Dechert Cyber Bits


Issue 57 - June 26, 2024

CFPB Director Chopra Emphasizes “Pressing Need” for Data Protections

On June 12, 2024 and June 13, 2024, Consumer Financial Protection Bureau Director Rohit Chopra appeared before the Senate Banking Committee and the House Financial Services Committee, respectively, for hearings on the CFPB’s semi-annual report to Congress. In both hearings, Director Chopra advocated for measures that would increase legal protections for consumers’ personal financial data.

In his opening statement to the Senate Banking Committee, Director Chopra outlined the CFPB’s efforts to develop a regulatory framework aimed at enhancing consumer privacy protections. For example, the Director reported that the CFPB is working to finalize a banking rule that would “develop data sharing standards and privacy protections when people transfer their financial data to competing companies.” He also reported that the CFPB is working on a rule that aims “to restrict uses of certain sensitive data by data brokers.”

Director Chopra’s testimony before the House Financial Services Committee touched on similar themes. More specifically, he identified a “pressing need” for more robust protections of consumers’ personal data and consumers’ financial privacy, as consumers’ personal information continues to be collected and monetized. The Director also explained that his concerns are exacerbated by technology companies playing a more prominent role in the provision of financial services, which, he argued, could increase the collection of personal data. For these reasons, Director Chopra contended that consumer data privacy is a “critical issue with high stakes for our economy, our national security and our liberty.” He urged the House Financial Services Committee to take action in furtherance of consumer privacy protection by “enshrining stronger protections into law.”

Takeaway: Director Chopra’s testimony before these Congressional Committees suggests that the CFPB’s increased focus on consumer privacy protections in the digital age is here to stay and that CFPB will continue to propose new regulations and pursue enforcement actions aimed at limiting the collection and use of consumer data by banks, data brokers, and other companies in the consumer finance ecosystem. Yet another regulator focused on these issues undoubtedly will lead to increased enforcement in this area, particularly with respect to data sharing and data brokers.

California's AG Announces Blackbaud Settlement

California Attorney General Rob Bonta announced, on June 13, 2024, a $6.75 million settlement (the “Settlement”) with Blackbaud—a South Carolina-based software company that provides data management software to nonprofit organizations—for violations of California’s Reasonable Data Security Law, Unfair Competition Law, and False Advertising Law. Blackbaud previously settled actions brought by state attorneys general from 49 states and Washington D.C., the Federal Trade Commission, and the Securities and Exchange Commission. For our report on Blackbaud’s settlement with the FTC, see Issue 49.

The Settlement stems from a 2020 data breach allegedly caused by Blackbaud’s failure to implement basic data security practices, such as multi-factor authentication (“MFA”) and monitoring for suspicious activity on systems holding personal information. The Attorney General further alleged that the company compounded the effect of the breach by issuing misleading statements both about the sufficiency of its data security efforts prior to the breach and about the extent of the breach.

In addition to the $6.75 million penalty, the Settlement requires Blackbaud to strengthen its data security and breach notification practices, including:

  • Implementing a process to store database backup files containing personal information to the minimum extent necessary and ensuring the secure disposal of such files.
  • Implementing password confidentiality and password-rotation or authentication protocols.
  • Tightening security infrastructure policies and procedures, including network segmentation and monitoring for suspicious activity.

Takeaway: The California Settlement is the latest in a series of actions against Blackbaud for its alleged mismanagement of its 2020 breach. Importantly, and not surprisingly, the California Attorney General’s office considers MFA and system monitoring to be basic data security practices, a stance most regulators would share. Companies should therefore ensure that they have such policies and practices in place, that MFA is enforced on all company accounts (especially remote and privileged access), and that monitoring actually covers the systems holding personal information. Taken together, the flurry of actions against Blackbaud shows that federal and state agencies are increasingly willing to take a hard line against companies they believe have failed to implement basic data security practices and/or have made misleading statements regarding their data security practices and data breaches.

High Court of England and Wales Clarifies Subject Access Request Exemptions

The High Court of England and Wales handed down judgment, on June 7, 2024, in Harrison v. Cameron and ACL, exploring a number of exemptions to subject access requests (“SARs”) under Article 15 of the UK General Data Protection Regulation (“UK GDPR”). The dispute stemmed from business phone calls in which the claimant repeatedly made threats of violence; the calls were surreptitiously recorded by one of the defendants, who subsequently shared the recordings with a number of colleagues, friends and family members. The claimant alleged that the recordings were shared with several of his professional peers and competitors, causing his company to lose business. Through a SAR, the claimant sought the identities of the individuals to whom the recordings had been disclosed. The defendants refused to provide the identities, citing numerous exemptions.

