In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing.
In a unanimous decision, the U.S. Supreme Court limited the reach of the Telephone Consumer Protection Act (“TCPA”) by narrowing what technology qualifies as an Automatic Telephone Dialing System (“ATDS”). Among other restrictions, the TCPA prohibits calls to phone numbers using an ATDS without prior express consent. The TCPA defines an ATDS as “equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.”
In Facebook v. Duguid, the Court held that the key phrase “using a random or sequential number generator” modifies both “to store” and “to…produce.” Therefore, automatic dialing technology only qualifies as an ATDS if it has the capacity to store numbers “using a random or sequential number generator” or to produce numbers “using a random or sequential number generator.”
Although the Court repeatedly mentioned “capacity,” it likewise highlighted current use. Practically then, “equipment that merely stores and dials telephone numbers” (as Justice Sotomayor, writing for the Court, described the devices that would be an autodialer under the plaintiff’s interpretation), no longer necessarily runs afoul of the TCPA’s ATDS prohibitions. Importantly, as the Court makes clear, the ruling does not affect the TCPA’s prohibition on calls that use “an artificial or prerecorded voice,” such as prerecorded voice messages.
While this ruling will likely curb litigation, clients should remember that they can still face stiff statutory penalties for violations of other TCPA provisions unaffected by the ruling as well as other federal and state statutes that restrict communication. The Supreme Court’s opinion can be found here.
We will soon be releasing a podcast discussing the ruling and will publish a separate blog post to announce the release.
Sixth Post in an Extended Series on Legislative Changes to BSA/AML Regulatory Regime
As we have blogged, the Anti-Money Laundering Act of 2020 (“AMLA”) contains major changes to the Bank Secrecy Act (“BSA”), coupled with other changes relating to money laundering, anti-money laundering (“AML”), counter-terrorism financing (“CTF”), and protecting the U.S. financial system against illicit foreign actors.
A recurring theme of the changes offered by AMLA is information sharing. AMLA mandates that the Department of Treasury’s supervision priorities must include “appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities.” The increased emphasis on information sharing is accompanied by provisions requiring confidentiality and data security protocols.
The Financial Crimes Enforcement Network (“FinCEN”) is already beginning to address AMLA’s focus on the sharing and protection of information, as it explained in its recent detailed Report on FinCEN’s Innovation Hours Program, which focuses on fostering technological innovation in AML/CTF compliance. In this post, we explore AMLA’s expansion of information sharing, corresponding privacy and data security protections, and the tensions that lie therein.
AMLA is replete with new avenues for information sharing. We address those provisions here, which fall into three categories: (1) the information-sharing provisions of the Corporate Transparency Act (“CTA”), (2) expansions to information sharing via public-private partnerships, and (3) expansions to information sharing within financial institutions, specifically between a domestic and foreign branch.
Information Sharing under the CTA
Arguably, the most important information-sharing provisions are in the CTA. The CTA establishes a beneficial ownership (“BO”) database housed within the Department of Treasury. This database will include a BO’s full name, date of birth, current address, and a unique identifying number from an acceptable identification document (or an acceptable FinCEN identifier). In a previous blog post in this series, we discussed how the new BO database may relieve financial institutions of some customer due diligence obligations and could allow regulators to spend more time on investigation of substance, rather than determining an entity’s BOs. Although the BO database will be stored at the Department of Treasury, the CTA provides for interagency, state, cross-border, and public-private sharing of BO information to assist in law enforcement and prosecution efforts. If requested, access will be given to regulators and law enforcement only to the information needed and only to those individuals that require access. Financial institutions may also satisfy customer due diligence requirements by requesting information from the BO database, but only if given consent by the reporting company.
Although we discuss AMLA’s privacy and data security provisions in detail below, the CTA’s privacy and data security provisions are important enough to highlight here. While the privacy and data security regulations described by the CTA are likely not to be published until later in 2021, their general contents are explained by AMLA.
