Congressional Leaders Send Letters to Financial Service Providers Regarding Data Breaches

On November 18, Representative Elijah Cummings (D-MD) and Senator Elizabeth Warren (D-MA) sent letters to 16 financial service institutions regarding recent data breaches. The letters requested that the institutions provide information about the data breaches, including “detailed briefings from corporate IT security officers.” The letters were tailored to the specific institutions, with requests to two companies that they provide information on how the “potential data breaches may have affected their administration of government purchase and charge cards under contracts with the General Services Administration.” The letters also remind the institutions of their responsibility to protect and safeguard consumers’ personal information.

LinkedInFacebookTwitterGoogle+Share

Digital Insights & Trends: “Digital Assets” … or Liabilities?

Margo Tank, Head of Digital Commerce Practice

Delaware’s Fiduciary Access to Digital Assets and Digital Accounts Act (H.B. 345) makes Delaware the latest state to regulate access to “digital assets” after death. Unless the account-holder instructs otherwise, legally appointed fiduciaries will: (1) have the same access to digital assets as they have always had to tangible assets, and (2) the same duty to comply with the account-holder’s instructions. In short, the personal representative or guardian of a digital account-holder can access the emails, documents, audio, video, images, social media content, computer programs, software licenses, usernames and passwords created on the deceased’s digital devices or stored electronically. This access could be very helpful, or extremely problematic, depending on what the digital records reveal. Read more…

LinkedInFacebookTwitterGoogle+Share

Payment Industry Council Issues Best Practices For Security Awareness

Recently, the Payment Card Industry (PCI) Security Standards Council published guidance to help organizations strengthen their security awareness. The guidance, developed by retailers, banks, and technology providers, details three recommendations for implementing a security awareness program: (i) Assembling a security awareness team, (ii) Developing appropriate security awareness content for your organization, and (iii) Creating a security awareness checklist. The PCI Security Standards Council is an open global forum comprised of more than 650 organizations, including banks, merchants, processors, and vendors, responsible for the development, management, education, awareness, and standards to increase payment data security.

 

LinkedInFacebookTwitterGoogle+Share

FCC Joins Global Privacy Enforcement Network

On October 28, amid growing threats to consumer privacy, the FCC announced that it has joined the Global Privacy Enforcement Network (GPEN), an international group of privacy regulators and enforcers. The move will allow the FCC to more easily collect and share data among approximately 50 privacy and data protection authorities from around the world. The FCC joins the FTC as the only two agencies representing the United States in cross-border GPEN proceedings.

LinkedInFacebookTwitterGoogle+Share

New York Attorney General’s Office Settles With Large Financial Institution

On October 15, the New York Attorney General’s office announced a settlement with a large financial institution in connection with a 2012 data breach. Of the $850,000 settlement agreement, New York State will receive over $114,000. The terms of the settlement require that the bank reform its former security practices, which caused over one million customer files to be compromised. Specifically, in 2012, the bank lost over one million unencrypted files that contained personal information for over 200,000 customers nationwide. Going forward, the bank must (i) notify state residents of security breaches in a timely manner; and (ii) maintain security policies that will protect personal information.

LinkedInFacebookTwitterGoogle+Share

House Committee On Oversight And Government Reform Request Hearing Regarding Data Security Breach

On October 7, Elijah Cummings, the Ranking Member of the House Committee on Oversight and Government Reform, issued a letter asking committee Chairman Darrell Issa to hold a bipartisan hearing to examine a recent data security breach at a major U.S. financial institution. The breach is believed to have affected approximately 76 million households, in addition to 7 million small businesses. In his letter, Cummings told Issa that he believes an investigation into the breach “will help the Committee learn from [corporations] about security vulnerabilities they have experienced in order to better protect our federal information technology assets.” This is not the first time Cummings has asked Chairman Issa to hold hearings on the issue of data security. Cummings previously called for hearings on the issue in January and September of this year. To date, Chairman Issa has not responded to Cummings’s requests.

LinkedInFacebookTwitterGoogle+Share

GAO Report On CFPB Data Collection And Privacy Practices Finds Room For Improvement

On September 22, the GAO issued a report regarding the privacy and data security implications of the CFPB’s data collection practices. The report, performed in part based on a request by Senator Crapo, notes the CFPB’s data includes three one-time collections of data that contain information that directly identifies individuals: arbitration case records, deposit account data regarding deposit advance products, and borrower-level activity regarding storefront payday loans. The report highlights several areas for improvement: (i) development of written procedures and documentation regarding data intake and information security risk assessments; (ii) implementation of privacy control steps and information security practices; and (iii) Paperwork Reduction Act compliance regarding credit card data. In a comment appended to the report, the CFPB outlines the reasons for its data collection efforts and concurs with the GAO’s recommendations addressed to the CFPB.

