We continue to monitor the progress in Stein v. Bank of
America Corp., a case with important and potentially
far-reaching implications for any company that transfers
confidential customer data abroad. This is a class action suit
brought against Bank of America Corporation and several of its
domestic and foreign subsidiaries, alleging violations of 12 U.S.C.
§ 3403(a), a portion of the Right to Financial Privacy Act
(RFPA). The plaintiffs are seeking statutory damages and injunctive

Plaintiffs originally alleged violations of several provisions of
the Washington D.C. Consumer Protection Act, D.C. Code §
28-3904, as well as claims for unjust enrichment, negligent
bailment and negligence. After a motion to dismiss and two
amendments, the current version of the complaint is limited to the

Plaintiffs' claim has two essential elements: (i) that Bank of
America transmits customer financial information to its affiliates
abroad; and (ii) that the U.S. government has a global electronic
surveillance system that monitors and intercepts all transmissions
sent to or received by foreign nationals residing overseas.
According to plaintiffs, simply by transmitting the data abroad,
where government surveillance of foreign nationals might intercept
it, Bank of America has provided the government with access to that
data, in violation of the RFPA. This expansive interpretation of
the RFPA could subject any financial institution to liability any
time the institution transfers data abroad.

Most recently, Bank of America has moved to dismiss the Second
Amended Complaint. In its motion, Bank of America argues that the
plaintiffs lack standing because they have not alleged any actual
injury resulting from the cross-border data transfer, and that
plaintiffs have failed to state a claim under the RFPA because they
have not alleged that Bank of America affirmatively conveyed
customer data to the government.

Although no hearing has been scheduled, the motion to dismiss is
fully briefed and Judge Walton could issue a ruling at any