Dechert Cyber Bits - Issue 57

Dechert LLP

CFPB Director Chopra Emphasizes “Pressing Need” for Data Protections

On June 12, 2024 and June 13, 2024, Consumer Financial Protection Bureau Director Rohit Chopra appeared before the Senate Banking Committee and the House Financial Services Committee, respectively, for hearings on the CFPB’s semi-annual report to Congress. In both hearings, Director Chopra advocated for measures that would increase legal protections for consumers’ personal financial data.

In his opening statement to the Senate Banking Committee, Director Chopra outlined the CFPB’s efforts to develop a regulatory framework aimed at enhancing consumer privacy protections. For example, the Director reported that the CFPB is working to finalize a banking rule that would “develop data sharing standards and privacy protections when people transfer their financial data to competing companies.” He also reported that the CFPB is working on a rule that aims “to restrict uses of certain sensitive data by data brokers.”

Director Chopra’s testimony before the House Financial Services Committee touched on similar themes. More specifically, he identified a “pressing need” for more robust protections of consumers’ personal data and consumers’ financial privacy, as consumers’ personal information continues to be collected and monetized. The Director also explained that his concerns are exacerbated by technology companies playing a more prominent role in the provision of financial services, which, he argued, could increase the collection of personal data. For these reasons, Director Chopra contended that consumer data privacy is a “critical issue with high stakes for our economy, our national security and our liberty.” He urged the House Financial Services Committee to take action in furtherance of consumer privacy protection by “enshrining stronger protections into law.”

Takeaway: Director Chopra’s testimony before these Congressional Committees suggests that the CFPB’s increased focus on consumer privacy protections in the digital age is here to stay and that the CFPB will continue to propose new regulations and pursue enforcement actions aimed at limiting the collection and use of consumer data by banks, data brokers, and other companies in the consumer finance ecosystem. Yet another regulator focused on these issues undoubtedly will lead to increased enforcement in this area, particularly with respect to data sharing and data brokers.

California's AG Announces Blackbaud Settlement

California Attorney General Rob Bonta announced, on June 13, 2024, a $6.75 million settlement (the “Settlement”) with Blackbaud—a South Carolina-based software company that provides data management software to nonprofit organizations—for violations of California’s Reasonable Data Security Law, Unfair Competition Law, and False Advertising Law. Blackbaud previously settled actions brought by state attorneys general from 49 states and Washington D.C., the Federal Trade Commission, and the Securities and Exchange Commission. For our report on Blackbaud’s settlement with the FTC, see Issue 49.

The Settlement stems from a 2020 data breach allegedly caused by Blackbaud’s failure to implement basic data security practices, such as multi-factor authentication (“MFA”) or monitoring for suspicious activity on systems with personal information, and what authorities alleged were Blackbaud’s misleading statements after the breach. The Attorney General alleged that the company compounded the effect of the breach by issuing misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach.

In addition to the $6.75 million penalty, the Settlement requires Blackbaud to strengthen its data security and breach notification practices, including:

  • Implementing a process to store database backup files containing personal information to the minimum extent necessary and ensuring the secure disposal of such files.
  • Implementing password confidentiality and password-rotation or authentication protocols.
  • Tightening security infrastructure policies and procedures, including network segmentation and monitoring for suspicious activity.

Takeaway: The California Settlement is the latest in a series of actions against Blackbaud for its alleged mismanagement of its 2020 breach. Importantly and not surprisingly, the California Attorney General’s office considers MFA and system monitoring basic data security practices. This is undoubtedly a stance that most regulators would take. As such, companies should ensure that they have such policies and practices in place and that MFA is enabled on all company accounts. Taken together, the flurry of actions against Blackbaud show that federal and state agencies are increasingly willing to take a hard line against companies they believe have failed to implement basic data security practices and/or have made misleading statements regarding data security practices and data breaches.

High Court of England and Wales Clarifies Subject Access Request Exemptions

The High Court of England and Wales handed down judgment, on June 7, 2024, in Harrison v. Cameron and ACL—exploring a number of exemptions to subject access requests (“SARs”) under Article 15 of the UK General Data Protection Regulation (“UK GDPR”). The dispute stemmed from business phone calls in which the claimant repeatedly made threats of violence that were surreptitiously recorded by one of the defendants, who subsequently shared the recordings with a number of colleagues, friends and family members. The claimant alleged that the recordings were shared with several of his professional peers and competitors, causing his company to lose business. Through a SAR, the claimant sought the identities of the individuals to whom the recordings had been disclosed. The defendants refused to provide the identities, citing numerous exemptions.

