On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
On April 10, Kentucky Governor Steve Beshear signed into law HB 232 to establish a data breach notice requirement. The new law requires any person or business that operates in the state to provide written or electronic notice to affected state residents of any breach of a security system that exposes unencrypted personally identifiable information. The law requires notification “in the most expedient time possible and without unreasonable delay” upon discovery or notification of a breach, and permits certain substitute forms of notice if the person or business subject to the breach demonstrates that the notice exceeds certain cost or scope thresholds. The law does not require separate notice to the state attorney general, nor does it apply to entities subject to Title V of the Gramm-Leach-Bliley Act or HIPPA. The bill takes effect July 14, 2014. Kentucky’s adoption of a data breach notice law leaves only three states—Alabama, New Mexico, and South Dakota—without such a statutory requirement.
On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority under Section 5 to enforce data security standards. The court reasoned that the data-security legislation the followed the FTC Act, such as GLBA and FCRA, provide the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.
Data Breach Class Settlement Approved After Eleventh Circuit Held Identity Theft Following Breach Presents Cognizable Injury
Recently, the U.S. District Court for the Southern District of Florida approved a class settlement in a case in which the plaintiffs claimed financial harm from a health care company’s failure to protect their personal information. Resnick v. AvMed Inc., No. 10-24513 (S.D. Fla. Feb. 28, 2014). The settlement follows a September 2012 decision from the U.S. Court of Appeals for the Eleventh Circuit, in which the court reversed the district court’s dismissal of the case and held that because the complaint alleged financial injury, and because monetary loss is cognizable under Florida law, the plaintiffs alleged a cognizable injury. The court explained that the plaintiffs demonstrated “a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence” because the plaintiffs plead that they were careful in protecting their identities and had never been victims of identity theft. The settlement requires the company to pay $3 million, with each class member receiving up to $10 for each year they paid an insurance premium, up to a maximum of $30. The company also agreed to implement new data security measures.
Last week, as part of the White House’s initiative on “big data” and privacy (led by John Podesta), the White House Office of Science and Technology Policy issued a request for information seeking public input regarding broad privacy-related issues. The request defines “big data” as “datasets so large, diverse, and/or complex, that conventional technologies cannot adequately capture, store, or analyze them.” It seeks comments on a number of issues, including: (i) the public policy implications of the collection, storage, analysis, and use of big data; (ii) the types of uses of big data that could measurably improve outcomes or productivity with further government action, funding, or research, and uses of big data that raise the most public policy concerns; (iii) the technological trends or key technologies which will affect the collection, storage, analysis and use of big data, and whether any are particularly promising for safeguarding privacy; (iv) how the policy frameworks or regulations for handling big data should differ between the government and the private sector; and (v) issues raised by the use of big data across jurisdictions. Comments are due by March 31, 2014.
Recently, the CFTC’s Division of Swaps Oversight issued Staff Advisory No. 14-21, which recommends best practices for CFTC-regulated intermediaries to comply with applicable Gramm-Leach-Bliley (GLB) Act privacy requirements, consistent with the Division’s intention to focus more resources on GLB privacy compliance. The advisory states that its recommendations are generally consistent with guidelines and regulations issued by other federal financial regulators, and the majority of the specific best practices are supported with references to prior rules and guidance. A number of the best practices cite the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness and a parallel FTC rule. Notably, several of the recommendations rely on a rule proposed by the SEC in 2008 but which has not yet been finalized. For example, the CFTC recommends based on that SEC proposal and the Interagency Guidelines that covered entities establish a breach investigation and notice process to alert potentially impacted individuals and to notify the CFTC. In addition, without referencing any other federal rule or guidance the Staff Advisory recommends that covered entities engage at least once every two years an independent party to test and monitor the safeguards’ controls, systems, policies and procedures, maintaining written records of the effectiveness of the controls.
