In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

  • Two Significant AI Announcements: Spooky for AI Developers?
  • Last Chance to Register for In-Person CLE: The Important Role Legal Plays in an Era of Growing Data Risks: Key Findings From the 2023 ACC CLO Report
  • Cyber and AI talks in Tokyo
  • Join us for a Roundtable: Preparing for the EU Artificial Intelligence Act – Brussels
  • UPDATED BLOGPOST: Online Safety in Digital Markets Needs a Joined-Up Approach with Competition Law in the UK
  • FTC Amends GLBA Safeguards Rule to Require Reporting of Certain Data Breaches
  • Unclear on AI Contracting in the EU – the European Commission Is Pleased to Help
  • Congress’ Growing Focus on AI Policy
  • California Attorney General Appeals Federal Court Ruling That Online Child Safety Act Is Likely Unconstitutional

After much anticipation, the Securities and Exchange Commission (the “Commission”) has adopted Regulations (the “Regulations”) regarding public companies’ obligations to include disclosure in annual reports on Form 10-K (Form 20-F for foreign issuers) regarding material cybersecurity risks, risk management and governance, and to file current reports on Form 8-K (for 6-K for foreign issuers) to report material cybersecurity incidents. The Commission adopted many of the reporting requirements proposed in the March 2022 draft of the Regulations and discussed in our prior blog post. Notably, the obligation to disclose information regarding the Board of Directors’ cybersecurity expertise was eliminated from the final Regulations based on feedback from commentors who objected to this requirement. In the coming days, we will publish a thorough article regarding public companies’ new reporting obligations, but in this post we briefly summarize the new requirements adopted.

Continue Reading SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations

Privacy teams have more to do now that Gov. Abbott has signed the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last-minute amendments. This is in addition to the new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.

Importantly, there is no minimum number of records processed or annual revenue threshold for a business to fall within the scope of the law. It applies broadly to companies that do business in the state and that process or sell personal data. It does contain the usual entity-level and data-level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context. Continue Reading Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law

Today, Governor Jay Inslee signed into law the My Health My Data Act (SB 1155) (the “Act” or “MHMD”), a first-of-its-kind consumer health data law. Passage of the Act was, in part, a direct response by Washington state lawmakers to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org. overturning Roe v. Wade. Recognizing that the nation’s federal health law, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has blind spots in protecting health-related information collected outside of contexts involving HIPAA covered entities (e.g., healthcare institutions), the legislature in passing MHMD sought to “close the gap” in privacy protections for health data that falls outside the scope of HIPAA, including information related to reproductive health and gender-affirming care. Continue Reading Governor Inslee Signs Washington My Health My Data Act Into Law: First-of-Its-Kind Consumer Health Data Law, Explained

One of the most notable trends in Illinois Biometric Information Privacy Act (“BIPA”) class action litigation is the marked increase in the number of class actions targeting third-party biometric technology vendors, such as identity authentication systems and employee timekeeping devices. Importantly, because these vendors do not maintain any direct relationship with the end users of their technology, compliance with Illinois’s biometric privacy statute—especially its notice and consent requirements—can be a challenging undertaking. Despite this, to date, the majority of courts have held that BIPA nonetheless applies equally to vendors vis-à-vis employers and other entities that maintain direct relationships with biometric data subjects.

Earlier this month, an Illinois federal court rejected a selfie ID facial recognition identity verification vendor’s bid for dismissal of a BIPA class action in Davis v. Jumio Corp., No. 22 CV 776, 2023 WL 2019048 (N.D. Ill. Feb. 14, 2023). The Davis decision illustrates the scope of exposure faced by vendors for alleged non-compliance with BIPA, as well as the challenges and complexities in obtaining dismissals of biometric privacy class actions prior to the commencement of costly discovery.

Background

Plaintiff maintained a membership with the online cryptocurrency marketplace operated by Binance. Jumio Corporation provides facial recognition identity verification services for its clients, including Binance. Plaintiff sued Jumio, alleging that the company violated BIPA’s Section 15(b) notice and consent requirements when it collected his biometric data during the process of verifying his identity for Binance.

Jumio moved to dismiss the class action pursuant to Federal Civil Rule 12(b)(6). Jumio raised two arguments in support of dismissal. First, Plaintiff’s suit was barred by BIPA’s financial institution exemption. Second, dismissal of the complaint was warranted under Illinois’s extraterritoriality doctrine.

