On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessment “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third-parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”
On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Given the concentrated position of financial service companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of the breach and more recently amended the law to require 12 months of identity protection and strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating businesses implement security controls to protect personal information relating to state residents.
The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than to just ask financial entities to conduct a risk assessment and to design measures to address the identified risks.
* * *
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- John P. Kromer, (202) 349-8040
- Elizabeth E. McGinn, (202) 349-7968
- Margo H. K. Tank, (202) 349-8050
- James T. Shreve, (202) 461-2994
- Dana V. Syracuse, (212) 600-2326
On August 5, New York AG Schneiderman announced that an online retailer will pay $100,000 in penalties to settle allegations that its weak security practices led to a data breach that potentially exposed more than 25,000 credit card numbers and cardholder data. According to AG Schneiderman, after a third party accessed the retailer’s website on August 7, 2014, a merchant bank notified the retailer on June 5, 2015 that customers’ credit card accounts were showing fraudulent charges. The retailer subsequently hired a company to conduct a forensic investigation, during which malware was found on and subsequently removed from the retailer’s website. AG Schneiderman contends that the retailer violated various sections of the New York State General Business Law by failing to notify its customers or law enforcement of the breach and by misrepresenting the safety and security of its website, also in breach of Executive Law § 63(12). In addition to the $100,000 penalty, the settlement requires that the retailer (i) conduct thorough and efficient investigations of future data security breaches; (ii) promptly notify New York law enforcement and affected customers of data security breaches; (iii) “maintain reasonable security policies and procedures designed to protect the personal information of consumers in accordance with New York State General Business laws”; (iv) remediate security vulnerabilities on its websites; and (v) train its employees with the most current data security practices.
On July 29, the FTC announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision to dismiss a 2013 FTC complaint against a Georgia-based medical testing laboratory (Respondent). In a 3-0 vote, the Commission determined that Respondent “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network and therefore that its data security practices were unfair under Section 5 of the [FTC] Act.” In reversing the Initial Decision, the Commission concluded that Respondent’s security practices lacked “even basic precautions” to protect consumers’ sensitive information by, among other things, failing to (i) “use an intrusion detection system or file integrity monitoring”; (ii) “monitor traffic coming across its firewalls”; (iii) provide adequate data security training to its employees, finding that “essentially no data security training” was provided; and (iv) delete “any of the consumer data it had collected.” According to the Commission, such failures led to the exposure of medical and other sensitive information for 9,300 consumers on a peer-to-peer (P2P) network to which millions of users had access. Read more…
Department of Agriculture Requests Comments on Continuation of, and Changes to, Registration Form to Request Electronic Access Code Information
On July 22, the Federal Register published the U.S. Department of Agriculture’s (USDA) request for comments on the Office of the Chief Information Officer’s (OCIO) intent to “request approval for the continuation of and changes to the [USDA] Registration Form to Request Electronic Access Code information collection to allow USDA customers to securely and confidently share data and receive services electronically.” The USDA’s eAuthentication Service (eAuth) collects customer and employee information in order to provide “public citizens as well as federal government employees with a secure single sign-on capability for USDA applications, management of user credentials, and verification of identity, authorization and electronic signatures.” The online self-registration process and identity proofing service, which is voluntary, permits USDA customers and employees to access to USDA Web applications and services via the Internet. As it currently exists, the eAuth service allows customers to access USDA Web site portals through two Levels of Assurance (LOAs). LOA 1 provides limited access to portals and applications that have minimal security requirements. LOA 2 “enables users to conduct official electronic business transactions via the Internet, enter into a contract with the USDA, and submit forms electronically via the Internet to USDA agencies.” The OCIO is developing LOA 3, which, if authorized, would provide public citizens with accounts. LOA 3 would require the same level of self-registration and identity proofing, but would also incorporate strong multi-factor authentication credentials for access to secure, high risk, or sensitive systems. Comments on the USDA’s notice are due by September 20, 2016.