The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CIT) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. Indeed, to successfully implement a risk-based information security program, an organization must be aware of the general cybersecurity risks that cut across all industries as well as the business-sector risks and the organizational risks unique to itself. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”
Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. The process gives management insight into the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address the critical risks. Today, a generally accepted threat modeling process involves comprehensive mapping of systems, applications, and networks together with data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams and uses the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and escalation of privilege) to inform the user of the general cyber-attack vectors each organization should consider. Generally, by combining a cybersecurity framework such as the NIST Cybersecurity Framework (for a risk-based analytical approach) with a threat modeling tool that identifies generic cyber threats such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.
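The STRIDE-over-data-flow-diagram process described above, as an added illustration that is not code from the original post or from Microsoft’s tool: it applies the standard STRIDE-per-element mapping (which threat categories apply to external entities, processes, data stores, and data flows) to a constructed, hypothetical online-banking diagram and lists flows that cross a trust boundary first, since those are where an analyst usually starts. The element names, trust zones, and flows are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import List

# STRIDE-per-element mapping from Microsoft's threat modeling approach: each
# kind of data-flow-diagram (DFD) element is exposed to a fixed subset of the
# six STRIDE categories.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str         # key of APPLICABLE (data flows are listed separately)
    trust_zone: str   # e.g. "internet", "dmz", "internal"

@dataclass(frozen=True)
class Flow:
    name: str
    src: str          # Element.name
    dst: str          # Element.name

@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool   # True for a flow between two trust zones

def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every DFD element and every flow."""
    zone = {e.name: e.trust_zone for e in elements}
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], False))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        for code in APPLICABLE["data_flow"]:
            threats.append(Threat(f.name, STRIDE[code], crosses))
    return threats

def prioritised(threats: List[Threat]) -> List[Threat]:
    """Flows that cross a trust boundary are reviewed first."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))

# Constructed DFD of a small online-banking front end (hypothetical, not a real system).
ELEMENTS = [
    Element("customer", "external_entity", "internet"),
    Element("web_app", "process", "dmz"),
    Element("session_cache", "data_store", "dmz"),
    Element("account_db", "data_store", "internal"),
]
FLOWS = [
    Flow("login_request", "customer", "web_app"),
    Flow("session_lookup", "web_app", "session_cache"),
    Flow("balance_query", "web_app", "account_db"),
    Flow("balance_result", "account_db", "web_app"),
]

if __name__ == "__main__":
    for t in prioritised(enumerate_threats(ELEMENTS, FLOWS)):
        print(("*" if t.crosses_boundary else " "), f"{t.target:16s}", t.category)
```

Each line marked with an asterisk is a flow crossing a trust boundary; the diagram above yields 28 candidate threats, nine of them on boundary-crossing flows.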
However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and industry standards bodies have called for organizations to go one step further and use CIT to understand the techniques, tactics, and procedures (TTPs) that hackers employ. By using CIT and other threat-based models, organizations can gain insight into potential attack vectors through red-teaming and penetration testing, simulating each phase of a hypothetical attack on the organization’s information system and determining the countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack. The kill chain model was used as part of a U.S. Senate investigation into the 2013 data breach of a major corporation, identifying several stages along the chain at which the attack could have been prevented or detected.
This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has made its ATT&CK (adversarial tactics, techniques, and common knowledge) platform publicly available. ATT&CK collects and organizes adversarial TTPs in specific detail and provides information on each technique, the attack patterns commonly used to carry it out, and potential mitigating procedures. For instance, one tactic identified by ATT&CK is to encrypt data being exfiltrated to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of a generic data breach risk analysis, organizations can understand the specific TTPs that may make data breach detection and analysis more difficult, and possibly take measures to prevent them.
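The detection option mentioned above, scanning unencrypted channels for encrypted payloads, as an added example that is not code from the original post, from MITRE, or from any DLP product: it scores each observed payload by byte entropy, checks known compressed-file signatures first (compressed data is also high-entropy and is the usual false positive), and flags only opaque high-entropy blobs seen on channels that should carry plaintext. The transfer records, channel labels, and the hash-chain stand-in for ciphertext are constructed for the example.

```python
import gzip
import hashlib
import math
from collections import Counter

# Magic bytes of common compressed formats. Compressed data is also high-entropy,
# so a scanner identifies known formats first to reduce false positives before
# treating an opaque high-entropy blob as likely ciphertext.
KNOWN_COMPRESSED = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"BZh": "bzip2"}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def known_format(data: bytes):
    for magic, name in KNOWN_COMPRESSED.items():
        if data.startswith(magic):
            return name
    return None

def classify_payload(data: bytes, threshold: float = 7.5, min_len: int = 256) -> str:
    """Return 'compressed', 'likely-encrypted' or 'plain' for one payload.
    Short payloads are not scored: entropy estimates on a few bytes are unreliable."""
    if known_format(data):
        return "compressed"
    if len(data) >= min_len and shannon_entropy(data) >= threshold:
        return "likely-encrypted"
    return "plain"

def flag_transfers(transfers):
    """transfers: (description, channel, payload) tuples from a network monitor.
    Only channels expected to carry plaintext are inspected, matching the
    mitigation of looking for encrypted files on unencrypted channels."""
    return [desc for desc, channel, payload in transfers
            if channel == "plaintext" and classify_payload(payload) == "likely-encrypted"]

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 hash chain, not real encryption)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed sample traffic for the demonstration (hypothetical descriptions).
STATEMENT = ("Quarterly account statement for customer 0001. "
             "Balance: 1,234.56 USD. Transactions: 12.\n" * 50).encode()
SAMPLE_TRANSFERS = [
    ("statement upload to partner SFTP", "encrypted", pseudo_random_bytes(4096)),
    ("report mailed as CSV", "plaintext", STATEMENT),
    ("report mailed as .gz", "plaintext", gzip.compress(STATEMENT)),
    ("unknown blob to external HTTP host", "plaintext", pseudo_random_bytes(4096)),
]

if __name__ == "__main__":
    for desc, channel, payload in SAMPLE_TRANSFERS:
        print(f"{desc:36s} {channel:10s} entropy={shannon_entropy(payload):.2f} "
              f"-> {classify_payload(payload)}")
    print("flagged:", flag_transfers(SAMPLE_TRANSFERS))
```

Only the opaque blob on the plaintext HTTP channel is flagged; the gzip attachment is recognized by its signature and the SFTP transfer is skipped because its channel is expected to be encrypted.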
By leveraging open-source CIT from tools such as ATT&CK, together with reports from third-party sources such as government and industry alerts, organizations can begin designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling and is not a threat model itself; additionally, ATT&CK focuses on penetration and hacking TTPs and therefore does not examine other threats that organizations may face, such as distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly where a DDoS attack would prevent its clients from accessing their financial accounts and, ultimately, their money.
AG coalition calls on Department of Education to discharge loans for students who attended closed for-profit school
On November 13, a coalition of 22 state attorneys general led by the Massachusetts attorney general sent a letter to the Department of Education’s Federal Student Aid Chief Operating Officer to determine whether the Department has complied with federal regulations that allow student borrowers to qualify for automatic discharge relief if they attended a school within 120 days of its closure date and have not continued their education elsewhere. The letter referred to an estimate provided by the Department in May, which stated that approximately 52,000 former students of a now-closed for-profit college qualified for automatic closed-school discharge relief. The letter notes, however, that recent information obtained from Congress indicates that only 7,000 student borrowers have been granted automatic discharges. Among other things, the AGs ask the Department to clarify whether all eligible students are now receiving automatic discharges, and request that the 120-day window be expanded “due to the deeply compromised nature of the school and its offerings in the months before its national collapse.” In addition, the letter requests details about the number of students with discharged loans and the methodology the Department is using to implement the automatic closed-school discharge.
On November 13, the Washington attorney general announced that an office supply company has agreed to pay $900,000 to resolve an investigation into deceptive computer repair services. According to the AG’s office, the company allegedly used a software program, called “PC Health Check” or similar names, to facilitate the sale of diagnostic and repair services to retail customers that cost up to $200, regardless of whether their computer was actually infected with viruses or malware. The program, which the company claimed detected malware symptoms on consumers’ computers, allegedly based its results on the answers to four questions a company employee asked consumers at the beginning of the service: whether the computer had slowed down, had issues with frequent pop-up ads, received virus warnings, or crashed often. After the questions were asked, the responses were entered into the program and a simple scan of the computer was run. The AG’s office claims that the scan had no connection to the reported malware symptoms, because an affirmative answer by the consumer to any of the four questions always led to a report of actual or potential malware symptoms. The release also states that in 2012, a company employee informed management that “the software reported malware symptoms on a computer that ‘didn’t have anything wrong with it,’” but that the company continued to sell the repair services until 2016 to an estimated 14,000 Washington consumers. According to the AG’s release, Washington is the only state to reach an agreement with the company over the alleged practices, in addition to the $35 million national settlement the company and its software vendor reached with the FTC in March for similar conduct. (Previous InfoBytes coverage here.)
On November 12, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on the Financial Action Task Force (FATF)-identified jurisdictions with “strategic deficiencies” in their anti-money laundering and combating the financing of terrorism (AML/CFT) regimes. As previously covered by InfoBytes, in October, FATF updated the list of jurisdictions to include the Bahamas, Botswana, Cambodia, Ghana, Iceland, Mongolia, Pakistan, Panama, Syria, Trinidad and Tobago, Yemen, and Zimbabwe. At the time, FATF noted that several jurisdictions had not yet been reviewed, and that it “continues to identify additional jurisdictions, on an ongoing basis, that pose a risk to the international financial system.”
The FinCEN advisory reminds financial institutions of the FATF October updates and emphasizes that financial institutions should consider both the FATF Public Statement and the Improving Global AML/CFT Compliance: On-going Process documents when reviewing due diligence obligations and risk-based policies, procedures, and practices. Moreover, the advisory includes public statements on the status of, and obligations involving, the Democratic People’s Republic of Korea (DPRK) and Iran, in particular. The advisory reminds jurisdictions of the actions the United Nations and the U.S. have taken with respect to sanctioning the DPRK and Iran and emphasizes that financial institutions must comply “with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, with foreign banks licensed by the DPRK or Iran.”
On November 11, the Massachusetts attorney general announced a $4 million settlement with a Virginia-based debt collection company to resolve allegations that it engaged in deceptive and unfair debt collection practices. The AG’s release stated that an assurance of discontinuance filed in the Suffolk Superior Court alleges that the company “aggressively” collected on purchased defaulted loans, credit card accounts, car loans, and other consumer debts by using a network of in-house collectors who contacted consumers through multiple letters and phone calls, and used law firms to take consumers to court. An investigation revealed that the company “routinely pursued consumers with only exempt sources of income such as social security, social security disability, and supplemental security income,” and that consumers who informed the company of their reliance on such income “were pressured by the company to pay money they should have been entitled to keep.” Among other things, the AG’s office claimed that the company also (i) collected on debts it could not substantiate; (ii) failed to verify whether the consumer information it reported to credit reporting agencies was accurate; (iii) ignored the statute of limitations when collecting debt; and (iv) failed to notify consumers of their rights to request proof of a debt and to provide proof of a debt upon request. In addition to the $4 million payment, the company has agreed to stop collecting from consumers using only exempt income, will obtain documentation that debts are valid before collecting, will inform consumers when debt is beyond the statute of limitations, and will refrain from calling consumers more than twice in a seven-day period. The company also agreed to stop reporting debts it cannot substantiate to credit reporting agencies and to investigate consumer credit report accuracy disputes.
On November 12, the U.S. Court of Appeals for the Eleventh Circuit issued an order reversing in part and affirming in part a district court’s dismissal of claims brought by a consumer who alleged that a bank violated the Fair Credit Reporting Act (FCRA) and the FDCPA when it provided debt information to a credit reporting agency using a “false name” and requested the consumer’s credit report without a proper purpose. In 2016, the consumer filed a lawsuit asserting that the bank (i) violated the FDCPA by using a name other than its true name in connection with the collection of debt; and (ii) violated the FCRA when it failed to investigate the accuracy of the information provided to the credit reporting agency, and requested his credit report without a permissible purpose. The district court dismissed the complaint for failure to state a claim.
On appeal, the 11th Circuit affirmed the dismissal of the FDCPA claim, concluding that, while the false-name exception stipulates that the FDCPA applies to a creditor that uses any name other than its own when collecting its own debts (which may indicate a third party was collecting or attempting to collect the debt), the exception does not apply in this instance because “even the least sophisticated consumer” would understand that the bank and the entity named in the consumer report were related. However, the appellate court held that the district court erred in dismissing the FCRA claims. According to the opinion, the consumer stated three plausible claims for relief, including that the bank failed to investigate the accuracy of the information it sent, as required when a dispute arises, and that it unlawfully obtained his credit report. The 11th Circuit noted that while it has never addressed the meaning of “false pretenses” under the FCRA, it now joins other courts in holding that “intentionally obtaining a credit report under the guise of a permissible purpose while intending to use the report for an impermissible purpose can constitute false pretenses.” Moreover, the appellate court noted that while the bank may have obtained the consumer’s credit report for proper purposes, or that it may have disclosed the true purpose to the credit reporting agency, “this fact question cannot be resolved on a motion to dismiss.”
On November 8, the U.S. Court of Appeals for the Seventh Circuit reversed a district court’s dismissal of an action against a debt collector, concluding that tax consequence language in a debt collection letter may violate the FDCPA. According to the opinion, the debt collector sent a consumer four collection letters with at least one letter stating in part that “[s]ettling a debt for less than the balance owed may have tax consequences and [the creditor] may file a 1099C form.” The consumer filed an action against the debt collector alleging that the language violated the FDCPA because the creditor is not obligated to file a 1099C with the IRS unless it has forgiven at least $600 in principal. The consumer also claimed that the creditor at issue would never file a 1099C unless it was legally obligated to do so, and as applied to the consumer’s debt at issue, none of the settlement options offered in the dunning letter would have reached the $600 threshold. The district court granted the debt collector’s motion to dismiss the action and the consumer appealed.
On appeal, the 7th Circuit focused on the letter’s reference to the possible 1099C filing. The court noted that “it is impermissible for a creditor to make a ‘may’ statement about something that is illegal or impossible,” and while it is not technically illegal or impossible for the creditor to file a 1099C form for amounts less than $600, the debt collector did not dispute that the creditor “would never file a 1099C form with the IRS unless required to do so by law.” The court observed that the “language of a collection letter can be literally true and still be misleading in a way that violates the Act.” Thus, the consumer plausibly alleged that “it is, in fact, misleading to state that [the creditor] may file a Form 1099C, when it never would.” And because questions as to whether specific statements are deceptive or misleading are “almost always questions of fact,” the appellate court reversed the dismissal and remanded the case back to district court for further proceedings.
On November 7, the FCC released a public notice seeking comment on a petition filed by a financial institution requesting a declaratory ruling on whether a company can send a follow-up clarification text message in response to an opt-out message from a consumer without violating the TCPA. More specifically, in connection with informational texts that the consumer previously consented to receive, the institution desires to “discern the scope of that opt-out,” because “[s]ome customers want to opt-out of all texts; others merely want to opt-out of the specific category of text message alert they received most recently.” The institution notes it filed the petition “in an abundance of caution” in light of the highly technical nature of TCPA compliance, and that it believes the FCC’s 2012 ruling in SoundBite Communications, Inc. Petition for Expedited Declaratory Ruling is clear that a sender may clarify in an opt-out confirmation message the scope of the consumer’s request without violating the TCPA as long as the message does not contain marketing or promotional content or seek to encourage or persuade the recipient to reconsider the opt-out.
Comments on the FCC’s public notice are due by December 9, with reply comments by December 24.
On November 12, the FTC announced a proposed settlement that requires a technology service provider to implement a comprehensive data security program to resolve allegations of security failures that allegedly allowed a hacker to access the sensitive personal information of about one million consumers. According to the complaint, the FTC asserts that the service provider and its former CEO violated the FTC Act by engaging in unreasonable data security practices, including failing to (i) have a systematic process for inventorying and deleting consumers’ sensitive personal information that was no longer necessary to store on its network; (ii) adequately assess the cybersecurity risk posed to consumers’ personal information stored on its network by performing adequate code review of its software and penetration testing; (iii) detect malicious file uploads by implementing protections such as adequate input validation; (iv) adequately limit the locations to which third parties could upload unknown files on its network and segment the network to ensure that one client’s distributors could not access another client’s data on the network; and (v) implement safeguards to detect abnormal activity and/or cybersecurity events. The FTC further alleges in its complaint that the provider could have addressed each of the failures described above “by implementing readily available and relatively low-cost security measures.”
The FTC alleges more particularly that, between May 2014 and March 2016, an unauthorized intruder accessed the service provider’s server over 20 times, and in March 2016, “accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords.” Because the information obtained can be used to commit identity theft and fraud, the FTC alleged that the service provider’s failure to implement reasonable security measures violated the FTC’s prohibition against unfair practices.
The proposed settlement requires the service provider to, among other things, create certain records and obtain third-party assessments of its information security program every two years for the 20 years following the issuance of the related order that would result from the settlement.
On November 8, the Department of Veterans Affairs (VA) issued Circular 26-19-29, encouraging mortgagees to provide relief for VA borrowers affected by Tropical Storm Imelda. Among other forms of assistance, the Circular encourages loan holders and servicers to (i) extend forbearances to borrowers in distress because of the disaster; (ii) establish a 90-day moratorium from the disaster declaration date on initiating new foreclosures on affected loans; (iii) waive late charges on affected loans; and (iv) suspend credit reporting related to affected loans. The Circular is effective until January 1, 2021. Mortgage servicers and veteran borrowers are also encouraged to review the VA’s Guidance on Natural Disasters.
Find continuing InfoBytes coverage on disaster relief guidance here.
- Sherry-Maria Safchuk to speak on the "California Consumer Privacy Act (CCPA) Workshop" panel at the California Mortgage Banker's 2019 Legal Issues & Regulatory Compliance Conference
- Jon David D. Langlois to discuss "Legal and operational considerations" at the Mortgage Bankers Association's Whole Loan Trading Workshop
- Daniel P. Stipano to discuss “Connecting the dots on your CDD program” at the ABA/ABA Financial Crimes Enforcement Conference
- Daniel P. Stipano to discuss “Beneficial Ownership: You have questions – We have quick answers” at the ABA/ABA Financial Crimes Enforcement Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at an American Bar Association webinar
- Kari K. Hall and Christopher M. Walczyszyn to speak on "Understanding updates to Regulation CC to ensure effective check processing" at a National Association of Federal Credit Unions webinar