Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

California Passes Several Amendments to the California Consumer Privacy Act

By

The California legislature passed several amendments to the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.190) (the “CCPA”) on September 13, 2019. (For additional background, see Which CCPA Amendments Made the Cut? and Potential Changes to the CCPA; California Senate Considers Amendments). These amendments will soon head to Governor Newsom’s desk for signature. Among other things, the amendments:

  • Revise the definition of personal information;
  • Create limited exemptions for employment-related personal information and personal information involved in business-to-business communications and transactions;
  • Create an exemption for information related to consumer warranties and product recalls and vehicle ownership information;
  • Clarify the exemption for certain personal information used in consumer reports; and
  • Clarify the “value test” established in the CCPA’s anti-discrimination provisions.

Below is a description of the amendments:

Definition of Personal Information.

The California Senate and Assembly approved AB 874, which cabins the definition of “personal information” to that which is “reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal information includes information that is “reasonably” capable of being associated with identifiers listed in the CCPA, including, but not limited to, real name, alias, postal address, internet protocol address, and social security number. AB 874 further amends the CCPA to exclude from personal information deidentified or aggregate consumer information.

Additionally, AB 874 simplifies the definition of publicly available information, which is excluded from personal information. The bill removes the conditions required for information to qualify as public information. Instead the term is amended to mean “information that is lawfully made available from federal, state, or local government records.” However, publicly available information still excludes biometric information collected without the consumer’s knowledge.

Exemptions for Employment Information.

The original version of AB 25 approved by the State Assembly broadly excluded personal information of employees, contractors, and job applicants from the CCPA. The Assembly and Senate approved a modified version which provides a more limited exemption. AB 25 now provides that the statute does not apply to the personal information of job applicants, employees, and contractors that a business collects in the course of employment or the application process, but only to the extent solely used in the context of the job application or the employment relationship. In addition, businesses must inform employees, contractors, and applicants, at or before the point of collection, of the categories of personal information to be collected and the purposes for which such information will be used. This information also remains subject to the private right of action established in the law for certain security incidents.

The amendment adds an additional exemption for consumer personal information involved in business to business communications or transactions. The exemption does not apply to the right to opt out of data sales, and the information remains subject to a private right of action for certain security incidents. The non-discrimination provisions of the statute also continue to apply.

AB 25 will become inoperative on January 1, 2021. Employment-related information will become subject to the full set of requirements of the CCPA on and after that date unless California first enacts an employee privacy law.

Exemptions for Warranties, Product Recall, and Vehicle Ownership Information.

AB 1146 creates exemptions to the CCPA’s right to delete and right to opt out for certain categories of information. Businesses are no longer required to comply with a consumer’s request to delete personal information if the request pertains to information the business needs to “fulfill the terms of a written warranty or product recall conducted in accordance with federal law.” Businesses are also not required to comply with requests to opt out of sales relating to vehicle ownership information shared between a “new motor vehicle dealer” and the manufacturer regarding vehicle repairs relating to warranty work or recalls provided that the dealer or manufacturer does not sell, share, or use the information for any other purpose.

Exemption for Personal Information in Consumer Reports.

The California legislature amended and passed AB 1355, which clarifies the existing exemption for personal information related to the Fair Credit Reporting Act (15 U.S.C. § 1681) (the “FCRA”). The CCPA currently does not apply to personal information sold to or from a consumer reporting agency if such information is reported or used in a consumer report and covered by the FRCA. AB 1355 clarifies the exemption to apply to activity by consumer reporting agencies, furnishers of information, or users of consumer reports concerning personal information related to a consumer report. Such information includes that “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living….” The FCRA exemption applies to activity that is regulated under the act and is not “used, communicated, disclosed, or sold except as authorized by the [FCRA].” Information covered by this exemption is subject to the CCPA’s private right of action provision.

Differential Treatment of Consumers.

