OCCFDIC Final Rule for Banking Organizations Notification RequirementsOCC/FDIC Board Final Rule for Bank Organizations Notification Requirements

OCC/FDIC Board Final Rule for Bank Organizations Notification Requirements

On November 18, 2021, the three primary banking regulatory agencies — the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC) – jointly approved a final rule with two distinct notification requirements:

  • The rule requires “banking organizations” to notify their primary federal regulator of any significant “computer-security incidents” as soon as possible and no later than 36 hours after the bank determines a “notification incident” has occurred.
  • The rule also requires “bank service providers” to notify any affected banking organization customer of “computer-security incidents” that has “caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

The rule goes into effect in April 2022, and requires compliance by May 1, 2022.

 

Who is subject to the rule?

As explained above, the rule imposed distinct requirements “banking organizations” and “bank service providers.”

Banking organizations” generally include any organization that is regulated by the OCC, the Board, or the FDIC. Specifically:

  • For the OCC: “national banks, federal savings associations, and federal branches and agencies of foreign banks.”
  • For the Board: “all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.”
  • For the FDIC: “all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations”

The rule expressly excludes designated financial market utilities (“FMUs”) from its definition of “banking organization” and “bank service provider.” See 12 U.S.C. § 5462(4). To the extent an FMU is supervised by the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”), the FMUs are subject to any notification requirements imposed by those agencies. See e.g., SEC Reg. SCI, 17 CFR 242.1000 (SEC); 17 CFR 39.18(g) (CFTC).

When making the rule, the agencies also considered a rule being on “additional entities, such as financial technology firms and non-bank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms.” In the end, the agencies simply concluded that the definition of banking organization under the rule was “consistent with the agencies’ supervisory authorities.”  To the extent that a banking organization is required to make a notification under the rule, that notification must go to the agency with primary regulatory oversight over the organization.

A “Bank Service Provider” includes persons and companies performing “covered services” subject to the Bank Service Company Act, 12 U.S.C. 1861-1867 (“BCCA”). The definition is vague, but the Agencies’ rulemaking explains that the purpose of the definition was to encompass any company that provides services to a banking organization that could be involved in a service disruption.

 

When is notification required?

The respective notification requirements applicable to Banking Organizations and Bank Service Providers are based on the occurrence of a “Computer Security Incident.” For consistency, the Agencies adopted the same definition of “Computer Security Incident” as provided by the National Institute of Standards and Technology (“NIST”). Thus, a “computer-security incident” is “an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

 

Banking Organizations

Bank Organizations must provide notification to their regulating agency when a “computer-security incident” rises to the level of a “notification incident.” A notification incident is a “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s) (any product or service that serves or supports business needs), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The definition of “notification incident” is broad enough to encompass any computer-security incident that impacts the banking organization’s general operations. As a practical matter, a banking organization will want to provide notification for any computer security incident that is likely to materially disrupt its operations or services to ensure compliance.

The banking organization must provide notice to the appropriate agency “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”

 

Bank Service Providers

Bank Service Providers’ notification requirement is triggered by the occurrence of the computer-security incident that has or is reasonably likely to “materially disrupt or degrade” the services it provides the bank for four or more hours. The rule makes clear that scheduled maintenance, testing, or software updates that have been previously communicated to the banking organization are not subject to the rule’s notification requirement.

The bank service providers must provide notification to the designated point of contact at each banking organization at which any customer will be impacted by the bank services provider’s degradation or disruption of service. The bank service providers must provide notification “as soon as possible.”

 

Takeaways

The joint new rule from OCC, Board, and FDIC is consistent with a recent trend of varying state and federal regulatory bodies imposing independent notification obligations related to a data incident.

The imposition of new notification requirements may lead to the imposition of inconsistent notification requirements (e.g., the Agencies’ rule conflicts with the state incident notification laws). The rule could place the banking organizations between a rock and a hard place. For example, the banking organization could determine that notification is required under the new rule but may need additional time to determine if notification to state agencies and customers is necessary. The perceived delay may serve as a justification for the imposition of fines or to support a theory of liability in litigation related to the incident.

