The task force’s focus will be to assist the SEC in defining clear rules and boundaries for regulatory oversight and develop practical and achievable ways for companies, securities, or financial products to comply with SEC registration requirements. It will also create guidelines for companies to provide necessary and meaningful disclosures to investors without being overly burdensome or impractical.

The SEC perceives such the task force as way to both ensure that the agency itself performs better and to provide more clarity when it comes to crypto regulation. According to the SEC the task force will collaborate with agency staff and the public to “set the SEC on a sensible regulatory path that respects the bounds of the law.”

While under the leadership of former Chair Gary Gensler, the SEC faced much criticism on its approach to crypto regulation. Until the launch of this task force, the SEC primarily relied on enforcement actions that would have a retroactive regulatory effect on crypto rather than proposing clearcut rules.

“To date, the SEC has relied primarily on enforcement actions to regulate crypto retroactively and reactively, often adopting novel and untested legal interpretations along the way,” according to a SEC press release. “Clarity regarding who must register, and practical solutions for those seeking to register, have been elusive. The result has been confusion about what is legal, which creates an environment hostile to innovation and conducive to fraud. The SEC can do better.”

The Task Force’s Specific Focuses

According to the SEC, the task force’s undertaking will “take time, patience, and much hard work. It will succeed only if the task force has input from a wide range of investors, industry participants, academics, and other interested parties.” Many crypto firms have already begun submitting proposals such as allowing traditional broker-dealers to operate in the cryptocurrency market. in its mission to create a regulatory framework

Although it has and continues to receive ideas from crypto firms, the task force will prioritize the following objectives  its mission to create a regulatory framework:

• Security Status: The task force is studying different types of crypto assets to determine how securities laws apply to them, as this affects many other regulatory questions.
• Defining Jurisdiction: The task force is identifying areas that may not fall under SEC oversight.
• Coin and Token Offerings: The task force is considering temporary rules to allow certain token offerings to operate without uncertainty, as long as the issuer provides regular, accurate disclosures and agrees to SEC oversight in fraud cases. This would offer clarity until permanent rules or legislation are established.
• Registered Offerings: The task force will explore ways to improve existing registration options, to make it easier for token issuers to comply with SEC rules.
• Special Purpose Broker-Dealer: The task force is looking at revising the special-purpose broker-dealer framework, including allowing firms to hold both securities and non-securities crypto assets, and identifying other registration challenges.
• Custody Solutions for Investment Advisors: The task force will work with investment advisers to provide an appropriate regulatory framework within which advisers can safely, legally, and practically custody client assets themselves or with a third-party.
• Crypto Lending and Staking: The task force aims to clarify whether crypto lending and staking programs are subject to securities laws and, if so, how they can be structured to comply with regulations.
• Crypto Exchange-Traded Products (“ETPs”): The task force will help the SEC clarify its decision-making process for approving or rejecting new crypto ETPs. It will also consider updates to existing ETPs, like allowing staking or different ways of handling fund shares, but custody and other issues must be addressed first.
• Clearing Agencies and Transfer Agents: The task force will explore how blockchain and crypto assets fit within clearing and transfer rules, including their role in modernizing traditional financial markets.
• Cross-Border Sandbox: Since many crypto projects operate globally, the task force is considering ways to support limited, temporary international regulatory experiments, with the possibility of long-term solutions.

Although the task force initially said that it is open to ideas from industry participants and academics, it also welcomes public input. Anyone who would like to submit a comment to the task force can do so at Crypto@sec.gov.  

The post SEC Launches Cyrpto Task Force appeared first on Compliance Chief 360.

The CFPB’s lawsuit describes how hundreds of thousands of consumers filed fraud complaints and were largely denied help, with some being told to contact the fraudsters directly to recover their money. Bank of America, JPMorgan Chase, and Wells Fargo also allegedly failed to properly investigate complaints or reimburse consumers for fraud and errors as is required by law.

Jane Khodos, a spokesperson for Zelle, said that the CFPB’s arguments are “legally and factually flawed, and the timing of this lawsuit appears to be driven by political factors unrelated to Zelle.”

