Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

Potential Changes to the CCPA; California Senate Considers Amendments

On April 30, we detailed several proposed amendments to the California Consumer Privacy Act (the “CCPA”) that were advancing in the State Assembly (see our previous blog post here). Since then, a number of the proposed amendments passed the Assembly and moved to the California Senate, where they remain under consideration.

This past week the Judiciary Committee considered a number of the bills and proposed several key amendments. These amendments are discussed below.

• AB 25. The original version of this bill excluded employees, contractors and job applicants from the definition of “consumer” provided that personal information about those categories of persons was used only for limited purposes. The bill has now been amended to provide that employees, contractors and applicants are still consumers, but that certain personal information relating to them will not be subject to the statute as long as used only for purposes relating to their status as employees, contractors or applicants to the business in question. The bill has also been amended to require delivery of privacy notices to employees, contractors and job applicants which identify personal information collected concerning those individuals and the purposes of the collection. As with the version that passed the Assembly, the private right of action and statutory damages established by the CCPA for certain security incidents will continue to apply.

Most notably, the amendment is proposed to be operative only through 2020. The intent is to provide incentive to the legislature to draft and approve a law on employee privacy. But if a new employee privacy law is not approved, then personal information about employees will be subject to the full CCPA as of January 1, 2021.

• AB 846. The amendment seeks to clarify the treatment of consumers in retail loyalty programs under the CCPA. The bill previously stated that offering “a different price, rate, level, or quality of goods or services” under a retail loyalty program was permissible if (1) a consumer volunteered for the program or (2) the offering was for a specific good or service whose functionality was directly related to the collection, use or sale of the consumer’s data. The bill has been amended to only permit differential offerings under a retail loyalty program when a consumer volunteers for the program. However, a business is prohibited from offering a program that is “unjust, unreasonable, coercive, or usurious in nature.” A business is also prohibited from selling personal information collected as part of a retail loyalty program.

• AB 873. This bill has been amended to clarify the definition of “deidentified” information and the handling of such information. The bill was amended while in the California State Assembly to define “deidentified” information as that which “does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer” as opposed to the previous definition of that which “does not reasonably identify or link, directly or indirectly, to a particular consumer….” The amendment failed to pass its first hearing on July 9 after advancing to the Senate, but it has been granted reconsideration.

• AB 981. This bill originally proposed to exempt from the CCPA insurance institutions, agents, and support organizations to the extent that those institutions were already subject to California’s Insurance Information and Privacy Protection Act (IIPPA). The bill has now been amended to remove this blanket exception from the CCPA, and it now provides that a consumer may not request a business to delete or not sell the consumer’s personal information if it is necessary for the business to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer.

• AB 1146. This amendment exempts a defined category of vehicle information from the CCPA’s right to deletion and do not sell requirements. The information includes name and contact information of a vehicle owner, VIN, make, model, year, and odometer reading shared between a “new motor vehicle dealer” and the manufacturer with respect to vehicle repairs relating to warranty work or recalls. The bill states that (1) the applicable vehicle information is exempt from the right to opt out of data sales provided that the business is not using such information for reasons other than ”effectuating, or in in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall” and (2) a business is not required to delete personal information that it is maintaining to “fulfill the terms of a warranty or a federally mandated recall covering a product purchased by the consumer.”

• AB 1564. The amendment previously changed a business’s obligation to make available two or more designated methods to just one method to submit requests for information concerning a business’s collection and disclosure practices. The bill has been amended to again require a business to make available two or more methods for submitting requests, including a toll-free telephone number at minimum. If a business maintains a website, the amendment requires a business to make that website available for a consumer to submit requests. If a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, the business is also required to provide an email address for submitting request for information.

We will continue to monitor these amendments and provide further updates as they occur.

New York DFS Unveils Two New Divisions Focused on Consumer Protection, Financial Enforcement and Cybersecurity

New York State’s Department of Financial Services (DFS) recently unveiled two new divisions with broad enforcement authority focused on consumer protection, financial enforcement, and cybersecurity.  Financial service providers should take note as New York and other states continue to shore up their enforcement capabilities.

