SEC Settles with New York Financial Firm and Employee Over Alleged Failure to Protect Customer Data

On June 8, the SEC announced that a New York-based financial services firm agreed to pay a $1 million civil monetary penalty to resolve allegations that it violated the “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). According to the SEC, the firm “failed to ensure the reasonable design and proper operation of its policies and procedures in safeguarding confidential customer data.” The SEC further contends that the firm failed to audit or test the authorization models that allowed employees to access the portals hosting customer data. The financial services firm settled the charges without admitting or denying the SEC’s findings. As a result of the company’s alleged failures, between 2011 and 2014, a then-current employee of the firm gained access to and copied data regarding approximately 730,000 customer accounts to his personal server. The SEC alleges that the employee’s personal server was hacked, and portions of the misappropriated data were posted to at least three Internet sites, with an offer to sell more of the stolen data in exchange for payment in digital currency. Per the employee’s separate consent order, the employee agreed to an industry and penny stock bar with the right to apply for reentry after five years. He was previously criminally convicted for his actions and received 36 months of probation and $600,000 in restitution.

FTC to Host Fourth Start with Security Event

On June 15, the FTC will host its fourth Start with Security event in Chicago, Illinois. Featuring agency representatives Todd Kossow, Maureen Ohlhausen, Cora Han, Jim Trilling, Steve Wernikoff, and Andrea Arias, as well as security experts from various industries, the Start with Security event is intended to provide companies with tips for implementing effective data security. The event will host the following four panels: (i) Building a Security Culture; (ii) Integrating Security into the Development Pipeline; (iii) Considering Security when Working with Third Parties; and (iv) Recognizing and Addressing Network Security Challenges. Over the course of the full-day event, the panels “will address how companies can create and prioritize a culture of security, how to integrate security into the development pipeline, what security issues to consider when a company works with third parties, and how to recognize and address network security challenges.”

As recently noted in its 2015 Annual Highlights report, the FTC’s Start with Security efforts, including its June 2015 Guide for Business, are part of the agency’s education outreach programs designed to promote good data security practices within businesses.

AG Schneiderman Reports Increase in Data Breach Notifications; Unveils Electronic Submission Form

On May 4, New York AG Schneiderman announced that, from January 1, 2016 through May 2, 2016, his office received 459 data breach notices – more than a 40% increase compared to the 327 notices received during the same time last year. Due to the increased volume of data breach notices and in an effort to provide greater efficiency in the reporting process, AG Schneiderman announced an electronic breach reporting form. The new form allows companies to submit data breach notices via web submission: “[c]ompanies may now notify the Attorney General’s Office of a data breach via a web submission form in order to expedite and streamline the process. Previously, and consistent with most other state attorneys general offices, companies were required to mail, fax, or email a separate data breach form.” AG Schneiderman’s office expects to receive “well over” 1,000 data breach notices in 2016.

Democratic Senators Commission GAO to Study Fintech Industry

On April 18, Senators Sherrod Brown (D-OH), Jeffrey Merkley (D-OR), and Jeanne Shaheen (D-NH) sent a letter to the Government Accountability Office (GAO) requesting that it complete a study on the fintech industry. Under the Dodd-Frank Act, the GAO is required to examine the regulatory structure of person-to-person (P2P) lending. While the letter recognizes that the GAO issued a report on P2P lending in 2011, the senators urged the GAO to recognize that the lending platforms of financial technology firms (often called fintech) “has changed dramatically and evolved beyond consumer lending,” and that “P2P lending, now generally called marketplace lending, is not the only form of fintech that has developed over the last several years.” The letter further cautions that “gaps in understanding and regulation of emerging financial products may result in predatory lending, consumer abuse, or systemic issues.” Finally, Senators Brown, Merkley, and Shaheen urged the GAO to provide responses to questions relating to, among other things, (i) the size and structure of the loan portfolios maintained by privately owned fintech lenders; (ii) how fintech lenders’ relationships with financial institutions impact both the financial system at large and the regulatory framework; (iii) whether the risks that may arise from the investor base shifting from individual investors to institutional investors have grown since this issue was first noted in the GAO’s 2011 report; and (iv) the anti-money laundering, data security, and privacy requirements fintech companies are subject to.

Article 29 Working Party Assesses Transatlantic Privacy Shield

On April 13, the Article 29 Working Party (WP29) of the European Union released its assessment of the draft framework for transatlantic data flows: EU-US Privacy Shield, which was announced on February 2. According to the assessment, the WP29 evaluated the Privacy Shield from a commercial as well as a national security perspective. Regarding commercial aspects of the Privacy Shield, the WP29 maintained that “key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions.” The WP29 further opined that it “cannot find in the documents constituting the Privacy Shield any reference to the necessity for data controllers to ensure that the data are deleted once the purpose for which they were collected or further processed has become obsolete. Hence, as it seems, the Principles do not impose to the certified organisations [sic] a limit for the period of retention of the data comparable to what is imposed by the data retention limitation principle under EU law.” Regarding onward transfers and national security, the WP29 commented that, because the Privacy Shield will be used to transfer data outside the U.S., it must ensure the same level of protection on all aspects, including national security, and “should not lead to lower or circumvent EU data protection principles.” According to the WP29, as the Privacy Shield is currently drafted, “onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.” Finally, the WP29 raised doubts about the effectiveness of the Ombudsperson at the U.S. State Department, questioning whether the designated person would be equal in independence to national security oversight bodies in other countries.
