Category: Privacy & Information Security


Deepening the Divide: D.C. Circuit Continues Circuit Split Regarding Standing in Data Breach Class Action Based on Risk of Future Harm

Authors: Andrew C. Glass, Matthew N. Lowe

The D.C. Circuit Court of Appeals recently reaffirmed its position that a plaintiff can establish Article III standing (federal court subject matter jurisdiction) based solely on the risk of potential future harm following a data breach involving his or her personal information. The decision continues the split between the federal circuit courts of appeals regarding the issue.

In re Office of Personnel Management arose out of an alleged 2014 data breach of the eponymous office (the “OPM”).[1] The plaintiffs, current and former federal employees and their unions, sought to represent a putative class of individuals whose personal information, including social security numbers, addresses, and birth dates, was allegedly exposed in the breach.[2] The plaintiffs asserted that certain putative class members had experienced financial fraud or identity theft as a result of the breach and that other members faced the “ongoing risk that they … will become victims of financial fraud and identity theft in the future.”[3] The district court ruled that the plaintiffs lacked standing to sue, holding that the putative class members who had allegedly experienced financial fraud had not pleaded facts demonstrating that the fraud was traceable to the OPM, and that the members who had only pleaded risk of future injury did not plausibly allege that such injury was either substantial or clearly impending.[4]


California Continues Its Role as a Privacy Vanguard: California Consumer Privacy Act Of 2018

By Julia B. Jacobson, Jeffrey S. King, Alidad Vakili

On June 28, 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (“CCPA”).[2] CCPA grants new privacy rights to Californian residents and applies a notice and consent framework to most businesses operating in California that collect personal information from those residents.


Dodd-Frank Reform 2.0

By: Daniel F. C. Crowley, Bruce J. Heiman, William A. Kirk, Karishma Shah Page, Dean A. Brazier, Eric A. Love, Eli M. Schooley

Recent activity in Congress suggests that the return from the July 4th recess will see a continued push to reform the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”) before year’s end. This alert provides an overview of the current state of play and the most likely outcome.


The Screen Scrape Debate will not Abate

By Judith E. Rinearson, Rizwan Qayyum

The debate surrounding “screen-scraping” continues as Member States of the European Union prepare for the impending Second Payment Services Directive (“PSD2”). Screen scraping is the practice in which third-party Payment Initiation Service Providers (“PISPs”) and Account Information Service Providers (“AISPs”) access a client’s bank accounts using the client’s own credentials in order to perform a service. As heralded in our discussion in July identifying the problem, the European Banking Authority (“EBA”) maintained its stance of outlawing the practice in the final draft Regulatory Technical Standards (“RTS”) on secure communication and Strong Customer Authentication (“SCA”). Consistent industry pressure has led the European Commission (“EC”) to ask the EBA to permit AISPs and PISPs to utilise screen scraping as a “fallback option”.


District Court Set to Rule on Cross Motions for Summary Judgment in First Amendment Challenge to TCPA

By Andrew C. Glass, Gregory N. Blase, Christopher J. Valente, Michael R. Creta, and Natasha C. Pereira

Last week, a bi-partisan coalition of political groups and the federal government completed briefing cross motions for summary judgment in American Association of Political Consultants, Inc., et al. v. Sessions, Case No. 5:16-cv-00252-D (E.D.N.C.). The case challenges the constitutionality of a portion of the Telephone Consumer Protection Act (“TCPA”). The plaintiffs contend that the TCPA’s prohibition on making auto-dialed calls or texts to cell phones without the requisite consent, 47 U.S.C. § 227(b)(1)(A)(iii) (the “cell phone ban”), imposes a content-based restriction on speech that fails to pass strict scrutiny and is unconstitutionally under-inclusive (the plaintiffs’ complaint is discussed here). The government is defending the statute’s constitutionality (previously discussed here).


No Class Conflict in Data Breach Settlement Involving Class Members With and Without Economic Injury

By Andrew Glass, Matthew Lowe, and Brandon Dillman

On remand from the Eighth Circuit,[1] the United States District Court for the District of Minnesota recently recertified a data breach settlement class over an objector’s assertion of an intraclass conflict.  Specifically, the objector asserted that a conflict existed between class members who purportedly had suffered loss and were guaranteed a payout under the proposed settlement, and those who had not suffered loss and were not guaranteed a payout.  See In re Target Customer Data Security Breach Litig., No. 14-2522 (PAM), 2017 WL 2178306 (D. Minn. May 17, 2017).  In rejecting the objector’s alleged conflict, the Court emphasized that “the question is not whether there is any potential or theoretical conflict among class members, it is whether class members’ different interests are antagonistic to each other.”  Id. at *3.