The CTA requires each requesting agency to establish and maintain a secure system to store BO information, establish privacy and data security protocols, and certify compliance with the Secretary of Treasury on a semi-annual basis. The regulations will also limit access to the BO database information in two ways. First, the BO database information will only be available to requesting agencies upon written request describing the reasons for the request. Second, access to the BO database information is limited to personnel who must go through appropriate training, use identity verification to obtain access to the BO database information, and must also be authorized—by agreement with the Secretary of Treasury—to access that information.
Finally, the CTA requires regulations enforcing strict compliance with minimum data security protocols and access requirements. The regulations will require recordkeeping by the requesting agency showing what information was requested (and by whom), audits by the requesting agency and the Secretary of Treasury, and any other additional safeguards deemed necessary by the Secretary of Treasury. Violations of these regulations may lead to criminal or civil penalties.
AMLA also codifies public-private partnerships for information sharing in three ways. First, AMLA creates the “Office of the Domestic Liaison,” which reports to FinCEN’s Director. The Office of the Domestic Liaison will contain a Chief Domestic Liaison and regional Domestic Liaisons. The Domestic Liaisons will be a conduit between the federal functional regulators and BSA officers at financial institutions. Importantly, the Domestic Liaisons will receive confidential feedback from financial institutions on BSA examinations and will help coordinate public-private information sharing matters. Having individuals dedicated to facilitating and strengthening these public-private partnerships may help foster more, and more useful, information sharing.
Second, AMLA acknowledges the FinCEN Exchange, a “public-private information sharing partnership among law enforcement agencies, national security agencies, financial institutions, and FinCEN” that has existed since December 2017. AMLA codifies this ad hoc program into the statutory scheme. Although AMLA does not provide details, it appears the FinCEN Exchange will continue to share information on “broader typologies” and “high priority issues” for AML/CTF issues with financial institutions.
Third, AMLA instructs the Secretary of the Treasury to “convene a supervisory team of relevant Federal agencies, private sector experts in banking, national security, and law enforcement, and other stakeholders to examine strategies to increase cooperation between the public and private sectors.” This supervisory team may use its diverse perspectives to offer insights into future avenues for information sharing within public-private partnerships.
Information Sharing within Financial Groups
AMLA also contains a pilot program allowing financial institutions to share information related to suspicious activity reports (“SARs”), as well as the fact that a SAR has been filed, with foreign branches. This would allow financial institutions to more effectively combat cross-border money laundering or terrorist financing. While the animating regulations must be developed, the contours of the pilot program are relatively clear. The pilot program will allow information sharing with foreign branches, but will impose penalties on foreign branches for public disclosure of the information shared. The pilot program will also not permit financial institutions to share information with foreign branches in China, Russia, or jurisdictions that are state sponsors of terrorism or are subject to sanctions.
Privacy and Data Security Provisions
Along with information sharing, AMLA provides additional provisions on privacy and data security. Most notably, AMLA creates the role of Bank Secrecy Act Information Security Officers (“BSA ISOs”), each of whom will serve within the federal functional regulators, FinCEN, and the IRS. The BSA ISOs will be central to marrying the new information-sharing provisions to data security protocols. To perform this function, the BSA ISOs will help create data security regulations and internal protocols, be consulted on information-sharing policies and data security concerns, and may help develop new technologies to strengthen future data security.
They will also be given a seat at the table on the Subcommittee on Information Security and Confidentiality, an AMLA-created subcommittee within the Bank Secrecy Act Advisory Group. AMLA instructs that the Subcommittee will “advise the Secretary of the Treasury regarding the information security and confidentiality implications of regulations, guidance, [and] information[-]sharing programs.” In addition to the BSA ISOs, the Subcommittee will also include the heads of the federal functional regulators and representatives from financial institutions, law enforcement, and FinCEN. The Report on FinCEN’s Innovation Hours Program details that FinCEN’s BSA ISO and the Subcommittee will work closely with the Bank Secrecy Act Advisory Group on Innovation and Technology to “support responsible AML/CFT innovation.” The combination of voices hopefully will provide the necessary BSA expertise, technological know-how, and industry experience to advise the Secretary of Treasury into the future.
