
Page 1: Online Lenders Alliance – 2020 Compliance University...retail financial services, and fair lending issues. He assists a broad range of financial services ... as well as state financial

Online Lenders Alliance – 2020 Compliance University

Data Privacy and Data Security: What Every Compliance Professional Should Know

This program will discuss the key laws and regulations governing data privacy and data security that all compliance professionals need to know. The panel will provide an overview of the provisions of key federal and state laws and regulations, and identify areas undergoing change. The panel also will highlight significant areas of compliance risk.

The program will cover the following topics:

I. GLBA Privacy Rules: Regulation P
  a. General Rule: Notice and Opt-out Requirements
  b. Exceptions
  c. Model Form
  d. Enforcement and Liability

II. Data Security Rules
  a. GLBA Safeguards Rules of FTC and Federal Banking Agencies
  b. Basic Provisions of Safeguards Rules
    1. Common Aspects of FTC and Federal Banking Agency Rules
    2. Differences between FTC and Federal Banking Agency Rules
    3. Enforcement and Liability
  c. Proposed Revisions to FTC Safeguards Rule
  d. State Data Security Rules: New York DFS Cybersecurity Rule

III. California Consumer Privacy Act (“CCPA”)
  a. Scope and Definitions
  b. Key Requirements

  c. Key Exceptions
  d. Enforcement and Liability
  e. Proposed Rules from California Attorney General

IV. Data Breach
  a. Breach Notification Requirements: Federal and State
  b. Data Breach and Unfair or Deceptive Acts or Practices
    1. Deceptive: Misrepresentations about Data Security Measures
    2. Unfair: Failure to Take Reasonable Security Measures to Prevent Data Breach
  c. Advance Preparation for a Data Breach
  d. Responding to a Data Breach


David Stein, Of Counsel, Washington, +1 202 662 5074, [email protected]

David Stein advises clients on credit reporting, financial privacy, financial technology, payments, retail financial services, and fair lending issues. He assists a broad range of financial services firms, consumer reporting agencies, financial technology companies, and their vendors with regulatory, compliance, supervision, enforcement, and transactional matters.

Mr. Stein has significant experience advising clients on compliance with the FCRA, GLBA, ECOA, EFTA, E-Sign Act, TILA, TISA, FDCPA, Dodd-Frank Wall Street Reform and Consumer Protection Act, and FTC Act, as well as state financial privacy laws. Mr. Stein is a member of the firm’s fintech and artificial intelligence initiatives and works with clients on issues related to cutting edge technologies, such as blockchain, virtual currencies, big data and data analytics, artificial intelligence, online lending, and payments technology.

Mr. Stein previously served in senior regulatory, policy-making, and management positions at the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Board (FRB). He played a significant role in developing regulations and policy on credit reporting, financial privacy, retail payments systems, consumer credit, fair lending, overdraft services, debit interchange, unfair or deceptive acts or practices, and mortgage origination and servicing. Mr. Stein draws upon his government experience in representing clients before the CFPB, the FRB, and other regulatory agencies and leverages his insights into the regulatory process to provide clients with practical, actionable advice.

Mr. Stein received his J.D. from The George Washington University Law School in 1991, where he was a Member of The George Washington University Law Review, a Member of The George Washington University Moot Court Board and was elected Order of the Coif. He received his J.D. from Johns Hopkins University in 1986.

© 2020 Covington & Burling LLP. All rights reserved.

Data Privacy and Data Security
Online Lenders Alliance Compliance U, July 22, 2020

Presenters

Erin Jane Illman, Partner, Bradley, [email protected]

David Stein, Of Counsel, Covington & Burling LLP, [email protected]

Agenda

• Gramm Leach Bliley Act
• Address Confidentiality Programs
• California Consumer Privacy Act
• California Privacy Rights (and Enforcement) Act
• Recent Data Breach Issues


Gramm Leach Bliley Act

GLBA Rules and Enforcement

• Federal rules on:
  • Data Privacy (the Consumer Financial Protection Bureau’s Regulation P): privacy notices, opt-out rights, limits on reuse and redisclosure
  • Data Security (the Federal Trade Commission’s Safeguards Rule): safeguarding customer information
  • For banks, the federal banking agencies have separate information security guidelines
• Implemented and enforced by regulatory agencies
• No private rights of action


