Third Circuit Affirms District Court’s Decision Asserting FTC’s Authority over Companies’ Data Security Practices

On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015). The unanimous ruling found that deficient cybersecurity practices that fail to protect consumer data against hackers may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers. Wyndham argued that it lacked fair notice that the FTC had the authority to police data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees raising unfairness claims based on inadequate cybersecurity that put companies on notice of its enforcement authority in this space.

 

LinkedInFacebookTwitterGoogle+Share

SEC Sues 32 Defendants Involved in Insider Trading Operation; DOJ Files Criminal Charges Against Leaders

On August 10, the SEC filed a complaint against 32 defendants in the District of New Jersey for their alleged involvement in an international scheme to profit from stolen, confidential information regarding corporate earnings announcements. According to the SEC, the defendants hacked at least two newswire services’ computer servers to retrieve unpublished corporate press releases, subsequently using it to make trades generating over $100 million in profits. The SEC further asserted that the two leaders of the scheme designed a “secret web-based location to transmit the stolen data to traders in Russia, the Ukraine, Malta, Cyprus, France, and three U.S. states, Georgia, New York, and Pennsylvania.” The SEC contends that, for five years, the two leaders of the scheme (i) disguised their identity by posing as newswire service employees, using proxy servers, and/or using backdoor access-modules; and (ii) recruited traders by making a video that displayed their ability to steal earnings information prior to public release. In return for information, the traders paid the hackers either a percentage of the profits obtained from trading the stolen information, or a flat fee. The SEC Director called the scheme “one of the most intricate and sophisticated trading rings [the agency has] ever seen.” The U.S. Attorneys’ offices for New Jersey and the Eastern District of New York also announced criminal charges against nine of the same defendants, including the two leaders of the scheme.

LinkedInFacebookTwitterGoogle+Share

Treasury Deputy Secretary Raskin Delivers Remarks on Cybersecurity in the Financial Sector

On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed.  Raskin also emphasized the need to appropriately tailor cyber risk insurance.

LinkedInFacebookTwitterGoogle+Share

FCC Announces $3.5 Million Settlement with Carriers to Resolve Consumer Privacy Investigation

On July 9, the FCC announced a $3.5 million settlement with carriers TerraCom, Inc. and YourTel America, Inc. to resolve an investigation into the exposure of personal information of over 300,000 of their customers online via unprotected servers used by their vendors to store customer information.  The exposed information included names, addresses, Social Security numbers, driver’s licenses, and other pieces of sensitive information that were viewable by anyone with access to a search engine.  Section 222(a) of the Communications Act imposes on carriers a duty to protect the confidentiality of “proprietary information of… customers” and the FCC Enforcement Bureau viewed this incident as a violation of that duty, as well as its duty under Section 201(b) to employ “just and reasonable” data security practices to protect the confidentiality of consumers’ proprietary information. Under the settlement, TerraCom and YourTel are required to (i) designate a senior corporate manager with certified privacy expertise, (ii) conduct a privacy risk assessment, (iii) put in place a written information security program and data breach response plan, (iv) maintain “reasonable oversight” of third-party vendors, and (v) offer privacy and security training.  FCC-regulated entities should review their privacy and data security practices to ensure that they are taking appropriate steps to protect their customers’ proprietary information.

 

LinkedInFacebookTwitterGoogle+Share

NAAG Urging Congress to Refrain From Passing Federal Data Breach Legislation Preempting State Authority

On July 7, as Congress considers proposed legislation on data breach notification and security, the National Association of Attorneys General (NAAG) sent a letter to leaders of both houses of Congress urging them to refrain from passing federal data breach and identity theft laws that would preempt states’ authority to enforce their own legislation, or pass legislation that exceeds federal standards. The 47 state attorneys general argued that “preempting state law would make consumers less protected than they are right now” because (i) states are closer to people affected consumers and can better respond to their concerns; (ii) states are “better equipped to quickly adjust to the challenges presented by a data-driven economy”; (iii) although helpful for a national data breach, a single federal agency would be unable to “respond effectively” to the large number of smaller data breaches that “have a large impact in a particular state or region”; and (iv) “with the increasing speed rate of technological developments,” states need the ability to surpass minimal and continually obsolete federal requirements.  Accordingly, the state attorneys general asserted it was “crucial” that they “maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”