AB 1355 also modifies the “value test” in the CCPA’s non-discrimination provisions. Prior to this amendment, the CCPA prohibited discrimination against consumers exercising CCPA rights unless the difference in prices or rates charged or the level or quality of goods or services provided to these consumers was “reasonably related to the value provided to the consumer by the consumer’s data.” This “value test” has been criticized for requiring businesses to complete an impossible task – determining the value of a consumer’s data to each individual consumer. AB 1355 alleviates this situation by clarifying that a business may require consumers who exercise their CCPA rights to pay a different price or rate or provide a different level or quality of goods or services if the difference is “reasonably related to the value provided to the business by the consumer’s data.”

Specific Pieces of Information Clarified.

The CCPA requires businesses that collect personal information about consumers to disclose in their privacy policy the specific pieces of personal information collected about consumers. AB 1355 revises the CCPA to require businesses to disclose that a consumer has the right to request the specific pieces of personal information collected about that consumer. This also makes clear that the obligation in Section 1798.110(a) to disclose the “specific pieces of information” requires the business to disclose a copy of the information, not a description.

Methods for Submitting Consumer Requests.

The CCPA requires businesses to make two or more methods available for a consumer to submit requests pursuant to Cal. Civ. Code §§ 1798.110 and 1798.115. Now, pursuant to AB 1564, businesses that operate exclusively online and have a “direct relationship with a consumer from whom” the business collects personal information may provide an email address to support the submission of requests under section 110 and 115 in lieu of a toll-free telephone number. (Note that the underlying requirements to have two channels for requests and the amendments via AB 1564 do not apply to requests submitted pursuant to Cal. Civ. Code §§ 1798.100 or 1798.105.) Businesses that maintain a website must still make a website available for requests. The amendment also provides that businesses may choose, but are not obligated, to require consumers that have business accounts to submit requests through the accounts.

In addition, AB 1564 clarifies that businesses may verify the identity of consumers who make requests in a reasonable manner considering the nature of the information requested. Businesses may impose more comprehensive or strenuous identity verification processes for consumer requests concerning sensitive personal information.

Private Right of Action.

The CCPA’s current language of “nonencrypted or nonredacted” would allow for a private right of action if the personal information involved was either nonencrypted or nonredacted. In other words, businesses would have to both encrypt and redact personal information to avoid liability. AB 1355 amends the CCPA’s private right of action provision for certain security incidents to apply to personal information that is “nonencrypted and nonredacted.” The amendment allows businesses to defend against a civil action by either encrypting or redacting personal information.

The California legislature also recently passed a bill that impacts the CCPA’s private right of action provision by amending California’s data security law. The CCPA’s private right of action applies to personal information as defined in California’s data security law (Cal Civ. Code § 1798.81.5). California passed Assembly Bill 1130 expanding the categories of personal information covered by the data security law and thereby expanding the data elements covered by CCPA’s private right of action.

Although all amendments discussed above have been passed by the California legislature, the format of the final amendments’ text is undecided. Before the amendments were passed, each bill was revised to incorporate changes proposed by other amendments upon enactment (e.g., AB 1355 incorporates amendments proposed in ABs 25, 874, 1146, and 1564). The final text of the amendments depends on the order in which the bills are enacted. We will provide a link to the final text once the order of enactment has been determined.

The CCPA Could Reset Data Breach Litigation Risks

By ,

A&B Abstract:

While much has been written about the California Consumer Privacy Act (CCPA), the focus has primarily been on the new rights it affords California consumers to have access to and control use of their data and opt out of many transfers to third parties. While this is a sea change in data privacy legislation in the United States, perhaps the greatest risk to businesses covered by the CCPA is that the CCPA creates a private right of action – with substantial statutory damages – for data breaches. This change will likely reset litigation risks in California in the post-data-breach context and may have significant implications for data breach litigation across the country.

Overview of the CCPA Breach Provisions

The CCPA will do two significant things for the first time in the world of data breach litigation. First, it will give consumers the ability to sue businesses when their “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” This private right of action comes into play when the statutory trigger has been met and the incident is a result of the business’s failure to implement and maintain “reasonable security procedures and practices.” This reasonable security requirement essentially codifies negligence claims found in much of today’s post-breach litigation. Second, the CCPA is the first U.S. law to provide for statutory damages in connection with data security incidents, including penalties of $100 to $750 per incident, actual damages, and injunctive relief.