The Decision

The court first considered whether BIPA’s exemption for financial institutions precluded Plaintiff’s claims against Jumio. BIPA Section 25(c) provides that “[n]othing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [(“GLBA”)] and the rules promulgated thereunder.”

In raising this argument, Jumio did not contend that it was a financial institution itself; rather, Jumio argued that Binance was a financial institution and, as a result, applying BIPA to Jumio in connection with use of the Binance App would effectively result in applying BIPA to Binance, an action that is proscribed by BIPA.

The court disagreed, finding several flaws in Jumio’s argument. First, the court declined to consider materials submitted by Jumio in support of its motion to dismiss, which Jumio had argued allowed the court to take judicial notice of Binance’s qualification as a financial institution for purposes of BIPA’s Section 25(c) exemption. The court instead held that “Binance’s self-serving statements (such as characterizing itself as a financial institution in other litigation to avoid liability under BIPA) need not be accepted as true and do not support taking judicial notice of the contested fact that Binance is, in fact, a financial institution.” The court also held that the allegations in the complaint were similarly inadequate to demonstrate Binance’s status as a financial institution because, other than using the term “cryptocurrency marketplace,” the complaint contains no further factual allegations about the financial activities of Binance.

Second, the court found that even if Binance was found to be a financial institution within the meaning of the GLBA—thus triggering the Section 25(c) exemption—it did not necessarily follow that the claim against Jumio was barred. In so doing, the court rejected Jumio’s argument that because its software was embedded and integrated into the Binance App, BIPA would be applied to Binance “in any manner” in contravention of Section 25(c) in the event the court granted the Plaintiff’s requested relief under the Illinois biometrics law. The court explained that even if Jumio were ordered to comply with BIPA’s notice and consent requirements, Jumio might have to modify the software it provided to Binance; Binance, however, would still nonetheless have no affirmative obligation under BIPA to change the Binance App. Without further information regarding how the Binance App functioned and how Jumio’s software was integrated into the Binance App, the court was unable to determine the extent to which requiring Jumio’s compliance with BIPA would necessitate changes to how Binance did business, such that BIPA could be construed as applying “in any manner” to Binance.

Accordingly, the court declined to dismiss the class action pursuant to BIPA’s financial institution exemption.

The court then turned to Jumio’s argument that Illinois’s extraterritoriality doctrine barred Plaintiff’s lawsuit. In Illinois, a statute is without extraterritorial effect unless a clear intent appears from the express provisions of the statute. Both parties agreed that BIPA did not apply extraterritorially. Therefore, for BIPA to apply to Jumio’s conduct, the circumstances giving rise to the suit must have occurred “primarily and substantially in Illinois.”

Jumio argued that the complaint did not allege that any relevant conduct giving rise to the class action occurred in Illinois, aside from Plaintiff’s allegation that he was an Illinois resident. Notably, after Jumio filed its motion to dismiss, Plaintiff added allegations in his response brief to bolster his opposition to Jumio’s extraterritoriality argument. In its reply, Jumio posited that dismissal was still warranted, as Plaintiff’s new allegations failed to allege that any of Jumio’s conduct took place within the borders of Illinois.

Considering the allegations in the complaint, as supplemented by additional facts in his response brief, the court found that Plaintiff sufficiently alleged a plausible claim that Jumio’s BIPA violations occurred primarily and substantially in Illinois. Specifically, the court found that the following allegations, without more, were enough at the pleading stage to avoid dismissal based on Jumio’s extraterritoriality argument: (1) Plaintiff was an Illinois resident; (2) Jumio conducted business transactions in Illinois; and (3) Plaintiff submitted photographs of his driver’s license and face through the Binance App while in Illinois.

Analysis & Takeaways

Continued Trend of Broad Exposure for Third-Party Biometrics Vendors and Service Providers

Since the start of the year, the Illinois Supreme Court has issued two notable plaintiff-friendly opinions, which resolved the uncertainty surrounding the applicable statute of limitations for BIPA claims and the issue of claim accrual in BIPA litigation, respectively, and in the process significantly expanded the scope of potential liability exposure for BIPA non-compliance. The applicability of BIPA to third-party vendors, however, remains a significant area of ambiguity. To date, the majority of courts to analyze the issue have held that BIPA applies to vendors and service providers, even if they do not directly interface with end users. This line of reasoning was most recently affirmed in early February 2023 by an Illinois federal court in Johnson v. NCR Corp., No. 22 CV 3061, 2023 WL 1779774 (N.D. Ill. Feb. 6, 2023) (for more information on the Johnson opinion, you can read Privacy World team member David Oberly’s article analyzing the decision for Biometric Update here).