The defendants asserted that the sharing of the recordings with friends and family fell outside the scope of the UK GDPR because the UK GDPR does not apply to the processing of personal data “in the course of a purely personal or household activity.” The High Court, however, relied on a pre-Brexit Court of Justice of the European Union (“CJEU”) decision that emphasized the word “purely”, holding that because the recordings were of business calls, the defendant was not acting in the course of a “purely” personal or household activity and the sharing was therefore in scope.

Turning to the issue of disclosure of the identities of the recording recipients, the High Court agreed with the post-Brexit CJEU decision in Austrian Post, holding that Article 15 required the defendants to provide the actual identity of the recipients (rather than just categories of recipient, as argued by the defendants) unless it was impossible to identify them or the defendants demonstrated that the SAR was manifestly unfounded or excessive.

Having held that the specific identities were required to be disclosed, the High Court’s final deliberation related to the ‘rights of others’ exemption and whether the defendants could exercise their discretion to decide not to provide those identities on the basis that doing so would adversely affect the rights of the recipients. The defendants alleged that it would not be reasonable to provide the identities because doing so would put those recipients at significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation, in light of the claimant’s behavior. The High Court concluded that it was within the defendants’ discretion to reach this decision and accordingly the exemption applied.

Takeaway: The High Court’s judgment provides additional clarity on the scope of the UK GDPR and the extent of the obligation to provide information under, and exemptions to, SARs. Interestingly, despite having the freedom to decide otherwise on the Austrian Post point as this was a post-Brexit CJEU decision, the High Court chose to follow the direction of the EU. Controllers dealing with SARs should note that data subjects are entitled to be informed of specific recipients (and not just categories of recipient) and ensure that their records are sufficiently complete to allow for this. The case is also an excellent example of a situation where the rights of others were considered to be adversely affected, although this would always be fact-specific and should be considered on a case-by-case basis.

No Privacy Bill for Vermont: Legislature Fails to Override Governor’s Veto

As reported in Issue 56 of Cyber Bits, the Vermont House and Senate recently passed H.121, the Vermont Data Privacy Act (“VDPA”), but this bill will not become law. Vermont Governor Phil Scott vetoed the bill, and the legislature’s attempt to override Scott’s veto was defeated.

According to its sponsors, Vermont’s bill was meant to “enhanc[e] consumer privacy” and adopt an “age-appropriate design code.” After the measure passed both houses of the Vermont legislature, on June 13, 2024, Governor Scott vetoed the bill. In a letter to the legislature, the Governor made clear that while he would be open to signing a revised privacy bill, he believed that the version passed by the legislature was an “outlier” in U.S. data privacy regulation that would have been too onerous for businesses and nonprofits operating in Vermont.

More specifically, Governor Scott argued that the “bill created an unnecessary and avoidable level of risk.” Among other critiques, he noted that the “bill’s ‘private right of action’” would not only make Vermont a “national outlier,” but also would make Vermont “more hostile than any other state to many businesses and non-profits,” including by “negatively impact[ing] mid-sized employers” and “generating significant fear and concern among many small businesses.” The Governor also expressed concern that the bill would exacerbate Vermont’s regional reputation of being hostile to business, especially in light of other bills imposing new obligations on businesses recently passed by the legislature.

On the Monday following Governor Scott’s action, the State’s legislature took up but failed to override his veto. Vermont’s House voted decisively to override but its Senate sustained the Governor’s decision.

Takeaway: Companies will be relieved that the onerous and unique requirements in the Vermont privacy bill have not yet become law. That said, the legislature’s failure to override Governor Scott’s veto will not end legislative efforts to enact a privacy law in Vermont. Companies can remain hopeful that the legislature follows the Governor’s lead and adopts a law similar to those enacted in other states, like Connecticut’s data privacy law, a move Governor Scott noted would promote regional “consistency” that “is good for both consumers and the economy.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