LinkedInFacebookTwitterGoogle+Share

Fed Governor Discusses Payment Security

On June 25, Federal Reserve Governor Jerome Powell delivered remarks at a payments conference hosted by the Federal Reserve Bank of Kansas to discuss improvements to the U.S. payments system. Specifically, Powell advised that payment system participants must work together to improve the payment system, stating “[A]t a minimum, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.” He noted that the Federal Reserve has established two task forces regarding the U.S. payment system, one geared towards faster payments and the other geared towards payment security. Powell cited the use of EMV chip cards and tokenization technology as examples of effective payment security measures. In addition, Powell discussed the importance of proactive efforts to implement preventative measures to prepare for potential cyber-attacks or data breaches.

LinkedInFacebookTwitterGoogle+Share

European Union Reaches Agreement Regarding New Data Protection Law

On June 15, the 28 governments of the European Union agreed to a draft Data Protection Regulation that would establish tighter privacy provisions for users of online services – including those provided by U.S. tech companies – in a majority of European countries. The draft Regulation advances a single set of data protection rules for the EU, which include data breach notification obligations, within 24 hours if feasible, a strengthened “right to be forgotten,” and additional enforcement power for Europe’s data protection authorities, including penalties of up to €1 million or up to 2% of global annual turnover of a company. While EU Commissioners say the proposed law would cut costs for businesses, critics argue that its provision requiring data processors to delete individuals’ personal data upon request would inevitably increase costs for European-based internet companies. For the past three and a half years, the EU has tried to reach an agreement to merge the countries’ rules on personal data protection into one set of regulations. If this most recent proposal passes the next phase of European Parliament negotiations, the law will have a 2016 effective date, with a two year transitional period for companies and data protection authorities to adapt to the new regulations.

LinkedInFacebookTwitterGoogle+Share

Washington Enacts Legislation Strengthening Data Breach Notification Requirements

On April 23, Washington Governor Jay Inslee signed bill H.R.1078, which requires covered entities to contact consumers living within the state as soon as possible, and no more than 45 days, after the discovery of a breach of personal information. Under the new law, failure to notify consumers of a data breach would violate the state’s Consumer Protection Act. The legislation also requires covered entities to notify the state attorney general and grants the attorney general authority to pursue enforcement actions on behalf of the state or consumers living within the state. The new law goes into effect July 24, 2015.

LinkedInFacebookTwitterGoogle+Share

FTC Settles With Debt Brokers For Leaking Sensitive Consumer Information

On April 13, the FTC announced that two debt brokers agreed to settle two separate cases filed last year involving the leaking of over 55,000 consumers’ personal information. The brokers allegedly shared consumers’ personal information online – including credit card numbers, names, addresses, and bank account numbers – via unencrypted documents. Although the information was geared towards members of the debt collection industry, it was available to anyone with an internet connection. According to the FTC, the publicly available information put consumers at risk of identity theft and/or phantom debt collection. Under the terms of both proposed settlement agreements (Orders), the brokers would be required to: (i) implement and effectively maintain security programs that will protect consumers’ information; and (ii) have their respective security programs examined initially by a certified third party and again, thereafter, every two years for a duration of 20 years after service of the Orders. The FTC unanimously approved the proposed Orders and has filed them in the U.S. District Court for the District of Columbia for final court approval.

