InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed issues final rule for FMUs to update risk management requirements, noting cyber and climate risks
On March 8, the Federal Reserve Board announced a final rule that will update risk management requirements for financial market utilities (FMUs) supervised by the Fed. FMUs provide the financial infrastructure to clear and settle payments and transactions. The rule will go into effect 30 days after publication in the Federal Register, and FMUs are expected to comply with certain updates by 90 days and all updates by 180 days after publication. The Fed reported the final rule is “substantially similar” to the proposed rule and provided additional details to the exiting requirements for the following: (i) review and testing; (ii) incident management; (iii) business continuity management; and (iv) third-party risk management.
Ginnie Mae now requires issuers to disclose cybersecurity incidents within 48 hours
On March 4, the President of Ginnie Mae released All Participants Memorandum (APM) 24-02, which set forth a new requirement applicable to all issuers, including issuers that subservice loans for others. The memo mandated that all approved issuers must notify Ginnie Mae of any significant cybersecurity incident within 48 hours of detection. Ginnie Mae defined a “Cyber Incident” as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the Issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.” If a Cyber Incident has occurred, issuers must it report to Ginnie Mae via a specified email address and must include (i) the date and time of the incident, (ii) a summary of the incident, and (iii) points of contact responsible for coordinating any follow-up questions regarding the incident. These requirements are also now reflected in Chapter 03, Part 18 of the Mortgage-Backed Securities Guide, 5500.3, REV-1.
NYDFS orders digital currency trading company to pay $8 million
On January 12, NYDFS announced that it had entered into a consent order with a digital currency trading company after an investigation that found the company responsible for compliance failures that violated NYDFS’s virtual currency and cybersecurity regulations, leaving the company vulnerable to illicit activity and cybersecurity threats.
NYDFS found that the company failed to meet its compliance obligations due to (i) deficiencies in the company’s AML program; (ii) failure to file compliant suspicious activity reports; (iii) failure to conduct required OFAC screening; and (iv) failure to maintain an adequate cybersecurity program. In connection with the settlement, the company will surrender its BitLicense, the license required to be held by any company conducting virtual currency business in New York state and pay an $8 million penalty.
OCC’s Fall 2023 report highlights risks in banking system
On December 7, the OCC reported key issues facing the federal banking system in its Semiannual Risk Perspective for Fall 2023. In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key themes that the OCC underscored in the report included (i) credit risk due to high interest rates, commercial real estate lending, and inflation; (ii) market risks from rising deposit rates, liquidity contraction, and reliance on wholesale funding; (iii) operational risks from cyber threats, increased digitization, and fraud; and (iv) compliance risks from equal access to credit, fair treatment of consumers, fintech partnerships, and BSA/AML risk. The OCC noted that deposit and liquid asset trends stabilized in the latter half of 2023, and the stability was sustained through a greater dependence on wholesale funding.
The report included a special discussion of emerging risks linked to artificial intelligence (AI) in banking. The OCC noted the potential benefits of widespread AI adoption, which could reduce costs, improve products, strengthen risk management, and expand access to credit. At the same time, the OCC cautioned that AI use can create risk and banks must manage its use carefully.
DOJ reports on cybersecurity and announces seizure of $500,000 from hackers
On July 19, Deputy Attorney General Lisa O. Monaco spoke before the International Conference on Cyber Security (ICCS) 2022 regarding DOJ’s efforts to combat the increase of cyberattacks. Monaco also announced the release of the Comprehensive Cyber Review, which reflects “the need to prioritize prevention, to ensure we are doing all we can to help victims, and above all else – to use all the tools at our disposal, working with partners here and around the globe, across the government and across the private sector.” The report noted that the “failure of certain technology companies” to meet their legal obligations “is a major factor in allowing criminals to escape detection and apprehension.” The report also noted that over the last decade,” companies have “proactively taken independent actions” against cybercriminals without prior coordination with U.S. law enforcement officials. The report argues that “there is no reason that criminal activities in the cyber context should be handled differently than in the real world, where it would almost be unheard of for private companies to observe criminal activity” without informing law enforcement as soon as possible and then working with law enforcement to further identify and disrupt the criminal activity. The report recommends that the Justice Department and U.S. technology companies “develop a voluntary set of principles regarding the proactive and systematic reporting of cybercriminal activities using their platforms.”
Monaco also announced that the FBI and DOJ “disrupted” a North Korean state-sponsored hacking group that targeted U.S. medical facilities and other public health sector organizations. According to the DOJ’s press release, the Department seized $500,000 in cryptocurrency paid as ransom to North Korean hackers who used a ransomware strain to encrypt the files and servers of a medical center in Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.
9th Circuit: Networking site cannot deny data scraping access to publicly available profiles
On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations brought by the networking site claiming the data analytics company used automated bots to extract user data from the networking site’s website (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The networking site sent the data analytics company a cease-and-desist letter, asserting violations of state and federal law, including the Computer Fraud and Abuse Act (CFAA). The data analytics company responded that it had a right to access the public pages and later sought a preliminary injunction. In granting the preliminary injunction, the district court ordered the networking site to, among other things, “remove any existing technical barriers to [its] public profiles, and to refrain from putting in place any legal or technical measures” that would block access.
The 9th Circuit previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the data analytics company’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States.
On remand, the appellate court reviewed whether the data analytics company accessed data “without authorization” in violation of the CFAA after it received the cease-and-desist letter. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested that the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. “A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser,” the appellate court wrote. “In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.” Therefore, the court held, the phrase “without authorization” does not apply to public websites.
In determining that a preliminary injunction was appropriate, the appellate court held that the district court did not abuse its discretion in concluding that the data analytics company met the standard of establishing that the plaintiff is likely to succeed on the merits, is likely to suffer irreparable harm without such relief, that the “balance of equities” is in the favor of the plaintiff, and that the injunction would be in the public interest. The court found that the data analytics company showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” In considering the balance of hardships, the 9th Circuit agreed that the scales “tipped sharply” in favor of the data analytics company “when weighing the likelihood that [the data analytics company] would go out of business against [the networking site’s] assertion that an injunction threatened its members’ privacy” and therefore risked the goodwill it had developed with its members. Finally, the court rejected the networking site’s claims that the data analytics company violated the CFAA, which would have preempted the remaining state law claims.
District Court grants motion to dismiss in privacy suit
On February 17, the U.S. District Court for the District of Delaware granted a motion to dismiss a putative class action suit for lack of Article III standing, in which plaintiffs alleged that the defendant violated their privacy rights by intercepting and recording mouse clicks and other website visit information. According to the memorandum opinion, the plaintiffs alleged defendant’s recording of that information violated, among other things, the California Invasion of Privacy Act (CIPA) and the Federal Wiretap Act. In finding the plaintiffs’ failed to plead a concrete injury, the district court found while the “[p]laintiffs have a legally cognizable interest in controlling their personal information and that intrusion upon that interest would amount to a concrete injury[,]” they failed to identify how any of their personal information was implicated in the complaint. The court explained: “[p]laintiffs fail to explain how either [the defendants] possession of anonymized, non-personal data regarding their browsing activities on [the defendant’s] website harms their privacy interests in any way.” The district court also noted that the plaintiffs did not make any allegations to suggest a risk of imminent or substantial future harm.
New Jersey settles CFA and HIPAA violations following 2019 data breach
On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, were exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”