Data Breach, UDAPs and the Federal Thrift Charter: States’ Rights And Federal Prerogatives
V. GERARD COMIZIO AND KEVIN L. PETRASIC
The authors analyze the conflict between federal preemption and state
unfair or deceptive acts or practices laws in the context of the jurisdiction of the Office of Thrift Supervision, the primary federal regulator of
federal savings associations, commonly referred to as the thrift industry.
The authors also explore the parameters of federal preemption under the
privacy provisions of the Gramm-Leach-Bliley Act of 1999.
Two phenomena likely to have a significant impact on banking in the
coming years are the risks of data breach and exposure to an
increasing array of laws, rules and regulations involving unfair or
deceptive acts or practices (“UDAPs”). The intersection of these two phenomena raises particularly difficult and unique challenges for depository
institutions. While a data breach in and of itself may be actionable under
a number of existing laws,1 a UDAP action brought by a state or federal
regulator, or by private litigants asserting a private right of action on
behalf of a class of adversely impacted customers/consumers, ups the ante
from both a legal perspective and a public relations point of view.
V. Gerard Comizio is the senior partner in the Financial Services Practice Group
of Paul, Hastings, Janofsky & Walker LLP, resident in the firm’s Washington, D.C.,
office. He can be reached at vgerardcomizio@paulhastings.com. Kevin L.
Petrasic is a senior associate at Paul Hastings and is former Special Counsel and
Managing Director of External Affairs at the Office of Thrift Supervision. He can
be reached at kevinpetrasic@paulhastings.com.
Published in the September 2008 Privacy & Data Security Law Journal.
Copyright ALEXeSOLUTIONS, INC.
This article analyzes the conflict between federal preemption and state
UDAP laws in the context of the jurisdiction of the Office of Thrift
Supervision, the primary federal regulator of federal savings associations,
commonly referred to as the thrift industry. It also explores the parameters of federal preemption under the privacy provisions of the Gramm-Leach-Bliley Act of 1999 (“GLBA”).2
FEDERAL AND STATE UDAP LAWS
Recently, all five federal financial institution regulators signaled
increased vigilance and muscle-flexing in asserting their UDAP authority.
The Federal Reserve Board (“FRB”) and the Office of Thrift Supervision
(“OTS”), along with the National Credit Union Administration (“NCUA”),
issued a joint proposal defining certain UDAPs, primarily with respect to
certain credit card practices.3 The Office of the Comptroller of the
Currency (“OCC”) entered into a settlement agreement with a major
national bank for UDAPs arising out of the bank’s relationship with several telemarketing firms and third party payment processors. The Federal
Deposit Insurance Corporation (“FDIC”) also announced a significant
UDAP enforcement action against two banks and a credit card company
providing services to the banks and a third bank that entered into a settlement with the FDIC based on deceptive credit card marketing activities.
Complicating the UDAP picture for depository institutions are litigation risks from customers and other affected parties asserting a private
right of action under various state UDAP laws. While the Federal Trade
Commission Act (“FTC Act”) does not provide for a private right of
action for UDAP violations of its Section 5 provisions,4 numerous state
UDAP laws allow for such a right,5 including the ability to pursue relief
in a class action suit.6 As more data breaches occur, it is likely that pressure will increase at the state and local level to provide ways for citizens
to protect their own privacy rights. It is reasonable to expect that some of
these efforts will include private rights of action under various UDAP-like
laws. In many respects, whether a private right of action exists may be
less important than the negative publicity associated with a group of customers attempting, even unsuccessfully, to assert a private right of action
under an existing state/local UDAP law or quasi-UDAP provision.
On the data breach front, depository institutions and depository institution customers continue to become increasingly captive to technological
systems to store and protect their transactional data and other sensitive
customer information. And perhaps more significant, most institutions
have become extremely dependent on third party service providers for
solutions to guard and protect the security and integrity of sensitive customer and transactional information. As a result, financial institution risks
associated with data breach have increased exponentially. These risks
include business, litigation, reputation, regulatory/compliance and numerous related risks. Assessing the level and extent of these risks is often difficult and usually involves balancing a number of competing interests
depending on the facts and circumstances of a particular situation.
While the circumstances surrounding a breach incident typically are
varied, generally, there are two basic varieties of data breach. The first is
caused by a malicious attack and/or unauthorized intruder actively pursuing and exploiting an institution or network data system vulnerability.
