Recent Data Breach Reports: And the Hits Keep on Coming…

Mintz

The “hits” to databases, in any event. Here is a rundown of some of the most recent data breach reports:

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member. According to Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.
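Citi’s statement describes the classic redaction failure: a box is drawn over the sensitive text, but the text itself is still in the file and can be recovered by anyone who extracts the page’s content. The check below is an added example, not code from the article or from Citi; it assumes the court filings are PDFs (as PACER documents are) and builds a constructed one-page fixture inline, so it runs offline. The parser is deliberately minimal: it reads flat stream dictionaries only and decodes FlateDecode streams, which is enough to show whether a Social Security number survives underneath a “redaction” rectangle.

```python
import re
import zlib

# A content stream that draws the SSN and then paints a black box over it.
# The box hides the text on screen, but the text is still in the stream.
# Constructed fixture, not a real court filing.
BAD_CONTENT = (b"BT /F1 12 Tf 72 700 Td (Debtor SSN: 123-45-6789) Tj ET\n"
               b"0 g 140 690 120 16 re f")
# Proper redaction: the sensitive text is replaced before the page is rendered,
# so nothing recoverable remains in the content stream.
GOOD_CONTENT = (b"BT /F1 12 Tf 72 700 Td (Debtor SSN: XXX-XX-XXXX) Tj ET\n"
                b"0 g 140 690 120 16 re f")

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Stream object with a flat dictionary: << ... >> stream ... endstream
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# PDF literal string: ( ... ) with backslash escapes, no nested parentheses.
LITERAL_RE = re.compile(rb"\((?:\\.|[^\\)])*\)")


def make_pdf(content, compress=False):
    """Wrap CONTENT in a minimal one-page PDF (constructed test fixture)."""
    filt = b""
    if compress:
        content = zlib.compress(content)
        filt = b" /Filter /FlateDecode"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(content)).encode() + filt +
            b" >>\nstream\n" + content + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def content_streams(pdf):
    """Yield every stream body in PDF, inflating FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf):
        stream_dict, body = m.group(1), m.group(2)
        if b"/FlateDecode" in stream_dict:
            body = zlib.decompress(body)
        yield body


def text_strings(pdf):
    """Return every literal string found in the PDF's streams (what a
    text-extraction tool would recover regardless of what is painted on top)."""
    out = []
    for stream in content_streams(pdf):
        for m in LITERAL_RE.finditer(stream):
            raw = m.group(0)[1:-1]
            raw = re.sub(rb"\\([()\\])", rb"\1", raw)  # unescape \( \) \\
            out.append(raw.decode("latin-1"))
    return out


def unredacted_hits(pdf, pattern=SSN_RE):
    """List pattern matches still present in the file's text; an empty list
    means nothing matching the pattern can be extracted from the streams."""
    return [hit for s in text_strings(pdf) for hit in pattern.findall(s)]


if __name__ == "__main__":
    for label, pdf in (("overlay only", make_pdf(BAD_CONTENT)),
                       ("overlay only, compressed", make_pdf(BAD_CONTENT, True)),
                       ("text replaced", make_pdf(GOOD_CONTENT))):
        print(f"{label}: SSNs recoverable -> {unredacted_hits(pdf)}")
```

Running the same check over a filing before upload, with patterns for dates of birth and account numbers as well, catches exactly the failure mode Citi describes: the document looks redacted but still carries the data.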

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica, one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said the ministry will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.

In Largest Known Data Breach Conspiracy, Five Suspects Indicted in New Jersey

DrinkerBiddle

On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ.  The scheme is the largest of its kind ever prosecuted in the United States.

The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks.  Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.

Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations.  The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.

The defendants allegedly used a number of methods to evade detection.  They used web-hosting services provided by one of the defendants, who unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement.  The defendants also communicated through private and encrypted communication channels and tried to meet in person.  They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.

Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343).  All of the defendants are charged with conspiracy to commit these crimes.

Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing.  The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.

This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks.  The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year.  Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc.  Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways.  Damages are difficult to estimate with precision, but they total several hundred million dollars at least.  Just three of the corporate victims suffered losses totaling more than $300 million.

Consumer Financial Services Basics 2013 – September 30 – October 01, 2013

The National Law Review is pleased to bring you information about the upcoming  Consumer Financial Services Basics 2013.

When

September 30 – October 01, 2013

Where

  • University of Maryland
  • Francis King Carey School of Law
  • 500 W Baltimore St
  • Baltimore, MD 21201-1701
  • United States of America

Facing the most comprehensive revision of federal consumer financial services (CFS) law in 75 years, even experienced consumer finance lawyers might feel it is time to get back in the classroom. This live meeting is designed to expose practitioners to key areas of consumer financial services law, whether you need a primer or a refresher.

It is time to take a step back and think through some of these complex issues with a faculty that combines decades of practical experience with law school analysis. The classroom approach is used to review the background, assess the current policy factors, step into the shoes of regulators, and develop an approach that can be used to interpret and evaluate the scores of laws and regulations that affect your clients.

Federal Trade Commission (FTC) Settles with HTC America Over Charges it Failed to Secure Smartphone Software

RaymondBannerMED

Smartphone manufacturer HTC agreed in February to settle Federal Trade Commission (FTC) charges that the company failed to take reasonable steps to secure software it developed for its mobile devices including smartphones and tablet computers. In its complaint, the FTC charged HTC with violations of the Federal Trade Commission Act.  On July 2 the FTC approved a final order settling these charges.

The FTC alleged HTC failed to employ reasonable security measures in its software, which led to the potential exposure of consumers’ sensitive information. Specifically, the FTC alleged HTC failed to implement adequate privacy and security guidance or training for engineering staff, and failed to follow well-known and commonly accepted secure programming practices which would have ensured that applications only had access to users’ information with their consent. Further, the FTC alleged the security flaws exposed consumers to malware which could steal their personal information stored on the device, the user’s geolocation information and the contents of the user’s text messages.

HTC is a manufacturer of smartphones but it also installs its own proprietary software on each device. It is this software that the FTC targeted. While HTC smartphones run Google’s Android operating system, the HTC software allegedly introduced significant vulnerabilities which circumvented some of Android’s security measures.

As part of the settlement consent order, HTC agreed to issue security patches to eliminate the vulnerabilities. HTC also agreed to establish a comprehensive security program to address the security risks identified by the FTC and to protect the security and confidentiality of consumer information stored on or transmitted through an HTC device. HTC further agreed to hire a third party to evaluate its data security and privacy program and to issue reports every two years for the consent order’s 20-year term. The FTC’s action makes it clear that companies must affirmatively address both privacy and data security issues in their custom applications and software for consumer use.

Recent Consumer Financial Protection Bureau (CFPB) Developments

Rules Creating Exemptions to the ATR Rule Finalized

The Consumer Financial Protection Bureau (CFPB) recently finalized rules that modified and created specific exemptions to the CFPB’s Ability-to-Repay Rule. The rules have three main effects.

  1. They exempt certain community development lenders and nonprofits—specifically those that lend only to low- and moderate-income consumers, and make 200 or fewer such loans per year—from the ATR Rule.
  2. They facilitate lending by community banks and credit unions that have less than $2 billion in assets, and make 500 or fewer first lien mortgages per year.
  3. They no longer require that compensation paid by a broker or lender to a loan originator counts towards the Dodd-Frank points and fees limits.

These changes to the ATR Rule will take effect on January 10, 2014.

Effective Date of Prohibitions on Financing Credit Insurance Premiums Delayed

The CFPB has delayed the effective date of a regulation prohibiting creditors from financing credit insurance premiums secured by a dwelling. The regulation, previously effective June 1, 2013, has been delayed until January 10, 2014. The CFPB wanted to clarify how the rule applied to transactions other than those where a lump-sum premium was added to the loan amount at closing.

CFPB Seeking Comments on Possible Revisions to the Civil Penalty Rule

The CFPB is seeking comments on possible revisions to the Consumer Financial Civil Penalty Fund Rule. The CFPB uses this fund, established by the Dodd-Frank Act, to deposit civil penalties obtained in judicial or administrative actions under federal consumer financial laws. The fund can be used to pay victims of violations of federal consumer financial laws, or, if victims cannot be found, to educate consumers and provide financial literacy programs. The rule articulates the CFPB’s interpretations of what kind of victim payments are appropriate and how to otherwise allocate the funds. Comments are due on July 8, 2013.

White Paper Concerning Overdraft Practice Concerns Published

The CFPB published a white paper concerning overdraft practice concerns and institutional practices. The paper finds that a large portion of consumer checking account revenue continues to come from overdraft fees. Furthermore, consumers who opt in to overdraft coverage, let alone use it, have higher costs and a higher chance of having their checking accounts involuntarily closed. No action, other than further research, is currently planned.

CFPB Launches New Mortgage Rule Implementation Page

The new mortgage rule implementation page is part of an effort to help lenders comply with the Dodd-Frank Act reforms and CFPB rules. Debtors and potential debtors can find potentially useful information, including quick reference charts, video guides, manuals, etc.—related to the new 2013 mortgage rules. While the CFPB’s intention for the site is to help understand the rules, the materials are not a substitute for the rules themselves.

Ryan C. Fairchild, summer law clerk at Poyner Spruill, co-authored this article.

The Consumer Financial Protection Bureau, Week in Review: June 10 – June 14, 2013

GT Law

CFPB Launches Regulatory Implementation Page

In an effort to streamline resources and better assist financial institutions implementing the many new rules and policies promulgated by the CFPB, the CFPB announced the launch of its “Regulatory Implementation” webpage, available here. The page is a one-stop shop for financial institutions looking for assistance in understanding some of the more salient differences and requirements of the rules. In addition to a number of quick-reference guides, the page also contains compliance guides for the following rules: (i) Ability to Repay/Qualified Mortgage; (ii) 2013 HOEPA Rule; (iii) Loan Originator Compensation; (iv) ECOA Valuations; (v) TILA HPML Appraisals; (vi) Escrows; and (vii) TILA and RESPA Servicing.

CFPB Examines Impact of Overdraft Practices on Consumers

On June 11, 2013, the CFPB released its “CFPB Study of Overdraft Programs” (the Report), which is available here. The Report was based upon (i) responses the CFPB received to a request for information published in the Federal Register in February 2012, and (ii) aggregate, institution-level data and random samples of consumer checking accounts. Through the inquiry, the CFPB determined that overdraft programs are costly to consumers, provide substantial sources of checking account revenue for financial institutions, and vary widely across financial institutions.

The Report noted that overdraft practices employed by financial institutions are frequently very complex. Not only do the fees charged for overdraft protection vary, but many other differences exist throughout the industry, including: the number of times a consumer can be charged; whether there are caps on such charges; the amount of such caps; the scope of overdraft protection; and even the order in which transactions are posted. Each of these factors can play a significant role in determining the fees consumers will face. Accordingly, the CFPB’s report raises concerns about consumers’ ability to understand, navigate and anticipate fees.

In light of the Report’s findings, the CFPB has announced its intention to engage in further review of account-level data to better understand how differences in practices affect consumers.

CFPB Proposes New Redress System for Victims of Unlawful Activities

Under Section 1055(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the CFPB may obtain various types of monetary relief, such as restitution, refunds and damages, in both judicial and administrative proceedings. The CFPB collectively refers to such relief as “redress”, and can be required to receive such redress from a defendant and then distribute it to victims of unlawful activities. In order to better assist this process, which is known as “Bureau-Administered Redress,” the CFPB is proposing a new system of records that will enable the CFPB to manage distributions to consumers.

Specifically, the new system will enable the CFPB to: (i) track the collection, allocation and distribution of funds in the Civil Penalty Fund and redress monies; (ii) identify and locate victims who may receive such payments; (iii) determine the amounts that the CFPB will distribute to such victims; (iv) maintain associated account and financial information; and (v) develop reports to applicable tax officials regarding such payments.

The proposal, which is available here, states that any comments on the proposed system must be received no later than July 11, 2013. The new system will become effective on July 22, 2013, unless comments are received that result in a contrary determination.

CFPB Releases New Training Module to Combat Financial Exploitation of Older Americans

On June 12, 2013, the CFPB along with the Federal Deposit Insurance Corporation (FDIC), released a tool called “Money Smart for Older Adults.” The purpose of the module is to assist older adults (age 62 and older), as well as their caregivers, in avoiding and preventing financial exploitation. In addition, it provides information to educate consumers about planning for a secure financial future and making informed financial decisions.

The module, which consists of a scripted instructor guide, a participant/resource guide and Power Point slides, has been designed to be presented and administered by financial institution representatives, adult protective services agencies, senior advocacy organizations, law enforcement, and similar organizations and agencies.  The module is available, free of charge, on the FDIC website. Click here to view.

CFPB Assistant Director Tells Nonbanks to Quickly Implement Compliance Management Systems

During the American Bankers Association’s Regulatory Compliance Conference on June 12, 2013, Peggy Twohig, the CFPB’s Assistant Director for Supervision Policy, urged nonbank entities to implement compliance management systems without delay. She specifically pointed to many payday lenders, consumer reporting agencies, mortgage lenders and servicers, student lenders and debt collectors that have yet to implement these compliance management systems.

New Data Breach Class Action has Two Million Plaintiffs

RaymondBannerMED

Cyber breaches resulting in the release of personal identifiable information (PII) are increasingly common and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed a class action lawsuit filed against it to federal court stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The class action complaint alleges Schnucks failed to properly and adequately safeguard its customers’ personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act, which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach, and this delay may have continued to expose the PII of people who shopped at its stores.

Schnucks’ notice of removal to federal court states the grounds for removal include a class size of more than 100 people and damages at issue greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved, so the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common it is likely that there will be more lawsuits filed similar to Schnucks in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.

FTC v. Actavis, Inc.: Supreme Court Rules That Reverse Patent Settlements May Violate Antitrust Laws

Womble Carlyle

On April 29, 2013, the Supreme Court declined to review a decision that had created uncertainty as to when a manufacturer’s customer loyalty program may violate antitrust laws. Most circuits considering the issue have found that companies can use loyalty programs or long-term agreements, as long as the rebates do not price the product below cost. The Third Circuit, however, found that a manufacturer’s customer loyalty program amounted to an unlawful “de facto exclusive dealing contract,” despite the above-cost price of the product. The Supreme Court’s decision to allow the Third Circuit opinion to stand raises many questions as to when manufacturers may use incentive programs and which legal standard will be used to analyze these agreements. Regardless of where a company is located, if the company’s products are sold within the Third Circuit (Pennsylvania, New Jersey, Delaware and the U.S. Virgin Islands), then that company may be impacted by this decision.

The case of ZF Meritor, LLC v. Eaton Corp., 696 F.3d 254 (3d Cir. 2012) cert. denied, ___ U.S. __, 2013 WL 673880 (U.S. Apr. 29, 2013), involved two manufacturers of heavy-duty truck transmissions. The defendant, a leading supplier of these transmissions in North America, signed long-term agreements with its customers. Those agreements provided incentives to its customers, offering rebates to those who purchased a specified percentage of their parts from the defendant manufacturer. The plaintiff, a competitor in the heavy-duty transmission market, brought suit, claiming that the defendant’s long-term agreements constituted illegal exclusive dealing contracts. After trial, a jury found that the agreements stifled competition and violated antitrust laws. The defendant sought to overturn the jury verdict, arguing that its agreements were lawful, because it priced its transmissions above cost. The U.S. District Court for the District of Delaware upheld the jury verdict, however, finding that there was sufficient evidence to conclude that defendant’s conduct unlawfully foreclosed competition. Defendant appealed to the Third Circuit.

On appeal, the defendant urged the Third Circuit to follow the First, Second, Sixth, Eighth, and Ninth Circuits, which apply a “price-cost test” when analyzing long-term agreements which offer above-cost rebates. Under the “price-cost test,” a company is not engaging in anticompetitive conduct if it prices its products above cost. Instead, the Third Circuit applied the “rule of reason” test and found that the customer loyalty program constituted a “de facto exclusive dealing arrangement.” Under the rule of reason, “exclusive dealing arrangements can exclude equally efficient (or potentially equally efficient) rivals, and thereby harm competition, irrespective of below-cost pricing.” Therefore, the Third Circuit upheld the District Court jury verdict, stating that defendant’s  “conduct unlawfully foreclosed a substantial share of the HD transmission market, which would otherwise have been available for rivals.” The defendant then appealed to the Supreme Court, which declined to hear the case, allowing the Third Circuit’s decision to stand.

In refusing to consider the Third Circuit’s decision, the Supreme Court has failed to resolve a conflict in the circuits as to how long-term agreements containing rebates or other incentives will be analyzed by the courts. This conflict removes the predictability of a single “price-cost” standard applied across all circuits and creates uncertainty for manufacturers who wish to offer loyalty programs to their customers. In the future, manufacturers hoping to offer such programs may want to ensure that their agreements can withstand both the price-cost test and rule of reason analysis.