On June 15, the 28 governments of the European Union agreed to a draft Data Protection Regulation that would establish tighter privacy provisions for users of online services – including those provided by U.S. tech companies – in a majority of European countries. The draft Regulation advances a single set of data protection rules for the EU, which include data breach notification obligations (within 24 hours if feasible), a strengthened “right to be forgotten,” and additional enforcement power for Europe’s data protection authorities, including penalties of up to €1 million or up to 2% of a company’s global annual turnover. While EU Commissioners say the proposed law would cut costs for businesses, critics argue that its provision requiring data processors to delete individuals’ personal data upon request would inevitably increase costs for Europe-based internet companies. For the past three and a half years, the EU has tried to reach an agreement to merge the member countries’ rules on personal data protection into one set of regulations. If this most recent proposal passes the next phase of European Parliament negotiations, the law will have a 2016 effective date, with a two-year transitional period for companies and data protection authorities to adapt to the new regulations.
On June 25, Federal Reserve Governor Jerome Powell delivered remarks at a payments conference hosted by the Federal Reserve Bank of Kansas to discuss improvements to the U.S. payments system. Specifically, Powell advised that payment system participants must work together to improve the payment system, stating “[A]t a minimum, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.” He noted that the Federal Reserve has established two task forces regarding the U.S. payment system, one geared towards faster payments and the other geared towards payment security. Powell cited the use of EMV chip cards and tokenization technology as examples of effective payment security measures. In addition, Powell discussed the importance of proactive efforts to implement preventative measures to prepare for potential cyber-attacks or data breaches.
On April 23, Washington Governor Jay Inslee signed bill H.R.1078, which requires covered entities to contact consumers living within the state as soon as possible, and no more than 45 days, after the discovery of a breach of personal information. Under the new law, failure to notify consumers of a data breach would violate the state’s Consumer Protection Act. The legislation also requires covered entities to notify the state attorney general and grants the attorney general authority to pursue enforcement actions on behalf of the state or consumers living within the state. The new law goes into effect July 24, 2015.
On April 13, the FTC announced that two debt brokers agreed to settle two separate cases filed last year involving the leaking of over 55,000 consumers’ personal information. The brokers allegedly shared consumers’ personal information online – including credit card numbers, names, addresses, and bank account numbers – via unencrypted documents. Although the information was geared towards members of the debt collection industry, it was available to anyone with an internet connection. According to the FTC, the publicly available information put consumers at risk of identity theft and/or phantom debt collection. Under the terms of both proposed settlement agreements (Orders), the brokers would be required to: (i) implement and effectively maintain security programs that will protect consumers’ information; and (ii) have their respective security programs examined by a certified third party, initially and then every two years thereafter, for a period of 20 years after service of the Orders. The FTC unanimously approved the proposed Orders and has filed them in the U.S. District Court for the District of Columbia for final court approval.
On April 15, retail company Target agreed to set aside up to $19 million to settle claims brought by MasterCard and its credit card issuers to cover operational costs and fraud-related losses resulting from a data breach incident in 2013. According to a press release issued by Target, the agreement is dependent upon, among other things, 90 percent of eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, 2015. Eligible issuers, mostly comprising banks and credit unions, who accept the offer will be required to release any current or future claims against Target with respect to the data breach. All eligible issuers will receive full details of the Settlement Agreement at a later time.
On March 23, the FTC announced – via blog post – the formation of the Office of Technology Research and Investigation (OTRI), a newly formed research office within its Bureau of Consumer Protection. The OTRI succeeds the Mobile Technology Unit and will have an enhanced mission within the FTC to investigate technology issues encompassing privacy, data security, automobiles, smartphones, smart homes, emerging payment methods, the Internet of Things, and big data.
On March 19, a district court granted preliminary approval of a settlement in which a large retailer agreed to pay $10 million to resolve a class action suit related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. Under the proposed settlement, the retailer will deposit the settlement amount into escrow to pay individual victims up to $10,000 in damages. In addition, the proposed settlement requires the retailer to (i) maintain a written information security program and (ii) appoint a Chief Information Security Officer. The proposed settlement is pending final court approval.
On March 13, a federal credit union filed a class action suit against a national retailer and its parent company, alleging their actions during a September 2014 data breach injured credit unions, banks, and other financial institutions. Greater Chautauqua FCU v. Kmart Corp. and Sears Holdings Corp., No. 15-cv-2228 (N.D. Ill. Mar. 13, 2015). The complaint contends that financial institutions (i) were required to, among other things, refund fraudulent charges, respond to a higher volume of customer complaints, and increase fraud monitoring efforts, and (ii) lost revenue due to a decrease in card usage after the breach was disclosed. The complaint alleges that the retailer failed to maintain adequate data security under applicable payment card industry standards, particularly in the wake of well-publicized data breaches at other retailers by third parties using similar techniques and malicious software. Moreover, the complaint alleges that the retailer failed to detect the breach or notify customers for a period of at least five weeks. The complaint was filed in the U.S. District Court for the Northern District of Illinois, and alleges damages in excess of $5,000,000 for violations of the Illinois Personal Information Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and New York General Business Law, as well as negligence and negligent misrepresentation and/or omission.