Davis further illustrates the potential perils that vendors face if they fail to satisfy the full range of BIPA compliance requirements when offering biometrics-related products and services to their commercial clients.

Scope of BIPA’s Financial Institution Exemption Not Unlimited

To date, the Section 25(c) financial institution exemption has been one of the most robust defenses to BIPA class actions, resulting in the dismissal of a number of defendants not traditionally known as “financial institutions,” such as colleges and universities. The Davis decision, however, demonstrates that the contours of the financial institution exemption are not unlimited.

In rejecting the vendor’s assertion of the financial institution exemption as a bar to the BIPA claims asserted against it, the Davis court relied primarily on the lack of sufficient evidence demonstrating that the defendant’s customer was, in fact, a financial institution entitled to seek refuge under BIPA Section 25(c). The reasoning of the Davis court comports with other courts that have denied motions to dismiss asserting BIPA’s financial institution exemption as a complete defense to liability—which have also found inadequate evidence demonstrating that the defendant or a related entity satisfied the GLBA’s definition of a financial institution so as to make Section 25(c) applicable to bar BIPA claims.

Importantly, Davis illustrates that defendants seeking dismissal pursuant to the financial institution exemption need to ensure that their motions are properly supported with sufficient evidence to permit a finding that Section 25(c) applies to the specific activities engaged in by the entity at issue in order to maximize the likelihood of a favorable outcome on a motion seeking to definitively end class action litigation. This task is especially critical when pursuing motions to dismiss, where the scope of evidence that can be considered by the court is curtailed.

Challenges Faced by Defendants in Procuring Dismissals from BIPA Litigation at the Pleading Stage

BIPA class actions have been challenging to defeat at the pleading stage, which is due to a combination of factors that include the deference given to Plaintiff’s allegations for purposes of a motion to dismiss, the lack of guidance offered to courts by BIPA’s statutory text, and courts’ willingness to interpret BIPA’s compliance requirements in a manner that heavily favors the plaintiff’s bar.

Davis is a textbook example of these challenges that are often faced by defendants in attempting to obtain dismissals of BIPA disputes before proceeding to the discovery phase of litigation. Of note, although courts are generally only permitted to consider the allegations in the complaint on a motion to dismiss, the Davis court permitted the Plaintiff’s elaborations to the complaint’s factual allegations in his response brief to be considered in ruling on the defendant’s motion to dismiss. Further, the court found that the Plaintiff’s allegations were sufficient at the pleading stage to plausibly allege circumstances that the alleged BIPA violation occurred in Illinois so as to avoid dismissal on extraterritoriality grounds, even though the Plaintiff only alleged a single fact relating directly to the defendant’s conduct—that it engaged in business transactions in Illinois. More than that, in rejecting Jumio’s extraterritoriality argument, the court acknowledged that discovery might reveal that the connection to Illinois is “sufficiently tenuous” as to warrant revisiting the matter at summary judgment, but that was not enough to prevent the case from moving past the pleading stage.

To mitigate BIPA litigation risk, all types of entities that use biometric data in their operations should consider taking a conservative approach to compliance—one that ensures all applicable BIPA requirements are satisfied—even where it is not definitively clear that Illinois’s biometrics statute applies to organizational operations.

Specifically, companies should ensure they maintain flexible, comprehensive biometric privacy compliance programs, which should include (among other things) the following:

  • A publicly-available, biometrics-specific privacy policy;
  • Set data retention and destruction guidelines and schedules containing a clear and unambiguous description of the event trigger(s) that will prompt the immediate and permanent destruction of an individual’s biometric data;
  • A mechanism for ensuring written notice is supplied to all data subjects before the time biometric data is collected; and
  • A separate mechanism for ensuring written consent is obtained, allowing the vendor to collect, possess, retain, store, and disseminate biometric data before the time any such data is obtained.

For more, stay tuned. Privacy World will be there to keep you in the loop.

