We continue to monitor the progress in Stein v. Bank of
America Corp., a case with important and potentially
far-reaching implications for any company that transfers
confidential customer data abroad. This is a class action suit
brought against Bank of America Corporation and several of its
domestic and foreign subsidiaries, alleging violations of 12 U.S.C.
§ 3403(a), a portion of the Right to Financial Privacy Act
(RFPA). The plaintiffs are seeking statutory damages and injunctive

Plaintiffs originally alleged violations of several provisions of
the Washington D.C. Consumer Protection Act, D.C. Code §
28-3904, as well as claims for unjust enrichment, negligent
bailment and negligence. After a motion to dismiss and two
amendments, the current version of the complaint is limited to the

Plaintiffs' claim has two essential elements: (i) that Bank of
America transmits customer financial information to its affiliates
abroad; and (ii) that the U.S. government has a global electronic
surveillance system that monitors and intercepts all transmissions
sent to or received by foreign nationals residing overseas.
According to plaintiffs, simply by transmitting the data abroad,
where government surveillance of foreign nationals might intercept
it, Bank of America has provided the government with access to that
data, in violation of the RFPA. This expansive interpretation of
the RFPA could subject any financial institution to liability any
time the institution transfers data abroad.

Most recently, Bank of America has moved to dismiss the Second
Amended Complaint. In its motion, Bank of America argues that the
plaintiffs lack standing because they have not alleged any actual
injury resulting from the cross-border data transfer, and that
plaintiffs have failed to state a claim under the RFPA because they
have not alleged that Bank of America affirmatively conveyed
customer data to the government.

Although no hearing has been scheduled, the motion to dismiss is
fully briefed and Judge Walton could issue a ruling at any

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.