There are two aspects of this portion of the CCPA that provide some hope to breached entities. The definition of personal information used for the private right of action provision of the CCPA is the narrower definition of personal information set forth in the  current California data breach notification law, Section 1798.81.5, rather than the now famously broad definition of personal information under the CCPA (information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”) The statute also requires both access and exfiltration, theft, or disclosure, which is a more exacting standard than those state breach notification laws that only require unauthorized access to personal data.

Damages: Amount & Factors for Consideration by a Court

The CCPA authorizes courts to award statutory damages in such action of between $100 and $750 “per consumer per incident” or to award actual damages, whichever is greater. Id. § 1798.150(a)(1)(A). The statute directs courts to consider a number of factors in assessing the amount of statutory damages to award, “including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of
the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.” Id. § 1798.150(a)(2).[1] These statutory damages are substantial. Moreover, the mere existence of statutory damages will provide data breach plaintiffs with a new argument for standing (which otherwise can be problematic).

First, the statute purports to allow consumers to sue even when they have not suffered any damages as a result of the breach. This is in stark contrast to the most common data breach claims that consumers bring against victims of data breaches today. Those suits are typically based on negligence and/or breach of implied contract theories, both of which require plaintiffs to prove actual damages as an element of their claims. This risk is particularly acute in litigation brought by consumers following the theft of payment card
data, where actual damages are often lacking and are difficult to quantify since payment cards are often canceled and reissued after a data breach and financial institutions are generally required to reimburse consumers for unauthorized charges.

Plaintiffs who attempt to allege a violation of the CCPA will still be constrained – at least in federal court – by the constitutional requirement that they suffer a legally cognizable injury-in-fact in order to have standing to sue. This requirement has been difficult to satisfy for plaintiffs in data breach class actions. Moreover, because the U.S. Supreme Court has held that the mere violation of a statute alone is insufficient to confer Article III standing when it is otherwise lacking, the existence of a private-right-of-action provision in the CCPA does not automatically grant plaintiffs the right to bring a claim in federal court. Courts will ultimately need to address the intersection between the CCPA’s private-right-of-action provision and Article III standing requirements, and this will be an evolving area of the law that companies should pay close attention to over the next several years.

Second, the amount of statutory damages under the CCPA increases the potential overall exposure companies could face in data breach litigation. The statutory damages, which range from $100 to $750 per incident, can add up very quickly, particularly if a large number of records are impacted by the breach.

Third, the prospect of an award of statutory damages has significant class certification implications if the plaintiffs bring a claim for a violation of the CCPA. Defendants have argued in past data breach cases that individualized damages issues are a significant hurdle to trying the plaintiffs’ claims classwide. While the existence of individualized damages issues alone is generally not sufficient to defeat a motion for class certification, it can be part of a powerful argument that predominance is lacking. Thus, in CCPA litigation, defendants will likely have to place a greater emphasis on other defenses to class certification, including case-specific issues that predominate over issues common to the putative class.

Reasonable Security Standard

The CCPA’s private right of action allows for damages when (1) a company experienced a security incident or data breach; and (2) the company failed to maintain reasonable security practices and procedures. This begs the question of what constitutes “reasonable security.” While a detailed discussion of this topic is beyond the scope of this article, potential defendants under the statute should address this issue in their CCPA implementation programs.

In considering this issue, note that California’s former attorney general, Senator Kamala Harris, provided quite clear guidance on what she considered reasonable security. In February 2016, the attorney general’s office released the California Data Breach Report, which analyzed breaches from 2012 to 2015 and provided guidance on what businesses could consider reasonable security. The guidance focuses on the 20 controls in the Center for Internet Security’s (CIS) Critical Security Controls (previously known as the SANS Top 20).  According to Attorney General Harris, these controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” While Attorney General Harris’s guidance does not have the force of law, it is hard to ignore this guidance for purposes of analyzing these provisions of the CCPA.