“Zelle leads the fight against scams and fraud and has industry-leading reimbursement policies that go above and beyond the law,” Khodos said. “The CFPB’s misguided attacks will embolden criminals, cost consumers more in fees, stifle small businesses and make it harder for thousands of community banks and credit unions to compete. Zelle is relied upon by 143 million enrolled American consumers and small businesses, and we are fully prepared to defend this meritless lawsuit to ensure their service does not suffer.”

The Alleged Failures and Neglect

According to statement made by CFPB Director Rohit Chopra, this lawsuit results from an investigation that launched in 2021. The investigation found that three of the nation’s largest banks allegedly “rushed to launch a payment system without implementing basic protections for their customers.”

The CFPB alleges widespread consumer losses since Zelle’s 2017 launch due to the platform’s and the banks’ failure to implement appropriate fraud prevention and detection safeguards. The CFPB alleges that Bank of America, JPMorgan Chase, Wells Fargo, and Early Warning Services violated federal law through critical failures including:

• Leaving the door open to scammers: Zelle’s limited identity verification methods have allowed scammers to quickly create accounts and target Zelle users. For example, criminals often exploited Zelle’s design and features to link a victim’s token to the fraudster’s deposit account, which caused payments intended for the consumer’s account to instead flow to the fraudster account.
• Allowing repeat offenders to hop between banks: Early Warning Services and the banks were too slow to restrict and track criminals as they exploited multiple accounts across the network. The banks did not share information about known fraudulent transactions with other banks on the network. As a result, the fraudsters could carry out repeated fraud schemes across multiple institutions before being detected, if they were detected at all.
• Ignoring red flags that could prevent fraud: Despite receiving hundreds of thousands of fraud complaints, the banks failed to use this information to prevent further fraud. They also allegedly violated the Zelle Network’s own rules by not reporting fraud incidents consistently or on time.
• Abandoning consumers after fraud occurred: Despite obligations under the Electronic Fund Transfer Act and Regulation E, the banks failed to properly investigate Zelle customer complaints and take appropriate action for certain types of fraud and errors.

The lawsuit aims reimburse those who suffered financial losses due to the alleged neglect of fraud. It also seeks to impose penalties on the banks and implement measures to prevent similar violations in the future.  

Jacob Horowitz is a contributing editor at Compliance Chief 360°

The post CFPB Sues Major Banks and Zelle Operator for Alleged Fraud appeared first on Compliance Chief 360.

new report predicts that compliance and assurance functions could double the amount they spend on new technology by 2027. According to the research, issued by Gartner Inc., generative AI, machine learning, and large language models will fuel a surge in spending by compliance, risk management, and assurance functions.

The news isn’t all good. The report also predicts a wave of disillusionment with advanced technologies as expectations are exceeding capabilities in many cases. Accordingly, Gartner experts have placed AI at the “peak of inflated expectations” in the 2024 “Hype Cycle” for legal, risk, compliance and audit technologies.

“Some assurance leaders are prematurely expecting AI technology to greatly enhance productivity,” said Weston Wicks, senior director analyst in the Gartner Legal & Compliance Practice. “While these technologies show promise, in the near-term Gartner recommends assurance leaders identify where they can pilot and experiment with them while maintaining healthy skepticism as they are implemented.”

Gartner experts believe that GenAI will have a foreseeable impact on adjacent innovations in the analytics space, and therefore certain innovations, such as data and analytics governance, audit analytics, legal analytics, and advanced contract analytics, have moved further toward the trough as the te to plateau for these innovations becomes nearer-term — two-to-five years.

“Certain notable movements on the 2024 Hype Cycle are driven by assurance leaders convinced that incorporating new technology and generative AI (GenAI) tools is necessary to manage the growing burden of new rules and regulations imposed on executives and enterprises globally,” said Wicks. “Select emerging innovations, such as compliance monitoring solutions, have been directly impacted by GenAI and have seen substantial movement along the Hype Cycle as a result.”

Proceed with Caution

While there are some expectations that the advancements in GenAI will be transformative in assurance, Gartner experts caution that early adopters must acknowledge the risks of these new advancements and their impact on teams’ ability to manage them.

“Early lessons learned by assurance leaders include understanding the importance of information management and data governance, and the importance of intentionally including humans in the loop to mitigate bias and other risks,” said Wicks. “For these reasons, Gartner estimates the innovations will achieve high benefit ratings across the next five years.” 

