As predicted in our February 4, 2020 blog post, the New York Department of Financial Services (“DFS”) has filed its first formal charges for violation of the state’s cybersecurity regulation. The charges were filed against an insurance company for allegedly violating several provisions of Part 500 of Title 23 of the New York Codes, Rules, and Regulations. In this case, the DFS alleged five distinct violations, including failure to identify and remediate certain risks, thereby enabling the potential exposure of millions of mortgage-related documents that contained sensitive non-public personal information.

The Credit Reporting Resource Guide (“CRRG”) is a resource guide prepared by the Consumer Data Industry Association that provides codes that facilitate compliance with the Fair Credit Reporting Act (FCRA). Courts in the Sixth Circuit have previously established that the CRRG is not dispositive on FCRA compliance. Thus, when Plaintiff tried to use the CRRG requirements to assert that Defendant acted negligently in not changing a closed tradeline to show a “zero” balance, the court was not impressed. In Calvin v. Mich. First Credit Union, No. 19-cv-11519, 2020 U.S. Dist. LEXIS 123322, at *10 (E.D. Mich. July 14, 2020), Plaintiff alleged that Michigan First violated §623 of the FCRA because it did not change Plaintiff’s tradeline, on a closed account, to show a payment balance of zero. Ruling in favor of Defendant, the Court determined that Plaintiff failed to show that the tradeline in question was inaccurate, failed to show that Defendant’s alleged actions created an injury-in-fact, and failed to show negligence in Defendant’s conduct.

This case was not much different from cases routinely filed against Michigan First for inaccurate credit reporting (see the most recent one we covered here). It was thus not surprising to review the Court’s decision determining that Michigan First’s reporting was not inaccurate. Indeed, a non-zero balance on a closed account is not, in and of itself, inaccurate reporting. The accuracy of credit information is assessed under the “materially misleading” standard. “The fact that a layperson could be misled or that the consumer was misled is insufficient.” Plaintiff here was unable to show that “any creditor was misled…. Since Plaintiff did not show that a creditor was misled by the non-zero scheduled monthly payment tradeline or that a creditor’s decision was based on the non-zero scheduled monthly payment balance rather than other issues with her credit, Plaintiff failed to show Defendant’s tradeline resulted in a creditor being misled.”

Plaintiff tried using the CRRG to establish Michigan First’s negligence. The CRRG requires the monthly payment amount on closed or charged-off accounts to be changed to zero, which is exactly what Plaintiff demanded from Michigan First. However, federal laws of commerce and trade, including the FCRA, do not mandate compliance with the CRRG, which is, after all, only the publication of an industry trade association. Courts in the Eastern District of Michigan have concluded that the CRRG is not the industry standard and that “compliance or non-compliance with its provisions was [not] conclusive evidence of accuracy or inaccuracy.” In fact, they have gone so far as to say that “CRRG requirements are inadmissible hearsay because CRRG’s guidelines are out-of-court statements by an industry group.” Thus, Defendant’s noncompliance with the CRRG did not show negligent or willful noncompliance with the FCRA.

Another win for Michigan First, despite Plaintiff’s creativity in attempting to use the CRRG guidelines.

On July 21, 2020 the FTC hosted its Fifth PrivacyCon, an event where researchers convene with FTC officials to discuss cutting-edge issues related to consumer privacy and security.  Because PrivacyCon can be a harbinger of FTC activity, CPW attended PrivacyCon and reported on various developments of interest.  Much of the focus this year was on healthcare data privacy—a particularly pertinent topic in light of the COVID outbreak.

Andrew Smith, the Director of the FTC Bureau of Consumer Protection, opened PrivacyCon with remarks on the FTC’s enforcement activity this past year.  He also touched upon what might lie ahead in the future, with particular emphasis on FTC action in the healthcare arena.  [As you all at CPW probably know already, while the Department of Health and Human Services (“HHS”) Office for Civil Rights is responsible for enforcing the Health Insurance Portability and Accountability Act, the FTC has general oversight over deceptive and unfair practices.]  This past year, Smith observed, the FTC has taken various enforcement actions directed at protecting consumer privacy.  These included what Smith described as “record-shattering” settlements reached with companies concerning privacy and security protections under various regulatory regimes, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the FTC Act.  Smith noted that many of these settlements included structural changes to how consumers’ and children’s data was treated.

