We continue to monitor the progress in Stein v. Bank of
America Corp., a case with important and potentially
far-reaching implications for any company that transfers
confidential customer data abroad. This is a class action suit
brought against Bank of America Corporation and several of its
domestic and foreign subsidiaries, alleging violations of 12 U.S.C.
§ 3403(a), a portion of the Right to Financial Privacy Act
(RFPA). The plaintiffs are seeking statutory damages and injunctive

Plaintiffs originally alleged violations of several provisions of
the Washington D.C. Consumer Protection Act, D.C. Code §
28-3904, as well as claims for unjust enrichment, negligent
bailment and negligence. After a motion to dismiss and two
amendments, the current version of the complaint is limited to the

Plaintiffs' claim has two essential elements: (i) that Bank of
America transmits customer financial information to its affiliates
abroad; and (ii) that the U.S. government has a global electronic
surveillance system that monitors and intercepts all transmissions
sent to or received by foreign nationals residing overseas.
According to plaintiffs, simply by transmitting the data abroad,
where government surveillance of foreign nationals might intercept
it, Bank of America has provided the government with access to that
data, in violation of the RFPA. This expansive interpretation of
the RFPA could subject any financial institution to liability any
time the institution transfers data abroad.

Most recently, Bank of America has moved to dismiss the Second
Amended Complaint. In its motion, Bank of America argues that the
plaintiffs lack standing because they have not alleged any actual
injury resulting from the cross-border data transfer, and that
plaintiffs have failed to state a claim under the RFPA because they
have not alleged that Bank of America affirmatively conveyed
customer data to the government.

Although no hearing has been scheduled, the motion to dismiss is
fully briefed and Judge Walton could issue a ruling at any