LinkedInFacebookTwitterGoogle+Share

Delaware Enacts Law Governing Access To Digital Records After Death

On August 12, Delaware Governor Jack A. Markell signed the Digital Access and Digital Accounts Act, the first law in the nation to comprehensively govern access to a person’s digital assets, including social media and email accounts, after the person dies or becomes incapacitated. Under the new law, a Delaware resident’s digital assets will become part of his or her estate after death, and these assets will be accessible to heirs to the same extent as the deceased person’s physical, tangible assets. Digital assets are defined broadly to include data, texts, email, audio, video, images, sounds, social media and social networking content, health care and insurance records, computer codes and programs, software and software licenses, and databases, along with usernames and passwords. The law expressly does not apply to digital accounts of an employer regularly used by an employee in the usual course of business. The law requires any company that controls a person’s digital assets to give the legal fiduciary for the deceased’s estate the usernames, passwords, and any other information needed to gain access to the digital assets upon a valid written request. Any contrary provisions in service agreements or privacy policies that limit a fiduciary’s access to digital accounts are void, although the account owner can specify that the account should remain private after death. The law also grants the company controlling the digit assets immunity for complying with valid requests for account access. The new law takes effect January 1, 2015.

LinkedInFacebookTwitterGoogle+Share

Nebraska Federal Court Refuses To Dismiss Suit Claiming Breach Of Contract, Violation of State Law for Unauthorized Credit Card Transactions Following Bank Data Breach

On August 20, the U.S. District Court for the District of Nebraska denied motions to dismiss filed by a Nebraska bank and two credit card processing companies in response to a purported class action filed by a merchant alleging that it suffered damages following a data breach at the defendants’ premises. Wines, Vines & Corks, LLC v. First Nat’l of Neb., Inc., No. 8:14CV82 (D. Neb. Aug. 20, 2014). According to the merchant’s complaint, the merchant maintained a credit card processing account with the defendants and, following the breach, had unauthorized credit card transactions processed and fees withdrawn from its account. The merchant alleged breach of contract, negligence, and violations of the Nebraska Consumer Protection Act and the Nebraska Uniform Deceptive Trade Practices Act based on the defendants’ failure to adequately secure and protect account information and refusal to refund the fees. In denying the motions to dismiss, the court determined that the merchant sufficiently pled the existence of a contract and resulting damages in support of its breach of contract claim, as well as a breach of the duty of due care in support of its negligence claim. Also, the court found that the merchant’s state law claims were adequately supported and determined that the defendants’ argument that the economic loss doctrine barred these claims was misplaced.

LinkedInFacebookTwitterGoogle+Share

FTC Finalizes Mobile Application Privacy Settlements

On August 19, the FTC approved final orders resolving allegations that two companies: (i) misrepresented the level of security of their mobile applications; and (ii) failed to secure the transmission of millions of consumers’ sensitive personal information. The FTC alleged that one company’s application assured consumers that their credit card information was stored and transmitted securely even though the company disabled a higher level of security validation, which allowed such credit card information to be intercepted. In addition, the company allegedly failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties. The FTC alleged that the second company also disabled enhanced security validation despite claiming that it followed industry-leading security precautions, which also left consumers’ information vulnerable to interception. The final settlement orders require both companies to establish comprehensive programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.

LinkedInFacebookTwitterGoogle+Share

Payment Cards Security Standards Organization Publishes Third-Party Security Assurance Guidance

On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.

LinkedInFacebookTwitterGoogle+Share

ANSI Seeks Participants For Technical Committee On Security

On June 25, the American National Standards Institute (ANSI) issued a call for organizations with an interest in security to participate in an advisory committee to a new International Organization for Standardization (ISO)  technical committee. The ISO is planning to restructure its security sector to consolidate the work of three existing technical committees—Societal security; Fraud countermeasures and controls; and Management system for quality of private security company operations. The new committee will begin work on January 1, 2015 and will cover standardization in the field of security including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, and homeland security. Organizations interested in participating in the advisory committee must contact ANSI by July 4, 2014.

LinkedInFacebookTwitterGoogle+Share

Florida Strengthens Data Breach Law

On June 20, Florida Governor Rick Scott signed SB 1524, which significantly revises and strengthens the state’s data breach notice law, making it among the toughest in the country. The bill shortens the timeline for providing notice of a data breach to require notice to consumers within 30 days of the “determination of a breach.” The bill also adds a parallel requirement to notify the state attorney general’s office for an incident affecting more than 500 state residents. The bill also provides that consumer notice by email will no longer require an E-SIGN consent. The new law clarifies the application of data breach requirements by amending the definition of “covered entity” to mean “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.” The bill also expands the definition of “personal information” to add, as was done in California last year, user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. The bill requires covered entities to take reasonable measures to (i) protect and secure data in electronic form containing personal information and (ii) dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Finally, the bill revised the risk of harm provision in two noteworthy ways: (i) like Connecticut and Alaska, law enforcement must be consulted to employ the exemption to noticeand (ii) the exemption appears to cover only consumer notice, not AG notice. The changes take effect July 1, 2014.

LinkedInFacebookTwitterGoogle+Share

Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment

On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third-party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account fall on the customer and not the bank.

LinkedInFacebookTwitterGoogle+Share

Comptroller Curry Takes Vendor Management Message To Third-Party Providers

On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”

LinkedInFacebookTwitterGoogle+Share