FDIC Economic Inclusion Summit A Good Reminder of Fair and Responsible Banking Practices

By Soyong Cho

Yesterday, the FDIC hosted a day-long Economic Inclusion Summit that brought together stakeholders in private industry, the government, and non-profit organizations to discuss strategies to expand credit to under-served communities. Speakers stressed the need to understand the personal and financial challenges facing low- and moderate-income (“LMI”) populations in order to more effectively design products and marketing channels to reach LMI communities. Big data and technology were identified as key factors in reducing costs and profitably serving LMI customers.

Banks are of course rated on their outreach initiatives to under-served communities under the Community Reinvestment Act (“CRA”), but profitably expanding their customer base is also good business. The FDIC’s Summit serves as a reminder of the established programs, partnerships, and networks that exist to assist banks to meet their CRA obligations. However, it is also a good reminder that banks must be sensitive to the regulatory compliance and other risks attendant with marketing to and servicing LMI communities in particular, as even the best intentions can be undermined by flawed implementation or unclear regulatory guidance. Among others, UDAAP, fair lending, and privacy issues should be considered in all phases of product development and delivery. In the coming months, K&L Gates will be hosting a series of webinars focused on the nuts and bolts of consumer protection compliance.

FCC Begins Rulemaking Process to Allow Blocking of “Spoofed” Number Calls

By Pamela J. Garvie, Andrew C. Glass, Joseph Wylie II, Gregory N. Blase, and Matthew T. Houston

The Federal Communications Commission unanimously voted at its March 23, 2017, “open meeting” to begin the process for adopting rules allowing carriers to block “spoofed” number calls. These are calls that use a reputable or commonly-known telephone number to mask the actual originating number. The proposed rules would allow carriers to block calls purporting to originate from telephone numbers that (1) are not assigned to a subscriber, (2) are invalid, or (3) are assigned to a subscriber expressly requesting that its number not be spoofed. In his remarks, Chairman Ajit Pai indicated that the proposed rules are needed to target scammers impersonating federal agencies, such as the Internal Revenue Service, and to protect consumers from unwanted solicitations. Commissioner Michael O’Rielly indicated that the proposed rules aim to address illegal “robocalls” in a manner that does not affect legitimate businesses, as opposed to prior efforts to regulate such calls under the Telephone Consumer Protection Act, 47 U.S.C. § 227. The proposed rules and accompanying comments suggest an effort by the now Republican-controlled FCC to issue rules specifically intended to block unwanted robocalls, often from overseas, intended to defraud consumers.

The FCC approved both a Notice of Proposed Rulemaking and a Notice of Inquiry to solicit feedback from consumers and other parties with an interest in the proposed rules. Comments on the proposed rules will be due within forty-five (45) days after publication in the Federal Register. Final rules are unlikely to take effect earlier than late 2017.

Federal Government Not Successful in Moving to Dismiss First Amendment Challenge to TCPA

By Andrew C. Glass, Gregory N. Blase, Christopher J. Valente, and Michael R. Creta

A North Carolina federal district court recently denied a motion by the federal government to dismiss claims raising a First Amendment challenge to a portion of the Telephone Consumer Protection Act (“TCPA”). See American Ass’n of Political Consultants v. Lynch, Case No. 5:16-00252-D (E.D.N.C.). At this early stage of the case, the government did not address the substance of the constitutional challenge. Rather, the government asserted that the court did not have jurisdiction over the case and that the political organizations which filed the suit did not have standing to maintain suit. The court, however, rejected the government’s arguments and allowed the case to proceed.


Eighth Circuit Requires Further Review of Data Breach Settlement Involving Class Members Who Have No Loss

By Andrew C. Glass, Matthew N. Lowe, and Brandon R. Dillman

In a decision that could affect the resolution of future data breach class actions, the Eighth Circuit recently set aside the settlement in the Target Corp. data breach litigation. See In re Target Corp. Customer Data Security Breach Litig., No. 15-3909, — F.3d —, 2017 WL 429261 (8th Cir. Feb. 1, 2017). The litigation arose from claims that in 2013, hackers compromised credit and debit card data of up to 110 million Target customers. The parties ultimately agreed to settle on a class basis. According to the settlement agreement, Target agreed to establish a $10 million settlement fund, which would be allocated first to class members with documented losses and then to members with asserted, but undocumented, losses. Members who had “suffered no loss from the security breach [would] receive nothing from the settlement fund,” but would still be “bound under the settlement to release Target from liability for any claims” that may someday arise in the future. Id. at *1.


Copyright © 2019, K&L Gates LLP. All Rights Reserved.