Looking forward, Smith said the FTC would be paying increased attention to mobile health apps as consumers are increasingly relying on these tools in a variety of contexts (health trackers, sleep monitors, smoking cessation apps, diet guides, etc.).  Contact tracing, brought on by the COVID outbreak, has added further complexity to this area.  Smith noted that HHS had issued rules that made it easier for consumers to access their medical records on various apps, but cautioned that “whenever data flow increases the opportunities for data compromise increase.”  Smith reiterated that the FTC would not hesitate to take action against entities that misrepresent what they are doing with consumers’ health data or put consumers’ health data at undue risk.

Smith said that the FTC’s call for papers to present at PrivacyCon this year included matters related to mobile health, interconnected devices, online ad delivery assistance, and technological developments that could be a boon to consumers but also pose risks to privacy, security and equal opportunity.  Consistent with this approach, the first panel, consisting of researchers from Harvard Medical School, the University of Toronto and Elektra Labs, discussed various technology-related concerns pertaining to the development of healthcare apps.  Based on the panelists’ comments, it is possible that areas of focus regarding healthcare apps could include evaluating and securing the connected sensor technologies that power health apps, as well as broader concerns related to cybersecurity, data aggregation, de-identification and informed consent.

This is a fast-growing area that, in light of Director Smith’s comments, is anticipated to evolve in the near future.  CPW is here every step of the way and will report on these developments to keep you informed.

Those of you familiar with the area of data privacy already know that the International Association of Privacy Professionals’ (“IAPP”) CIPP/US certification is the global gold standard for privacy professionals and a key industry benchmark.  The CIPP/US designation demonstrates familiarity with U.S. privacy laws and regulations.  Well, CPW is proud to announce that one of our extremely talented litigators, Kristin Bryan, has joined the group of CIPP/US certified attorneys.  As you may know, here at CPW we have assembled one of the most experienced and dedicated consumer privacy teams on the planet—powerful class action litigators working together with privacy compliance professionals who have real-world experience operationalizing cutting-edge guidance.  Adding this important certification to our deep bench of litigators further enhances our team’s capabilities.

Do you know Kristin?  Kristin is a world-class litigator who graduated with honors from Columbia Law School.  She has a multi-faceted data privacy practice, which includes experience defending clients in federal class action and multidistrict litigation concerning allegations that their online privacy and marketing practices violated federal and state privacy laws.  But that’s not all, folks.  As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing practical, business-oriented privacy advice to a wide range of clients and has represented them in government investigations regarding their privacy practices.  Kristin is a regular contributor to CPW and routinely publishes and speaks on cutting-edge developments in data privacy.  She is also the co-chair of the IAPP KnowledgeNet Chapter of Cleveland and is admitted to practice in New York and Ohio.

Bravo Zulu, Kristin.

Once a lawsuit has been filed, standing is often the first issue that defense counsel will address.  After all, if standing opens the door to the merits of a suit, then counsel is generally tempted to keep that door shut and locked.  A recent case reminds us that standing is always an issue, even when counsel does not argue against it, and a court may not hesitate to lock the door itself.

In Hebert v. Barnes & Noble, No. 19-cv-591-BEN (JLB), 2020 U.S. Dist. LEXIS 123325, at *11 (S.D. Cal. July 13, 2020), the court remanded a case to state court at the summary judgment stage after sua sponte finding against standing on the basis that the plaintiff did not allege any actual harm.  At issue was the sufficiency of an FCRA disclosure provided by Barnes & Noble to job applicants.  If an employer wants to obtain a consumer report to screen a prospective employee, then the FCRA requires that employer to provide applicants with an FCRA disclosure in a document containing nothing other than the disclosure itself.  The plaintiff here claimed that between 2016 and 2018, Barnes & Noble provided defective FCRA disclosures to 27,000 job applicants.  Despite the large number of applicants that received the allegedly defective disclosures, Barnes & Noble did not receive any complaints, including from the plaintiff, who eventually accepted a job offer from it.

