
InfoBytes Blog

Financial Services Law Insights and Observations


  • NIST Releases Draft Outline of Cybersecurity Framework

    Fintech

    On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.

    Privacy/Cyber Risk & Data Security NIST

  • California AG Releases Data Breach Report, Proposes Data Security Policy Changes

    Fintech

    On July 1, California Attorney General Kamala Harris (AG) released a report analyzing data breaches reported to her office in 2012, the first year companies were required to report to the AG any breach involving more than 500 state residents. The report identifies 131 data breach incidents that put the personal information of 2.5 million individuals at risk. The AG noted that the report is not required by the law, but provides support for the AG’s recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those policy recommendations focus on (i) data encryption, (ii) information security, (iii) notice letters, and (iv) the definition of personal information.

    Specifically, the AG claimed that the information for 1.4 million Californians would have been protected if companies had encrypted data, and urges companies to encrypt digital personal information when moving or sending it out of their secure network. The AG pledged to prioritize enforcement investigations of breaches involving unencrypted personal information. The AG’s report notes that a large percentage of breaches surveyed resulted from the failure of information security controls and references requirements under state law to protect the personal information of California residents.

    The AG also stated that companies should make their data breach notices to consumers easier to read, and that the state legislature should consider expanding breach notice requirements to cover breaches involving passwords. The AG highlighted a pending bill, SB 46, that would revise the notice requirement’s definition of personal information to require reporting of breaches involving information that would permit access to an online account: a user name or email address, in combination with a password or security question and answer. That bill has already passed the state Senate and was approved by the Assembly’s Judiciary Committee. It is scheduled to be considered by the Assembly’s Appropriations Committee on July 3, 2013.

    State Attorney General Privacy/Cyber Risk & Data Security

  • FTC Updates Guidance for Search Engines on Advertising

    Fintech

    On June 25, the FTC announced updated guidance for the search engine industry on distinguishing paid search results from natural search results. The updated guidance was in the form of letters sent to seven general purpose search engines and 17 high traffic specialized search engines. The FTC noted that the principles of its original 2002 guidance still apply, but that changes in the search industry and requests from industry and consumer groups led the agency to issue the revised guidance. The guidance states that the failure to clearly and prominently distinguish advertising from natural search results, such as through visual cues, labels, or other techniques, could constitute a deceptive practice. The FTC also noted that the principles of the guidance should be applied to new means used by consumers to search for information, such as social media, mobile applications and voice assistants on mobile devices.

    FTC Mobile Commerce

  • NIST Issues Mobile Device Security Guidelines

    Fintech

    On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smart phones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.

    Mobile Commerce NIST Privacy/Cyber Risk & Data Security

  • FTC Chairwoman Announces Senior Personnel Changes

    Fintech

    On June 17, FTC Chairwoman Edith Ramirez named several senior staff members, including Jessica Rich as Director of the Bureau of Consumer Protection. Ms. Rich has been with the FTC for more than 20 years and most recently served as Associate Director of the Division of Financial Practices. Prior to that, Ms. Rich was a Deputy Director of the Bureau and has served as the Acting Associate Director and Assistant Director of the Bureau’s Division of Privacy and Identity Protection, among numerous other positions. Ms. Ramirez also named Jonathan E. Nuechterlein as General Counsel. He joins the agency from a large law firm, where he was a partner and chair of the firm’s communications, privacy, and Internet law practice group. He previously was Deputy General Counsel for the FCC and an Assistant to the Solicitor General at the U.S. Department of Justice.

    FTC Nonbank Supervision Privacy/Cyber Risk & Data Security

  • Texas Enacts Stringent Email Privacy Bill

    Fintech

    On June 14, Texas enacted HB 2268, which amends current state law relating to “search warrants issued in [that] state and other states for certain customer data, communications, and other related information held in electronic storage” by “electronic communications services and remote computing services” providers. Among other things, the bill requires law enforcement to obtain a warrant to search emails, regardless of the age of the emails. The requirement exceeds the privacy protections granted by the federal Electronic Communications Privacy Act, which allows warrantless searches of emails left unopened for 180 days.

    Privacy/Cyber Risk & Data Security

  • OCC Publishes Community Bank Best Practices Booklet, Holds Webinar on Community Bank Cyber Threats

    Fintech

    On June 13, the OCC published a booklet titled “A Common Sense Approach to Community Banking,” which offers best practices the agency believes distinguish high-performing community banks from those that barely survive or fail. The booklet, which previously was distributed to national banks and federal thrifts and now is available on the OCC’s website, focuses on three interrelated areas: (i) risk assessment and management, (ii) strategic planning, and (iii) capital planning. Earlier in the week, the OCC hosted a webinar on cyber threats and vulnerabilities to raise awareness for community banks, and provided a collection of existing regulatory guidance that addresses actions banks should take to help mitigate the risks associated with information security.

    OCC Community Banks Privacy/Cyber Risk & Data Security

  • FTC Revises Red Flags Identity Theft Rule Business Guide

    Fintech

    On June 12, the FTC issued revised guidance to help firms comply with its Red Flags Rule, which requires covered firms to monitor for and respond to certain “red flag” warnings of customer identity theft. The updated guide reflects changes made to the rule last year to more narrowly define the types of creditors subject to the rule.

    FTC Privacy/Cyber Risk & Data Security

  • NIST Seeks Comments on Cloud Computing Security Document

    Fintech

    On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.

    Cloud Computing NIST Privacy/Cyber Risk & Data Security

  • Federal Court Holds Opened Emails Not Protected By Stored Communications Act

    Fintech

    On June 5, the U.S. District Court for the Northern District of Ohio held that emails the intended recipient opened but did not delete were not covered by the Stored Communications Act because they were not being kept for the purposes of backup protection. Lazette v. Kulmatycki, No. 12-02416, 2013 WL 2455937 (N.D. Ohio Jun. 5, 2013). In this case, an individual alleged, among other things, that her former employer and supervisor violated the Stored Communications Act when the supervisor read numerous emails in the employee’s personal email account, which the supervisor accessed through the employer-issued mobile device the employee surrendered upon leaving the company. Some of these emails previously had been opened by the intended recipient, while others had not. The court held that emails in the personal account that had been opened first by the intended recipient but not deleted were not in “backup” status or “electronic storage” as those terms are defined in the SCA. The court granted the employer’s motion to dismiss with regard to such previously opened emails. The court declined to dismiss the intended recipient’s claim with respect to the emails which were first opened by the supervisor. The court rejected several of the employer’s other SCA-related arguments, holding that (i) the SCA was not designed only to apply to computer hackers and generally does apply to the supervisor’s actions, (ii) the mobile device was not the “facility” under the SCA, rather the server for the personal email service was the facility, and (iii) the employee did not implicitly consent to having her emails read by not deleting or logging out of the personal account before surrendering the employer-issued mobile device.

    Privacy/Cyber Risk & Data Security
