On January 8, Kofax Limited, a California-based software company, released SignDoc Enterprise, a product that allows lenders to capture and process electronic signatures. The software gives consumers the ability to sign and return documents securely from their personal computer or mobile device. The software also supports “click to sign” and handwritten signatures, and can capture biometrics at the time of signing for greater security and authentication.
On January 15, New York AG Eric Schneiderman announced that he intends to propose legislation that would “overhaul New York State’s data security law and require new and unprecedented safeguards for the personal data of consumers.” Specifically, the bill would (i) make companies responsible for protecting a broader range of information by expanding the definition of “private information;” (ii) require better data security measures for entities that collect and/or store private information; and (iii) create a safe harbor for companies that would shield them from liability if they adopt heightened security practices. In addition, the proposal would incentivize companies to share forensic data with authorities in the event of a data breach by ensuring that disclosure does not affect the company’s privileges. The proposed legislation follows New York AG’s release of a July 2014 report, which examined the growing number of data breaches occurring within the state. Schneiderman expects the new law to be “the strongest, most comprehensive in the nation… [making] [New York] a national model for data privacy and security.”
On December 16, NIST announced the release of its updated guidance on assessing the security and privacy safeguards of federal information systems and organizations (Special Publication 800-53A, Revision 4). Government IT security professionals will use the guidance to “assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks.” The assessment guidance complements NIST’s control catalogue, Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53): the catalogue lists the controls, and the new publication describes how an assessor verifies that each control is in place and operating as intended.
On December 10, the U.S. Senate passed by voice vote S. 2519, the National Cybersecurity and Communications Integration Center Act of 2014. The bill would amend the Homeland Security Act of 2002 (6 U.S.C. § 101 et seq.) by codifying the Department of Homeland Security’s existing operations center, the National Cybersecurity and Communications Integration Center (NCCIC), which serves as the federal civilian interface for cybersecurity information sharing on behalf of the responsible DHS Under Secretary. The center oversees cross-sector coordination of shared information about cybersecurity risks and incidents that could adversely affect multiple private sectors. In addition, the bill prescribes the composition of the center and requires it to file annual status reports. The bill now goes to the House; if it passes there, it will be presented to the President for signature.
On December 8, a large bank settled with the Commonwealth of Massachusetts for $825,000 over a data breach that exposed the personal information of at least 260,000 customers. In March 2012, the bank allegedly lost unencrypted backup tapes containing customer information and did not report the missing tapes until October 2012. According to the Massachusetts AG, the bank violated state law by failing to (i) sufficiently protect the information; and (ii) provide timely notification of the breach. Under the settlement, Massachusetts credited the bank $200,000 toward upgrading its security procedures; the bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a consumer aid and education fund. The unencrypted backup media is the operative failure here: encrypting data at rest on removable media is what turns a lost tape into a non-event rather than a reportable breach.
On December 2, District Judge Paul Magnuson denied Target’s motion to dismiss the class action brought by banks in response to its 2013 data breach. In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (D. Minn., Dec. 2, 2014). The banks assert four claims against Target: (i) a general negligence claim that Target breached its duty to provide security and prevent the breach; (ii) that Target violated Minnesota’s Plastic Card Security Act (PCSA) by retaining customer card data that was subsequently stolen; (iii) that a violation of the PCSA is negligence per se; and (iv) a negligent misrepresentation by omission claim that Target made public statements about the strength of its data security when it knew or should have known the security was deficient. The first three claims were allowed to proceed; the fourth was dismissed with leave to amend because the complaint failed to allege the requisite reliance on Target’s assertions about its security. Notably, Judge Magnuson held that the PCSA applies to all transactions completed by a company operating in Minnesota, not only transactions occurring within the state.
On December 3, the Merchant and Financial Associations Cybersecurity Partnership (“Partnership”) submitted a letter to Congress requesting its consideration of adopting cybersecurity information sharing legislation. Created in February in response to high profile security breaches, the Partnership aims to protect retailers and financial institutions against cyber attacks. In its letter, the Partnership suggests that Congress adopt legislation that would “increase the current level of voluntary cybersecurity information sharing, while recognizing and responding to key privacy concerns.”