The information-sharing provisions discussed above also contain their own requirements. Whether information sharing is interagency, between federal and state or federal and foreign authorities, or between public and private actors, the privacy and data security provisions remain the same:
- AMLA requires the collecting agency to, by regulation or otherwise, establish protocols for privacy and data security;
- AMLA requires the collecting agency to impose its protocols for privacy and data security on those receiving the information;
- AMLA restricts sharing to the narrowest possible group of individuals on the narrowest possible amount of information and generally restricts its use to AML/CTF functions; and
- AMLA suggests the collecting agency should revisit its privacy and data security protocols often, by requiring annual or biannual reports or by requiring the protocols to be created by regulation (as opposed to baking them into the statutory scheme).
AMLA provides more avenues for information to be shared between agencies, states, foreign law enforcement, and financial institutions. As the opportunities for information sharing expand and personal, confidential information continues to spread, concerns over privacy and data security multiply—especially when that information has national security implications.
AMLA acknowledges the centrality of information sharing as a regulatory response to increasingly complex, cross-border and interagency schemes. Allowing more—and more seamless—information sharing may give regulators and law enforcement the ability to use that information to more effectively fuel their investigations and track down wrongdoers. Information sharing will also give financial institutions insight into regulatory focus and industry trends, theoretically allowing the financial institutions to better track and triage AML/CTF priorities.
But increased information sharing is necessarily in tension with privacy and data security concerns. With more people given access to sensitive information, there are more chances for inadvertent disclosure or nefarious actors to gain access. Moreover, to the extent a small subset of agencies or vendors may serve as a hub for information-sharing purposes, lessons from the SolarWinds hack apply (which we blogged about). A data security weakness in one is a weakness for all. Finally, sharing across borders brings its own set of challenges, including translating protocols linguistically and technologically and ensuring maintenance of proper systems and data security protocols.
Pursuit of increased information—and increased information sharing—almost always leads to heightened privacy and data security concerns. But these concerns need not lead to barriers. AMLA contains a number of provisions that require creation of protocols and procedures, mandate continuing maintenance, narrowly restrict access, and solicit ideas from a variety of perspectives. These are sensible solutions on paper, but only time will tell whether this legislative vision will create both robust information sharing and adequate privacy and data protection.
The latest wrinkle in the ever-changing world of data privacy litigation is the recent surge in state wiretap claims. What began as a trickle over the summer of 2020 has grown into a clear wave as plaintiffs have filed dozens of lawsuits against prominent tech, eCommerce, entertainment, and retail companies under state wiretap laws. These lawsuits seek statutory damages for the alleged interception of consumers’ electronic communications through the defendant’s use of various website analytic tools. Insofar as the use of website analytics tools is ubiquitous on the internet, privacy litigators are carefully watching the progress of these state wiretap claims. If successful, state wiretap claims could become the next TCPA, threatening virtually every company with a sizable web presence in the U.S.
After a pandemic-related hiatus in 2020, a number of U.S. states have proposed new data privacy laws in 2021 – and several are very close to passage. Virginia’s proposed data privacy law appears to be the closest and is likely to be signed into law by Governor Northam in the near future. Washington and Florida’s legislatures also have privacy bills that are making their way through the legislative process, with a good likelihood of becoming law this year. The following is an overview of some of the similarities and differences among the three bills most likely to become law in the near future.
