We continue to monitor the progress in Stein v. Bank of
America Corp., a case with important and potentially
far-reaching implications for any company that transfers
confidential customer data abroad. This is a class action suit
brought against Bank of America Corporation and several of its
domestic and foreign subsidiaries, alleging violations of 12 U.S.C.
§ 3403(a), a portion of the Right to Financial Privacy Act
(RFPA). The plaintiffs are seeking statutory damages and injunctive
Plaintiffs originally alleged violations of several provisions of
the Washington D.C. Consumer Protection Act, D.C. Code §
28-3904, as well as claims for unjust enrichment, negligent
bailment and negligence. After a motion to dismiss and two
amendments, the current version of the complaint is limited to the
Plaintiffs' claim has two essential elements: (i) that Bank of
America transmits customer financial information to its affiliates
abroad; and (ii) that the U.S. government has a global electronic
surveillance system that monitors and intercepts all transmissions
sent to or received by foreign nationals residing overseas.
According to plaintiffs, simply by transmitting the data abroad,
where government surveillance of foreign nationals might intercept
it, Bank of America has provided the government with access to that
data, in violation of the RFPA. This expansive interpretation of
the RFPA could subject any financial institution to liability any
time the institution transfers data abroad.
Most recently, Bank of America has moved to dismiss the Second
Amended Complaint. In its motion, Bank of America argues that the
plaintiffs lack standing because they have not alleged any actual
injury resulting from the cross-border data transfer, and that
plaintiffs have failed to state a claim under the RFPA because they
have not alleged that Bank of America affirmatively conveyed
customer data to the government.
Although no hearing has been scheduled, the motion to dismiss is
fully briefed and Judge Walton could issue a ruling at any
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Illinois Attorney General Lisa Madigan has issued a binding opinion under the state's FOIA that email messages sent or received through public employees' personal email accounts may be public records subject to disclosure...
Triggering a landslide of legislative reforms and legal battles, the European Court of Justice's ("ECJ") landmark judgment of April 8, 2014, Digital Rights Ireland (C-293/12), invalidated the Data Retention Directive 2006/24/EC, which provided that providers of publicly available communications services must retain certain data.
Following the July 12, 2016, adoption by the European Commission of the EU-U.S. Privacy Shield (the "Privacy Shield"), companies engaging in trans-Atlantic data sharing can now register for the Privacy Shield.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).