Last week, on March 15, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) continued its aggressive push to regulate the cybersecurity of entities in the financial services sector, proposing three rules affecting a variety of SEC-regulated entities, including broker-dealers, investment companies, and investment advisers, as we covered here on Privacy World.  These proposals have been in the works since at least early 2022, when SEC Chair Gary Gensler previewed rulemaking his staff was considering.

In addition, the SEC reopened the comment period with respect to the regulations relating to investment advisers, investment companies, and business development funds for an additional 60 days, after the regulation was initially made available in February 2022.  However, similar regulations for publicly traded companies from March 2022, relating to Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, remain in draft form and are still awaiting finalization.  Notwithstanding, the Commission has continued to release regulations, in accordance with the Biden-Harris Administration National Cybersecurity Strategy to secure the digital ecosystem for all Americans.

Accordingly, the three new proposals—totaling over 1000 pages—are summarized below.  The public has at least 60 days to submit comments to the SEC on the proposed rules.

Regulation S-P

Following the enactment of the Gramm-Leach-Bliley Act of 1999, the SEC promulgated the current Regulation S-P, which imposes three requirements on registered broker-dealers, investment companies, and investment advisers (“covered institutions”) related to protecting certain “nonpublic personal information.”  First, covered institutions must adopt policies to protect nonpublic personal information (the “Safeguards Rule”).  Second, covered institutions must dispose of “consumer report information” in a secure manner (the “Disposal Rule”).  Third, covered institutions must provide a privacy notice regarding the nonpublic personal information collected and allow customers to opt out of sharing with non-affiliated third parties.

The SEC’s new proposal would augment the requirements of Regulation S-P’s Safeguards and Disposal Rules, while imposing new requirements related to the investigation and reporting of data breaches.  If adopted, the proposed rules would expand the scope of the previous rules to cover “customer information,” defined as any “nonpublic personal information” about a “customer of a financial institution.”  § 248.30(e)(5)(i).  Currently, Regulation S-P applies to “customer records and information,” a term that is undefined by both the GLBA and Regulation S-P.  Accordingly, the amendment is intended to align Regulation S-P with “the objectives of the GLBA” and with the definition of “customer information” in the FTC’s Safeguards Rule.

Under the proposal, covered institutions would be required to implement an “incident response program” that is “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”  § 248.30(b)(3).  As part of the incident response program, covered entities would be required to notify their customers within 30 days “after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.”  § 248.30(b)(4)(iii).

However, an entity is not required to provide notice if it determines that “sensitive customer information” was not likely to be “used in a manner that would result in substantial harm or inconvenience.”  § 248.30(b)(4)(i).  The term “sensitive customer information” is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”  § 248.30(e)(9)(i).  As SEC Commissioner Hester M. Peirce noted in her accompanying statement, the limits of this definition are unclear.  In its request for comment, the SEC asks whether “the proposed standard for providing notification is sufficiently clear[.]”

Finally, the proposed rule would extend these requirements to include “transfer agents” registered with the SEC as covered entities subject to Regulation S-P.

Market Entities: Rule 10 and Form SCIR

By a 3-2 vote, the SEC proposed a new Rule 10 and Form SCIR for certain “Market Entities” that operate critical infrastructure for the securities markets: broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.  The proposed Rule 10 consists of three main requirements.

First, Market Entities would be “required to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the [Market Entity’s] cybersecurity risks.”  § 242.10(b)(1), (e)(1).  At a minimum (except for small broker-dealers), these policies and procedures would need to include provisions addressing: (1) periodic risk assessments, (2) minimizing user risk, (3) protecting system information, (4) managing cybersecurity threats, and (5) responding to cybersecurity incidents.  § 242.10(b)(1).

Second, Market Entities would be required to give the SEC “immediate written electronic notice upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.”  § 242.10(c)(1), (e)(2).  Under the draft regulations, significant cybersecurity incidents are those that: (1) “significantly disrupt or degrade the ability of the Market Entity to maintain critical operations”; and (2) result in unauthorized access to or use of information or information systems that leads to either “substantial harm to the Market Entity” or “substantial harm to a customer, counterparty, member, registrant, or user of the Market Entity, or to any other person that interacts with the Market Entity.”  See Proposal sec. II.A.2.  Market Entities (other than small broker-dealers) would be required to file a report with the SEC within 48 hours of having a reasonable basis to conclude that a significant cybersecurity incident occurred.  § 242.10(b)(2)(i).  The form and required content of the report would be set by the SEC in its new Form SCIR.

