
There is a huge gap in the law related to data security. No comprehensive federal data security law establishing standards or substantive rights and responsibilities exists, nor are there statutes mandating any level of security when consumers make mobile payments. Instead, there are federal and state laws that provide partial coverage. The primary federal law is the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA). It provides that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customer and to protect the security and confidentiality of those customers’ nonpublic personal information.”284 It defines “financial institution” very broadly to include any company that is significantly engaged in providing financial products or services.285

Pursuant to GLBA, federal agencies have required financial institutions to establish, monitor, and evaluate information security systems.286 According to a guidance issued by the prudential regulators, an institution’s review of its security system should include consideration of relevant changes in technology and the sensitivity of its customer information, as well as internal and external threats to information. The FTC has issued a rule requiring financial institutions under its authority to establish measures to keep customer information secure.287 Companies are required to evaluate and adjust their information security program in light of material changes to their operations and any other circumstances that they know or have reason to know may have a material impact on their information security program.288

GLBA requires companies to establish and monitor security programs, but its regulations impose only general standards of conduct. In light of the significant number of data security breaches affecting tens of millions of consumers, Congress has attempted to draft cybersecurity legislation that will be more effective. The approach taken in most bills has been to establish a structure in which government and private companies share information in order to prevent security breaches. But despite years of effort by both Congress and the Obama administration, disagreement over the details among the various parties involved—private and public, state government, and the federal government—has impeded final passage of any legislation.289 Some states have enacted data security regulations, while many have not, creating a patchwork of legal rules.290

Federal and state agencies are authorized to enforce GLBA.291 In addition, the FTC has sued companies for violating the FTC Act. The FTC has brought several cases against companies that it said engaged in deceptive representations regarding their security practices and unfair practices for failure to provide reasonable security.292 Companies have challenged the FTC’s authority to sue them for unfair practices in regard to data security.293 In addition, they maintain that even if the FTC has the authority, it must first issue regulations subject to prior notice and hearing in order to give businesses fair notice of what constitutes an unfair practice in this context. As of this writing, the litigation is still pending.

Courts have created a serious gap in the law by holding that individuals have no private right of action under GLBA.294 However, consumers may be able to use FTC lawsuits on data security to support using state UDAP laws when there is a data security breach. As noted, the FTC alleges that some companies’ security measures violate the FTC Act because they constitute unfair or deceptive acts or practices. As explained in detail later in this report, state UDAP laws also prohibit unfair or deceptive acts or practices, and all states except Iowa permit a private right of action so consumers can sue companies that engage in prohibited conduct.295 Consequently, consumers may be able to sue companies for practices related to security using their state’s UDAP laws, even though they cannot sue them for violating GLBA’s requirements for security programs.


The Communications Act of 1934 restricts a telecommunications carrier’s use and disclosure of customer proprietary network information (CPNI) in order to protect the confidentiality of such personal call record information.296 The Federal Communications Commission has issued rules to ensure that confidentiality by requiring carriers to “take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.”297 In addition, the Communications Act provides that all practices must be “just and reasonable” and any practice that is “unjust or unreasonable is declared to be unlawful.”298 The FCC applied these laws in a case it brought against AT&T, the second-largest wireless carrier in the U.S.299 The FCC alleged that an internal data breach occurred when some of the company’s employees in call centers in Mexico, Colombia, and the Philippines sold information about customers to a third party. The FCC contended that the company violated its rules by failing to properly protect the confidentiality of sensitive personal information and account-related information. The matter was settled through a consent decree in 2015.300

The FCC also has adopted data breach notification rules. These may overlap with the state breach notification laws described below. The Communications Act of 1934 protects the privacy of consumer information by permitting wireless carriers to disclose or permit access to personal information about consumers only as “necessary.”301 To ensure that measures are taken when there has been unauthorized access, the FCC issued a rule requiring telecommunications carriers to notify the Secret Service and the FBI of any breach of their customers’ CPNI as soon as practicable, but no later than seven business days after determining that a breach occurred.302 After notifying law enforcement, the carrier must notify its customers of the breach or disclose it publicly.303

Since 2003, 47 states and the District of Columbia have enacted data breach notification laws.304 These laws vary significantly from state to state in terms of what entities are required to provide notices to individuals and how “security breach” is defined, as well as how and when the entity must notify individuals.305 An entity’s duty to notify is triggered by a breach that may result or is likely to result in harm to the individuals whose personal information has been acquired. However, statutes have different definitions of what personal information is covered. North Carolina defines personal information to include information that mobile devices may use for authentication, such as digital signatures, biometric data, and fingerprints.306 Finally, these statutes typically include a provision for substitute notice if an entity can show that it would cost more than $250,000 to provide notice in the way required by the statute, if the affected class of individuals exceeds 500,000 people, or if the entity can show it does not have sufficient information to contact those individuals. The substitute notice can be made using methods that could involve mobile devices, such as an email notice or posting a notice of the breach on the entity’s website.307


These laws benefit consumers by alerting them to security breaches. With this information, consumers can take measures to try to protect themselves, such as carefully reviewing their billing statements and notifying card issuers of unauthorized transfers. In addition, they can obtain services that will monitor their accounts and alert them to possible unauthorized transactions. However, critics contend that some forms of identity theft may not be picked up by a credit monitoring service and that consumers may experience a delay in finding out about a problem because of the lag time in reporting. In addition, some companies have engaged in illegal practices when selling these products.308

Moreover, because of gaps, the statutes have several deficiencies from a consumer protection perspective. Some states have much weaker laws, so their residents risk the possibility of greater injury.309 Although government databases are often targeted by wrongdoers, many states exempt government agencies.310 Many states do not require notification if the breach involves encrypted data.311 Many states do not require notification if an entity determines that the security breach has not resulted or is unlikely to result in harm to the individuals whose data has been breached.312 Finally, some of the statutes do not provide individuals with a private right of action; only government agencies can enforce the laws in those states.313 Even if the breach notification statute provides a private right of action, the individual may not be able to satisfy a court’s requirement to show injury.314

When a company that holds consumers’ funds discovers that a data breach occurred, it can protect consumers from unauthorized withdrawal of those funds by freezing consumers’ accounts. But neither state nor federal laws require prompt notification to consumers that their accounts are frozen. Furthermore, no law requires the company to take steps to provide consumers access to their funds.315

Some states have enacted statutes intended to prevent breaches. They require companies to establish and maintain reasonable security measures to protect personal information from unauthorized access.316

Since federal and most state statutes do not expressly provide consumers a cause of action for security breaches, consumers have relied on various legal theories instead.317 They have faced obstacles proving damages in the courts. Because companies usually have reimbursed consumers for their direct monetary losses when the companies’ security is breached, in some cases consumers have been unable to satisfy federal courts that they have standing.318 State courts, however, are not constrained by the U.S. Constitution’s Article III requirements that dictate strict standing rules, and some have permitted lawsuits to go forward that the federal courts would have dismissed.319 These courts may be more amenable to consumer suits based on data breaches.