Of course, there are a number of other third-party protocols similar to the CIS Controls that one might also assert constitute “reasonable security.” These include the National Institute of Standards and Technology Cybersecurity Framework (NIST), which is now well established and in its latest revision has over 900 individual security measures, the Control Objectives for Information and Related Technologies (COBIT) created by ISACA, and the International Organization for Standardization (ISO) ISO/IEC 27000:2018 standards, and many others.[2]

The FTC has also been active in establishing at least what does not constitute reasonable security in its eyes. There have been a number of FTC enforcement actions against companies involving security issues, including In the Matter of Accretive Health Inc., Docket No. C-4432; In the Matter of Uber Technologies Inc., Docket No. C-4662; In the Matter of DSW Inc., Docket No. C-4157; In the Matter of the TJX Companies Inc., Docket No. C-4227; In the Matter of Goal Financial LLC, Docket No. C-4216; and In the Matter of Twitter Inc., Docket No. C-4316. Of course, there has also been significant litigation in this area somewhat expanding (FTC v. Wyndham Worldwide Corporation, 799 F. 3d 236 (3d Cir. 2015)) and contracting (LABMD Inc. v. FTC, 894 F.3d 1221 (11th Cir. 2018)) the FTC’s oversight in this area.

Companies subject to existing regulatory regimes have for some time dealt with security standards such as the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. §§ 160, 164(a), 164(c), and the Gramm–Leach–Bliley (GLB) Safeguards Rule, 15 U.S.C. 6801(b), 6805(b)(2) (among others, although data subject to HIPAA and GLB is currently excepted from application of the CCPA). In the wake of the CCPA, however, companies that have not previously been subject to express regulation of their security practices should now affirmatively consider whether their security programs will allow them to comfortably assert that they have met their “reasonable security” obligation under the CCPA.

National Litigation Implications

Because it includes an express private right of action and authorizes courts to award statutory penalties, the CCPA will substantially increase litigation risk and exposure for companies that are subject to a data breach. The impact will be most strongly felt when claims are brought by (or on behalf of a class of) California residents or against a company that is organized or maintains its principal place of business in California, where the argument for the application of California law will be the strongest. See Phillips Petroleum Co. v. Shutts, 472 U.S. 797, 821 (1985) (holding that due process is violated when a court attempts to apply the law of one state with “little or no relationship” to the transaction “in order to satisfy the procedural requirement that there be a ‘common question of law’”). Nevertheless, the CCPA could have broader implications for data breach litigation nationwide.

First, it could incentivize plaintiffs to file more data breach class actions in California, though plaintiffs will be constrained in their ability to do so by the Supreme Court’s decision in Bristol-Meyers Squibb Co. v. Superior Court, 137 S. Ct. 827 (2017), which holds that state courts generally cannot exercise personal jurisdiction over an out-of-state defendant for claims brought by nonresident plaintiffs.

Second, plaintiffs’ lawyers are also likely to try to effectively expand the scope of the CCPA’s private-right-of-action provision by attempting to bring suit or violations of the CCPA under California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200. That statute prohibits plaintiffs from engaging in “any unlawful, unfair or fraudulent business act or practice,” and allows plaintiffs to “borrow[] violations of other laws and treat[] them as unlawful practices that the unfair competition law makes independently actionable.” Cel-Tech Communications Inc. v. Los Angeles Cellular Telephone Co., 20 Cal. 4th 163, 180 (1999). Plaintiffs are likely to try to argue that any violation of the CCPA, regardless of whether it falls within the private-right-of-action provision, is actionable under the Unfair Competition Law. While this has not yet been litigated, companies will have a strong argument that plaintiffs should not be able to evade the narrow scope of the private-right-of-action provision in this manner. The CCPA’s private-right-of-action
provision expressly states that nothing in the CCPA “shall be interpreted to serve as the basis for a private right of action under any other law.” Cal. Civ. Code § 1798.150(c). By including this provision in the law, it stands to reason that the legislature expressly intended to exempt the CCPA from the reach of the Unfair Competition Law. Nevertheless, companies should carefully monitor litigation in this area, as a court ruling to the contrary could dramatically increase the litigation risk posed by the CCPA. See also
Robert D. Phillips, Jr. & Gillian H. Clow, An Update on the California Consumer Privacy Act and Its Private Right of Action, available at https://www.alston.com/en/insights/publications/2018/09/california-consumerprivacy-act.