GLBA Privacy Rules

Scope of GLBA Privacy Rule

• The GLBA privacy rule requires financial institutions to provide notice of their privacy policies
• The GLBA privacy rule’s focus is on any financial institution
  • Includes banks, non-bank lenders, consumer reporting agencies, and debt collectors, among others
  • That collects and shares nonpublic personal information (“NPI”) about a customer or a consumer
  • With a nonaffiliated third party

GLBA Privacy: Notice and Opt-out

• Notice and opt-out: Financial institutions generally must provide notice and a reasonable opportunity and method to opt out before disclosing nonpublic personal information (NPI) about customers or consumers to nonaffiliated third parties, unless an exception applies.
• Timing and frequency:
  • Initial notice to a “customer” no later than when the customer relationship is established, or before sharing information about a “consumer” who is not a customer
  • Annual notice, but not required if all sharing is within a GLBA exception and there has been no change in practices

Content of Privacy Notices

• Privacy notices must include:
  • The types of NPI that the institution collects and discloses
  • The types of affiliated and nonaffiliated third parties to whom the institution discloses NPI
  • An explanation of the consumer’s right to opt out of the disclosure of NPI to nonaffiliated third parties, if applicable
  • A description of how the institution protects this information
• Model form of privacy notice
  • Appendix to Regulation P with instructions for use
  • Use of the model privacy notice is not required, but provides a compliance safe harbor

GLBA Exceptions

• The GLBA notice and opt-out requirements do not apply when a financial institution discloses information to a nonaffiliated third party:
  • To service or process a financial product or service a consumer requests or authorizes;
  • To maintain or service an account (account servicing, debt collection);
  • For fraud prevention and institutional risk control;
  • To respond to a civil, criminal, or regulatory investigative demand, subpoena, or judicial process;
  • To furnish information to a consumer reporting agency, or when acting as a CRA; and
  • With the consent of the consumer.
• Exception for sharing with a service provider (including for joint marketing) if the financial institution provides a privacy notice and, by contract, limits the service provider’s use of NPI to performing the relevant services.

Reuse and Redisclosure

• The GLBA limits the reuse and redisclosure of NPI received from a nonaffiliated financial institution
• If a financial institution receives NPI from a nonaffiliated financial institution under an exception, the receiving financial institution may only:
  • Use and disclose the information pursuant to an exception; and
  • Disclose the information to the affiliates of the financial institution that provided the information and to its own affiliates.
• If a financial institution receives NPI from a nonaffiliated financial institution outside of an exception, the receiving financial institution may only:
  • Disclose the information to the affiliates of the financial institution that provided the information and to its own affiliates; and
  • Disclose the information to any other person, if the nonaffiliated financial institution itself could provide the information to that person.

Key Issues

• Application to finders:
  • For banks, the rules apply to finders (lead generators); for non-banks, the rules currently do not apply to finders.
  • Under an FTC proposal, the rules could be adjusted to cover finders in all cases.
• GLBA exception to the California Consumer Privacy Act (“CCPA”)
  • Discussed below
  • Fitting within GLBA is a way to limit the scope of CCPA coverage.


GLBA Data Security

The GLBA Safeguards Rule and Its Scope

• The FTC “Safeguards Rule” and the federal banking agencies’ information security guidelines implement the GLBA information security requirements.
  • FTC rule applies to non-banks
  • Federal banking agency guidelines apply to banks
• A financial institution is subject to the Safeguards Rule for all “customer information” in its possession, including:
  • Its own customer information; and
  • Information about another financial institution’s customers

Information Security Program

• A financial institution must develop, implement and maintain an information security program that:
  • Is written and comprehensive; and
  • Includes administrative, technical and physical safeguards appropriate to:
    • The financial institution’s size and complexity;
    • The nature and scope of its activities; and
    • The sensitivity of the customer information it maintains.
• Safeguards must be reasonably designed to:
  • Insure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to, or use of, such information that could result in substantial harm or inconvenience to customers.

Design of Information Security Program

• To comply with the Safeguards Rule, a financial institution must:
  • Designate an employee to coordinate the program;
  • Identify internal and external risks to customer information and assess the sufficiency of any safeguards in place to control these risks;
  • Design and implement information safeguards to control the identified risks, and regularly test or monitor the effectiveness of these safeguards;
  • Evaluate and adjust the program based on testing/monitoring, material changes in operations, or any other circumstances that may have a material impact on the program; and
  • Oversee its service providers.