Consumer Protection & Financial Enforcement

DFS’ highly touted Consumer Protection and Financial Enforcement (“CPFE”) division was launched on April 29, 2019.  The CPFE’s debut marks the latest DFS action to solidify the Department’s position as “a leader in financial services regulation.”

Heralded by acting Superintendent Linda Lacewell as a “powerhouse”, the CPFE is tasked with broad responsibility, specifically: (1) protecting and educating consumers; (2) combating consumer fraud; (3) ensuring that DFS-regulated entities serve the public in compliance with state and federal law; (4) developing investigative leads and intelligence in the banking, insurance, and financial services arenas, with a particular focus on cybersecurity events; and (5) developing and directing supervisory, regulatory and enforcement policy regarding financial crimes.

The Department created its new mega group by merging its enforcement operation with the division which conducts DFS’ civil and criminal investigations (formerly known as the Financial Frauds and Consumer Protection or “FFCP”).  The CPFE’s creation follows DFS’ pronouncement last year that it was prepared to step in to “fill voids” in areas where consumer and market protections are rolled back on the federal level.  The announcement also follows the news that the Consumer Finance Protection Bureau (“CFPB”) will adjust its focus from enforcement to “preventing harm”.  The Bureau’s shift in approach was announced by Kathleen L. Kraninger during her first policy address as the CFPB’s new Director on April 17, 2019.  Director Kraninger expressed the “hope that our emphasis on prevention will mean that we need our enforcement tool less often.”

The CPFE division will be headed by Katherine A. Lemire, who is expected to draw upon her decade of prosecutorial experience at the federal (Assistant United States Attorney in the Southern District of New York) and state (Assistant District Attorney in the New York County District Attorney’s Office) levels.  During her time in the Manhattan U.S. Attorney’s office, Ms. Lemire’s work included the prosecution of disgraced political donor Norman Hsu – sentenced to over 24 years in prison – and the corruption conviction of City Council Member Miguel Martinez.  Referred to by the NY Daily News as a “legal Howitzer,” Ms. Lemire also served as special counsel to then-NYPD Commissioner Raymond Kelly.

Upon entering the private sector, Ms. Lemire founded an international compliance and investigative services firm.  As part of a 2017 roundtable discussion on “How to Conduct Internal Investigations Efficiently and Effectively,” the new CPFE head shared the following insights on effectively working with government investigators to “narrow the scope” of subpoena requests in order to minimize client costs and business disruption:

Remember that prosecutors are people too … they can be reasonable. If confronted with a very broad subpoena seeking, for example, a large swath of documents over the course of years, it may make sense to call the prosecutor and find out whether you may narrow the scope of responsive documents. Often, prosecutors will provide specifics regarding the target of the investigation, and work with you to produce documents in a time-efficient manner. Prosecutors typically have investigative priorities, and if you can provide a proposed schedule for document/materials production, they will often work with you so that they can get what they need the most in a rapid fashion. Relatedly, you may be able to spare yourself producing materials that are not within the actual scope of materials needed. While they are the “expert” in the investigation, you are the “expert” in your business — prosecutors may be asking for materials they do not actually need, and with some education from you, you may be able to narrow the scope of the investigation.

The unveiling of its new “mini CFPB” marks yet another recent DFS milestone, highlights of which include over three billion dollars in fines imposed as a result of investigations into foreign exchange trade rigging, and the issuance of “whistleblower” guidance to all DFS-regulated entities.  The whistleblower guidance is especially significant in light of the Department’s position that “a robust whistleblowing program is an essential element of a comprehensive compliance program for regulated financial service companies”.  And, while not intended to provide a “one size fits all” model, the guidance sets forth ten “important principles and practices” of an “effective whistleblowing program”:

  • Whistleblower reporting channels are independent, well-publicized, easy to access, and consistent;
  • Strong protections to guard whistleblower anonymity;
  • Procedures to identify and manage potential conflicts of interest;
  • Adequate staff training on how to receive and act upon whistleblower complaints, as well as manage investigations, referrals and escalations;
  • Procedures to investigate allegations of wrongdoing;
  • Procedures to ensure valid complaints are followed-up appropriately;
  • Protections against whistleblower retaliation;
  • Confidential process;
  • Appropriate internal and external oversight of the whistleblowing function; and
  • Culture of top-down support for the whistleblowing function.