[1] In order to bring a private right of action under the CCPA, the consumer is required to first “provide[] a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated.” Cal. Civ. Code § 1798.150(b).

[2] A few other states have included similar reasonableness standards in their breach notification statutes (although these statutes do not include corresponding private rights of action). For example, Indiana, I.C. Sec. 24-4.9-3-3.5 (c) (states that “a data base owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner.”

Potential Changes to the CCPA; California Senate Considers Amendments

By ,

On April 30, we detailed several proposed amendments to the California Consumer Privacy Act (the “CCPA”) that were advancing in the State Assembly (see our previous blog post here). Since then, a number of the proposed amendments passed the Assembly and moved to the California Senate, where they remain under consideration.

This past week the Judiciary Committee considered a number of the bills and proposed several key amendments. These amendments are discussed below.

• AB 25. The original version of this bill excluded employees, contractors and job applicants from the definition of “consumer” provided that personal information about those categories of persons was used only for limited purposes. The bill has now been amended to provide that employees, contractors and applicants are still consumers, but that certain personal information relating to them will not be subject to the statute as long as used only for purposes relating to their status as employees, contractors or applicants to the business in question. The bill has also been amended to require delivery of privacy notices to employees, contractors and job applicants which identify personal information collected concerning those individuals and the purposes of the collection. As with the version that passed the Assembly, the private right of action and statutory damages established by the CCPA for certain security incidents will continue to apply.

Most notably, the amendment is proposed to be operative only through 2020. The intent is to provide incentive to the legislature to draft and approve a law on employee privacy. But if a new employee privacy law is not approved, then personal information about employees will be subject to the full CCPA as of January 1, 2021.

• AB 846. The amendment seeks to clarify the treatment of consumers in retail loyalty programs under the CCPA. The bill previously stated that offering “a different price, rate, level, or quality of goods or services” under a retail loyalty program was permissible if (1) a consumer volunteered for the program or (2) the offering was for a specific good or service whose functionality was directly related to the collection, use or sale of the consumer’s data. The bill has been amended to only permit differential offerings under a retail loyalty program when a consumer volunteers for the program. However, a business is prohibited from offering a program that is “unjust, unreasonable, coercive, or usurious in nature.” A business is also prohibited from selling personal information collected as part of a retail loyalty program.

• AB 873. This bill has been amended to clarify the definition of “deidentified” information and the handling of such information. The bill was amended while in the California State Assembly to define “deidentified” information as that which “does not identify and is not reasonably linkable, directly or indirectly, to a particular consumer” as opposed to the previous definition of that which “does not reasonably identify or link, directly or indirectly, to a particular consumer….” The amendment failed to pass its first hearing on July 9 after advancing to the Senate, but it has been granted reconsideration.

• AB 981. This bill originally proposed to exempt from the CCPA insurance institutions, agents, and support organizations to the extent that those institutions were already subject to California’s Insurance Information and Privacy Protection Act (IIPPA). The bill has now been amended to remove this blanket exception from the CCPA, and it now provides that a consumer may not request a business to delete or not sell the consumer’s personal information if it is necessary for the business to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer.