The proper timing for notification will always be a case-by-case decision. Banking organizations and bank service providers should work closely and proactively with experienced incident response counsel to ensure compliance with notification laws and to mitigate against creating any bases for the imposition of penalties or civil liability.

Beckage closely monitors developments in laws and regulations governing cybersecurity. Beckage’s team of highly skilled attorneys and technologists are uniquely situated to assist clients as they navigate these changes.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.


Sources: 12 C.F.R. Part 53; 12 C.F.R. Part 255; 12 C.F.R. Part 304

Copy of the final rule: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf

GDPRThe EU Commission Releases the Long-Awaited Updated SCCs for Continued Cross-Border Data Transfers

The EU Commission Releases the Long-Awaited Updated SCCs for Continued Cross-Border Data Transfers

One of the most highly contentious areas under the European Union’s General Data Protection Regulation (“GDPR”) is the cross-border data transfer of Personal Data out of the EU and into other regions, especially the US. Last year, the Court of Justice released its highly anticipated decision, Schrems II, where it invalidated the EU-US Privacy Shield as a lawful mechanism to transfer Personal Data into the US but upheld the continued use of the Standard Contractual Clauses (“SCCs”). However, the Court signaled a heightened tension around the transfer of data, even using the SCCs, from the EU to the US, directing companies to consider whether those transfers would require “supplemental measures” prior to utilizing the SCCs to transfer Personal Data from the EU to the US.

In the wake of that decision, the EU Commission, charged with adopting the SCCs, announced its plans to update the SCCs to align with the Schrems II decision, to generally update the document. To date, the current form SCCs used for cross-border data transfers were adopted under the GDPR’s predecessor, the EU Directive on Data Protection, in 2001.

For the last two decades, companies across the globe leveraged the SCCs to validate the on-going transfers of personal data across many borders. However, with the increasing complexities of technology and multi-party data transactions, the limited form and nature of the SCCs continued to create challenges in leveraging the standard documents to fit varying types of cross-border data transfers. On Friday, June 4, 2021, the EU Commission released its long anticipated updated form of the Standard Contractual Clauses, available here.

The New Form Standard Contractual Clauses

The new SCCs include robust obligations on both importers and exporters of personal data under the GDPR and the Schrems II decision. Further, the new SCCs are intended to provide more flexibility and options for companies to better address the complex nature of data transfers.

The new SCCs also include modules for entities to leverage depending on the relationship between the parties involved in the transfer, i.e., controller to processer; processor to processor; etc.  These changes are intended to further align with modern data transfers and to promote the free flow of data. In the EU Commission Press-Release, Vice-President for Values and Transparency, Vera Jourová emphasized that the SCCs provide a useful tool for the free-flow of data:

“In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernized Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”

The Impact of the New SCCs

The new SCCs are expected to impact and streamline the process of adopting the appropriate contractual language to allow for the cross-border exchange of personal data. Further, the clauses are intended to align closer to the GDPR requirements, which went into effect in 2018, and the recent Schrems II guidance. Commissioner for Justice, Didier Reynders, emphasized that:

“In our modern digital world, it is important that data can be shared with the necessary protection – inside and outside the EU. With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers. After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”

The updated SCCs focus on the following key updates:

  • Align with the GDPR and Schrems II decision;
  • Provide simple and flexible model clauses for international transfers;
  • Include more robust data protection obligations (e.g., requiring importers to allow regular audits upon exporter request); and
  • Allow for third parties to acceded to existing SCCS as data exporter or importer (under the Docking Clause).

Transition to New SCCs

The new SCCs go into effect in approximately 20 days. Businesses leveraging previous versions of the SCCs have 18 months to transition to the new SCCs.

Overall, these new SCCs will allow companies to use contractual agreements in the cross-border transfer of personal data that better align to the increasingly complex nature of these transactions. Further, the new versions come at a critical juncture, when companies are struggling to implement the guidance of Schrems II and continue to leverage data processing in multiple regions around the world.  In the wake of the invalidation of the EU-US Privacy Shield, and heightened challenges with cross-border data transfers, the SCCs demonstrate the EU’s commitment to addressing data protection while continuing to allow the continued data flows out of the EU.