Although the defendant never made the argument, the Hebert court found that the plaintiff lacked standing due to her failure to allege actual harm.  To make this point, the court cited a recent case, Sierra Club v. Trump, 2020 WL 3478900, at *6 & n.9 (9th Cir. June 26, 2020), to state that “[a] federal court has an independent obligation to satisfy itself that a plaintiff has standing at all stages of litigation.”

To address the strength of the plaintiff’s allegations, the Hebert court looked to Syed v. M-I, 853 F.3d 492, n.4 (9th Cir. 2017) and contrasted it against this case.  Syed was a case of first impression that interpreted Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1550 (2016) to state, “bare technical violations of the FCRA may not result in a concrete injury.”  In Syed, the plaintiff alleged that he was “confused by the inclusion of the liability waiver with the [FCRA] disclosure and would not have signed it had it contained a sufficiently clear disclosure, as required in the statute.”  The court found that this was a sufficient allegation of actual harm and not only a “bare procedural violation,” which would not pass muster under its interpretation of Spokeo.

In contrast, the Hebert court found that its plaintiff did not allege harm.  The court noted that the plaintiff neither alleged confusion nor an unwillingness to consent to a consumer report had she “clearly understood the required FCRA disclosure.”  The court went on to note that the situation was “[q]uite the opposite” – the plaintiff wanted a job, she understood that it required a background screening, she consented to the consumer report, and ultimately went on to obtain a job with Barnes & Noble.

Between its lines, Hebert has two takeaways.  First, Sierra Club has highlighted a court’s ability to examine standing regardless of whether the issue has been briefed or how far the litigation has proceeded.  The Hebert defendant never disputed standing, and the court brought it up at the summary judgment stage.  Second, even if a defendant finds itself pleased with the court evaluating standing sua sponte, the elation should be tempered.  The Hebert court did not dismiss the case, but rather remanded it back to the state trial court where it started for further consideration.

On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment.  In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US.  In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCCs” or “Clauses”) in principle, but made clear that their legality must be considered on a case-by-case basis in light of the circumstances of the particular transfer.

US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of alternative data transfer mechanisms such as the SCCs, Binding Corporate Rules (“BCRs”) or, where applicable, one of the specific transfer-related derogations provided for in the EU General Data Protection Regulation (“GDPR”).

Last week (9th July), the ICO announced that it would join forces with the Office of the Australian Information Commissioner (OAIC) to investigate the use of personal information, including biometric data, by Clearview AI, Inc. (Clearview). Limited information is available so far, but given the focus of the investigation, this is an important step in determining data protection rights and obligations where information is ‘scraped’ from ‘publicly available’ sources for the purposes of tackling crime.

On July 7, 2020, the CFPB issued its much-anticipated final rule (the “Revocation Rule”) on small dollar lending, rescinding the mandatory underwriting provisions of its 2017 rule governing payday, vehicle title, and certain high-cost installment loans (the “2017 Rule”).  Consistent with its proposal last year, the Revocation Rule rescinds the Mandatory Underwriting Provisions of the 2017 Rule, including those that (1) provide that it is an unfair and abusive practice for a lender to make a covered short-term or longer-term balloon-payment loan without reasonably determining that consumers have the ability to repay those loans according to their terms; (2) prescribe mandatory underwriting requirements for making the ability-to-repay determination; (3) exempt certain loans from the mandatory underwriting requirements; and (4) establish related definitions, reporting, recordkeeping, and compliance date requirements.  The amendments in the Revocation Rule are based on the Bureau’s “re-evaluation of the legal and evidentiary bases for these provisions.”

Specifically, the Bureau revoked the 2017 Rule’s determination that it is an unfair practice for a lender to make covered short-term loans or covered longer-term balloon-payment loans without reasonably determining that consumers will have the ability to repay the loans according to their terms.  It also rescinded the 2017 Rule’s determination that such a practice is abusive, concluding that a lender does not take unreasonable advantage of consumer vulnerabilities when the lender does not consider a borrower’s ability to repay.