Third, similar to other pending cybersecurity proposals from the SEC, Market Entities (other than small broker-dealers) would be required to disclose “a summary description of the cybersecurity risks that could materially affect the covered entity’s business and operations and how the covered entity assesses, prioritizes, and addresses those cybersecurity risks.”  § 242.10(d)(1)(i).  Additionally, the Market Entity would be required to disclose a summary of significant cybersecurity incidents for the previous calendar year.  § 242.10(d)(1)(ii).

Regulation SCI

By another 3-2 vote, the SEC proposed both expanding the scope of entities subject to its Regulation Systems Compliance and Integrity (“Regulation SCI”) and adding to its requirements.  Under the current Regulation SCI, certain “SCI Entities”—including stock exchanges, clearinghouses, and alternative trading systems—must satisfy certain technological and business continuity requirements.

The proposal would add to the list of SCI Entities (1) registered security-based swap data repositories, (2) large broker-dealers, and (3) all clearing agencies exempt from SEC registration.  § 242.1000.  As Chair Gensler noted in his accompanying statement, the proposal would grow the number of SCI entities from roughly four dozen today to six dozen.

The proposed amendments to Regulation SCI include several provisions relating to management of third-party service providers, including a requirement that such providers be part of an SCI Entity’s annual business continuity and disaster recovery testing.  § 242.1001(a)(2)(v), (ix).  Additionally, SCI Entities must conduct risk assessments regarding third-party service providers, “including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed.”  See Proposal sec. III.C.2.a.  Other more technical requirements include: (1) mandating an inventory of the SCI Entity’s systems, (2) increasing the required frequency of penetration testing, (3) mandating disclosure to the SEC of distributed denial of service (DDoS) attacks and other indirect disruptions, (4) further detailing the review SCI Entities must conduct, and (5) adopting a safe harbor for SCI Entities that employ industry standards such as the National Institute of Standards and Technology’s (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity.  See Proposal sec. III.C.1, .3–.5.

***

As the dissenting Commissioners stressed in their statements, the proposals, if adopted, would introduce significant regulatory overlap for several kinds of SEC registrants, including broker-dealers.  It is likely that public feedback submitted during the comment period will point to other issues raised by any or all of the cybersecurity proposals.  Privacy World will be following the rulemaking process and be here to keep you in the loop.

Almost one year to the day after Utah enacted the Utah Consumer Privacy Act (“UCPA”), Iowa is one signature (Governor Kim Reynolds’) away from passing the sixth comprehensive consumer data privacy law, joining California, Colorado, Virginia, Connecticut, and Utah. Continue Reading Iowa is the Latest State to Pass Comprehensive Privacy Legislation

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students. Continue Reading Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Welcome to the 2022 Q3 edition of the Artificial Intelligence & Biometric Privacy Report, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team.

Also, we are extremely pleased to announce that our own Kristin Bryan was named as a 2022 Law360 Cybersecurity & Privacy MVP. As Law360 notes, “[t]he attorneys chosen as Law360’s 2022 MVPs have distinguished themselves from their peers by securing hard-earned successes in high-stakes litigation, complex global matters and record-breaking deals.” You can read more about Kristin’s Law360 award here: Law360 MVP Awards Go to 188 Attorneys From 78 Firms.

Continue Reading 2022 Q3 Artificial Intelligence & Biometric Privacy Report

For almost four years now, attorneys have remained relentless in their quest to extend the outer boundaries of the Illinois Biometric Information Privacy Act (BIPA) as far as courts are willing to allow. During this period, many defendants have struggled with procuring dismissals of BIPA class claims.

One particular defense, however, has developed into an extremely robust tool for companies engaged in biometric privacy class suits: BIPA’s “financial institution” exemption. Contrary to what its name suggests, the benefits of this entity-level carve-out extend to a range of entities well beyond traditional banks and financial institutions. A recent BIPA opinion issued by a Northern District of Illinois court demonstrates the expansive scope of the exemption and provides several key takeaways for defendants to defend against—and outright defeat—BIPA claims at a time when biometric privacy class action exposure continues to grow.

Continue Reading Federal Court Dismisses Biometric Privacy Class Action Brought Against University, On Basis It Was a Regulated “Financial Institution”