In light of this critical development, Beckage recommends that clients taken immediate steps to evaluate all existing agreements that will need to be updated with the new SCCs.  As stated above, companies will have up to 180 days to amend previously executed DPAs to include the new form SCCs. As such, companies will need to discuss a process to review its previously executed contracts and develop a plan to roll out amendments. Additionally, moving forward, companies will need to leverage the updated form SCCs in all new Data Processing Agreements.

At Beckage, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge that can help your company work towards compliance and data protection in both Europe and the United States.  Beckage works with clients to review current policies and assess data security practices.  Our team can help implement a plan to address the new SCCs.  

*Attorney Advertising. Prior results do not guarantee future outcomes. 

Subscribe to ourNewsletter

BiometricsIn the Face of Huge Settlements, BIPA May Soon Be Losing Its Bite

In the Face of Huge Settlements, BIPA May Soon Be Losing Its Bite

Illinois lawmakers are considering a bill which has the potential to dramatically rein in the state’s strict Biometric Information Privacy Act (“BIPA”).  On March 9, 2021, the Illinois House judiciary committee advanced House Bill 559 (the “Bill”) which would amend BIPA.  The Bill has a couple of key amendments that may impact your business.

First, the Bill changes BIPA’s “written release” requirement to instead simply require “written consent”.  Thus, under the Bill, businesses would no longer be required obtain written release, but instead could rely on electronic consent.

Second, whereas BIPA currently requires that a business in possession of biometric identifiers draft and provide a written policy regarding its handling of biometric data to the general public, under the Bill, businesses would only be required to provide this written policy to affected data subjects.

Third, the Bill creates a one-year statute of limitations for BIPA claims.  Moreover, the Bill provides that prior to initiating a claim, a data subject must provide a business with 30 days’ written notice identifying the alleged violations.  If the business cures these violations within the 30 day window, and provides the data subject an express written statement indicating the issues have been corrected and that no further violations shall occur, then no action for individual statutory damages or class-wide statutory damages can be taken against the business.  If the business continues to violate BIPA in breach of the express written statement, then the data subject can initiate an action against the business to enforce the written statement and may pursue statutory damages.  Therefore, not only does the Bill finally create a statute of limitations, but also provides a mechanism by which businesses can respond to alleged violations of BIPA prior to engaging in costly litigation.

Fourth, the Bill modifies BIPA’s damages provisions.  Currently BIPA provides that prevailing plaintiff is entitled liquidated damages of $1,000 or actual damages, whichever is greater, when a business is found to have negligently violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to only actual damages.  Similarly, in its current form, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $5,000 or actual damages, whichever is greater, when a business is found to have willfully violated BIPA.  The Bill would limit a prevailing plaintiff’s recovery to actual damages plus liquidated damages up to the amount of actual damages.  Therefore, the Bill would limit a businesses exposure in BIPA claims to what a prevailing Plaintiff can demonstrate as actual damages.

Finally, the Bill provides that BIPA would not apply to a business’ employees if the those employees were covered by a collective bargaining agreement.  Something which has been at issue in recent BIPA litigation as discussed here.

BIPA litigation has increased dramatically and resulted in a number of recent high-profile settlements, including TikTok’s $92 million dollar settlement and Facebook’s $650 million dollar settlement.  This Bill has the potential to greatly curtail this spiral of litigation and high settlement figures.  Beckage will continue to monitor any developments regarding the Bill and will update its guidance accordingly.  Our team of experienced attorneys, who are also devoted technologists, are especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also handle any resulting litigation.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

Meal Kit Provider - California Automatic Renewal LawCalifornia Automatic Renewal Laws and Recent Litigation

California Automatic Renewal Laws and Recent Litigation

Automatic renewal contracts have become ubiquitous in our everyday lives; however, few give thought to the laws and regulations governing them.  Whereas the federal government has regulations governing automatic renewal contracts[1], most states, similarly, have laws governing automatic renewal contracts, or automatic renewal laws (“ARL”).  Perhaps unsurprisingly, in 2009 California enacted one of the strictest ARLs intended to end the practice of charging consumer credit cards without a customers’ explicit consent for ongoing shipments of product or deliveries of a service.[2]

What is an Automatic Renewal under the Under California’s Automatic Renewal Law?