Consistent with its proposal last year, however, the Revocation Rule does not amend the Payment Provisions of the 2017 Rule, which address certain requirements and limitations with respect to attempts to withdraw payments on the loans from a consumer’s account.  Rather, with the Revocation Rule, the Bureau issued a ratification of the Payment Provisions in light of the Supreme Court’s recent decision in Seila Law.  It also noted that although the Payment Provisions are currently stayed by court order, the Bureau will seek to have the provisions go into effect within a reasonable period to permit entities to come into compliance.

It’s a difficult task for an agency to reverse course as dramatically as the Bureau did here, and any time it does there is inevitably some risk.  The industry will need to be on guard against efforts to exploit any gaps between the original rule and the revocation.  The Revocation Rule is effective 90 days after its publication in the Federal Register.

If you are a financial institution, you likely won’t want to miss this FTC all-day workshop today (Monday, July 13, 2020), because it will be a day full of panelists discussing all things information security and what proposed changes are being discussed.  Namely, “the workshop will continue to focus on some of the issues raised in response to the FTC’s proposed amendment to the Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.”  The FTC will be streaming it live from its website.

In 2019, the FTC published its request for public comment on its proposal to amend the rule on Safeguarding Customer Information (the “Safeguards Rule”).  In the Notice, the FTC outlined five “main modifications” to the current rule:  (1) “add provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program”; (2) “add[] provisions designed to improve the accountability of financial institutions’ information security programs”; (3) “exempt[] small businesses from certain requirements”; (4) “expand[] the definition of ‘financial institution’”; and (5) “include the definition of ‘financial institution’ and related examples in the Rule itself rather than cross-reference them from a related FTC rule, the Privacy of Consumer Financial Information Rule.”  And here in July 2020, these changes are still being discussed.

Indeed, the FTC extended the comment deadline until August 12, 2020 to allow for more input.  So there is still time to get engaged if you want to have a voice in the proposed changes.  That starts with watching today to learn where things stand, and then being on the lookout for Consumer Privacy World’s detailed follow-up on this important FTC update.

Just a few weeks ago, the Honorable Laurie J. Michelson of the Eastern District of Michigan, Southern Division, commented on the high number of identical lawsuits against Michigan First, covered here. Unfortunately, it did not take very long for Michigan First to be dragged into court again (see Euring v. Equifax Info. Servs., LLC, Civil Action No. 19-CV-11675, 2020 U.S. Dist. LEXIS 119454 (E.D. Mich. July 8, 2020)) for the same charge: “negligently fail[ing] to conduct a proper investigation of Plaintiff’s dispute as required by 15 USC 1681s-2(b).” Plaintiff here also alleged that Michigan First “fail[ed] to direct Equifax and Trans Union to report the [] Tradelines with a monthly payment of $0,” and that the “Tradelines are inaccurate and creating a misleading impression on Plaintiff’s consumer credit file.” Plaintiff also asserted a claim against Michigan First for willful violation of the FCRA based on the same allegations.

Michigan First sought summary judgment on a number of grounds, but the Court focused on just the dispositive ground, which was that the “tradelines at issue … are not inaccurate.” (Emphasis added.) Adopting the FCRA analysis from Euring v. Equifax Info. Servs., LLC, No. 19-CV-11675, 2020 WL 1508344 (E.D. Mich. Mar. 30, 2020), the Court emphasized that the reported monthly payments plainly indicated that both of plaintiff’s accounts were closed and charged off in 2015. Therefore, the non-$0 reported monthly payments could only be understood as the amounts plaintiff had agreed to pay when the loans were extended. And indeed, the “touchstone of the FCRA is accuracy.” Thus, the monthly payment amounts at issue were historically accurate, as was all of the other reported information, such as the date the accounts were opened, when plaintiff stopped making payments, and the credit limits.

Michigan First’s motion for summary judgment was granted, adding to its winning streak, which we definitely would not want to jinx!