The second involves the inadvertent loss or release of sensitive customer
data by an institution, its agent or service provider with access to and/or
control of sensitive customer information. While the latter case may not
appear to expose an institution’s customers to the same immediate threat
of identity theft as the former case, both situations have to be treated the
same — as an actual threat that must be contained quickly to avoid potential exposure to the institution’s customer base.
Recognizing the potential exposure to their citizens, numerous states
and local jurisdictions have enacted laws and/or applied existing laws in
an attempt to hold institutions and other entities liable for data breach incidents. Many of these efforts involve the promulgation and application of
UDAP laws modeled after Section 5(a)(1) of the FTC Act.7 Typically,
these state UDAP laws are guided by interpretations given by the Federal
Trade Commission and the courts to the federal provision. In addition to
significant civil penalties and potential criminal sanctions depending on
the state/local law and nature of a data breach incident, some state and
local laws authorize or leave open the possibility of a UDAP private right
of action to pursue a party responsible or culpable for a data breach.
While the application of state/local UDAP laws to state-chartered institutions and other state-licensed entities may be difficult to challenge from a
jurisdictional standpoint, the application of these laws to federally chartered depository institutions raises unique jurisdictional issues.
On the one hand, a state or local jurisdiction has a legitimate interest
in protecting the privacy rights of its citizens in the conduct of their business affairs and banking activities. On the other hand, a federally chartered depository institution is already subject to a plethora of federal (and
sometimes state and local) laws that control, regulate and monitor virtually every aspect of their operations and daily contact with their customer
base. More specifically, a federally chartered depository institution is
subject to federal laws and rules that address data breaches, supervise
depository institution data and customer information systems (including
those of agents and service providers), and protect the privacy and security of depository institution customers. These laws include:
• Section 501(b) of the GLBA;8
• provisions of the Bank Service Company Act and Section 5(d)(7) of the Home Owners’ Loan Act (“HOLA”);9
• the Bank Protection Act;10
• the Fair and Accurate Credit Transactions Act (“FACTA”);11
• existing and proposed federal banking agency UDAP rules;12
• the federal banking agencies’ Interagency Guidelines Establishing Information Security Standards;13 and
• the federal banking agencies’ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.14
A quick review of the above provisions reveals a comprehensive and
far-reaching regulatory scheme that is largely redundant of state and local
privacy protection laws. Thus, the question that remains is what laws
apply to a federally chartered depository institution in the context of a data
breach and, more specifically, are state/local UDAP laws preempted by
federal law in such circumstances?
The OTS, which regulates federal thrifts and is regarded as holding
the strongest federal preemption powers of the two regulators of federally chartered depository institutions, has developed a strong track record
and unique supervisory approach with respect to the application of federal preemption to state UDAP laws. In part due to the significant preemption powers wielded by the OTS with respect to the operations of federal
thrifts under the HOLA, OTS opinions and precedent provide a good road
map for analyzing the differing state and federal interests in the application of state UDAP laws — including a possible private right of action —
to a federal thrift in the context of a data breach incident.
FEDERAL PREEMPTION OF STATE UDAP LAWS UNDER THE HOLA
The OTS has issued a number of opinions on the applicability of federal preemption under the HOLA to state consumer protection and UDAP
laws. For example, in July 2003, the OTS opined on the application of a
New Jersey predatory lending law to federal thrifts.15 In concluding that
the New Jersey law was preempted by the HOLA, the OTS opinion noted
that one of the aspects of the New Jersey law’s compliance scheme
involved the ability to pursue a private right of action under the New
Jersey Consumer Fraud Act rather than an action under the New Jersey
Home Ownership Security Act (i.e., the predatory lending law). The OTS
opinion specifically preempted the application to a federal thrift of causes of action brought under both New Jersey laws.
The OTS further provided that, “in enacting the [HOLA], Congress
required the [OTS] to provide for the organization, incorporation, examination, operation, and regulation of federal savings associations ‘giving
primary consideration of the best practices of thrift institutions in the
United States.’”16 Noting that application of the New Jersey law to a federal thrift would “thwart the more general congressional objective that
OTS have exclusive responsibility for regulating the operations of federal savings associations,” the opinion further provided that “Congress gave
OTS, not the States, the task of determining the best practices for federal
[thrifts] and creating nationally uniform rules.”
