Companies that transfer confidential customer data abroad, even to their own subsidiaries and corporate affiliates, should follow the progress in Stein v. Bank of America Corp., No. 1:11-cv-1400-RWB (D.D.C.), a case at the intersection of Offshoring and Data Privacy now pending in the United States District Court for the District of Columbia.
Stein is a class action suit brought against Bank of America Corporation and several of its domestic and foreign subsidiaries, including those in India, the Philippines, Costa Rica and Mexico. The plaintiffs allege that, by transferring customer data to its subsidiaries outside the United States, Bank of America has violated 12 U.S.C. § 3403(a), part of the Right to Financial Privacy Act.
Section 3403(a) provides, in relevant part, that "No financial institution, or officer, employees, or agent of a financial institution, may provide to any Government authority access to or copies of, or the information contained in, the financial records of any customer."
The Stein plaintiffs allege that Bank of America violates section 3403(a) by transferring customer information to foreign entities either directly, or by having customers speak with call center employees located abroad. Specifically, the plaintiffs assert that (1) because the protections of the Fourth Amendment to the U.S. Constitution do not apply extraterritorially, the Government can and does engage in extensive electronic surveillance abroad, including review of plaintiffs' financial records; (2) foreign authorities can access the plaintiffs' financial information for their own purposes; and (3) foreign authorities that access plaintiffs' financial information are unconstrained in their ability to transfer that information to the U.S. government. The plaintiffs are seeking damages of $100 per violation, as well as injunctive relief.
The case is noteworthy because the plaintiffs do not allege that Bank of America was hacked, or otherwise failed to take reasonable measures to protect their data. Rather, the simple act of engaging in cross-border transactions is enough, in plaintiffs' view, to violate the statute. Although the plaintiffs' claims seem somewhat attenuated, the implications are important for any company that transmits any of its customers' data outside the United States. The case therefore merits our attention through resolution.