The post Report: Compliance Functions Could Double Tech Spend by 2027 appeared first on Compliance Chief 360.

With risks constantly changing and driving new compliance requirements, compliance programs must be able to respond to changes with agility. This highlights the importance of incorporating a continuous monitoring approach. Fill out the form at right and hit “Submit” to get the report.

NIST defines continuous monitoring as: “Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This enables an organization to quickly pivot and respond strategically as new compliance requirements come into scope. Compliance programs are often developed with short-term goals in mind; for example, complying with an industry standard. However, compliance is not stagnant. Without scalable policies and procedures in place, no matter how well-conceived your program is, decentralization will ultimately hinder the growth and scalability of your program as time goes on.

A strong continuous monitoring foundation can help enable an organization to pivot as new requirements come into scope. Learn seven steps to incorporate continuous monitoring into your compliance program at any stage, including a checklist of key metrics to track.

FILL OUT THE FORM AT RIGHT TO DOWNLOAD THE REPORT >>

7 Steps to Incorporate Continuous Monitoring in Your Compliance Program

Complete the form to receive an email with a link to the Report.

Please enable JavaScript in your browser to complete this form.

Name *

First

Last

Business Email *

Company or Organization *

Organization Business Title

Job Title *

Address *

Address Line 1

Address Line 2

City

State / Province / Region

Postal Code

--- Select country ---AfghanistanAlbaniaAlgeriaAmerican SamoaAndorraAngolaAnguillaAntarcticaAntigua and BarbudaArgentinaArmeniaArubaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBolivia (Plurinational State of)Bonaire, Saint Eustatius and SabaBosnia and HerzegovinaBotswanaBouvet IslandBrazilBritish Indian Ocean TerritoryBrunei DarussalamBulgariaBurkina FasoBurundiCabo VerdeCambodiaCameroonCanadaCayman IslandsCentral African RepublicChadChileChinaChristmas IslandCocos (Keeling) IslandsColombiaComorosCongoCongo (Democratic Republic of the)Cook IslandsCosta RicaCroatiaCubaCuraçaoCyprusCzech RepublicCôte d'IvoireDenmarkDjiboutiDominicaDominican RepublicEcuadorEgyptEl SalvadorEquatorial GuineaEritreaEstoniaEswatini (Kingdom of)EthiopiaFalkland Islands (Malvinas)Faroe IslandsFijiFinlandFranceFrench GuianaFrench PolynesiaFrench Southern TerritoriesGabonGambiaGeorgiaGermanyGhanaGibraltarGreeceGreenlandGrenadaGuadeloupeGuamGuatemalaGuernseyGuineaGuinea-BissauGuyanaHaitiHeard Island and McDonald IslandsHondurasHong KongHungaryIcelandIndiaIndonesiaIran (Islamic Republic of)IraqIreland (Republic of)Isle of ManIsraelItalyJamaicaJapanJerseyJordanKazakhstanKenyaKiribatiKorea (Democratic People's Republic of)Korea (Republic of)KosovoKuwaitKyrgyzstanLao People's Democratic RepublicLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacaoMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall IslandsMartiniqueMauritaniaMauritiusMayotteMexicoMicronesia (Federated States of)Moldova (Republic of)MonacoMongoliaMontenegroMontserratMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNew CaledoniaNew ZealandNicaraguaNigerNigeriaNiueNorfolk IslandNorth Macedonia (Republic of)Northern Mariana IslandsNorwayOmanPakistanPalauPalestine (State of)PanamaPapua New GuineaParaguayPeruPhilippinesPitcairnPolandPortugalPuerto RicoQatarRomaniaRussian FederationRwandaRéunionSaint BarthélemySaint Helena, Ascension and Tristan da CunhaSaint Kitts and NevisSaint LuciaSaint Martin (French part)Saint Pierre and MiquelonSaint Vincent and the GrenadinesSamoaSan MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra LeoneSingaporeSint Maarten (Dutch part)SlovakiaSloveniaSolomon IslandsSomaliaSouth AfricaSouth Georgia and the South Sandwich IslandsSouth SudanSpainSri LankaSudanSurinameSvalbard and Jan MayenSwedenSwitzerlandSyrian Arab RepublicTaiwan, Republic of ChinaTajikistanTanzania (United Republic of)ThailandTimor-LesteTogoTokelauTongaTrinidad and TobagoTunisiaTurkmenistanTurks and Caicos IslandsTuvaluTürkiyeUgandaUkraineUnited Arab EmiratesUnited Kingdom of Great Britain and Northern IrelandUnited States Minor Outlying IslandsUnited States of AmericaUruguayUzbekistanVanuatuVatican City StateVenezuela (Bolivarian Republic of)VietnamVirgin Islands (British)Virgin Islands (U.S.)Wallis and FutunaWestern SaharaYemenZambiaZimbabweÅland IslandsCountry