An “automatic renewal” is defined as “a plan or arrangement in which a paid subscription or purchasing agreement is automatically renewed at the end of a definite term for a subsequent term.”[3]  Similarly, a “continuous service” is defined as “a plan or arrangement in which a subscription or purchasing agreement continues until the consumer cancels the service.”[4]  While these definitions may appear to be esoteric, we encounter a number of automatic renewals or continuous services in our everyday lives – everything from meal kit boxes such as HelloFresh and Blue Apron, to monthly subscription boxes like Birchbox or LootCrate, to digital subscription services like Netflix, Hulu, Apple Music, or Spotify.

What Does California’s Automatic Renewal Law Require?

If a business wants to offer an automatically renewing contract it must:

  1. Clearly and conspicuously disclose, before a contract is fulfilled, the “automatic renewal offer terms” or “continuous service offer terms” of the contract;
  2.  Obtain the “affirmative consent” of a costumer to the “automatic renewal offer terms” or “continuous service offer terms”;
  3. Disclose any cancellation policies; and
  4. Provide notice of any “material changes” to the terms of the “automatic renewal offer terms” or “continuous service offer terms”[5]

What Terms Must Be Disclosed Under California’s Automatic Renewal Law?

The California automatic renewal law requires that “automatic renewal offer terms” and “continuous service offer terms” be disclosed in a clear and conspicuous manner before the contract is made or fulfilled and must include:

  1. That the subscription or purchasing agreement will continue until the consumer cancels;
  2. A description of the cancellation policy that applies to the offer;
  3. That reoccurring charges that will be charged to the consumer’s credit or debit card or payment account with a third party as part of the automatic renewal plan or arrangement and the among of the charge;
  4. The length of the automatic renewal term; and
  5. The minimum purchase obligation[6]

In 2018, the California ARL was amended to include that if the offer included a free gift or free trial than it must clearly and conspicuously notice the customer of the price that they will be charged and when the free trial expires.

What Happens If My Business Does Not Comply with California’s Automatic Renewal Law?

The California ARL does not provide for a private right of action, meaning a California resident cannot directly sue a business for violating the automatic renewal law.  The law simply provides that “all available civil remedies that apply to a violation of [the California ARL] may be employed.”[7] 

That is not to say that the California ARL is without teeth.  To be sure, an organization known as the California Auto Renewal Task Force (CART), made up of District Attorneys from a variety of Californian counties, has filed numerous actions against businesses for allegedly violating the ARL.  An action brought by CART recently settled with the business agreeing to pay $400,000 in penalties and an additional $150,000 in restitution for violating California ARL by failing to get the customers’ affirmative consent as outlined above.[8]

Are There Any Other Concerns If My Business Engages in Automatic Renewal Contracts?

In addition to California, the federal government may impose regulatory requirements regarding automatic renewal contracts of which your businesses should be aware. Under Restore Online Shoppers’ Confidence Act (ROSCA), the Federal Trade Commission is tasked with investigating businesses who fail to:

  1. Clearly and conspicuously disclose material terms of contract such as whether it is reoccurring;
  2. Obtain the consumer’s express and informed consent before making a charge; and
  3. Provide a simple mechanism to stop reoccurring charges.[9]

A recent case involving a California based company, Age of Learning, Inc. d/b/a ABCmouse, resulted in a $10,000,000 settlement after FTC alleged that ABCmouse failed to provide a sufficiently simple mechanism to stop the reoccurring charges for educational content.[10]

As transparency remains a cornerstone of compliance initiatives, whether under California’s ARL or ROSCA, it is critical for businesses to have great foundation for their business before scaling to avoid potential settlements or fines.  Our experienced litigation and compliance attorneys at Beckage can help your business navigate the complexities of drafting appropriate notices, or handling litigation resulting from California’s or any other states’ ARL.

*Attorney Advertising: Prior results do not guarantee a similar outcome. 