• AB 1146. This amendment exempts a defined category of vehicle information from the CCPA’s right to deletion and do not sell requirements. The information includes name and contact information of a vehicle owner, VIN, make, model, year, and odometer reading shared between a “new motor vehicle dealer” and the manufacturer with respect to vehicle repairs relating to warranty work or recalls. The bill states that (1) the applicable vehicle information is exempt from the right to opt out of data sales provided that the business is not using such information for reasons other than ”effectuating, or in in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall” and (2) a business is not required to delete personal information that it is maintaining to “fulfill the terms of a warranty or a federally mandated recall covering a product purchased by the consumer.”

• AB 1564. The amendment previously changed a business’s obligation to make available two or more designated methods to just one method to submit requests for information concerning a business’s collection and disclosure practices. The bill has been amended to again require a business to make available two or more methods for submitting requests, including a toll-free telephone number at minimum. If a business maintains a website, the amendment requires a business to make that website available for a consumer to submit requests. If a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, the business is also required to provide an email address for submitting request for information.

We will continue to monitor these amendments and provide further updates as they occur.

New York DFS Unveils Two New Divisions Focused on Consumer Protection, Financial Enforcement and Cybersecurity

By

New York State’s Department of Financial Services (DFS) recently unveiled two new divisions with broad enforcement authority focused on consumer protection, financial enforcement, and cybersecurity.  Financial service providers should take note as New York and other states continue to shore up their enforcement capabilities.

Consumer Protection & Financial Enforcement

DFS’ highly touted Consumer Protection and Financial Enforcement (“CPFE”) division was launched on April 29, 2019.  The CPFE’s debut marks the latest DFS action to solidify the Department’s position as “a leader in financial services regulation.”

Heralded by acting Superintendent Linda Lacewell as a “powerhouse”, the CPFE is tasked with broad responsibility, specifically: (1) protecting and educating consumers; (2) combating consumer fraud; (3) ensuring that DFS-regulated entities serve the public in compliance with state and federal law; (4) developing investigative leads and intelligence in the banking, insurance, and financial services arenas, with a particular focus on cybersecurity events; and (5) developing and directing supervisory, regulatory and enforcement policy regarding financial crimes.

The Department created its new mega group by merging its enforcement operation with the division which conducts DFS’ civil and criminal investigations (formerly known as the Financial Frauds and Consumer Protection or “FFCP”).  The CPFE’s creation follows DFS’ pronouncement last year that it was prepared to step in to “fill voids” in areas where consumer and market protections are rolled back on the federal level.  The announcement also follows the news that the Consumer Finance Protection Bureau (“CFPB”) will adjust its focus from enforcement to “preventing harm”.  The Bureau’s shift in approach was announced by Kathleen L. Kraninger during her first policy address as the CFPB’s new Director on April 17, 2019.  Director Kraninger expressed the “hope that our emphasis on prevention will mean that we need our enforcement tool less often.”

The CPFE division will be headed by Katherine A. Lemire, who is expected to draw upon her decade of prosecutorial experience at the federal (Assistant United States Attorney in the Southern District of New York) and state (Assistant District Attorney in the New York County District Attorney’s Office) levels.  During her time in the Manhattan U.S. Attorney’s office, Ms. Lemire’s work included the prosecution of disgraced political donor Norman Hsu – sentenced to over 24 years in prison – and the corruption conviction of City Council Member Miguel Martinez.  Referred to by the NY Daily News as a “legal Howitzer,” Ms. Lemire also served as special counsel to then-NYPD Commissioner Raymond Kelly.

Upon entering the private sector, Ms. Lemire founded an international compliance and investigative services firm.  As part of a 2017 roundtable discussion on “How to Conduct Internal Investigations Efficiently and Effectively,” the new CPFE head shared the following insights on effectively working with government investigators to “narrow the scope” of subpoena requests in order to minimize client costs and business disruption:

Remember that prosecutors are people too … they can be reasonable. If confronted with a very broad subpoena seeking, for example, a large swath of documents over the course of years, it may make sense to call the prosecutor and find out whether you may narrow the scope of responsive documents. Often, prosecutors will provide specifics regarding the target of the investigation, and work with you to produce documents in a time-efficient manner. Prosecutors typically have investigative priorities, and if you can provide a proposed schedule for document/materials production, they will often work with you so that they can get what they need the most in a rapid fashion. Relatedly, you may be able to spare yourself producing materials that are not within the actual scope of materials needed. While they are the “expert” in the investigation, you are the “expert” in your business — prosecutors may be asking for materials they do not actually need, and with some education from you, you may be able to narrow the scope of the investigation.