Phone (optional)

Submit

The post 7 Steps to Incorporate Continuous Monitoring in Your Compliance Program appeared first on Compliance Chief 360.

ompliance management has traditionally been marked by accessibility issues, which lead to barriers to adhering to regulations. These long-established frameworks can be so complicated that they make it hard for those who don’t have specialized knowledge to navigate them. Automated solutions, however, have marked a shift in the landscape, making regulatory compliance something that a broader audience can better understand

So how have they done that? Automation can streamline processes and reduce associated risks so that as regulations change over time, compliance can keep up with the pace. Businesses are facing increased scrutiny from regulatory bodies, so conducting smoother audits and staying in good financial condition are important considerations.

In the United States, for example, businesses must consider state and local regulations, in addition to federal regulations, when developing strategic plans or plans for new lines of business.  Whether this is through investing in compliance software or hiring specific legal experts they need to stay on top of the rapidly developing regulatory environment. Let’s dive into the reasons why automation is redefining compliance management.

Reducing Errors and Streamlining Compliance

Compliance management has traditionally involved so many manual processes that were time-consuming and prone to human errors. Processes such as audits, vulnerability assessments, and remediation efforts have often required tight-knit coordination between different teams, which can cause huge gaps in communication and missed compliance risks. This is where automation can be a game-changer, by integrating compliance tasks and automating manual processes.

Automated systems, for example, can assess IT environments for vulnerability, compare any configurations against regulatory standards, and then let the team know if there are any discrepancies. This lessens the manual workload and the possibility of overlooked patches or misconfigured systems. This type of monitoring also means that organizations can identify issues before they escalate into regulatory violations or costly breaches.

Automation also permits businesses to be able to handle complex compliance requirements more effectively. For example, regulations like the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) need to be consistently analyzed, but automation in this case enables regular audits without compliance teams getting overwhelmed.

Avoiding Regulatory Penalties and Ensuring Smooth Audits

If businesses don’t comply with regulations, the costs can be severe, with hefty fines and reputational damage both possibilities. Data breaches can lead to fines of up to $500,000 per incident, alongside ongoing monthly fines. So as these regulations tighten and audits keep coming in, businesses need to be wary to avoid penalties.

Automation means that businesses can be on top of records and generate reports to reflect their compliance status. Automated compliance tools also mean that reports can be more accurate and comprehensive, and the time and effort required for audit preparation are reduced. Documentation is the other aspect that can give real-time access to compliance records and demonstrate adherence to regulators.

Systems like asset inventory and PC lifecycle management solutions can help to bridge the gap between security and operations by integrating vulnerability assessments with remediation processes. This allows for the streamlining of security handoffs and accelerates patching, which in turn, reduces the window of vulnerability and prevents non-compliance issues from accumulating.

Further Strategies for Complying with Changing Regulations

To be able to maintain compliance while federal, state, and even global regulations are constantly changing is obviously a massive challenge. However, businesses can follow a few additional best practices to stay on top of things. First, organizations should define the compliance states with sufficient detail. Predefined policies that we briefly touched on, such as SOX, HIPAA, or PCI DSS, can serve as templates, and businesses can customize these policies to address their specific needs.

Automation needs to work in tandem with any change management processes to ensure that compliance actions are governed in line with the business’ priorities. By documenting changes and tracking exceptions, organizations can avoid compliance drift and maintain control over their compliance efforts.

Automation is undoubtedly transforming compliance management by reducing the amount of manual work while minimizing costly errors, and finally ensuring that organizations are ready for an audit when called upon. Due to the fact that processes like discovery, audit, and remediation are unified and integrated, businesses can stay compliant with the shifting regulatory landscape.  

