Treasury Deputy Secretary Raskin Delivers Remarks on Cybersecurity in the Financial Sector

On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed.  Raskin also emphasized the need to appropriately tailor cyber risk insurance.


FCC Announces $3.5 Million Settlement with Carriers to Resolve Consumer Privacy Investigation

On July 9, the FCC announced a $3.5 million settlement with carriers TerraCom, Inc. and YourTel America, Inc. to resolve an investigation into the exposure of personal information of over 300,000 of their customers online via unprotected servers used by their vendors to store customer information.  The exposed information included names, addresses, Social Security numbers, driver’s licenses, and other pieces of sensitive information that were viewable by anyone with access to a search engine.  Section 222(a) of the Communications Act imposes on carriers a duty to protect the confidentiality of “proprietary information of… customers” and the FCC Enforcement Bureau viewed this incident as a violation of that duty, as well as its duty under Section 201(b) to employ “just and reasonable” data security practices to protect the confidentiality of consumers’ proprietary information. Under the settlement, TerraCom and YourTel are required to (i) designate a senior corporate manager with certified privacy expertise, (ii) conduct a privacy risk assessment, (iii) put in place a written information security program and data breach response plan, (iv) maintain “reasonable oversight” of third-party vendors, and (v) offer privacy and security training.  FCC-regulated entities should review their privacy and data security practices to ensure that they are taking appropriate steps to protect their customers’ proprietary information.


NAAG Urging Congress to Refrain From Passing Federal Data Breach Legislation Preempting State Authority

On July 7, as Congress considers proposed legislation on data breach notification and security, the National Association of Attorneys General (NAAG) sent a letter to leaders of both houses of Congress urging them to refrain from passing federal data breach and identity theft laws that would preempt states’ authority to enforce their own legislation or to pass legislation that exceeds federal standards. The 47 state attorneys general argued that “preempting state law would make consumers less protected than they are right now” because (i) states are closer to affected consumers and can better respond to their concerns; (ii) states are “better equipped to quickly adjust to the challenges presented by a data-driven economy”; (iii) although helpful for a national data breach, a single federal agency would be unable to “respond effectively” to the large number of smaller data breaches that “have a large impact in a particular state or region”; and (iv) “with the increasing speed rate of technological developments,” states need the ability to surpass minimal and continually obsolete federal requirements. Accordingly, the state attorneys general asserted it was “crucial” that they “maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”


Fed Governor Discusses Payment Security

On June 25, Federal Reserve Governor Jerome Powell delivered remarks at a payments conference hosted by the Federal Reserve Bank of Kansas to discuss improvements to the U.S. payments system. Specifically, Powell advised that payment system participants must work together to improve the payment system, stating “[A]t a minimum, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.” He noted that the Federal Reserve has established two task forces regarding the U.S. payment system, one geared towards faster payments and the other geared towards payment security. Powell cited the use of EMV chip cards and tokenization technology as examples of effective payment security measures. In addition, Powell discussed the importance of proactive efforts to implement preventative measures to prepare for potential cyber-attacks or data breaches.


European Union Reaches Agreement Regarding New Data Protection Law

On June 15, the 28 governments of the European Union agreed to a draft Data Protection Regulation that would establish tighter privacy provisions for users of online services – including those provided by U.S. tech companies – in a majority of European countries. The draft Regulation advances a single set of data protection rules for the EU, which include data breach notification obligations, within 24 hours if feasible, a strengthened “right to be forgotten,” and additional enforcement power for Europe’s data protection authorities, including penalties of up to €1 million or up to 2% of global annual turnover of a company. While EU Commissioners say the proposed law would cut costs for businesses, critics argue that its provision requiring data processors to delete individuals’ personal data upon request would inevitably increase costs for European-based internet companies. For the past three and a half years, the EU has tried to reach an agreement to merge the countries’ rules on personal data protection into one set of regulations. If this most recent proposal passes the next phase of European Parliament negotiations, the law will have a 2016 effective date, with a two year transitional period for companies and data protection authorities to adapt to the new regulations.


Washington Enacts Legislation Strengthening Data Breach Notification Requirements

On April 23, Washington Governor Jay Inslee signed bill H.R.1078, which requires covered entities to contact consumers living within the state as soon as possible, and no more than 45 days, after the discovery of a breach of personal information. Under the new law, failure to notify consumers of a data breach would violate the state’s Consumer Protection Act. The legislation also requires covered entities to notify the state attorney general and grants the attorney general authority to pursue enforcement actions on behalf of the state or consumers living within the state. The new law goes into effect July 24, 2015.


FTC Settles With Debt Brokers For Leaking Sensitive Consumer Information

On April 13, the FTC announced that two debt brokers agreed to settle two separate cases filed last year involving the leaking of over 55,000 consumers’ personal information. The brokers allegedly shared consumers’ personal information online – including credit card numbers, names, addresses, and bank account numbers – via unencrypted documents. Although the information was geared towards members of the debt collection industry, it was available to anyone with an internet connection. According to the FTC, the publicly available information put consumers at risk of identity theft and/or phantom debt collection. Under the terms of both proposed settlement agreements (Orders), the brokers would be required to: (i) implement and effectively maintain security programs that will protect consumers’ information; and (ii) have their respective security programs examined initially by a certified third party and again, thereafter, every two years for a duration of 20 years after service of the Orders. The FTC unanimously approved the proposed Orders and has filed them in the U.S. District Court for the District of Columbia for final court approval.