On March 6, the FTC released a memorandum of understanding (MOU) it signed with the UK’s Information Commissioner’s Office (ICO), which is designed to strengthen the agencies’ privacy enforcement partnership. The FTC stated that over the last several years it has worked with the ICO on numerous investigations and international initiatives to increase global privacy cooperation. The MOU establishes a formal framework for the agencies to provide mutual assistance and exchange of information for the purpose of investigating, enforcing, and/or securing compliance with certain privacy violations. The FTC also announced a joint project with the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) economies to map together the requirements for APEC Cross Border Privacy Rules and EU Binding Corporate Rules, which is designed to provide a practical reference tool for companies that seek “double certification” under the APEC and EU systems, and shows the substantial overlap between the two.
Federal Reserve Board Proposes To Repeal Duplicative Regulations Amend Identity Theft Red Flags Rule
On February 12, the Federal Reserve Board proposed to repeal its Regulation DD, which implements the TISA, and Regulation P, which implements Section 504 of the GLBA because the Dodd-Frank Act transferred rulemaking authority for those laws to the CFPB, and the CFPB has already issued interim final rules implementing them. The Board also proposed to amend the definition of “creditor” in its Identity Theft Red Flags rule, which implements Section 615 of the FCRA. Generally, the Indemnity Theft Red Flags rule requires each financial institution and creditor that holds any consumer account to develop and implement an identity theft prevention program. The proposed revision will exclude from the foregoing requirements businesses that do not regularly and in the ordinary course of business (i) obtain or use consumer reports in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person. The Board will accept comments on the proposal for 60 days from publication in the Federal Register.
On February 12, the Obama Administration released the Cybersecurity Framework prepared by NIST, as called for by Executive Order 13636 issued by President Obama one year ago. The Framework organizes best practices regarding cyber risks into three components—the Framework Core, Profiles and Tiers—each of which “reinforces the connection between business drivers and cybersecurity activities.” The Framework Core component is described as a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped into five functions—Identify, Protect, Detect, Respond, and Recover—which provide a high-level view of an organization’s management of cyber risks. The second component, Profiles, is designed to assist organizations in aligning their cybersecurity activities with business requirements, risk tolerances, and resources. Finally, the Tiers component provides a mechanism for organizations to view their approach and processes for managing cyber risk. The Department of Homeland Security has established a voluntary program intended to increase awareness and use of the Framework to help organizations of all sizes manage cybersecurity risks and improve security and resilience of critical infrastructure. NIST hopes the Framework will serve as a model for international cooperation on strengthening critical infrastructure cybersecurity. NIST will continue to update and improve the Framework as the industry provides feedback on implementation. NIST also issued a Roadmap that discusses its next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On February 3, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) again expanded his investigation of data brokers when he asked six brokers for information on the compilation and sale of products that identify consumers based on their financial vulnerability or health status. The issue was raised recently in a majority staff report, which was released in connection with a December 2013 committee hearing. The Chairman cited “serious concerns regarding the sale and dissemination of lists identifying a consumer’s fragile health or financial circumstances without the consumer’s knowledge or permission,” which Mr. Rockefeller believes can be used by businesses seeking to target vulnerable customers for financially risky lending products or fraud schemes. The Chairman seeks a broad range of information about the companies’ data collection and sales practices conducted over a five year period. The letters are the latest in an ongoing review by the Committee, which previously expanded the scope of the review in September 2013.
On January 24, the California Attorney General (AG) sued a health care company over its alleged failure to timely submit notice of a 2011 data breach. According to the complaint, the company learned of the breach at the end of September 2011, completed a preliminary investigation in December 2011, and subsequently continued the investigation through mid-February 2012. The company allegedly did not begin mailing notice letters to affected individuals until mid-March. The complaint alleges the company failed to provide such notice in the most expedient time possible, which the AG alleges could have commenced in December 2011. The complaint also includes allegations regarding the actual breach at issue. The AG is seeking statutory penalties of $2500 per violation. Among other things, the suit demonstrates the AG’s inclination to take privacy and data security actions beyond the California Online Privacy Protection Act.
On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
On January 15, NIST updated the status of its efforts to finalize the voluntary Cybersecurity Framework directed by President Obama’s Executive Order 13636. According to the update, NIST expects to publish the final framework on February 13, 2014, but the initial final version will not include an appendix with specific privacy standards. Citing insufficient support from stakeholders, NIST instead will include an alternative methodology that it believes will better allow organizations to incorporate general privacy principles when implementing a cybersecurity program.