Companies that transfer confidential customer data abroad, even
to their own subsidiaries and corporate affiliates, should follow
the progress in Stein v. Bank of America Corp., No.
1:11-cv-1400-RWB (D.D.C.), a case at the intersection of Offshoring
and Data Privacy now pending in the United States District Court
for the District of Columbia.
Stein is a class action suit brought against Bank of
America Corporation and several of its domestic and foreign
subsidiaries, including those in India, the Philippines, Costa Rica
and Mexico. The plaintiffs allege that, by transferring customer
data to its subsidiaries outside the United States, Bank of America
has violated 12 U.S.C. § 3403(a), part of the Right to
Financial Privacy Act.
Section 3403(a) provides, in relevant part, that "No
financial institution, or officer, employees, or agent of a
financial institution, may provide to any Government authority
access to or copies of, or the information contained in, the
financial records of any customer."
The Stein plaintiffs allege that Bank of America violates
section 3403(a) by transferring customer information to foreign
entities either directly, or by having customers speak with call
center employees located abroad. Specifically, the plaintiffs
assert that (1) because the protections of the Fourth Amendment to
the U.S. Constitution do not apply extraterritorially, the
Government can and does engage in extensive electronic surveillance
abroad, including review of plaintiffs' financial records;
(2) foreign authorities can access the plaintiffs'
financial information for their own purposes; and (3) foreign
authorities that access plaintiffs' financial information
are unconstrained in their ability to transfer that information to
the U.S. government. The plaintiffs are seeking damages of $100 per
violation, as well as injunctive relief.
The case is noteworthy because the plaintiffs do not allege that
Bank of America was hacked, or otherwise failed to take reasonable
measures to protect their data. Rather, the simple act of engaging
in cross-border transactions is enough, in plaintiffs'
view, to violate the statute. Although the plaintiffs'
claims seem somewhat attenuated, the implications are important for
any company that transmits any of its customers' data
outside the United States. The case therefore merits our attention
through resolution.