| | WAPA | VCDPA | FL Proposed Bill |
|---|---|---|---|
| Applicability Thresholds | Conducts business in WA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more. *The WAPA would apply to nonprofit corporations starting July 31, 2026. | Conducts business in VA and: (i) controls or processes the personal data of 100,000 consumers or more; or (ii) processes or controls personal data of 25,000 consumers or more and derives over 50% of gross revenue from the sale of personal data. *Nonprofits are exempt from the provisions under the VCDPA. | Conducts business in FL and: (i) has global annual gross revenues of more than $25 million; (ii) annually buys, receives for business purposes, or shares for commercial purposes the personal data of 50,000 or more consumers, households, or devices; or (iii) derives 50% or more of its global annual revenues from selling or sharing personal data. *Nonprofits are exempt from the provisions under Florida’s proposed bill. |
| Contractual Requirements Imposed Between Data Controllers and Processors? | Yes | Yes | Yes |
| Consumer Rights | Right to access, correct, delete, and opt out of the sale of personal data or certain types of processing of personal data (e.g., targeted advertising, profiling for decisions that have legal consequences). | Right to access, correct, delete, and object to the sale of personal data or certain types of processing of personal data (e.g., targeted advertising). | Right to access, correct, delete, and opt out of the sale or sharing of personal data. |
| Risk Assessments (or similar measures) | Required | Required | Not required |
| Private Cause of Action | No | No | Yes (limited) – private plaintiffs can seek damages of not less than $100 and not more than $750 per consumer per incident or actual damages, whichever is greater, if their non-encrypted personal information or email address (together with information that would allow account access) is subject to unauthorized access due to a business’ failure to implement reasonable security measures. |
| Consent | Generally not required except for the processing of sensitive data. | Required where a consumer has restricted processing or a risk assessment indicates the risks of processing outweigh the benefits to the consumer. | Required before a business may enter a consumer in a financial incentive program. |
| Opt-Out | Required for targeted advertising, sale of personal information, or profiling decisions that have legal effects. | Required for targeted advertising, sale of personal information, or profiling. | Required for the sale or sharing of personal information. |
| Exceptions | Does not apply to personal data regulated under HIPAA, the FCRA, the GLBA, the DPPA, the FERPA, the Federal Farm Credit Act, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data. | Does not apply to protected health information under HIPAA, personal data regulated under the GLBA, employment-related data, certain types of data regulated under the FCRA, personal data under the DPPA, and clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46). | Does not apply to personal data regulated under HIPAA, the FCRA, the GLBA, the DPPA, the FERPA, clinical trial data collected pursuant to the Common Rule (45 C.F.R. 46), and employment-related data. |
| Cure Period? | Yes – 30 days after receipt of a warning letter from the Attorney General. | Yes – 30 days after receipt of notice of alleged noncompliance. | Yes – 30 days after being notified in writing of alleged noncompliance. |
| Damages/Penalties | Up to $7,500 per violation. | Up to $7,500 per violation. | Not less than $100 and not more than $750 per consumer per incident or actual damages, whichever is greater. The Attorney General can seek up to $2,500 for each unintentional violation or $7,500 for each intentional violation. |
As noted in the table above, the WAPA, VCDPA, and Florida’s proposed bill contain similarities with one another, such as imposing contractual requirements between data controllers and processors, providing various consumer privacy rights such as the right to access, correct, delete, and opt out of/object to the sale or certain types of processing of personal data, and requiring transparent privacy notices concerning the collection and sharing of personal data. Further, the WAPA, VCDPA, and Florida’s proposed bill do not impose a fiduciary duty on data controllers, unlike the proposed New York Privacy Act, which is currently pending in the New York state legislature. One notable difference between the WAPA and the VCDPA and Florida’s proposed bill, however, is that the WAPA and the VCDPA do not include a private right of action whereas Florida’s proposed bill allows consumers to bring a private cause of action for actual or statutory damages.
The VCDPA has passed in both the state House and Senate and its enactment appears imminent. If enacted, the VCDPA would become effective on January 1, 2023. The WAPA and Florida’s proposed bill are currently pending review by their respective legislatures, but momentum appears strong for passage in 2021.
The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
In an opinion that deepens an existing circuit court split, the Eleventh Circuit recently held that the future risk of identity theft is not sufficient to establish Article III standing.