FTC Proposed Update of Safeguards Rule

• In March 2019, the FTC proposed revisions to the Safeguards Rule that would make the rule more prescriptive and require, among other things:
  • Designating a Chief Information Security Officer
  • Adding new risk assessment requirements
  • Requiring access controls, encryption at rest and in transit, and multi-factor authentication
  • Requiring regular testing and monitoring of key controls
  • Requiring incident response plans
• Based in part on the NY DFS Cybersecurity Rule
• A final rule has not been issued.

New York Cybersecurity Regulations

• In 2017, the New York Department of Financial Services adopted cybersecurity regulations for financial institutions doing business in New York.
• Requirements are more prescriptive than the Safeguards Rule and include:
  • Conduct cyber risk assessments
  • Develop and implement cybersecurity programs
  • Implement a written cybersecurity policy
  • Conduct continuous monitoring or periodic penetration testing and vulnerability assessments
  • Establish a written incident response plan
  • Notify NY DFS within 72 hours of a Cybersecurity Event

Address Confidentiality Programs (“Safe At Home”)

What are Address Confidentiality Programs?

• Designed to protect certain populations
  • Victims of domestic violence, stalking, human trafficking, sexual assault, etc.
• Two main pillars
  • Use of a designated address
  • Prohibition on disclosure of shielded information
• 39 states have adopted ACPs
• Federal legislation

Practical Considerations for Address Confidentiality Programs

• Applicable to private entities in certain states
• Determine scope of population
• Seek to obtain participant consent
• Use designated address for program participants
• Pay attention to states that prohibit disclosure of address in property records
• Note expiration of status
• Strategize handling of accounts where no consent is given


State Privacy Law--Overview


California Consumer Privacy Act or CCPA

Scope and Definitions

• “Consumer” is a natural person who is a California resident.
  • Not limited to personal, family, or household purposes.
  • Applies to natural persons engaged in business or commercial transactions.
• “Personal information” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • Includes identifiers, personal characteristics, data protected by data security laws, biometric information, geolocation data, IP addresses, browsing history, and much more.

Scope and Definitions (cont.)

• A “business” is a for-profit entity that collects personal information on California residents, determines the purposes and means of processing the PI, does business in California, and does one of the following:
  • Has annual gross revenues > $25M;
  • Annually buys, receives/shares for commercial purposes, or sells personal information of ≥ 50,000 residents, households, or devices; or
  • Derives 50% or more of its annual revenues from selling California residents’ personal information.
  • Certain affiliates sharing a common brand are not a separate “business.”
• A “service provider” is a for-profit entity that
  • Receives personal information from a business for a “business purpose”; and
  • Processes personal information on behalf of a business pursuant to a written contract that prohibits the retention, use, or disclosure of the personal information for purposes other than performing the services.

Data Access and Disclosure

• A business that collects a consumer’s personal information must disclose to the consumer, upon receipt of a verifiable consumer request:
  • The categories of personal information collected;
  • The sources of the information;
  • The business or commercial purpose for collecting or selling personal information;
  • The categories of third parties with whom the business shares personal information; and
  • The “specific pieces of personal information” collected.

Data Access and Disclosure (cont.)

• A business that sells or discloses for a business purpose a consumer’s personal information must disclose to the consumer, upon receipt of a verifiable consumer request:
  • The categories of personal information collected;
  • The categories of personal information sold (or the fact that no information has been sold) and the categories of third parties to whom the information was sold;
  • The categories of personal information disclosed for a business purpose.
• Businesses must respond to verifiable consumer requests to access personal information within 45 days (though they can request an extension of up to 90 days).

Data Access and Disclosure (cont.)

• Disclosures must:
  • Cover the 12 months preceding the request;
  • Be provided free of charge;
  • Be delivered in writing or electronically; and
  • Be provided in a portable and (where possible) readily useable format, if provided electronically.

Data Deletion

• A business must delete any personal information it has collected from the consumer upon receipt of a verifiable consumer request, subject to certain exceptions.
• Exceptions apply if the data is necessary to:
  • Complete a transaction or provide a service the consumer requested;
  • Engage in activities reasonably anticipated within the context of an ongoing business relationship with the consumer;
  • Protect against fraud or other illegal activity;
  • Comply with the law;
  • Engage in certain research;
  • Exercise free speech rights; or
  • Enable internal uses reasonably aligned with consumer expectations.
• A business that collects personal information must disclose to consumers the right to request deletion of that information.