Shagun Malhotra is founder of SkyStem LLC, a provider of automated account reconciliation software.

The post How Automation Is Redefining Compliance Management appeared first on Compliance Chief 360.

The complaint alleges that TikTok and ByteDance failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.”

“The Justice Department is committed to upholding parents’ ability to protect their children’s privacy,” said Principal Deputy Assistant Attorney General Brian Boynton. “This action is necessary to prevent the defendants, who are repeat offenders and operate on a massive scale, from collecting and using young children’s private information without any parental consent or control.”

ByteDance and its related companies allegedly were aware of the need to comply with the COPPA Rule and the 2019 consent order and knew about TikTok’s compliance failures that put children’s data and privacy at risk. Instead of complying, ByteDance and TikTok spent years knowingly allowing millions of children under 13 on their platform designated for users 13 years and older in violation of COPPA, according to the complaint.

As of 2020, TikTok had a policy of maintaining accounts of children that it knew were under 13 unless the child made an explicit admission of age and other rigid conditions were met, according to the complaint. TikTok employees allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child.

The company allegedly continued to collect personal data from these underage users, including data that enabled TikTok to target advertising to them—without notifying their parents and obtaining their consent as required by the COPPA Rule. Even after it reportedly changed its policy not to require an explicit admission of age, TikTok still continued to unlawfully maintain and use personal information of children, according to the complaint.

TikTok’s practices prompted its own employees to raise concerns. As alleged, after failing to delete numerous underage child accounts, one compliance employee noted, “We can get in trouble … because of COPPA.”

TikTok Allowed Children to Bypass the Age Requirement

In addition, the complaint alleges that TikTok built back doors into its platform that allowed children to bypass the age gate aimed at screening children under 13. TikTok allegedly allowed children to create accounts without having to provide their age or obtain parental consent to use TikTok by using credentials from third-party services like Google and Instagram. TikTok classified such accounts as “age unknown” accounts, which grew to millions of accounts, according to the complaint.

TikTok also allegedly made it difficult for parents to request that their child’s accounts be deleted. When parents managed to navigate the multiple steps required to submit a deletion request, TikTok often failed to comply with those requests. TikTok also imposed unnecessary and duplicative hurdles for parents seeking to have their children’s data deleted. That practice allegedly continued even after the executive responsible for child safety issues told TikTok’s then-CEO, “we already have all the info that’s needed” to delete a child’s data when a parent requests it, yet TikTok would not delete it unless the parent fills out a second, duplicative form. If the parent did not do that, the executive allegedly added, “then we have actual knowledge of underage user[s] and took no action!”

Additionally, the complaint alleges that TikTok failed to:

• Notify parents about all of the personal data they were collecting from children;
• Obtain parental consent for the collection and use of that data;
• Limit the collection, use, and disclosure of children’s personal information; and
• Delete children’s personal information when requested by parents or when it was no longer needed.

The complaint asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against them to prevent future violations of COPPA.  

The post FTC Investigation Triggers Lawsuit Against TikTok for Children’s Privacy Violations appeared first on Compliance Chief 360.

In his final ruling, Judge Amit Mehta held that as a result of suppressing competition by paying billions of dollars to operators of web browsers and phone manufacturers to be their default search engine, Google has become a monopolist and “it has acted as one to maintain its monopoly.”

Judge Mehta emphasized that Google’s illegal practices has resulted in anticompetitive behavior. The tech giant’s exclusive deals with Apple and other large mobile companies that resulted in the preloading of Google’s search engine as the exclusive and default engine displays the company’s illegal practices. These contracts drove Google’s online advertising business as it transformed its search engine into the most convenient platform to access.

“This victory against Google is an historic win for the American people,” said Attorney General Merrick Garland. “No company — no matter how large or influential — is above the law. The Justice Department will continue to vigorously enforce our antitrust laws.” “This landmark decision holds Google accountable. It paves the path for innovation for generations to come and protects access to information for all Americans,” said Assistant Attorney General Kanter. “This victory is a reflection on the tireless efforts of the dedicated public servants at the Antitrust Division and our state law enforcement partners whose work made today’s decision possible.”