On February 10, 2021, Phil Yannella, Chair of Ballard’s Privacy & Data Security Group, will join Ankura for a webinar, “2020 Cyber Year in Review”, which will recap cybersecurity events for 2020. Panel members will also offer their predictions for what cybersecurity issues will dominate headlines in 2021. You can register for the event here.
On January 12, 2021, the federal District Court for the Central District of California dismissed a data breach lawsuit—including a claim filed under the California Consumer Privacy Act (“CCPA”)—against Marriott International, Inc. The holding, which dismissed the claims for lack of standing, will likely play a role in a number of CCPA cases that have motions to dismiss pending.
The case stems from a cybersecurity breach announced by Marriott on March 31, 2020, in which two employees of a Marriott franchise in Russia allegedly accessed some personal information without authorization. The class action was filed asserting claims for negligence, breach of express and implied contract, violation of California’s Unfair Competition Law, and violation of the CCPA. However, at the time the class action was filed, Marriott’s investigation was still ongoing.
Marriott’s investigation concluded that the only personal information that had been accessed was the class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers—it did not involve sensitive personal information such as social security numbers, credit card information, or passwords/access credentials. Marriott moved to dismiss for lack of Article III standing, and the District Court granted the motion.
The District Court engaged in a fairly standard Article III standing analysis, starting with whether there was injury-in-fact. The Court relied on established precedent that, for there to be a credible risk of injury sufficient for standing, the data at issue must have a certain level of sensitivity. Because the investigation revealed that the data at issue was not sensitive in nature, the Court held that the plaintiffs could not establish standing.
The four-page opinion did not specifically address the CCPA claim. If it had, it likely could have dismissed that claim on separate grounds, as the data that had been accessed without authorization did not fall into the subset of information subject to the CCPA’s private right of action. However, the Marriott case demonstrates that even if plaintiffs could successfully argue that the CCPA is ambiguous with respect to the scope of its private right of action, they would still face standing challenges for data breaches involving non-sensitive personal information. As there are numerous CCPA cases with motions to dismiss pending, we expect to see additional case law emerging on this front.
The Administrative Office of the U.S. Courts (the “AO”) recently disclosed that it has initiated an investigation into an apparent compromise in security of the Judiciary’s Case Management/Electronic Case Files System (“CM/ECF”) as a result of vulnerabilities associated with SolarWinds Orion products. The AO noted that it is currently working with the Department of Homeland Security on an audit of security vulnerabilities that may pose a confidentiality risk for non-public documents stored on CM/ECF. In other words, the AO is auditing whether sealed filings in federal cases have been compromised.
As background, SolarWinds is a vendor that works with the federal government and a range of companies to monitor their IT networks. On December 31, 2020, SolarWinds issued a security advisory noting that it was a victim of a cyberattack that exploited vulnerabilities with products utilizing its Orion software. After SolarWinds’ announcement, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive which calls on all federal civil agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
According to public reporting, the SolarWinds hack may have included unauthorized access to the federal court’s electronic filing system, meaning that the hackers may have had access to documents filed under seal. As a result, the compromise has put “at risk a range of highly sensitive competitive and financial information and trade secrets, including companies’ sales figures, contracts, and product plans” that companies have filed with the courts in connection with litigation.
The Judiciary has now suspended all national and local use of its Orion IT network monitoring and management tool. In addition, under newly announced procedures, highly sensitive documents (“HSDs”) filed with federal courts will now be accepted in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system, rather than uploaded to CM/ECF.
The AO anticipates that each court will issue a standing order addressing the types of filings that it does and does not consider to be HSDs. The AO memorandum suggests that most documents similar to and including presentence reports, pretrial release reports, pleadings related to cooperation in most criminal cases, Social Security records, and administrative immigration records will likely not be sufficiently sensitive to require HSD treatment and can continue to be filed under seal in CM/ECF as necessary.
In the meantime, companies and firms should start taking inventory of what sensitive information has been filed under seal, whether as part of a civil or criminal federal case, and consider whether any preventive or protective measures may be possible to mitigate harms in the event that the information was compromised.