We continue to monitor the progress in Stein v. Bank of
America Corp., a case with important and potentially
far-reaching implications for any company that transfers
confidential customer data abroad. This is a class action suit
brought against Bank of America Corporation and several of its
domestic and foreign subsidiaries, alleging violations of 12 U.S.C.
§ 3403(a), a portion of the Right to Financial Privacy Act
(RFPA). The plaintiffs are seeking statutory damages and injunctive
Plaintiffs originally alleged violations of several provisions of
the Washington D.C. Consumer Protection Act, D.C. Code §
28-3904, as well as claims for unjust enrichment, negligent
bailment and negligence. After a motion to dismiss and two
amendments, the current version of the complaint is limited to the
Plaintiffs' claim has two essential elements: (i) that Bank of
America transmits customer financial information to its affiliates
abroad; and (ii) that the U.S. government has a global electronic
surveillance system that monitors and intercepts all transmissions
sent to or received by foreign nationals residing overseas.
According to plaintiffs, simply by transmitting the data abroad,
where government surveillance of foreign nationals might intercept
it, Bank of America has provided the government with access to that
data, in violation of the RFPA. This expansive interpretation of
the RFPA could subject any financial institution to liability any
time the institution transfers data abroad.
Most recently, Bank of America has moved to dismiss the Second
Amended Complaint. In its motion, Bank of America argues that the
plaintiffs lack standing because they have not alleged any actual
injury resulting from the cross-border data transfer, and that
plaintiffs have failed to state a claim under the RFPA because they
have not alleged that Bank of America affirmatively conveyed
customer data to the government.
Although no hearing has been scheduled, the motion to dismiss is
fully briefed and Judge Walton could issue a ruling at any
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On Friday, November 13, Federal Trade Commission ("FTC" or the "Commission") Chief Administrative Law Judge ("ALJ") D. Michael Chappell issued an Initial Decision in In the Matter of LabMD, Inc. (FTC Docket No. 9357), dismissing the Commission's Complaint against LabMD, Inc. ("LabMD"), upon a finding that the FTC had failed to "demonstrate a likelihood that [LabMD's] computer network will be breached in the future and cause substantial computer injury."
Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic. So first, take a deep breath and calm down.
Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York.
High-profile data breaches seem to hit the headlines almost every day. These breaches have proved terrifying for many companies, particularly as the attackers release embarrassing emails and other information.