In response to the final ruling as well as Attorney Garland’s statement Google’s head of global affairs Kent Walker released his own statement that that displays the company’s dissatisfaction with the ruling. “This decision recognizes that Google offers the best search engine but concludes that we shouldn’t be allowed to make it easily available,” he said in a written statement that quoted complimentary passages from Mehta’s decision. “As this process continues, we will remain focused on making products that people find helpful and easy to use.”

What Does This Mean For the Future of Tech

Since Judge Mehta has yet to impose any penalties since Google has yet to appeal, the implication of this ruling is not completely clear. According to many, the most likely penalty imposed on Google will be a court order to terminate its existing contracts with Apple and other mobile companies. Ultimately, this case paves the way for AI-powered search engines to enter the industry and take control of what Google has to relinquish.

This case also teaches a valuable lesson to big tech companies to be cautious when drafting a contract that entails a sense of exclusivity. “If you’ve got a dominant product, you’ve got to be very careful to make sure that your licensing and contract agreements are open, because making them exclusive can be dangerous,” said University of Pennsylvania Carey Law School antitrust scholar, Herbet Hovenkamp. No longer can companies form contracts that aim to transform a product into a default platform for all users.

Although this decision will play a significant role in Google’s future business practices, it will have an even larger role for the tech industry as a whole. For now on, companies will have to be very careful when engaging in business agreements with third parties to use its products or else they will face a similar result to Google. This case is only the start of big tech antitrust lawsuits as companies such as Apple, Amazon and Meta face their own respective antitrust allegations.  

Jacob Horowitz is a contributing editor at Compliance Chief 360° 

The post Google Loses Antitrust Case For Having Dominant Search Engine appeared first on Compliance Chief 360.

The lawsuit accused Meta of using its users biometric data that is contained in photos and videos on Facebook without receiving permission to do so. As a result of this activity Facebook exploited the personal information of users and non-users alike to grow its empire and reap historic windfall profits.

“Companies that operate in Texas must be held accountable for their actions, particularly when it puts the privacy of Texans at risk. We’re grateful to have had the opportunity to work with the Office of the Attorney General, and we appreciate how the court handled this lawsuit,” attorneys Sam Baxter and Jennifer Truelove said in a written statement.

Texas Alleged that Meta Violated its Data Privacy Laws

AG Paxton alleged Meta of violating Texas’s Capture or Use of Biometric Identifier Act and the Deceptive Trade Practices Act (CUBI). The claimed violation rose out of Meta’s “Tag Suggestions” feature on Facebook that consisted of an automated photo tagging feature when users upload photos or videos. Facebook introduced the facial recognition technology in 2010 which provided users with an easier way of tagging their friends. In 2021, the company announced that it would cease to use the technology after settling a case in which it was sued for violating Illinois’ ​​biometric privacy law.

“It was the first time the State of Texas sought to enforce its biometric-privacy law since enactment, requiring our team to develop novel litigation approaches and analyze important questions of first impression,” Zina Bash, representative attorney for Texas, said in a written statement. “And it was the first time a single state has ever achieved a settlement of this magnitude — which is even more rewarding because of the record time in which we obtained it. When we filed the case in 2022, we knew the state wanted to move quickly, and our team was relentless in litigating the case.”

In February 2022, Paxton filed a lawsuit in Texas state court against Facebook’s parent company, accusing it of violating the CUBI act by failing to obtain consent from Facebook users before collecting their data. The state also claimed that Meta unlawfully disclosed this data to third parties and failed to delete the data within the time frame specified by CUBI.

A Meta spokesperson said the company was “pleased to resolve this matter and look forward to exploring future opportunities to deepen our business investments in Texas, including potentially developing data centers.”  

Jacob Horowitz is a contributing editor at Compliance Chief 360° 

The post Meta Reaches Historic Settlement Over Biometric Data Violations appeared first on Compliance Chief 360.

The orders are aimed at helping the FTC better understand the dense market for products by third-parties that claim to use advanced algorithms, artificial intelligence and other technologies, along with personal information about consumers—such as their location, demographics, credit history, and browsing or shopping history—to categorize individuals and set a targeted price for a product or service. The study is aimed at helping the FTC better understand how surveillance pricing is affecting consumers, especially when the pricing is based on surveillance of an individual’s personal characteristics and behavior.