Opt-Out of Sale

• Consumers have the right, at any time, to direct a business not to sell his or her personal information to third parties. This is the right to opt out.
• A business must provide a clear and conspicuous link on its Internet home page titled “Do Not Sell My Personal Information” that enables the consumer to opt out, and must describe the opt-out right.
• Special rules for minors:
  • Minors aged 13-16 must opt in or affirmatively consent to the sale of personal information.
  • A parent or guardian must opt in or affirmatively consent to the sale of personal information for children under age 13.
• “Sale” or “sell” means processing “for monetary or other valuable consideration.”

Non-Discrimination

• A business may not discriminate against a consumer for exercising any rights under the CCPA by:
  • Denying goods or services to the consumer;
  • Providing a different level or quality of goods or services to the consumer; or
  • Charging different prices based on the exercise of CCPA rights.
• A business can offer different quality services if the difference is reasonably related to the value provided by the consumer’s data.
• A business can provide financial incentives to encourage users’ participation in the collection of personal information.

Exceptions

• The CCPA does not apply to:
  • GLBA Exception: Personal information collected, processed, sold, or disclosed pursuant to the GLBA, its implementing regulations, or the California Financial Information Privacy Act.
  • FCRA Exception: The sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined in the FCRA, and use of that information is limited by the FCRA.

Enforcement

• Privacy violations – Attorney General enforcement only
  • Violations of the data access and disclosure, data deletion, opt-out of sale, and non-discrimination provisions.
• Data security violations – Attorney General enforcement and private rights of action (individual or class actions)
  • Standard: Unauthorized access and exfiltration, theft, or disclosure of personal information that was not encrypted or redacted, where the breach occurred because the business failed to maintain reasonable security practices.
  • Data encryption provides a safe harbor against litigation.
• Administrative penalties -- up to $2,500 for each negligent violation; and up to $7,500 for each intentional violation.
• Civil penalties -- statutory damages between $100-$750 per consumer per incident, or actual damages
• Right to cure alleged violation within 30 days of notice.

California Attorney General Regulations

• Attorney General required to issue implementing regulations by June 30, 2020.
• Final proposed regulations released on June 1, 2020.
  • The California Office of Administrative Law has 30 working days plus an additional 60 calendar days to review and approve the regulations for compliance with the California Administrative Procedure Act.
• Final proposed regulations generally follow the statute and also include items not addressed in, or addressed differently in, the CCPA, such as:
  • Recordkeeping requirements;
  • Notice and calculation of the value of financial incentives;
  • Disclosures in languages other than English and in a form accessible to persons with disabilities;
  • Requests related to household information.


California Privacy Rights (and Enforcement Act) of 2020

CPRA

CPRA -- Overview

• Builds on the CCPA framework
  • New California Privacy Protection Agency
• Consumer rights
  • Expanded initial notification obligations
  • New right to opt out of data sharing
  • Broader private right of action for data breaches
  • New rights relating to automated processing
  • Consent and correction rights
• Business responsibilities
  • New obligations relating to automated processing
  • Limits retention of data/PI
  • Express information security requirements
  • New contractual and service provider obligations
  • Limits use of sensitive personal information
• Implementation and enforcement
  • November 3rd ballot
  • Certain provisions effective immediately
  • Agency rulemaking process begins on July 1, 2021; fully effective January 1, 2023


Data Breach Notification Laws and Recent Issues

Recent Attacks--Analyzed

• January 2020
  • An Iranian hacking group launched an attack on the U.S.-based research company Westat as part of a suspected effort to gain access to the firm’s clients in the public and private sectors.
  • The UN was revealed to have covered up a hack into its IT systems in Europe conducted by an unknown but sophisticated hacking group.
  • Turkish government hackers targeted at least 30 organizations across Europe and the Middle East, including government ministries, embassies, security services, and companies.
  • Mitsubishi announced that a suspected Chinese group had targeted the company as part of a massive cyberattack that compromised personal data of 8,000 individuals as well as information relating to partnering businesses and government agencies, including projects relating to defense equipment.
  • The FBI announced that nation state hackers had breached the networks of two U.S. municipalities in 2019, exfiltrating user information and establishing backdoor access for future compromise.
  • A Russian hacking group infiltrated a Ukrainian energy company where Hunter Biden was previously a board member, and which has featured prominently in the U.S. impeachment debate.
  • More than two dozen Pakistani government officials had their mobile phones infected with spyware developed by the Israeli NSO Group.
  • A suspected nation state targeted the Austrian foreign ministry as part of a cyber attack lasting several weeks.

