FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Currently pending in the Massachusetts legislature is Bill S.120 entitled “An Act Relative to Consumer Data Privacy”

Posted on: April 25th, 2019

By: Eric Martignetti

The proposed bill defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” “Personal information” includes “biometric information.” “Biometric information” is “an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Under the proposed bill, a business that collects a consumer’s personal information shall, at or before the point of collection, notify a consumer of: (1) the categories of personal information it will collect; (2) the business purpose for which their personal information will be used; (3) the categories of third parties to whom the business discloses their personal information; (4) the business purpose for the third-party disclosure; and (5) the consumer’s right to request a copy of their personal information, the deletion of their personal information, and the right to opt out of the disclosure of their personal information to third parties. Also, a business must include these five items either in its online privacy policy or on its website.

Under the proposed bill, a business shall also make reasonably available to consumers two or more methods, including a link on the home page of its website, for submitting a consumer verified request. Through a consumer verified request, a consumer can request: (1) the specific pieces of personal information the business has collected about them; (2) the sources from which their personal information was collected; (3) the names of third parties to whom the business disclosed their personal information; and (4) the business purpose for third-party disclosure.

The proposed bill applies to a “business” that: (1) “is organized or operated for the profit or financial benefit of its shareholders or other owners”; (2) “collects Massachusetts consumers’ personal information”; and (3) “has annual gross revenues in excess of $10,000,000” or “derives 50 percent or more of its annual revenues from third party disclosure of consumers’ personal information.”

The proposed bill carves out an exception for “a business collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer.” This exception would, in most cases, protect employers from lawsuits brought by employees under the Act.

The proposed bill creates a private right of action for consumers. In a private right of action, a consumer need not suffer a loss of money or property, and they may recover $750 in statutory damages or their actual damages, whichever is greater. A consumer may also recover costs and attorneys’ fees.

If you have any questions or would like more information, please contact Eric Martignetti at [email protected].

Massachusetts’ Will-o’-the-WISP

Posted on: April 24th, 2019

By: Zach Moura

Massachusetts revised its data breach notification law, effective April 10, 2019, to change the minimum standards for what companies should include in a Written Information Security Plan, or WISP. Companies that experience a data breach incident must now confirm in their breach notice to the Massachusetts Attorney General whether the company maintains a WISP and identify any steps taken or planned relating to the incident, including updating the WISP. The requirements apply to companies that handle personal information belonging to Massachusetts residents no matter where the company itself is located.

The revisions also reshape the requirements for notifications to impacted individuals. In data breach incidents in which Massachusetts residents’ Social Security numbers are exposed, Massachusetts now requires companies to offer 18 months of free credit monitoring services to impacted individuals. Entities must also now certify to the state’s Attorney General and Office of Consumer Affairs and Business Regulation (“OCABR”) that the credit monitoring services comply with the statute, and provide the name of the person responsible for the breach of security, if known. The revisions also obligate the OCABR to publicly post the sample notice on its website within one business day.

The new statute calls for rolling and continuous notifications to all impacted individuals as they are identified, rather than allowing a business to first determine the total number of impacted individuals before notifying them all at the same time. And if an investigation reveals more information on the data breach that, if known, would have been provided to the impacted individuals in the original notice, additional notices must be sent. Entities must also now identify any parent or affiliated corporation in the notification letter.

For any questions about the above, or whether a WISP complies with Massachusetts law, please contact Zach Moura at [email protected].

SEC Issues Risk Alert Regarding Broker-Dealers and Investment Advisers’ Privacy Practices and Compliance with Regulation S-P

Posted on: April 22nd, 2019

By: Jennifer Lee

On April 16, 2019, the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert summarizing the findings from the examinations of broker-dealers and investment advisers’ privacy practices and compliance with Regulation S-P.

Regulation S-P, 17 C.F.R. § 248.30, was enacted to protect the privacy of customers and their information. It has three major components:

  1. Firms are required to provide their customers with a copy of their privacy policies and procedures at the initial outset of the relationship and also on an annual basis.
  2. Firms are prohibited from sharing customers’ nonpublic information with unaffiliated third parties unless the customer is given prior notice regarding such practices.
  3. Firms must inform customers that they have a right to opt out of the firm’s data sharing practices with unaffiliated third parties and provide a method by which customers can opt out.

During the examinations, which spanned over the course of the past two years, the Office of Compliance Inspections and Examinations (“OCIE”) found common deficiencies in firms’ compliance with Regulation S-P. The OCIE found that some firms did not provide customers with the initial and/or annual privacy policies and procedures. In other instances, the privacy policies and procedures were inadequate to satisfy the requirements under Regulation S-P. For example, the policies and procedures failed to identify the precautions taken to ensure the integrity of customers’ information.

Even when firms gave the required notices and had satisfactory written policies and procedures on the books, the OCIE often found that such policies and procedures were not actually being implemented and that firms’ practices diverged from the written policies and procedures. Customers’ personally identifiable information (“PII”) was sent via unencrypted emails and left in unsecured physical locations, firm employees kept customer information on unsecured personal devices, and outside vendors were not vetted on their cybersecurity and privacy practices.

These findings are unsurprising because often when a new set of privacy or cybersecurity regulations is introduced, companies will invest an incredible amount of time and resources to develop policies and procedures that comply with the new requirements. Usually, most of this work is done by the COO or Chief Information Security Officer (“CISO”). However, it does not and cannot stop there as most enforcement actions and customer actions are brought based on the firm’s failure to implement its policies and procedures.

