risk assessments involve;
  • More specificity in what is required as part of a company’s access controls for their information systems;
  • Updating risk assessments and resulting safeguards concerning a company’s data and system identification and mapping;
  • Encrypting all customer information, both at rest and in transit over external networks, or implementing alternative compensating controls that are reviewed and approved by the company's CISO;
  • Adopting secure development practices for in-house developed applications that handle customer information;
  • Implementing multi-factor authentication for any individual with access to customer information or internal networks that contain customer information (unless the CISO approves a compensating control);
  • Including audit trails that detect and respond to security events;
  • Implementing change management procedures;
  • Implementing safeguards that both monitor authorized activity and detect unauthorized activity involving customer information;
  • Regularly testing the effectiveness of the information security program's key controls, systems, and procedures, either through continuous monitoring or through annual penetration testing combined with vulnerability assessments at least every six months;
  • Establishing a written incident response plan that states the plan's goals; outlines the internal processes for responding to a security event; defines clear roles, responsibilities, and levels of decision-making authority; identifies external and internal communications and information sharing; identifies requirements for remediating identified weaknesses in information systems and controls; addresses the documentation and reporting of security events and related incident response activities; and provides for the evaluation and revision of the plan, as needed, following a security event;
  • Requiring the CISO to at least annually report to the board of directors or equivalent governing body on the status of the information security program, the company’s compliance with the Safeguards Rule, and material matters related to the information security program.

The proposed modifications would exempt small businesses (financial institutions that maintain customer information concerning fewer than five thousand consumers) from some of the Safeguards Rule's requirements.

In addition, the proposed modifications would expand the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities (e.g., “finders” that bring together buyers and sellers of a product or service), and incorporate the definition of this term directly in the Safeguards Rule, instead of by reference based on the Privacy Rule.

Two Republican-appointed Commissioners, Noah Phillips and Christine Wilson, dissented from the proposed amendments, noting that it may not be appropriate to mandate such prescriptive standards for all market participants. They maintained that issuing guidance for companies would be a better approach than one-size-fits-all amendments that every covered company would have to follow. The Commissioners also argued that the proposed amendments are modeled on the New York State Department of Financial Services cybersecurity regulations, which are too new for the FTC to evaluate for impact or efficacy. They further expressed concern about the rigidity the new requirements would impose on what is now a flexible approach, and about whether the amendments would put the Commission in the place of a company's own governance in deciding the level of board engagement, hiring and training, and accountability design, among other controls.

***

While the proposed amendments are limited to financial institutions subject to the GLBA Privacy Rule and Safeguards Rule, if adopted, the specificity of the proposed cyber controls is likely to flow into the contract terms that financial institutions impose on their partners and service providers, and to serve as a potential model for other industries. If adopted, these would be the most explicit cyber regulations in the United States to date. At the same time, it is notable that the agency declined to adopt a safe harbor based on a showing of compliance with an industry standard, such as the NIST Cybersecurity Framework or PCI DSS. In other words, the proposed changes suggest a potential new minimum standard for enterprise security programs that warrants close consideration. Given the influential role the Safeguards Rule has played in shaping information security programs outside the financial sector, these proposed requirements may well become the de facto industry standard if history is a guide.

The deadline to submit written comments will be 60 days after the notice is published in the Federal Register. We will continue to monitor these developments.


On January 14, the Plaintiffs in the consolidated case of Veera v. Banana Republic, LLC, et al., moved for preliminary approval of a class action settlement, after Plaintiffs Veera and Etman successfully argued that "frustration" and "embarrassment" over unclear discounts are sufficient to satisfy the injury requirement.

According to separate lawsuits filed against Banana Republic and The Gap, the companies displayed in-store signs promoting a class of merchandise for sale at a stated price (e.g., 40% off sweaters) or subject to a stated discount (e.g., “40% off your purchase”) without clearly and conspicuously identifying the items that were excluded from the offer. The lawsuits alleged that these signs were either not accompanied by any disclosure of limitations, or were accompanied by a disclosure so small and closely colored to the sign background as to not be noticeable.

In an action under California’s Unfair Competition Law (UCL), False Advertising Law (FAL), and Consumers Legal Remedies Act (CLRA), Plaintiffs claimed that, in reliance on the signs, they selected various items for purchase at the advertised discount, and out of frustration and embarrassment, ultimately bought some of the items, even after learning that the discount did not apply.

Although the trial court granted summary judgment in favor of the retailers, the California Court of Appeal concluded that Plaintiffs had adequately alleged injury. "Injury in fact is not a substantial or insurmountable hurdle," the Court noted. "Rather, it suffices to allege some specific, identifiable trifle of injury." The Court accepted Plaintiffs' claim that, but for the allegedly misleading signs, they would not have made the clothing purchases (even after learning of the non-discounted price at the register).

The parties agreed on the proposed settlement hours before the class certification hearing. Under its key terms, The Gap will provide certain customers who purchased items from The Gap or Banana Republic stores in California with a one-time coupon for 30% off the regular price of up to four items at a Banana Republic or The Gap store, for use on a future purchase. The named Plaintiffs will each receive $8,000 under the proposed settlement. The Gap will also pay $1 million in fees and costs, plus all costs of administering the settlement.

A hearing on the motion for preliminary approval of the settlement is set for March 1.

This proposed settlement is a reminder of the importance of clearly and conspicuously disclosing the limitations of any offer, including the terms of a sale. We will watch whether the California Court of Appeal continues to allow cases to proceed where Plaintiffs claim little or no injury beyond "embarrassment."

