On June 20, Florida Governor Rick Scott signed SB 1524, which significantly revises and strengthens the state’s data breach notice law, making it among the toughest in the country. The bill shortens the timeline for providing notice of a data breach to require notice to consumers within 30 days of the “determination of a breach.” The bill also adds a parallel requirement to notify the state attorney general’s office for an incident affecting more than 500 state residents. The bill also provides that consumer notice by email will no longer require an E-SIGN consent. The new law clarifies the application of data breach requirements by amending the definition of “covered entity” to mean “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.” The bill also expands the definition of “personal information” to add, as was done in California last year, user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. The bill requires covered entities to take reasonable measures to (i) protect and secure data in electronic form containing personal information and (ii) dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Finally, the bill revised the risk of harm provision in two noteworthy ways: (i) like Connecticut and Alaska, law enforcement must be consulted to employ the exemption to noticeand (ii) the exemption appears to cover only consumer notice, not AG notice. The changes take effect July 1, 2014.
On June 25, the American National Standards Institute (ANSI) issued a call for organizations with an interest in security to participate in an advisory committee to a new International Organization for Standardization (ISO) technical committee. The ISO is planning to restructure its security sector to consolidate the work of three existing technical committees—Societal security; Fraud countermeasures and controls; and Management system for quality of private security company operations. The new committee will begin work on January 1, 2015 and will cover standardization in the field of security including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, and homeland security. Organizations interested in participating in the advisory committee must contact ANSI by July 4, 2014.
Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment
On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third-party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account fall on the customer and not the bank.
On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”
On April 15, the SEC’s Office of Compliance Inspections and Examinations announced that it will be conducting cybersecurity examinations of more than 50 registered broker-dealers and registered investment advisers. The examinations will assess each firm’s cybersecurity preparedness and collect information about the industry’s recent experiences with certain types of cyber threats. Specifically, examiners will focus on (i) cybersecurity governance; (ii) identification and assessment of cybersecurity risks; (iii) protection of networks and information; (iv) risks associated with remote customer access and funds transfer requests; (v) risks associated with vendors and other third parties; (vi) detection of unauthorized activity; and (vii) and experiences with certain cybersecurity threats. The SEC included with the announcement a sample document and information request it plans to use in this examination initiative.
On April 10, Kentucky Governor Steve Beshear signed into law HB 232 to establish a data breach notice requirement. The new law requires any person or business that operates in the state to provide written or electronic notice to affected state residents of any breach of a security system that exposes unencrypted personally identifiable information. The law requires notification “in the most expedient time possible and without unreasonable delay” upon discovery or notification of a breach, and permits certain substitute forms of notice if the person or business subject to the breach demonstrates that the notice exceeds certain cost or scope thresholds. The law does not require separate notice to the state attorney general, nor does it apply to entities subject to Title V of the Gramm-Leach-Bliley Act or HIPPA. The bill takes effect July 14, 2014. Kentucky’s adoption of a data breach notice law leaves only three states—Alabama, New Mexico, and South Dakota—without such a statutory requirement.
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority under Section 5 to enforce data security standards. The court reasoned that the data-security legislation the followed the FTC Act, such as GLBA and FCRA, provide the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.
On April 3, Iowa Governor Terry Branstad signed SF 2259, which amends the state’s data breach notice law to add a requirement that businesses that experience a data breach notify the state attorney general’s office within five days of discovering or being notified of the breach. Previously, state law required that businesses notify only consumers after discovery or notification. Several existing exemptions to the consumer notice requirement, including for businesses subject to Title V of the Gramm-Leach-Bliley Act, also apply to the attorney general notice requirement. SF 2259 also amends (i) the definition of “breach of security” to cover personal information maintained in any medium that was transferred to that medium from computerized form, e.g., printed records originally maintained in electronic form; and (ii) the definition of “personal information” to include encrypted, redacted, or otherwise protected data. The changes take effect July 1, 2014.
Data Breach Class Settlement Approved After Eleventh Circuit Held Identity Theft Following Breach Presents Cognizable Injury
Recently, the U.S. District Court for the Southern District of Florida approved a class settlement in a case in which the plaintiffs claimed financial harm from a health care company’s failure to protect their personal information. Resnick v. AvMed Inc., No. 10-24513 (S.D. Fla. Feb. 28, 2014). The settlement follows a September 2012 decision from the U.S. Court of Appeals for the Eleventh Circuit, in which the court reversed the district court’s dismissal of the case and held that because the complaint alleged financial injury, and because monetary loss is cognizable under Florida law, the plaintiffs alleged a cognizable injury. The court explained that the plaintiffs demonstrated “a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence” because the plaintiffs plead that they were careful in protecting their identities and had never been victims of identity theft. The settlement requires the company to pay $3 million, with each class member receiving up to $10 for each year they paid an insurance premium, up to a maximum of $30. The company also agreed to implement new data security measures.
Last week, as part of the White House’s initiative on “big data” and privacy (led by John Podesta), the White House Office of Science and Technology Policy issued a request for information seeking public input regarding broad privacy-related issues. The request defines “big data” as “datasets so large, diverse, and/or complex, that conventional technologies cannot adequately capture, store, or analyze them.” It seeks comments on a number of issues, including: (i) the public policy implications of the collection, storage, analysis, and use of big data; (ii) the types of uses of big data that could measurably improve outcomes or productivity with further government action, funding, or research, and uses of big data that raise the most public policy concerns; (iii) the technological trends or key technologies which will affect the collection, storage, analysis and use of big data, and whether any are particularly promising for safeguarding privacy; (iv) how the policy frameworks or regulations for handling big data should differ between the government and the private sector; and (v) issues raised by the use of big data across jurisdictions. Comments are due by March 31, 2014.
On March 7, Visa and Mastercard announced the formation of a cross-industry payment security working group, which the payment system providers state will be focused on “enhancing payment system security to keep pace with the expectations of consumers, retailers and financial institutions.” The group’s initial focus will be on supporting the adoption of EMV chip technology in the United States. In addition, the group will promote tokenization and point-to-point encryption, and will develop “an actionable roadmap for securing the future across all segments of the payments industry.” The group will include representatives from banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups.
State Banking Associations Object To Senators’ Request For Increased Bank Payment System Security Oversight
On March 5, 53 state bankers associations sent a letter to Federal Reserve Board Chair Janet Yellen defending banks’ efforts to secure consumer financial data and highlighting the responsibilities of other parties, in particular merchants, to do the same. The banking associations, representing bankers in every state and Puerto Rico, took issue with a letter Democratic Senators Dick Durbin (D-IL) and Al Franken (D-MN) sent last month to the Federal Reserve Board Chair seeking information about the Board’s oversight of card issuers’ fraud prevention policies and recommending that the Board do more to verify the effectiveness of such policies. The banking associations contend that the Senators’ letter is a “thinly veiled effort to once again advance the regulation of interchange under the guise of current concerns over data security,” and criticize the Senators for converting a discussion about security responsibilities into one about interchange fees.
On February 27, California Attorney General Kamala Harris issued a guide to assist small businesses in defending against the threat of cybercrime. The guide, which was developed with the California Chamber of Commerce and Lookout, a mobile security company, stresses that small businesses should assume that they are a target for cybercrime and act accordingly. In addition to providing actionable steps to prevent cyber-attacks, the guide encourages every small business to develop a “game plan” for responding to the inevitability of an actual incident: “Experience has shown that many organizations wait until they have actually suffered a serious data breach before attempting to come up with a process for dealing with such a situation – which amounts, effectively, to building an airplane in the air.”