More recently, in June 2006, the OTS addressed the issue of federal
preemption of state consumer protection laws targeted at the issuance,
marketing and terms of gift cards.17 The state laws at issue included specific laws governing gift cards and similar instruments, as well as laws
that were part of broader state UDAP laws. In preempting the application
of the various state laws, the OTS opined that it had affirmed through its
rulemaking process the agency’s long-held position that “it totally occupies the field of the regulation of the operations of federal savings associations.”
The opinion further noted that Section 545.2 of the agency’s regulations,18 which implements the HOLA, provides that the agency’s operations rule at Part 545 “is promulgated pursuant to the ‘plenary and exclusive authority of the [OTS] to regulate all aspects of the operations of
Federal Savings associations’ and that the agency’s exercise of such
authority is ‘preemptive of any state law purporting to address the subject
of the operations of a Federal savings association’” (emphasis added).19
Commenting on the comprehensiveness of this authority, the opinion provides that “[c]ourts have consistently ruled that when the federal government preempts by ‘occupying the field,’ no state law can operate in the
area.”20 In this regard, the agency has “consistently opined that the federal regulatory scheme ‘occupies the field’ of regulation affecting the operations of federal thrifts.”21
A March 1999 OTS opinion addressed the application of the
California Unfair Competition Act (“CUCA”) to federal savings associations.22 In that instance, the OTS opined that provisions of the CUCA purporting to apply to three areas of a federal thrift’s lending operations —
advertising (requiring a specific form of interest rate disclosure), forced
placement of insurance (restricting the parameters by which an institution
may force place hazard insurance), and restricting certain fees the institution may charge on a loan — are preempted by HOLA § 5(a).
In explaining the scope of federal preemption, the OTS stated that
federal law preempts the manner in which specified provisions of state
law applied to the institution. In particular, the agency noted a “preemption analysis requires consideration of the relationship between federal
and state laws as they are interpreted and applied, not merely as they are
written.”23 Thus, state laws must be analyzed both on their face and in the
manner of their application to a federal thrift. Where a state law does not
appear targeted at affecting the operations of a federal thrift but its application or impact interferes with the institution’s operations or activities,
then such state laws will be preempted by the HOLA (subject to certain
limitations).
Another opinion on the subject, issued by the OTS in December 1996,
addressed certain Indiana UDAP laws.24 That opinion involved the applicability to a federal thrift of various provisions of the Indiana Uniform
Consumer Credit Code. While the OTS preempted provisions of the
Indiana law involving disclosures and loan-related charges, the agency
concluded that federal preemption did not extend to override provisions of
the state law prohibiting fraudulent and deceptive loan practices.
Notably, the Indiana law prohibited specified acts and representations
in all consumer transactions, not just those involving extensions of credit.
The OTS stated that while the impact of this portion of the law may affect
a thrift’s lending operations, the impact was incidental to the state’s legitimate interest in regulating and ensuring ethical business practices in
Indiana commerce. Since this portion of the Indiana law had no measurable impact on a thrift’s lending operations, the OTS opined that this
aspect of the law was not preempted.
While the Indiana opinion appears at odds with the agency’s view
three years later in the March 1999 California opinion, the OTS specifically addressed this issue in the latter opinion. Comparing the Indiana and
California UDAP provisions, the OTS noted that the Indiana UDAP laws,
addressed in its December 1996 opinion, were targeted and narrowly
drawn to certain specific acts or representations that were deemed “deceptive.”25 In contrast, the OTS highlighted the breadth, open-ended scope
and liberal interpretations of the courts with respect to the reach of the
CUCA and concluded that, as applied, the California law “has more than
an incidental impact on [a federal thrift’s] lending activities and is contrary to the purpose of uniform standards of operations.”26
It is noteworthy that the OTS highlighted the liberal standing rules
under the California law, including a private right of action that could be
brought by any individual without the requirement of proving actual harm
from an alleged UDAP.27 The OTS also noted the inconsistency under the
FTC Act — which does not provide for a private right of action by consumers to pursue alleged UDAPs — and various state laws that permit
such a cause of action.
ANALYSIS OF A UDAP DATA BREACH CLAIM
For purposes of analysis of state/local UDAP laws, it appears well settled by the courts and in opinions issued by the OTS that the operations of
federal thrifts are subject to the exclusive oversight and regulation of the
OTS.28 It also appears well settled that the OTS regulates all aspects of
the operations of a federal thrift, and the agency’s exercise of this authority preempts any state law purporting to address a federal thrift’s operations.29 As set forth in various court cases and cited in numerous interpretive opinions, the OTS “occupies the field” of regulation affecting a
federal thrift’s operations.30
With respect to the application of a state/local UDAP law to a federal
thrift by a state/local agency pursuant to a data breach, as the OTS noted
in its March 1999 California UDAP opinion, the HOLA also preempts the
manner in which specified provisions of state law apply to a federal thrift.
