Monetary penalties are the attention-grabbing headline when the FTC or any regulator brings an enforcement action against a company. They are the looming threat to incentivize and influence compliance. Over the summer, FTC Chairman Joseph J. Simons (“Chairman Simons”) issued a statement in connection with a settlement that Chairman Simons believes “the goal of a civil penalty should be to make compliance more attractive than violation. Said another way, violation should not be more profitable than compliance.”
Federal Data Privacy Legislation: Will it Help the US Remain Competitive in the Global Marketplace?
On September 17, 2020, four Republican Senators (Roger Wicker – Mississippi, Chairman, John Thune – South Dakota, Deb Fischer – Nebraska, and Marsha Blackburn – Tennessee) introduced sweeping federal privacy legislation entitled: Setting an American Framework to Ensure Data Access, Transparency, and Accountability (“SAFE DATA”) Act. This proposed comprehensive national privacy law has three main components:
Hacked Patient Records Land Athens Orthopedic Clinic in Hot Water with OCR
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.
Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.
FinCEN Rule Ends AML Program Exemption for Banks that Lack a Federal Regulator
On September 15, 2020, the Financial Crimes Enforcement Network (“FinCEN”) published a Final Rule bringing banks that lack a federal functional regulator further under its purview. The rule subjects these institutions to minimum standards for anti-money laundering (“AML”) requirements, including a BSA officer, AML policies and procedures, and regular employee training, among other obligations. It
NYDFS State of Mind: Regulator Focus and Enforcement Trends
On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation, 23 NYCRR 500.00, et seq. The significance of the NYDFS enforcement action cannot be overemphasized. This is the first action filed under the Cybersecurity Regulation, signaling a more aggressive enforcement stance by the regulator. The good news is the filings provide important guidance on best practices and red flags to avoid agency sanctions.
The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing consumer sensitive personal information (e.g., bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, drivers’ license images, etc.). The charges further allege that for almost 5 years (from October 2014 through May 2019) these records were available on First American’s public-facing website to anyone with a web browser. The fact that First American failed to remediate the vulnerability, even after it was discovered by a penetration test in December 2018, was particularly troublesome for the regulators. The charges state that, “Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months. . .” Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and that First American demonstrated a total disregard for the Cyber Regulations.
Subject Access Requests and Cross-Border Privilege: Tips for In-House Counsel
The EU’s General Data Protection Regulation (“GDPR”) contains the much-publicised right of subject access, which gives an individual the right to access a copy of all the personal data a controller holds in relation to him or her.
Under the GDPR, anything that can identify a living individual is personal data. Obvious examples include names, dates of birth, and addresses. Less obvious examples include photographs, identification numbers, or statements of opinion or fact about a person.
The GDPR also has extra-territorial scope, which means that it applies to organisations and businesses outside the borders of the EU if they meet certain criteria. Organisations based outside the EU could therefore find themselves on the receiving end of a subject access request (“SAR”) from an employee, customer or any other individual whose data they process.
Mobile Banking Startup Varo Money Becomes First Fintech Company Granted a National Bank Charter
On July 31, 2020, Varo Money Inc. announced that it was granted a national bank charter by the U.S. Office of the Comptroller of the Currency (OCC). The charter will allow Varo, a mobile banking fintech, to launch a national bank and offer a range of financial services and products that are backed by the Federal Deposit Insurance Corp (FDIC).
The announcement marks a historic moment for fintech companies, as Varo will become the first fintech company to obtain a national bank charter with the OCC.
New York, California and Illinois – the First to Challenge to the OCC’s Valid-When-Made Rule
It did not take long for the Office of the Comptroller of the Currency’s (“OCC”) May 29 Final Rule codifying the valid-when-made principal to face challenges in court. On July 29, the attorneys general for New York, California and Illinois filed suit in the Northern District of California to block the rule, which extended
New York Files Brief in Support of Dismantling OCC’s Fintech Charter
On July 23, 2020, the New York Department of Financial Services (“DFS”) filed its appellate brief asking the Second Circuit Court of Appeals to uphold the lower court’s decision to block the Office of Comptroller of the Currency’s (“OCC”)’s special purpose national bank charter (“fintech charter”).
The DFS initially challenged the OCC’s fintech charter in
Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities?
On July 16, 2020, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on their servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.
Blackbaud’s handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that they paid the cyber-criminal’s ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.