
10:40 AM
K.C. Jones, TechWeb

Bank to Pay $50 Million for Buying Personal Data

Fidelity Federal Bank and Trust is ordered to pay $50 million for buying the personal information of thousands of drivers.

Fidelity Federal Bank and Trust (West Palm Beach, Fla.) has been ordered to pay a $50 million settlement for buying more than half a million names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The Electronic Privacy Information Center (EPIC), which filed an amicus brief in favor of the plaintiffs in the case, announced the decision in late August.

EPIC said the $4 billion-asset bank bought 565,600 names and addresses for use in direct marketing, claiming that the purchase violated the Drivers Privacy Protection Act. The federal law was enacted in 1994 to prevent the distribution of drivers' personal information.

From 2000 to 2003, Fidelity purchased the data containing the personal information of drivers living in Palm Beach, as well as Martin and Broward counties, for only $5,656, or a penny per driver record, according to papers filed in Kehoe v. Fidelity Federal Bank and Trust. The bank sought the information for car loan solicitations, according to the class-action lawsuit.

"This is a pretty hefty settlement that Fidelity Federal is going to have to pay for a law that hasn't gotten much publicity," says Charlotte Bahin, partner in the Washington, D.C., office of law firm Lord Bissell & Brook. Banks should take note of the settlement, Bahin stresses, as it is an indication of how seriously consumer privacy is being taken. Although the Drivers Privacy Protection Act is a federal law, banks need to see how their home states intend to enforce it, Bahin adds.

In addition to the monetary settlement, according to a Securities and Exchange Commission form 8K filed by Fidelity Federal, the bank has agreed to other terms, including certifying that it did not keep or maintain any data obtained from the state of Florida, agreeing that it will not disclose or sell any such data, and agreeing to a privacy audit. "For a $5,600 purchase, this is a pretty big risk," Bahin says. The filing also noted that all terms were contingent upon National City Corp.'s (Cleveland) pending acquisition of Fidelity Federal for $1 billion.

In 2004, the U.S. District Court for the Southern District of Florida ruled that James Kehoe had to demonstrate actual damages before obtaining monetary compensation under the Drivers Privacy Protection Act. Kehoe appealed, and that ruling was overturned.

The case represents a step in trying to address the collective threat that the data trade poses to privacy, according to EPIC. "While Kehoe involves just a single bank using data for marketing, thousands of other businesses are trading in your personal information, resulting in a society that is losing autonomy and control over personal data," the organization stated on its Web site.

Marc Rotenberg, the executive director of EPIC, said during an interview in late August that the organization joined the suit to push for damage awards, which are critical to ensuring privacy laws are effective. "The message here is that ensuring privacy protection for consumers is vital and will be enforced," Rotenberg says.

Fidelity Federal representatives could not provide immediate comment on the settlement. The Florida law firm representing the bank did not return calls seeking comment.

Courtesy of TechWeb, a CMP Media property. Includes additional reporting by BS&T's Nancy Feig.