Target and MasterCard Reach $19 Million Agreement Over Data Breach

On April 15, retail company Target agreed to set aside up to $19 million to settle claims brought by MasterCard and its credit card issuers to cover operational costs and fraud-related losses resulting from a data breach incident in 2013. According to a press release issued by Target, the agreement is dependent upon, among other things, 90 percent of eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015. Eligible issuers, mostly comprising banks and credit unions, who accept the offer will be required to release any current or future claims against Target with respect to the data breach. All eligible issuers will receive full details of the Settlement Agreement at a later time.


FTC Creates New Office To Investigate Consumer Technologies

On March 23, the FTC announced – via blog post – the formation of the Office of Technology Research and Investigation (OTRI), a newly formed research office within its Bureau of Consumer Protection. The OTRI succeeds the Mobile Technology Unit and will have an enhanced mission within the FTC to investigate technology issues encompassing privacy, data security, automobiles, smart phones, smart homes, emerging payment methods, Internet of Things, and big data.


Large Retailer Agrees to Pay $10 Million Related to Data Breach Incident

On March 19, a district court granted preliminary approval of a settlement in which a large retailer agreed to pay $10 million to resolve a class action suit related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and the theft of personal information of up to 110 million people. Under the proposed settlement, the retailer will deposit the settlement amount into escrow to pay individual victims up to $10,000 in damages. In addition, the proposed settlement requires the retailer to (i) maintain a written information security program and (ii) appoint a Chief Information Security Officer. The proposed settlement is pending final court approval.


Financial Institutions File Class Action Suit In Response to Data Breach

On March 13, a federal credit union filed a class action suit against a national retailer and its parent company, alleging that their actions during a September 2014 data breach injured credit unions, banks, and other financial institutions. Greater Chautauqua FCU v. Kmart Corp. and Sears Holdings Corp., No. 15-cv-2228 (N.D. Ill. Mar. 13, 2015). The complaint contends that financial institutions (i) were required to, among other things, refund fraudulent charges, respond to a higher volume of customer complaints, and increase fraud monitoring efforts, and (ii) lost revenue due to a decrease in card usage after the breach was disclosed. The complaint alleges that the retailer failed to maintain adequate data security under applicable payment card industry standards, particularly in the wake of well-publicized data breaches at other retailers by third parties using similar techniques and malicious software. Moreover, the complaint alleges that the retailer failed to detect the breach or notify customers for a period of at least five weeks. The complaint was filed in the U.S. District Court for the Northern District of Illinois and alleges damages in excess of $5,000,000 for violations of the Illinois Personal Information Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and New York General Business Law, as well as negligence and negligent misrepresentation and/or omission.


Wyoming Amends State Consumer Protection Act

On March 2, the Wyoming legislature passed S.F. 35 and S.F. 36, which amend the state’s Consumer Protection Act to enhance privacy protections for sensitive personal information. With a limited exception for entities covered by the Health Insurance Portability and Accountability Act, S.F. 35 subjects individuals and commercial entities to additional data breach notification requirements, including providing Wyoming residents with information such as (i) the type of information subject to the breach, (ii) a general description of the breach incident, (iii) the approximate date of the breach, (iv) the steps taken by the individual or entity to prevent further breaches, (v) advice on how to review accounts and monitor credit reports, and (vi) whether notification was delayed by a law enforcement investigation. S.F. 36 expands the categories of personal identifying information that trigger protections under the Consumer Protection Act. Assuming signature by Governor Mead, the laws will take effect July 1, 2015.


Industry Trade Groups Urge Congress to Pass Legislation to Protect Consumers from Data Breaches

On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort among the industry to lobby Congress in passing legislation to combat increasing data breaches and fraud.


Digital Insights & Trends: What Keeps You Up At Night (Round 2) – Data INsecurity

We’re still wide awake, focusing on what keeps us (and our financial institution clients) up at night. Let’s pick up where we left off following our December webinar, but this time address data INsecurity from the perspective of its “other” victims, i.e., consumers. Last month’s webinar reviewed the benefits of risk-based approaches to organizational cybersecurity frameworks and identified potential obstacles to their achievement. Today, we’re thinking about another risk of cybersecurity breakdowns – the loss of consumer confidence. This risk threatens companies as surely as the regulatory, media and legal fallout.

Despite the proliferation of data breach notification and consumer financial privacy laws, data-breach-fueled identity theft is increasing. A recent report of the National Consumers League & Javelin Strategy reveals that consumer fraud victims don’t discriminate between business organizations and financial institutions when assigning blame for data breaches. Rather, they avoid doing business with all organizations involved. Ironically, nearly one-third of fraud victims take no action to prevent further fraud, even when they’ve been notified that their data has been compromised. The majority of consumer victims, according to the NCL/Javelin report, say both businesses and FIs should be held accountable, and want to be able to sue the breached companies. An even greater majority think the federal government should protect them, and lawmakers are listening. Senator Amy Klobuchar (D-MN), for example, favors a national security breach notification law.


FTC Releases Report on the “Internet of Things”

On January 28, the FTC released a comprehensive report detailing what the so-called “Internet of Things” is, how it is being used, and how both consumers and businesses can protect themselves. The report defines the Internet of Things as “devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet,” and that are sold to or used by consumers. The report focuses on consumer privacy and security and offers a variety of recommendations for companies offering devices that fall within the definition, including that security be a key part of the design process and that data collection be limited where possible. The report does not call for new legislation specific to the Internet of Things because the FTC believes such legislation would be premature. The FTC states that it will use existing authority under laws such as the FTC Act, the Fair Credit Reporting Act, the HITECH Act, and the Children’s Online Privacy Protection Act to take action against Internet of Things products and services as necessary to protect consumers.