To reduce the risk of enforcement and customer actions, firms must ensure that the policies and procedures in their books are put into practice. This requires buy-in from everyone at the executive level—from the CEO to the CMO—and cooperation from multiple departments in the firm that may not necessarily work closely with each other on a regular basis. In addition, firms should shift their perspective on compliance with Regulation S-P and other privacy or cybersecurity regulations. It is not a one-off event. Instead, it should be seen as an active and ongoing process that requires constant training and monitoring.

If you have any questions regarding your firm’s compliance with Regulation S-P or other privacy and cybersecurity regulations, please contact Jennifer Lee at [email protected].

Largest Jury Verdict in TCPA History: Defendant Faces $925 Million in Damages

Posted on: April 18th, 2019

By: Jennifer Lee

On Friday, April 12, 2019, a federal jury in Oregon rendered a verdict in a certified class action that could leave ViSalus, Inc. on the hook for $925 million for making more than 1.85 million unsolicited robocalls in violation of the Telephone Consumer Protection Act (“TCPA”). The case is Wakefield v. ViSalus Inc., Case No. 3:15-cv-01857, in the U.S. District Court for the District of Oregon.

The TCPA prohibits prerecorded calls to cell phones and home phones without prior written consent from the recipient. The TCPA also prohibits the use of an automated dialing system (“ATDS”) to place calls to cell phones without prior written consent. This was a non-issue as ViSalus had already conceded that it used an ATDS for the calls at issue.

During the three-day trial, the named plaintiff and class representative Lori Wakefield testified that she had received four prerecorded calls from ViSalus on her home phone even though she did not consent to such calls. The jury believed her and concluded that the four calls received by Wakefield and the 1.85 million calls received by members of the certified class violated the TCPA.

Statutory damages for TCPA violations are $500 per call, and with more than 1.85 million calls at issue, this verdict could translate into approximately $925 million in damages for ViSalus. But there is more. Since the TCPA allows for treble damages for deliberate violations, if U.S. District Judge Michael Simon finds that ViSalus “willfully or knowingly” violated the statute, ViSalus may be subject to $2.775 billion in damages.

This verdict has wide-reaching implications for companies. It shows that jurors are receptive to TCPA class actions and do not view them as nuisance cases. This is in part because consumers are being bombarded by unwanted telemarketing calls, which are at historical highs and increasing every year. It also means that companies will have a harder time settling these cases and will lead to higher settlement amounts as the plaintiffs’ bar becomes more willing to take TCPA class actions all the way to trial.

If you have any questions regarding the TCPA, including compliance and defending against a TCPA class action, please contact Jennifer Lee at [email protected].

SEC Holds Public Forum as Part of Increasing Efforts to Regulate Digital Assets, Cryptocurrency Exchanges, and ICOs

Posted on: March 28th, 2019

By: Jennifer Lee

The Securities and Exchange Commission will be hosting a public forum on distributed ledger technology and digital assets in Washington DC on May 31, 2019. This is a part of the SEC’s increasing efforts to regulate cryptocurrency exchanges and initial coin offerings (ICOs) that have been proliferating unchecked until very recently.

Since digital assets are still an emerging concept, regulators, such as the SEC and the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of Treasury, have been struggling to figure out how the existing regulatory framework applies to cryptocurrencies, exchanges, and ICOs. However, as established financial institutions, such as Fidelity, begin to enter the digital asset space, the SEC has ramped up its efforts to ensure that companies are aware of and are in compliance with all applicable laws and regulations. Depending on the nature of the services provided, companies may be subject to the Securities Exchange Act of 1934, Bank Secrecy Act, and states’ money transmitter licensing statutes.

The push for more oversight over cryptocurrencies comes on the heels of high-profile scandals involving cryptocurrency exchanges and ICOs that left consumers and investors alike with nothing but questions after losing their fiat and digital currencies.

The very first incident involved Mt. Gox, a bitcoin exchange based in Tokyo, Japan that operated between 2010 and 2014. Cryptocurrency exchanges allow their users to exchange fiat currency (e.g., U.S. Dollars) into cryptocurrency and provide digital wallets for users to store their cryptocurrency. In its heyday, Mt. Gox was handling over 70% of all bitcoin transactions worldwide. However, it ran into a host of problems in 2013 continuing into 2014 until it stopped operations and filed for bankruptcy. During the litigation that ensued, it was revealed that Mt. Gox had somehow lost approximately 750,000 of its customers’ bitcoins, valued at around $473 million at that time.

More recently, in February 2019, the cryptocurrency exchange QuadrigaCX announced that it was missing approximately $145 million in digital assets. Its executives, consumers, and law enforcement are in a frenzy to determine what happened to the missing digital assets as the only person who had access was QuadrigaCX’s founder Gerry Cotten, who had passed away the month prior.

These incidents are not limited to cryptocurrency exchanges, especially as ICOs have become more popular in recent years. ICOs are similar to IPOs in the sense that investors can buy a stake in a particular cryptocurrency (referred to as a token), but unlike IPOs, a token’s value is not tied to the value or performance of an underlying company. In November 2018, the SEC settled charges against professional boxer Floyd Mayweather Jr. and singer/producer DJ Khaled for failing to disclose payments they received for promoting investments in ICOs. This suggests that despite the decentralized nature of cryptocurrencies and ICOs, the SEC has assumed jurisdiction over the space and its players.

Accordingly, broker-dealers and investment advisory firms looking to get involved in the digital asset space, including operating cryptocurrency exchanges, providing trading platforms for cryptocurrencies, or facilitating ICOs, must ensure that they are in compliance with all existing laws and regulations that govern traditional financial transactions and investments.

For more information or to inquire about the firm’s services related to digital currencies, please contact Jennifer Lee at [email protected].