The defendants asserted that the sharing of the recordings with friends and family fell outside the scope of the UK GDPR because the UK GDPR does not apply to the processing of personal data “in the course of a purely personal or household activity.” The High Court, however, relied on a pre-Brexit Court of Justice of the European Union (“CJEU”) decision that emphasized the word “purely”, holding that because the recordings were of business calls, the defendant was not acting in the course of a “purely” personal or household activity and the sharing was therefore in scope.

Turning to the issue of disclosure of the identities of the recording recipients, the High Court agreed with the post-Brexit CJEU decision in Austrian Post, holding that Article 15 required the defendants to provide the actual identity of the recipients (rather than just categories of recipient, as argued by the defendants) unless it was impossible to identify them or the defendants demonstrated that the SAR was manifestly unfounded or excessive.

Having held that the specific identities were required to be disclosed, the High Court’s final deliberation related to the ‘rights of others’ exemption and whether the defendants could exercise their discretion to withhold those identities on the basis that disclosure would adversely affect the rights of the recipients. The defendants argued that it would not be reasonable to provide the identities because doing so would put those recipients at significant risk of becoming the object of intimidating, harassing and hostile legal correspondence and litigation, in light of the claimant’s behavior. The High Court concluded that it was within the defendants’ discretion to reach this decision and accordingly that the exemption applied.

Takeaway: The High Court’s judgment provides additional clarity on the scope of the UK GDPR and the extent of the obligation to provide information under, and exemptions to, SARs. Interestingly, despite having the freedom to decide otherwise on the Austrian Post point as this was a post-Brexit CJEU decision, the High Court chose to follow the direction of the EU. Controllers dealing with SARs should note that data subjects are entitled to be informed of specific recipients (and not just categories of recipient) and ensure that their records are sufficiently complete to allow for this. The case is also an excellent example of a situation where the rights of others were considered to be adversely affected, although this would always be fact-specific and should be considered on a case-by-case basis.

No Privacy Bill for Vermont: Legislature Fails to Override Governor’s Veto

As reported in Issue 56 of Cyber Bits, the Vermont House and Senate recently passed H.121, the Vermont Data Privacy Act (“VDPA”), but this bill will not become law. Vermont Governor Phil Scott vetoed the bill, and the legislature’s attempt to override Scott’s veto was defeated.

According to its sponsors, Vermont’s bill was meant to “enhanc[e] consumer privacy” and adopt an “age-appropriate design code.” After the measure passed both houses of the Vermont legislature, Governor Scott vetoed the bill on June 13, 2024. In a letter to the legislature, the Governor made clear that while he would be open to signing a revised privacy bill, he believed that the version passed by the legislature was an “outlier” in U.S. data privacy regulation that would have been too onerous for businesses and nonprofits operating in Vermont.

More specifically, Governor Scott argued that the “bill created an unnecessary and avoidable level of risk.” Among other critiques, he noted that the “bill’s ‘private right of action’” would not only make Vermont a “national outlier,” but also would make Vermont “more hostile than any other state to many businesses and non-profits,” including by “negatively impact[ing] mid-sized employers” and “generating significant fear and concern among many small businesses.” The Governor also expressed concern that the bill would exacerbate Vermont’s regional reputation of being hostile to business, especially in light of other bills imposing new obligations on businesses recently passed by the legislature.

On the Monday following Governor Scott’s action, the State’s legislature took up but failed to override his veto. Vermont’s House voted decisively to override but its Senate sustained the Governor’s decision.

Takeaway: Companies will be relieved the onerous and unique requirements in the Vermont privacy bill have not yet become law. That said, the legislature’s failure to override Governor Scott’s veto will not end legislative efforts to enact a privacy law in Vermont. Companies can remain hopeful that the legislature follows the Governor’s lead and adopts a law similar to those enacted in other states, like Connecticut’s data privacy law, a move Governor Scott noted would promote regional “consistency” that “is good for both consumers and the economy.”

We are honored to have been recognized in The Legal 500 2023, Chambers USA 2023, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.

Content Editors

Connor Flannery, Daniel Murdock, Allie Ozurovich, Theodore Yale

Production Editors

Hilary Bonaccorsi and Madeleine White

Senior Editor

Vernon Francis

Partner Committee Editors

Kevin Cahill and Laura Rossi

Dechert Cyber Bits Partner Committee

Brenda R. Sharton
Partner, Chair, Cyber, Privacy and AI

Vernon L. Francis
Partner, Senior Editor

"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."

"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500, 2023

Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply chain compromises and DDoS, brought by threat actors of all types, from nation-state actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice and counseling on cutting-edge data-driven products and services, including trend forecasting, personalized content and targeted advertising across sectors, under such key laws as the CCPA, CPRA and other state consumer privacy laws, Section 5 of the FTC Act, the EU/UK GDPR, the e-Privacy Directive, and the rules governing cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.