LinkedInFacebookTwitterGoogle+Share

Target and MasterCard Reach $19 Million Agreement Over Data Breach

On April 15, retail company Target agreed to set aside up to $19 million to settle claims brought by MasterCard and its credit card issuers to cover operational costs and fraud-related losses resulting from a data breach incident in 2013. According to a press release issued by Target, the agreement is dependent upon, among other things, 90 percent of eligible Mastercard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers by May 20, 2015. Eligible issuers, mostly comprising of banks and credit unions, who accept the offer will be required to release any current or future claims towards Target with respect to the data breach. All eligible issuers will receive full details of the Settlement Agreement at a later time.

LinkedInFacebookTwitterGoogle+Share

FTC Creates New Office To Investigate Consumer Technologies

On March 23, the FTC announced – via blog post – the formation of the Office of Technology Research and Investigation (OTRI), a newly formed research office within its Bureau of Consumer Protection. The OTRI succeeds the Mobile Technology Unit and will have an enhanced mission within the FTC to investigate technology issues encompassing privacy, data security, automobiles, smart phones, smart homes, emerging payment methods, Internet of Things, and big data.

LinkedInFacebookTwitterGoogle+Share

Large Retailer Agrees to Pay $10 Million Related to Data Breach Incident

On March 19, a district court granted preliminary approval in which a large retailer agreed to pay $10 million to settle a class-action action suit related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. Under the proposed settlement, the retailer will deposit the settlement amount into escrow to pay individual victims up to $10,000 in damages. In addition, the proposed settlement requires the retailer to (i) maintain a written information security program and (ii) appoint a Chief Information Security Officer. The proposed settlement is pending court approval.

LinkedInFacebookTwitterGoogle+Share

Financial Institutions File Class Action Suit In Response to Data Breach

On March 13, a federal credit union filed a class action suit against a national retailer and parent company, alleging their actions during a September 2014 data breach injured credit unions, banks, and other financial institutions. Greater Chautauqua FCU v. Kmart Corp and Sears Holdings Corp., No. 15-cv-2228, (N.D.Ill. Mar.13,2015) The complaint contends that financial institutions (i) were required to, among other things, refund fraudulent charges, respond to a higher volume of customer complaints, and increase fraud monitoring efforts, and (ii) lost revenue due to a decrease in card usage after the breach was disclosed.  The complaint alleges that the retailer failed to maintain adequate data security under applicable payment card industry standards, particularly in the wake of well-publicized data breaches at other retailers by third parties using similar techniques and malicious software. Moreover, the retailer failed to detect or notify customers for a period of at least five weeks. The complaint was filed in US District Court for the Northern District of Illinois, and alleges damages in excess of $5,000,000 for violations of the Illinois Personal Information Protection Act, the Illinois Consumer Fraud and Deceptive Business Act, and New York General Business Law, as well as negligence, and negligent misrepresentation and/or omission.

LinkedInFacebookTwitterGoogle+Share

Wyoming Amends State Consumer Protection Act

On March 2, the Wyoming legislature passed S.F. 35 and S.F. 36, which amend the state’s Consumer Protection Act to enhance privacy protections for sensitive personal information. With limited exception for entities covered by the Health Insurance Portability and Accountability Act, S.B. 35 subjects individuals and commercial entities to additional data breach notification requirements, including providing Wyoming residents with information such as (i) the type of information subject to the breach, (ii) a general description of the breach incident, (iii) the approximate date of the breach, (iv) the steps taken by the individual or entity to prevent further breaches, (v) advice on how to review accounts and monitor credit reports, and (vi) whether notification was delayed by a law enforcement investigation. S.B. 36 expands the categories of personal identifying information that trigger protections under the Consumer Protection Act. Assuming signature by Governor Mead, the laws will take effect July 1, 2015.

LinkedInFacebookTwitterGoogle+Share

Industry Trade Groups Urge Congress to Pass Legislation to Protect Consumers from Data Breaches

On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort among the industry to lobby Congress in passing legislation to combat increasing data breaches and fraud.

LinkedInFacebookTwitterGoogle+Share