On March 2, the Wyoming legislature passed S.F. 35 and S.F. 36, which amend the state’s Consumer Protection Act to enhance privacy protections for sensitive personal information. With a limited exception for entities covered by the Health Insurance Portability and Accountability Act, S.F. 35 subjects individuals and commercial entities to additional data breach notification requirements, including providing Wyoming residents with information such as (i) the type of information subject to the breach, (ii) a general description of the breach incident, (iii) the approximate date of the breach, (iv) the steps taken by the individual or entity to prevent further breaches, (v) advice on how to review accounts and monitor credit reports, and (vi) whether notification was delayed by a law enforcement investigation. S.F. 36 expands the categories of personal identifying information that trigger protections under the Consumer Protection Act. Assuming signature by Governor Mead, the laws will take effect July 1, 2015.
On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including for costs. The letter is the latest effort by the industry to lobby Congress to pass legislation to combat increasing data breaches and fraud.
We’re still wide awake, focusing on what keeps us (and our financial institution clients) up at night. Let’s pick up where we left off following our December webinar, but this time address data INsecurity from the perspective of its “other” victims, i.e., consumers. Last month’s webinar reviewed the benefits of risk-based approaches to organizational cybersecurity frameworks and identified potential obstacles to their achievement. Today, we’re thinking about another risk of cybersecurity breakdowns – the loss of consumer confidence. This risk threatens companies as surely as the regulatory, media and legal fallout.
Despite the proliferation of data breach notification and consumer financial privacy laws, data-breach-fueled identity theft is increasing. A recent report of the National Consumers League & Javelin Strategy reveals that consumer fraud victims don’t discriminate between business organizations and financial institutions when assigning blame for data breaches. Rather, they avoid doing business with all organizations involved. Ironically, nearly one-third of fraud victims take no action to prevent further fraud, even when they’ve been notified that their data has been compromised. The majority of consumer victims, according to the NCL/Javelin report, say both businesses and FIs should be held accountable, and want to be able to sue the breached companies. An even greater majority think the federal government should protect them — and lawmakers are listening. Senator Amy Klobuchar (D-MN), for example, favors a national security breach notification law.
On January 28, the FTC released a comprehensive report detailing what the so-called “Internet of Things” is, how it is being used, and how both consumers and businesses can protect themselves. The report defines the Internet of Things as “devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet,” and that are sold to or used by consumers. The report focuses on consumer privacy and security and offers a variety of recommendations for companies offering devices that fall within the definition, including that security be a key part of the design process and that data collection be limited where possible. The report does not call for new legislation specific to the Internet of Things because the FTC believes such legislation would be premature. The FTC states that it will use existing authority under laws such as the FTC Act, the Fair Credit Reporting Act, the HITECH Act, and the Children’s Online Privacy Protection Act to take action against Internet of Things products and services as necessary to protect consumers.
On January 15, New York AG Eric Schneiderman announced that he intends to propose legislation that would “overhaul New York State’s data security law and require new and unprecedented safeguards for the personal data of consumers.” Specifically, the bill would (i) make companies responsible for protecting a broader range of information by expanding the definition of “private information;” (ii) require better data security measures for entities that collect and/or store private information; and (iii) create a safe harbor that would shield companies from liability if they adopt heightened security practices. In addition, the proposal would incentivize companies to share forensic data with authorities in the event of a data breach by ensuring that such disclosure does not affect the company’s privileges. The proposed legislation follows the New York AG’s release of a July 2014 report, which examined the growing number of data breaches occurring within the state. Schneiderman expects the new law to be “the strongest, most comprehensive in the nation… [making] [New York] a national model for data privacy and security.”
On January 8, Kofax Limited, a California-based software company, released SignDoc Enterprise, a product that allows lenders to capture and process electronic signatures. The software gives consumers the ability to sign and return documents securely from their personal computer or mobile device. The software also supports “click to sign” and handwritten signatures, and can capture biometrics at the time of signing for greater security and authentication.
On December 16, NIST announced the release of its new guidance on assessing the security and privacy safeguards for federal information systems and organizations. The updated guidance will be used by government IT security professionals to “assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks.” The new guidance complements NIST’s Security and Privacy Controls for Federal Information Systems and Organizations catalogue.