Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg.  The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees. View Full Post
Last week, the Office of the Comptroller of the Currency (OCC) released its semiannual risk report highlighting credit, operational, and compliance risks to the federal banking system. The report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource by those financial institutions to address the key concerns identified by the OCC.  View Full Post
  Last week, the OCC released its semiannual risk report highlighting credit, operational, and compliance risks to the federal banking system.  The report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource by those financial institutions to address the key concerns identified by the OCC.  View Full Post
OCC Report: Cybersecurity and Money Laundering Threats are the Key Risks Facing Banks Last week, the Office of the Comptroller of the Currency (“OCC”) released its semiannual risk report (“Report”) highlighting credit, operational, and compliance risks to the federal banking system.  The Report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource to by those financial institutions to address the key concerns identified by the OCC.  View Full Post
The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  View Full Post
This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation impacting consumer reporting agencies.  The new regulation was adopted on an emergency basis and went into immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach. View Full Post
The CFPB has released a set of “Consumer Protection Principles” for participants “in the developing market for services based on the consumer-authorized use of financial data.”  According to the CFPB, the principles “do not themselves establish binding requirements or obligations relevant to the Bureau’s exercise of its rulemaking, supervisory, or enforcement authority” and “are not intended as a statement of the Bureau’s future enforcement or supervisory priorities.”  Rather, the CFPB describes the principles as “express[ing] the Bureau’s vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value” and are intended “to help safeguard consumer interests as the consumer-authorized aggregation services market develops.” In November 2016, the CFPB issued a request for information about market practices related to consumer access to financial information.  View Full Post
The FTC has announced that it will host a workshop on December 12, 2017 in Washington, D.C. to examine consumer injury in the context of privacy and data security. In the workshop, the FTC plans to examine questions about the injury consumers suffer when information about them is exposed or misused such as “how to best characterize these injuries, how to accurately measure such injuries and their prevalence, and what factors businesses and consumers consider when evaluating the tradeoffs involved in collecting, using, or providing information while also potentially increasing their exposure to injuries.” The types of consumer harm that flow from data security and privacy breaches has significant implications both for government enforcement and private actions.  View Full Post
  Last week, New York Governor Andrew Cuomo issued a press release directing the New York Department of Financial Services (“NYDFS”) to impose new rules on consumer reporting agencies (“CRAs”).  The proposed regulation would subject CRAs that issue consumer reports (as defined in a manner similar to the federal Fair Credit Reporting Act) about consumers located in New York to new requirements, including: Annual registration with NYDFS – such registration must identify officers and/or directors that are responsible for the CRAs’ compliance with the new regulation; Annual, and in some cases quarterly, information reporting requirements to NYDFS; NYDFS examinations to be conducted as often as NYDFS considers “necessary”; Prohibitions against various activities, such as including inaccurate information in a consumer report or engaging in any unfair, deceptive, abusive, and/or predatory acts or practices; Communicating with consumers’ authorized representatives; and Compliance with the newly issued NYDFS cybersecurity regulation (see Ballard alert). View Full Post
On July 17th, the Federal Trade Commission (FTC) announced reforms to its civil investigative demand (CID) process designed to streamline information requests and improve transparency in FTC investigations.  The process reforms that will be implemented for consumer protection cases include: Providing plain language descriptions of the CID process and developing business education materials to help small businesses understand how to comply; Adding more detailed descriptions of the scope and purpose of investigations to give companies a better understanding of the information the agency seeks; Where appropriate, limiting the relevant time periods to minimize undue burden on companies; Where appropriate, significantly reducing the length and complexity of CID instructions for providing electronically stored data; Where appropriate, increasing response times for CIDs (for example, often 21 days to 30 days for targets, and 14 days to 21 days for third parties) to improve the quality and timeliness of compliance by recipient; and Ensuring companies are aware of the status of investigations by adhering to the current practice of communicating with investigation targets concerning the status of investigations at least every six months after they comply with the CID. View Full Post
Today, the House Appropriations Committee’s Subcommittee on Financial Services and General Government will mark up its draft fiscal year 2018 appropriations bill.  The draft bill contains multiple provisions to reform the CFPB, which include: Eliminating the CFPB’s supervisory authority; Removing the CFPB’s UDAAP authority; Repealing the CFPB’s authority to place restrictions on arbitration; and Creating an exemption from risk retention requirements for nonresidential mortgages. View Full Post