On November 18, Representative Elijah Cummings (D-MD) and Senator Elizabeth Warren (D-MA) sent letters to 16 financial service institutions regarding recent data breaches. The letters requested that the institutions provide information about the data breaches, including “detailed briefings from corporate IT security officers.” The letters were tailored to the specific institutions, with requests to two companies that they provide information on how the “potential data breaches may have affected their administration of government purchase and charge cards under contracts with the General Services Administration.” The letters also remind the institutions of their responsibility to protect and safeguard consumers’ personal information.
Delaware’s Fiduciary Access to Digital Assets and Digital Accounts Act (H.B. 345) makes Delaware the latest state to regulate access to “digital assets” after death. Unless the account-holder instructs otherwise, legally appointed fiduciaries will (1) have the same access to digital assets as they have always had to tangible assets, and (2) be bound by the same duty to comply with the account-holder’s instructions. In short, the personal representative or guardian of a digital account-holder can access the emails, documents, audio, video, images, social media content, computer programs, software licenses, usernames and passwords created on the deceased’s digital devices or stored electronically. This access could be very helpful, or extremely problematic, depending on what the digital records reveal.
Recently, the Payment Card Industry (PCI) Security Standards Council published guidance to help organizations strengthen their security awareness programs. The guidance, developed with input from retailers, banks, and technology providers, makes three recommendations for implementing a security awareness program: (i) assemble a security awareness team, (ii) develop security awareness content appropriate to your organization, and (iii) create a security awareness checklist. The PCI Security Standards Council is an open global forum of more than 650 organizations, including banks, merchants, processors, and vendors, responsible for developing, managing, and promoting awareness of the standards that increase payment data security.
On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.
On October 15, the New York Attorney General’s office announced a settlement with a large financial institution in connection with a 2012 data breach. Of the $850,000 settlement, New York State will receive over $114,000. The settlement requires the bank to reform the security practices that allowed over one million customer files to be compromised: in 2012, the bank lost over one million unencrypted files containing personal information for over 200,000 customers nationwide. Going forward, the bank must (i) notify state residents of security breaches in a timely manner; and (ii) maintain security policies that protect personal information.
On October 7, Elijah Cummings, the Ranking Member of the House Committee on Oversight and Government Reform, issued a letter asking committee Chairman Darrell Issa to hold a bipartisan hearing to examine a recent data security breach at a major U.S. financial institution. The breach is believed to have affected approximately 76 million households, in addition to 7 million small businesses. In his letter, Cummings told Issa that he believes an investigation into the breach “will help the Committee learn from [corporations] about security vulnerabilities they have experienced in order to better protect our federal information technology assets.” This is not the first time Cummings has asked Chairman Issa to hold hearings on the issue of data security. Cummings previously called for hearings on the issue in January and September of this year. To date, Chairman Issa has not responded to Cummings’s requests.
On September 22, the GAO issued a report regarding the privacy and data security implications of the CFPB’s data collection practices. The report, performed in part based on a request by Senator Crapo, notes the CFPB’s data includes three one-time collections of data that contain information that directly identifies individuals: arbitration case records, deposit account data regarding deposit advance products, and borrower-level activity regarding storefront payday loans. The report highlights several areas for improvement: (i) development of written procedures and documentation regarding data intake and information security risk assessments; (ii) implementation of privacy control steps and information security practices; and (iii) Paperwork Reduction Act compliance regarding credit card data. In a comment appended to the report, the CFPB outlines the reasons for its data collection efforts and concurs with the GAO’s recommendations addressed to the CFPB.
On August 12, Delaware Governor Jack A. Markell signed the Fiduciary Access to Digital Assets and Digital Accounts Act, the first law in the nation to comprehensively govern access to a person’s digital assets, including social media and email accounts, after the person dies or becomes incapacitated. Under the new law, a Delaware resident’s digital assets become part of his or her estate after death, and these assets are accessible to heirs to the same extent as the deceased person’s physical, tangible assets. Digital assets are defined broadly to include data, texts, email, audio, video, images, sounds, social media and social networking content, health care and insurance records, computer code and programs, software and software licenses, and databases, along with usernames and passwords. The law expressly does not apply to digital accounts of an employer regularly used by an employee in the usual course of business. The law requires any company that controls a person’s digital assets to give the legal fiduciary for the deceased’s estate the usernames, passwords, and any other information needed to access the digital assets upon a valid written request. Any contrary provisions in service agreements or privacy policies that limit a fiduciary’s access to digital accounts are void, although the account owner can specify that the account should remain private after death. The law also grants the company controlling the digital assets immunity for complying with valid requests for account access. The new law takes effect January 1, 2015.