“Firms that harvest Americans’ personal data can put people’s privacy at risk. Now firms could be exploiting this vast trove of personal information to charge people higher prices,” said FTC Chair Lina Khan. “Americans deserve to know whether businesses are using detailed consumer data to deploy surveillance pricing, and the FTC’s inquiry will shed light on this shadowy ecosystem of pricing middlemen.”

The FTC is using its authority to conduct wide-ranging studies that do not have a specific law enforcement purpose, to obtain information from eight firms that advertise their use of AI and other technologies along with historical and real-time customer information to target prices for individual consumers. The orders were sent to Mastercard, Revionics, Bloomreach, JPMorgan Chase, Task Software, PROS, Accenture, and McKinsey & Co.

The orders are seeking information on four major areas:

• Types of products and services being offered: The types of surveillance pricing products and services that each company has produced, developed, or licensed to a third party, as well as details about the technical implementation and current and intended uses of this technology;
• Data collection and inputs: Information on the data sources used for each product or service, including the data collection methods for each data source, the platforms and methods that were used to collect such data, and whether that data is collected by other parties (such as other companies or other third parties);
• Customer and sales information: Information about whom the products and services were offered to and what those customers planned to do with those products or services; and
• Impacts on consumers and prices: Information on the potential impact of these products and services on surveilled consumers including the prices they pay.

The FTC has long been on the front lines of documenting and investigating the hidden ecosystem of data brokers, digital platforms, and other intermediaries that specialize in monitoring and selling user data. The FTC orders aim to shed light on how the current data ecosystem may facilitate the ability to target consumers with individual prices.  

The post FTC Issues Orders to Companies Seeking Information on Surveillance Pricing appeared first on Compliance Chief 360.

The lawsuit arises out of an incident that took place in May 2022 in which hackers downloaded phone call and text message records belonging to “nearly all” the AT&T’s wireless customers. AT&T admitted to the hack and said that the breached data included a record of every AT&T customers’ phone and text logs however, it did not include the content of calls and text messages suchg as social security numbers, dates of birth or customer names.

The lawsuit claims that AT&T was negligent and alleges that the company was not sufficiently transparent about the “nature and extent of data security lapses impacting its customers,” including how the attacks put them in danger of identity fraud. “Plaintiff and other data breach victims provided their [personally identifiable information] to AT&T with the reasonable expectations and mutual understanding that AT&T would comply with its obligations to keep such information confidential and secure from unauthorized access,” the complaint said.

Dina Winger, the plaintiff in the Texas lawsuit emphasized that AT&T should have known the risks within the cellular industry and should have implemented protocols to mitigate such risks. “Because the data breach was an intentional hack by cybercriminals seeking information of value that they could exploit, victims are at imminent risk of severe identity theft and exploitation,” Winger said, adding that AT&T knew or should have known that its systems were targets for cybersecurity attacks.

In the Montana federal court, AT&T was accused of “failing to properly secure and safeguard their personal information, including phone call and text message records for “nearly all” of the company’s 110 million cellular customers.” That lawsuit seeks to collect money from AT&T as compensation in addition to an injunction that requires the company to modify its data security processes and granting the victims credit monitoring and identity theft insurance, as well as attorney fees and litigation costs.

The New Jersey case mainly repeats the Montana and Texas accusations and simply emphasizes that AT&T disregarded its customers’ rights by failing to implement adequate measures to protect their sensitive information. All the plaintiffs aim to represent nationwide classes of data breach victims, potentially getting the class to millions of individuals.

AT&T Explains How the Breach Occurred

According to AT&T, its investigation revealed that a hacker accessed an AT&T workspace on a third-party cloud platform. The hacker then extracted files containing records of customer call and text interactions from approximately May 1 to October 31, 2022. The cellular service company said that it immediately activated its incident response process as well as hired external cybersecurity to help with the issue.

Since then, AT&T has assured its customers that none of their sensitive information has been leaked and that it has now secured its systems in order to discontinue the breach.  

PHOTO BY: BROWNINGS, USED UNDER CC BY-SA 3.0

Jacob Horowitz is a contributing editor at Compliance Chief 360° 

The post AT&T Sued for Failing to Protect Customer Data in Cybersecurity Breach appeared first on Compliance Chief 360.