Where state laws are broadly construed and applied by state/local regulatory and enforcement agencies, such laws have more than an incidental
impact on the operations of a federal thrift and, therefore, are preempted
by the HOLA. Generally, state/local UDAP provisions fit squarely within the types of state laws preempted by the HOLA.
Rather than having an incidental effect on the activities of a federal
thrift, most state/local UDAP laws have a broad application and empower agencies to conduct extensive and far-reaching investigations to protect
their citizenry. The possibility remains that the OTS could opine, or the
courts could rule, that a state/local UDAP law is narrowly targeted and
specifically drawn, as the OTS did in its December 1996 opinion with the
Indiana UDAP law. It appears far more likely, however, that the OTS or
the courts would view the application of a state/local UDAP law in connection with a data breach incident as having a clearly measurable impact
on a federal thrift. If so, the UDAP law will be preempted by the HOLA.
For the same reasons, it is also likely that the application of a
state/local UDAP law pursuant to a private right of action asserted by individuals affected by a data breach would be preempted by the HOLA.
FEDERAL PREEMPTION UNDER THE GLBA PRIVACY PROVISIONS
In addition to preemption under the HOLA, it appears a state/local
UDAP data breach claim may be successfully challenged by preemption
under the federal privacy provisions of the GLBA.
As the OTS noted in a December 1998 opinion, there are several alternatives by which a state law may be preempted by federal law.31 That
opinion involved the provisions of the Massachusetts Electronic Branches
and Electronic Fund Transfers statute, which mandated compliance with
state approval requirements in connection with the operation of electronic branches and ATMs. Under the facts, it was evident that the
Massachusetts Commissioner of Banks viewed the law as a registration
and consumer protection statute. In concluding that certain provisions of
the Massachusetts law (that is, a state approval requirement to operate an
off-site electronic branch, an annual assessment fee, and a restriction on
out-of-state institutions operating electronic branches) were preempted,
the OTS noted that there were three operative categories of federal preemption:
• Express preemption (Congress enacts a law expressly preempting state law);
• Field preemption (federal law occupies the field in a specific area or activity); and
• Conflicts preemption (state law conflicts with federal law and either compliance with both laws is not possible or state law is an obstacle to accomplishing Congress’s objectives in enacting a federal law).
In addition to field preemption under the HOLA, an action pursued
under a state/local UDAP law for the release of private customer data by
a federal thrift — as well as a national bank and, arguably, any state-chartered, federally-insured depository institution32 — is in conflict with the
privacy provisions of the GLBA and, thus, preempted by federal law pursuant to that conflict. In this regard, whether a state/local UDAP law can
be used as a basis for pursuing a cause of action based on privacy depends
on the availability of this remedy under state and federal law. Pursuant to
GLBA § 507(a),33 the federal privacy provisions of the GLBA “shall not
be construed as superseding, altering, or affecting any statute, regulation,
order, or interpretation in effect in any State, except to the extent that such
statute, regulation, order, or interpretation is inconsistent with the provisions of [the GLBA privacy provisions], and then only to the extent of the
inconsistency” (emphasis added).34
Under GLBA § 501(b)(1), financial institutions are subject to various
safeguards to “insure the security and confidentiality of customer records
and information.”35 These safeguards are set forth in regulations and
implemented for financial institutions by each of the agencies with authority to enforce the GLBA privacy provisions under GLBA § 505(a).36
Section 505(a) further provides that the GLBA privacy provisions “shall
be enforced by the Federal functional regulators, the State insurance
authorities [under State insurance law, with respect to persons engaged in
providing insurance], and the Federal Trade Commission with respect to
[institutions and persons] subject to their jurisdiction.”37 Most importantly, the GLBA does not authorize the states to enforce its provisions.
Rather, Congress made clear within the context of the GLBA that the only
enforcement remedy is by action of the enumerated agencies in GLBA §
505(a).
The same holds true with respect to the application of a state/local
UDAP law pursuant to a private right of action asserted by individuals
affected by a data breach. The GLBA does not provide for a private right
of action for enforcement of its privacy provisions. Again, the only
enforcement remedy is by action of the enumerated agencies in GLBA §
505(a).