Recent Attacks--Analyzed

• February 2020
  • The U.S. Department of Justice indicted two Chinese nationals for laundering cryptocurrency for North Korean hackers.
  • Mexico’s economy ministry announced it had detected a cyber attack launched against the ministry’s networks, but that no sensitive data had been exposed.
  • The U.S. Defense Information Systems Agency announced it had suffered a data breach exposing the personal information of an unspecified number of individuals.
  • A hacking group of unknown origin was found to be targeting government and diplomatic targets across Southeast Asia as part of a phishing campaign utilizing custom malware.
  • Chinese hackers targeted Malaysian government officials to steal data related to government-backed projects in the region.
  • Iran announced that it had defended against a DDoS attack on its communications infrastructure that caused internet outages across the country.
  • More than 10 countries accused Russia of being behind a series of cyber attacks against Georgia in 2019 that took thousands of websites for private, state, and media institutions offline.
• March 2020
  • North Korean hackers targeted individuals involved with North Korean refugee issues as part of a cyber espionage campaign.
  • Suspected South Korean hackers were found to have used five previously unreported software vulnerabilities to conduct a wide-ranging espionage campaign against North Korean targets.
  • Saudi mobile operators exploited a flaw in global telecommunications infrastructure to track the location of Saudis traveling abroad.
  • Chinese hackers targeted over 75 organizations around the world in the manufacturing, media, healthcare, and nonprofit sectors as part of a broad-ranging cyber espionage campaign.
  • A suspected nation state hacking group was discovered to be targeting industrial sector companies in Iran.
  • Human rights activists and journalists in Uzbekistan were targeted by suspected state security hackers in a spearphishing campaign intended to install spyware on their devices.
  • Chinese cybersecurity firm Qihoo 360 accused the CIA of being involved in an 11-year-long hacking campaign against Chinese industry targets, scientific research organizations, and government agencies.
• April 2020
  • Iranian government-backed hackers attempted to break into the accounts of WHO staffers in the midst of the Covid-19 pandemic.


• Federal:
  • GLBA and implementing regulations and guidance
  • Federal Trade Commission Act (Section 5) and Consumer Financial Protection Act (Sections 1031 and 1036)

• State:
  • State breach notification laws and regulations
  • Mini-FTC Acts

• Private sector codes:
  • PCI DSS (Payment Card Industry Data Security Standard)

40

Sources of Law


• GLBA:
  • The Federal Banking Agencies’ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice provides for notifying:
    • The primary federal regulator when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
    • Appropriate law enforcement authorities, consistent with the Agency’s Suspicious Activity Report (“SAR”) regulations; and
    • Customers, when warranted.

• FTC Act (Section 5) and CFPA (Sections 1031 and 1036):
  • UDAP/UDAAP statutes used by the FTC, CFPB, and Federal banking agencies to bring enforcement actions for failure to provide timely notice of a breach.

41

Federal Law


• States and territories all have some form of data breach notification law.
• The specific requirements of state laws vary, so there is no one-size-fits-all approach to compliance.
• Common features include:
  • Defining what constitutes a “breach” and what “personal information” is protected by the law;
  • The level of harm necessary to trigger notification requirements;
  • Notice to consumers, timing of notice, and notice delays at the request of law enforcement;
  • Notice to regulators (not required in every state), and the timing and conditions for such notice;
  • Safe harbor for encrypted or redacted data; and
  • Enforcement (administrative, private rights of action).

42

State Laws


Responding to Cyber Incidents Just Got More Complicated

• Applicability of privilege post-incident is not guaranteed

• Outside counsel MUST direct the scope of the cyber-work

• Enter into new engagements with forensic firms and vendors

• The court explained that “[m]aterials prepared in the ordinary course of business or pursuant to regulatory requirements . . . are not documents prepared in anticipation of litigation” and “[i]n order to be entitled to protection, a document must be prepared ‘because of’ the prospect of litigation and the court must determine ‘the driving force behind the preparation of each requested document’ in resolving a work product immunity question.”

43


Questions/Discussion

If you would like to ask a question, you can ASK or type your question into the CHAT feature NOW.

44