Cybersecurity

On May 22, 2019 the Department launched a new Cybersecurity division, advertised as the “first of its kind at a banking or insurance regulator” which will focus on “protecting consumers and industries from cyber threats.”  The emergence of DFS’ new Cybersecurity division follows the Department’s signature enactment, its 2018 cybersecurity law (23 NYCRR 500) upon which the FTC has “primarily based” its latest proposed information security program requirements.  The new division’s emergence “builds upon DFS’ nation-leading efforts to protect consumers and financial markers from cyberattacks” and also follows the March 1, 2019 deadline by which all DFS-regulated institutions were required to submit comprehensive risk-based cybersecurity programs for protecting consumer’s private data.

Justin Herring will head the new Cybersecurity division, joining DFS from the New Jersey U.S. Attorney’s Office where he served as Chief of the Cyber Crimes Unit and also worked as a member of the U.S. Attorney’s Economic Crimes Unit.  The DFS signaled its intention to continue its efforts to combat cybercrime by “hiring additional experts as necessary,” in addition to utilizing and developing its personnel’s existing subject-matter expertise.

According to the DFS’ announcement, the role of the new Cybersecurity division will be to “enforce the Department’s cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’ cybersecurity regulations, and conduct cyber-related investigations in coordination with the Consumer Protection and Enforcement Division.”

Washington State Expands Data Breach Notification Law

Effective March 1, 2020, Washington State House Bill 1071 amends the state’s data breach notification law, expanding the categories of consumer information the unauthorized access of which would trigger notification requirements.  Under current law, any person or business conducts business in Washington State and that owns or licenses data that includes personal information to provide notice to potentially affected consumers and to the state Attorney General no more than 45 calendar days after a data breach that may have resulted in authorized access of consumers’ personal information; as amended, the law will reduce the timeline for notification to 30 days.

In addition to making non-substantive changes (e.g., recodifying definition and exemption provisions), the measure also:

  • Adds notification procedures for a data breach involving a consumer’s username or password (which vary according to whether the breach involves login credentials for an email account furnished by the person or business providing the notification);
  • Requires the notification to affected consumers to include “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; and
  • If a breach affected more than 500 Washington consumers, requires the notification to the Attorney General to provide: (i) a list of the types of personal information that were, or are reasonably believed to have ben, the subject of a breach; (ii) “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; (iii) a summary of steps taken to contain the breach; and (iv) a sample copy of a notification (which must exclude any personally identifiable information).

Alston & Bird Issues Client Alert on New Cybersecurity Requirements As Recently Announced by the Federal Trade Commission

On April 3 , Alston & Bird Senior Associate Michael Young issued a Client Alert on a recent announcement made by the Federal Trade Commission on proposed rule updates to two key privacy and security regulations of the Safeguards Rule and the Privacy Rule that address new cybersecurity requirements.  The Client Alert provides key highlights of the proposed rule updates for both rules as follows.  Under the Safeguards Rule, the proposal seeks to partially model itself after New York’s Cybersecurity Regulations, and would include a number of information security requirements.  Under the Privacy Rule, the proposal seeks to update the Privacy Rule to address annual privacy notice requirements.  In addition, the proposal seeks to provide clarification of the limited scope of the rulemaking authority of the FTC under Gramm Leach Bliley. The Client Alert also points out that the requirements set forth in the proposals may significantly impact various entities in the financial services industry and its activities under the authority of the FTC.

The Client Alert can be found here on the Alston & Bird Privacy Blog.