As noted above, in the GLBA, Congress authorized the states to enact
more stringent state privacy requirements, provided the state requirements
are not inconsistent with the federal GLBA provisions. While some states
have done so, in a number of other instances, state and local privacy laws
establish only a general prohibition on releasing nonpublic information
and lack more stringent and specific safeguards to protect the security and
confidentiality of personally identifiable customer information by a financial institution. Where general privacy laws are used as a basis for pursuing a breach of privacy claim under a state/local UDAP law for failure
to safeguard customer records, it is likely that such actions will be preempted by the GLBA.
GLBA § 505(a) provides that the privacy provisions of the GLBA
may be enforced against a financial institution by the various designated
agencies with authority over such institutions. Notably, the GLBA does
not provide for a private right of action, nor does it authorize agencies
other than those enumerated to pursue enforcement of the privacy protections set forth under the GLBA. And where a state/local UDAP law is
interpreted as safeguarding the security and confidentiality of financial
institutions’ customer information, GLBA § 501(b)(1) already imposes
this requirement. Thus, rather than being a more restrictive state requirement permissible under GLBA § 507(b), such laws are merely redundant
of the federal GLBA standard and, thus, should be preempted.
EXCLUSIVE EXAMINATION AND ENFORCEMENT AUTHORITY OF THE OTS
As previously discussed, there may be instances where a state/local
UDAP law is narrowly drawn and/or construed in a manner such that the
law remains applicable to a federal thrift (or other institution) despite federal preemption. A unique situation exists where a federally chartered
depository institution remains subject to a state/local provision that affects
its lending and/or deposit-taking operations, particularly where the
state/local agency charged with enforcing the law may lack the access to
determine compliance and/or the ability to compel compliance. From a
practical perspective, it may be the case that such laws are only enforceable by the institution’s primary federal regulator. In fact, this is the view
taken by the OTS and endorsed by the Ninth Circuit Court of Appeals in
a case affirmed by the U.S. Supreme Court. In particular, the OTS takes
the position that only it has the authority to examine the operations of a
federal thrift and enforce the provisions of applicable state/local laws
against a federal thrift.38 And it is reasonable to conclude that the agency
would take this position with respect to a private right of action asserted
under a state/local UDAP law in a civil suit.
In March 2006, the OTS opined on the applicability to federal thrifts of
certain UDAP provisions added to the Code of Montgomery County,
Maryland.39 In concluding that provisions of the County Code purporting to
prohibit certain lending practices for federal thrifts are preempted by federal law, the OTS again noted that it “occupies the field of the regulation of
the operations of federal savings associations…to enhance safety and
soundness and enable federal savings associations to conduct their operations in accordance with best practices by efficiently delivering low-cost
credit to the public free from undue regulatory duplication and burden.”40
The OTS further noted that the provisions of the County Code “would
thwart the more general congressional objective that OTS shall have exclusive responsibility for regulating the operations of federal savings associations ‘giving primary consideration of the best practices of thrift institutions
in the United States.’”41 In this regard, the opinion states that Congress gave
the OTS, not state or local governments, the task of determining the best
practices for federal thrifts. Extending this notion to situations where provisions of a state or local law would not be preempted by federal law and
could be applicable to a federal thrift, the opinion provides that the authority to enforce any such law would remain with the OTS.
In particular, while noting that the March 2006 opinion does not
address certain other provisions of the County Code, the OTS stated, “to
the extent that those provisions may be applicable to federal savings associations or their operating subsidiaries, [the] County may not take action
against these entities.” The OTS further specified that it has “comprehensive and exclusive authority to enforce laws against federal savings
associations,” and concluded that a federal thrift “would not be subject to
the procedures for investigation and enforcement by [the] County under
the County Code.”
In explaining the authority for the OTS’s exclusive role in examining
and pursuing enforcement actions against a federal thrift, the March 2006
opinion points out that “the HOLA expressly authorizes OTS to ‘provide
for the …examination, operation, and regulation’ of federal savings associations.”42 In addition, the opinion references the authority granted the
OTS under the Federal Deposit Insurance Act to take enforcement actions
against a federal thrift. As the opinion provides, both grants of authority
are well established, recognized by the courts, and exclusive to the OTS.