On January 10, 2019, Massachusetts Governor Charlie Baker signed into law the Massachusetts Data Breach Notification Act, which amends the state's data breach reporting laws. The new law, available here, changes the timing and content of individual and regulator breach notifications, and requires credit monitoring services when Social Security numbers may have been compromised.

Key updates to the state’s data breach notification laws include the following:

  • Free Credit Monitoring: Following a breach involving Social Security numbers, entities must "contract with a third party to provide" credit monitoring services to affected Massachusetts residents at no cost for at least 18 months (42 months if the company is a consumer reporting agency), and must provide consumers with instructions on how to enroll in those services.
  • No Mandatory Arbitration Clauses: Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.
  • Additional Required Information for the Breach Notice: The notice to consumers, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation already required under current Massachusetts law must now also include additional information, such as the name and address of the person that experienced the breach of security, the person responsible for the breach (if known), and the type of personal information compromised. Entities must also submit to regulators a sample of the notification letter sent to consumers, which will be posted online.
  • Notice Timing: An entity may not delay notice to affected individuals on the grounds that it has not determined the total number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • Disclosure of Parent/Affiliate Company: If the company experiencing a breach is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”

Under Massachusetts data security regulations (201 CMR § 17.03), any entity that owns or licenses personal information about a Massachusetts resident is currently obligated to develop, implement, and maintain a comprehensive written information security program that incorporates the prescriptive requirements contained in the regulation.

The Massachusetts Data Breach Notification Act takes effect on April 11, 2019. This is a good opportunity for businesses to update their breach notification policies and procedures to ensure compliance with all state requirements. We will continue to track updates to state breach notification statutes and post about them on this blog.

Forty-three State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states' investigation into the company's 2013 data breach and its security practices. Over a three-month period in 2013, a breach at the Dallas-based retailer exposed customer payment card data at 77 Neiman Marcus stores nationwide. The breach, discovered in 2014, resulted in access to over 370,000 Neiman Marcus customer credit cards, at least 9,200 of which the states alleged were used fraudulently.

In addition to a monetary payment of $1.5 million, Neiman Marcus has agreed to a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies such as encryption and tokenization, so that stored or transmitted card data is of little use to an attacker.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), underscoring the interest of State Attorneys General in companies' data security programs and in the steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA). The forums will take place during January and February 2019 and will give the public an initial opportunity to comment on the requirements of the CCPA and on the regulations the Attorney General must adopt on or before July 1, 2020.

The CCPA was passed in June 2018 and gives California residents specific privacy rights with respect to their personal information. Starting January 1, 2020, businesses will be required to comply with a number of provisions, including requirements to disclose their data collection and sharing practices to consumers, to honor consumers' requests to delete their data, to allow consumers to opt out of the sale of their personal information, and a prohibition on selling the personal information of consumers under the age of 16 without explicit consent.

The CCPA requires the Attorney General to “solicit broad public participation” and adopt regulations regarding issues such as the definition of personal information, considering changes in technology and data collection practices, procedures for how a consumer can submit a request to opt out of the sale of his or her personal information, and procedures for businesses to determine whether a consumer’s request for information is verifiable.

The Attorney General's announcement is particularly important because CCPA enforcement will not begin until six months after these regulations are promulgated, or July 1, 2020, whichever is sooner. The public forums indicate that Attorney General Becerra's office is moving ahead with the rulemaking, meaning CCPA enforcement may come sooner rather than later.

These hearings will serve as the first public forum in which businesses and members of the public can voice their thoughts or concerns about the required regulations. Members of the public who would like to speak at the forums can, but are not required to, register online. Comments may also be submitted via mail or email. A full schedule of the forums can be found here.

Kelley Drye is happy to assist if your business is considering whether to submit comments concerning the CCPA regulations or enforcement.  These forums present a critical opportunity for any stakeholder interested in California privacy law and enforcement to have their voices heard.  For more information on the CCPA and how it may affect your business, please visit our past blog posts here and here.

Last week, Gonzalo wrote about the letter Truth in Advertising sent to the FTC urging the Commission to investigate Diageo's use of influencers to market Ciroc vodka on Instagram. We also learned last week that the Humane Society sent a similar letter to the FTC requesting that the Commission open an investigation of Pilgrim's Pride over its treatment of chickens. These complaints got us thinking: how often do third parties succeed in prompting regulatory activity?

Of course, without knowing the facts, it is impossible to say whether these particular allegations have merit. We do know, however, that many similar complaints have been filed asking the FTC to look into a company's practices. On the subject of animal welfare, for example, we have seen complaints alleging deceptive advertising by puppy sellers and pork producers. Similar claims have been filed by PETA (example here) and Mercy for Animals (example here). These complaints have not usually led to litigation or negotiated consent orders.

That is not to say that these complaints do not result in some action. For example, last year, after four consumer groups urged the FTC to investigate and bring enforcement actions regarding the use of influencers on Instagram, the FTC sent more than 90 letters to companies and influencers, reminding the recipients of their legal obligations. And in 2016, after HSUS urged the FTC to take action against companies claiming “faux fur” (example here), the FTC released a blog post warning consumers about the risks (details here).

Even without FTC action, complaints themselves may have an effect on the company involved. As another example, in 2013, Tyson Foods announced a commitment to the humane treatment of animals and formed an independent advisory panel to help them pursue this mission after the Humane Society and the Animal Legal Defense Fund both filed FTC complaints against them. Full story here.

In the area of dietary supplement advertising, the FTC has maintained a strong interest in cracking down on false health claims, and it has taken action when urged to do so by third parties. CSPI filed a complaint asking the FTC and FDA to take action against dietary supplements marketed as opioid withdrawal aids, and the agencies pursued the matter (here).

So, while third-party complaints do not always (or even usually) lead to formal enforcement action, they do often result in some action.