The unveiling of its new “mini CFPB” marks yet another recent DFS milestone, highlights of which include over three billion dollars in fines imposed as a result of investigations into foreign exchange trade rigging, and the issuance of “whistleblower” guidance to all DFS-regulated entities.  The whistleblower guidance is especially significant in light of the Department’s position that “a robust whistleblowing program is an essential element of a comprehensive compliance program for regulated financial service companies”.  And, while not intended to provide a “one size fits all” model, the guidance sets forth ten “important principles and practices” of an “effective whistleblowing program”:

  • Whistleblower reporting channels are independent, well-publicized, easy to access, and consistent;
  • Strong protections to guard whistleblower anonymity;
  • Procedures to identify and manage potential conflicts of interest;
  • Adequate staff training on how to receive and act upon whistleblower complaints, as well as manage investigations, referrals and escalations;
  • Procedures to investigate allegations of wrongdoing;
  • Procedures to ensure valid complaints are followed-up appropriately;
  • Protections against whistleblower retaliation;
  • Confidential process;
  • Appropriate internal and external oversight of the whistleblowing function; and
  • Culture of top-down support for the whistleblowing function.

Cybersecurity

On May 22, 2019 the Department launched a new Cybersecurity division, advertised as the “first of its kind at a banking or insurance regulator” which will focus on “protecting consumers and industries from cyber threats.”  The emergence of DFS’ new Cybersecurity division follows the Department’s signature enactment, its 2018 cybersecurity law (23 NYCRR 500) upon which the FTC has “primarily based” its latest proposed information security program requirements.  The new division’s emergence “builds upon DFS’ nation-leading efforts to protect consumers and financial markers from cyberattacks” and also follows the March 1, 2019 deadline by which all DFS-regulated institutions were required to submit comprehensive risk-based cybersecurity programs for protecting consumer’s private data.

Justin Herring will head the new Cybersecurity division, joining DFS from the New Jersey U.S. Attorney’s Office where he served as Chief of the Cyber Crimes Unit and also worked as a member of the U.S. Attorney’s Economic Crimes Unit.  The DFS signaled its intention to continue its efforts to combat cybercrime by “hiring additional experts as necessary,” in addition to utilizing and developing its personnel’s existing subject-matter expertise.

According to the DFS’ announcement, the role of the new Cybersecurity division will be to “enforce the Department’s cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’ cybersecurity regulations, and conduct cyber-related investigations in coordination with the Consumer Protection and Enforcement Division.”

Washington State Expands Data Breach Notification Law

By

Effective March 1, 2020, Washington State House Bill 1071 amends the state’s data breach notification law, expanding the categories of consumer information the unauthorized access of which would trigger notification requirements.  Under current law, any person or business conducts business in Washington State and that owns or licenses data that includes personal information to provide notice to potentially affected consumers and to the state Attorney General no more than 45 calendar days after a data breach that may have resulted in authorized access of consumers’ personal information; as amended, the law will reduce the timeline for notification to 30 days.

In addition to making non-substantive changes (e.g., recodifying definition and exemption provisions), the measure also:

  • Adds notification procedures for a data breach involving a consumer’s username or password (which vary according to whether the breach involves login credentials for an email account furnished by the person or business providing the notification);
  • Requires the notification to affected consumers to include “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; and
  • If a breach affected more than 500 Washington consumers, requires the notification to the Attorney General to provide: (i) a list of the types of personal information that were, or are reasonably believed to have ben, the subject of a breach; (ii) “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; (iii) a summary of steps taken to contain the breach; and (iv) a sample copy of a notification (which must exclude any personally identifiable information).