In this regard, as detailed in the March 2006 opinion, the Ninth
Circuit Court of Appeals, ruling in Conference of Federal Savings and
Loan Associations v. Stein,43 a case affirmed by the U.S. Supreme Court,
held that only the OTS’s predecessor agency, the Federal Home Loan
Bank Board (“FHLBB”), could enforce a state anti-discrimination law
against a federal thrift. As the Ninth Circuit noted and the OTS referenced, “the regulatory control of the [FHLBB] over federal savings and
loan associations is so pervasive as to leave no room for state regulatory
control.”44 Pursuant to Stein and numerous opinions of the OTS and its
predecessor,45 it is well settled that state laws and regulations providing for
or authorizing examination and/or enforcement by a state of a federal
thrift are preempted by the HOLA. Further, it is reasonable to conclude
the OTS’s exclusive examination and enforcement authority would also
operate to preclude the activities of civil litigants attempting to enforce a
state/local law by a private right of action against a federal thrift.
Based on Stein, the OTS March 2006 opinion and numerous other
agency opinions,46 it appears that to the extent any provision of a UDAP
law asserted by a state/local agency or in a civil suit is applicable to a federal thrift, such provision could only be applied to the thrift by the OTS.
State/local agency efforts and/or a private right of action based on the
UDAP law would be preempted by the OTS’s comprehensive and exclusive authority under the HOLA to enforce laws — including any applicable state laws — against federal savings associations.
CONCLUSION
Based on the statutory language of the HOLA, various court decisions
and numerous OTS opinions, the application to a federal thrift of a
state/local UDAP and/or privacy law, including a private right of action
under any such law, is likely preempted by the HOLA. Similarly, based
on a conflict with the federal privacy provisions of the GLBA, the application of a state/local UDAP or privacy law to a federal thrift (or other
depository institution), including a private right of action under any such
law, appears to be preempted by the GLBA. Finally, to the extent that a
provision of a state/local UDAP or privacy law survives preemption by
the HOLA and GLBA and would apply to a federal thrift, it appears that
only the OTS has the authority to investigate or examine the thrift and
enforce such provisions against the institution.
While a federal thrift confronting potential liability for a data breach
remains accountable to the OTS under applicable federal laws, given the
scope of federal preemption provided by the HOLA and GLBA, it appears
that the institution will not be subject to numerous state and local laws in
connection with the incident — including private rights of action under
such laws. State/local privacy laws also appear to be preempted for other
depository institutions to the extent of a conflict with the privacy provisions of the GLBA.
Finally, it is important to bear in mind that legal liability is just one of
the risks facing a depository institution in the context of a data breach
incident. Depending on the context and manner in which an institution
handles an incident, factors such as reputation risk may be far more significant in the final analysis.
NOTES
1. See infra, notes 7-13 and accompanying text.
2. 15 U.S.C. §§ 6801 et seq.
3. 12 Fed. Reg. 28904 (May 19, 2008).
4. 15 U.S.C. § 45.
5. See, e.g., Alabama Code § 8-19-8; California Business and Professional Code § 17203; Delaware Code Title 6 § 2522; District of Columbia Code § 28-3905; Florida Deceptive and Unfair Trade Practices Act, Florida Code § 501.203; Georgia Code § 10-1-398; Hawaii Code § 481A-4; Idaho Consumer Protection Act, Idaho Code § 48-608; Illinois Code (815 ILCS 510/3); Kansas Consumer Protection Act, Kansas Code § 50-634; Kentucky Consumer Protection Act, Kentucky Code § 367.220; Louisiana Unfair Trade Practices and Consumer Protection Law, Louisiana Code § 51:1409; Maine Code, Title 5 §§ 209 and 213; Maryland Code § 13-401; Massachusetts Chap. 93A, Code § 9; Minnesota Code § 325D.45; Mississippi Code § 75-24-15; Montana Unfair Trade Practices and Consumer Protection Act of 1973, Montana Code § 30-14-121; Nebraska Code § 87-303; Nevada Code § 598.0963; New Jersey Code § 56.8-11; New Mexico Code § 57-12-10; New York Code Gen. Bus. § 350-e; North Carolina Code § 75-16; North Dakota Code § 51-10-6; Oklahoma Consumer Protection Act, Oklahoma Code Title 15 § 761.1; Oregon Code § 646.638; Pennsylvania Unfair Trade Practices and Consumer Protection Law, Pennsylvania Code Title 73 § 201-9.2; South Carolina Unfair Trade Practice Act, South Carolina Code § 39-5-140; South Dakota Code § 37-24-31; Tennessee Consumer Protection Act of 1977, Tennessee Code § 47-18-107; Texas Deceptive Trade Practices–Consumer Protection Act, Texas Bus. & Com. Code § 17.48; Utah Code § 13-11a-4; Vermont Code Title 9 § 2461; Virginia Consumer Protection Act of 1977, Virginia Code § 59.1-204; Washington Code § 19.86.090; and West Virginia Code § 46A-6-106.