Subscribe to our newsletter. 


[1] See e.g. Section 5 of the FTC Act, 15 U.S.C. § 45(a) (regulating unfair or deceptive practices); Restore Online Shopper’s Confidence Act (ROSCA), 15 U.S.C. § 8403 et seq (prohibiting charging customers unless there has been clear disclosure of, and express consent to, the material terms).

[2] Cal Bus & Prof Code § 17600 et seq.

[3] Cal Bus & Prof Code § 17601(a).

[4] Cal Bus & Prof Code § 17601(e).

[5] Cal Bus & Prof Code § 17602.

[6] Cal Bus & Prof Code § 17601(b)(1-5).

[7] Mayron v. Google LLC, 54 Cal. App. 5th 566, 570 (2020); Cal Bus & Prof Code § 17604(a)

[8] DA Announces Consumer Protection Settlement In Auto-Renewal Case (Mar. 7, 2021 at 5:48pm), https://patch.com/california/santacruz/da-announces-consumer-protection-settlement-auto-renewal-case

[9] 15 U.S.C. §§ 8401-8405 et seq.

[10] See FTC, 10 million ABCmouse settlement: Avoiding auto-renewal traps (Sep. 2, 2020 at 12:10pm), https://www.ftc.gov/news-events/blogs/business-blog/2020/09/10-million-abcmouse-settlement-avoiding-auto-renewal-traps

UtahUtah Adopts Cybersecurity Affirmative Defense Act Protecting Business from Certain Claims Arising Out of Data Breaches

Utah Adopts Cybersecurity Affirmative Defense Act Protecting Business from Certain Claims Arising Out of Data Breaches

On March 11, 2021, Utah Governor Spencer Cox signed the Cybersecurity Affirmative Defense Act (the “Act”) into law.  The Act creates affirmative defenses to certain causes of action arising out of a breach of system security.  See generallyUtah Code Ann. §78B-4-701 et seq. 

The Act defines a breach of system security as including “an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.”  Utah Code Ann. § 13-44-102(1)(a).  Similarly, the Act defines personal information as including a person’s first name and last name when combined with a social security number, financial account number in combination with a required security code, and a driver’s license.  Utah Code Ann. § 13-44-102(1)(a).

The Act provides that business that “creates, maintains, and reasonably complies with a written cybersecurity program” and that is “in place at the time of breach of system security” shall be afforded an affirmative defense to tort claims arising out of the business alleged “fail[ure] to implement reasonable information security controls that resulted in the breach of system security.”  Utah Code Ann. § 78B-4-702.

Whereas the Act requires a written cybersecurity program, it does not set forth a new technical cybersecurity standard.  Instead, the Act requires that a written cybersecurity program “shall provide administrative, technical, and physical safeguards to protect personal information” and that a cybersecurity program should “reasonably conforms to the current version of” NIST 800-171, NIST 800-53, ISO 2700, and the HIPAA Security rule.  Utah Code Ann. § 78B-4-702(4); Utah Code Ann. § 78B-4-703(1)(b).  Altogether this requirement for a written cybersecurity program is not entirely dissimilar to a business cybersecurity program requirements under New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), which we further outlined here.

There are a couple other notable provisions to the Act.  First, the Act does not create a private right of action if a business failed to comply with the Act.  Utah Code Ann. § 78B-4-704.  Second, the Act provides that if an action is brought in another state, but is governed by Utah law, then the Act should apply.  Utah Code Ann. § 78B-4-705. As such, if a Utah business is sued in court for an alleged failure to implement information security standards and a resulting breach, it may rely on the Cybersecurity Affirmative Defense Act to the extent that it had and followed its written cybersecurity program.  Moreover, Utah isn’t alone in providing for an affirmative defense as Ohio adopted similar legislation in 2018.  See Ohio Rev. Code Ann. § 1354 et seq.

Beckage closely monitors for any and all changes in the law related to breaches of system security, data breaches, or other cyber security incidents.  Beckage’s team of attorneys and technologist are especially entuned with both responding to a data breach and understand what a robust written cyber security program would entail.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

1 2