6. See, e.g., Alaska Code § 45.50.531; Colorado Consumer Protection Act, Colorado Code § 6-1-113; Connecticut Unfair Trade Practices Act, Connecticut Code §§ 42-110d and -110g; Indiana Code § 24-5-0.5-4; Michigan Consumer Protection Act, Michigan Code § 445.910 (State Attorney General must bring class action); Missouri Code § 407.100; New Hampshire Code §§ 358A:10 and :10a; Ohio Code §§ 1345.07 and .09; Rhode Island Code § 6-13.1-5.2; Wisconsin Consumer Act, Wisconsin Code § 426.110; and Wyoming Consumer Protection Act, Wyoming Code § 40-12-108.
7. 15 U.S.C. § 45(a)(1).
8. 15 U.S.C. § 6801(b).
9. 12 U.S.C. §§ 1867(c) and 1464(d)(7).
10. 12 U.S.C. § 1881 et seq.
11. Pub. L. 108-159, amending the Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681 et seq., and other laws.
12. See 12 C.F.R. Parts 226, 227 and 535, and 12 Fed. Reg. 28904 (May 19, 2008).
13. See 66 Fed. Reg. 8616 (Feb. 1, 2001) and 69 Fed. Reg. 77610 (Dec. 28, 2004).
14. See 70 Fed. Reg. 15736 (March 29, 2005).
15. OTS Op. Chief Counsel July 22, 2003.
16. Id., citing 12 U.S.C. § 1464(a).
17. OTS Op. Chief Counsel June 9, 2006.
18. 12 C.F.R. § 545.2.
19. Id., quoting 12 C.F.R. § 545.2 (2006).
20. Id., citing Fidelity Federal Savings and Loan Association v. de la Cuesta, 458 U.S. 141 (1982); Pacific Gas and Electric Company v. State Energy Resources and Development Comm., 461 U.S. 190, 203-04 (1983).
21. Id.
22. OTS Op. Chief Counsel March 10, 1999.
23. Id.
24. OTS Op. Chief Counsel December 24, 1996.
25. OTS Op. Chief Counsel March 10, 1999.
26. Id.
27. Id.
28. See OTS Op. Chief Counsel July 22, 2003.
29. 12 C.F.R. § 545.2 (2006).
30. See notes 6-9, supra.
31. OTS Op. Chief Counsel December 22, 1998.
32. Pursuant to the provisions of the GLBA, the federal banking agencies, including the Federal Deposit Insurance Corporation for state non-member banks and the Federal Reserve Board for state member banks, are the agencies charged with application of the federal privacy protections.
33. 15 U.S.C. § 6807(a).
34. Id.
35. 15 U.S.C. § 6801(b)(1).
36. See 15 U.S.C. §§ 6801(b) and 6805(a).
37. 15 U.S.C. § 6805(a).
38. The OTS position is with respect to state/local laws within its sphere of supervisory and regulatory influence and control. In particular, the OTS defers to state/local jurisdictions with respect to issues or matters that involve personal safety, the application of state/local real estate laws, criminal acts, and certain other related areas.
39. OTS Op. Chief Counsel March 7, 2006.
40. Id., citing 12 C.F.R. § 560.2(a) (2005).
41. Id., citing 12 U.S.C. § 1464(a).
42. Id., citing 12 U.S.C. § 1464(a).
43. Conference of Federal Savings and Loan Associations v. Stein, 604 F.2d 1256 (9th Cir. 1979), aff’d mem., 445 U.S. 921 (1980).
44. Id. at 1260.
45. See OTS Op. Chief Counsel March 7, 2006, note 20 and accompanying text, referencing FHLBB Op. Gen. Counsel (January 26, 1979); FHLBB Op. Gen. Counsel (July 9, 1985); OTS Mem. Chief Counsel (May 10, 1995); OTS Op. Chief Counsel (January 18, 1996); OTS Op. Chief Counsel (July 1, 1998); and OTS Op. Chief Counsel (January 15, 1999).
46. Id.