InfoBytes Blog

Financial Services Law Insights and Observations

  • FSB: Greater convergence needed in cyber-incident reporting

    Privacy, Cyber Risk & Data Security

    On April 13, the Financial Stability Board (FSB) released a series of recommendations for achieving “greater convergence” in cyber-incident reporting (CIR). Issued at the request of the G-20, the final report draws from FSB’s body of work on cybersecurity, as well as its engagement with external stakeholders. In order to promote greater convergence in CIR, the report focuses on three components: (i) recommendations for addressing the issues identified as impediments to achieving greater harmonization in cyber incident reporting; (ii) an updated and enhanced cyber lexicon to include new CIR terms and encourage the use of “common language”; and (iii) a common, flexible format for incident reporting exchange (FIRE) that would allow a range of adoption choices and include the most relevant data elements for financial authorities.

    The report presents 16 recommendations for addressing issues associated with the collection of cyber incident information from financial institutions, including the importance of establishing clearly defined objectives for incident reporting (and practical measures for sharing such information), aligning CIR regimes on a cross-border/cross-sectoral basis to reduce fragmentation and improve interoperability, and adopting common data requirements and standardized reporting formats. The report observes that financial institutions operating across multiple jurisdictions and sectors often face operational challenges due to the current process of having to report cyber incidents to multiple authorities. FSB states it will continue to work on a concept for a common format for FIRE to enable authorities to collect information from financial institutions in a more consistent manner. “Financial authorities and institutions can choose to adopt these recommendations as appropriate and relevant, consistent with their legal and regulatory framework,” FSB states in the report.

  • NYDFS, crypto payment company reach AML/cybersecurity settlement

    State Issues

    On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.

  • OFAC sanctions darknet marketplace for selling stolen data

    Financial Crimes

    On April 5, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, against one of the world’s largest darknet marketplaces for its involvement in the theft and sale of device credentials and related sensitive information. According to OFAC, the marketplace accesses victims’ devices without authorization and sells the stolen data, including usernames and passwords, on the darknet. The action was taken in coordination with the DOJ and international partners from a dozen countries who are also taking action against market users across multiple jurisdictions and seizing associated website domains. The designation built upon previous actions taken against darknet marketplaces, including sanctions issued last year against the world’s most prominent darknet market. (Covered by InfoBytes here.) OFAC also referenced FinCEN’s 2019 Advisory on Illicit Activity Involving Convertible Virtual Currency, to warn “that darknet markets frequently include offers for the sale of illicit goods and services that use virtual currencies as a method of payment.” (Covered by InfoBytes here.) As a result of the sanctions, all property and interests in property belonging to the sanctioned entity in the U.S. must be blocked and reported to OFAC. OFAC noted that U.S. persons are prohibited from participating in transactions with sanctioned persons, and that “persons that engage in certain transactions with the entity designated today may themselves be exposed to sanctions.”

    The DOJ stated in its press release that, along with its partners, it had “dismantled” the marketplace and “arrested many of its users around the world.” The DOJ explained that the marketplace “was also one of the most prolific initial access brokers [] in the cybercrime world,” and “attract[ed] criminals looking to easily infiltrate a victim’s computer system.” The marketplace sold access to ransomware actors looking to attack computer networks in the United States and globally, the DOJ said, adding that the marketplace also sold device “fingerprints” used to trick third-party websites into thinking the marketplace user was the actual account owner.

  • District Court upholds arbitration in website terms of use

    Courts

    On March 28, the U.S. District Court for the Western District of North Carolina ruled that class members must arbitrate their claims against an online lending marketplace relating to a 2022 data breach that affected current, former, and prospective customers. The court found that a mandatory arbitration clause contained in the defendant’s terms of use agreement “is broad enough to encompass the claims” brought by class members, and adopted recommendations made by a magistrate judge in February, who found that the agreement not only requires users to agree to be bound by its terms of use when they make their accounts, but also requires that users consent, acknowledge, and agree to its terms of use any time they submit consumer loan searches on the website. The plaintiff argued that there was not a binding contract between the parties because he did not “fully and clearly” understand that he had agreed to arbitrate disputes with the defendant. He further attested that because he never saw the terms of use, he “lacked actual or inquiry notice.” In particular, the plaintiff complained about the placement and font size of the notice, which he claimed no reasonable consumer would have seen “as there is no reason to scroll down the page after seeing the ‘Create Account’ tab.” The magistrate judge disagreed, stating that the “[p]laintiff had multiple opportunities to read and decline the terms if he chose,” and that “[t]his is not the needle in a haystack search that [p]laintiff depicts.” In agreeing with the recommendations, the court concluded that the plaintiff failed to show that the magistrate judge’s determination “was clearly erroneous or contrary to law” and said the plaintiff is bound by the arbitration clause.

  • Iowa becomes sixth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 28, the Iowa governor signed SF 262, establishing a framework for controlling and processing consumers’ personal data in the state. Iowa is now the sixth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, and Utah (covered by Special Alerts here and here and InfoBytes here, here, and here).

    • Consumer rights. Iowa consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their personal data processed by a controller (“except as to personal data that is defined as personal information pursuant to section 715C.1 that is subject to security breach protection”); and (iv) opt out of the sale of their data.
    • Controller responsibilities. The Act requires controllers—the persons that determine the purpose and means of processing personal data—to respond to consumers’ requests free of charge within 90 days (the response period may be extended an additional 45 days under extenuating circumstances). A controller must also provide a consumer, without undue delay, with its justification should it decline to take action regarding the consumer’s request, as well as instructions for appealing the decision. Controllers are also required to implement reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data, and must not process collected sensitive data without notifying the consumer and allowing for the opportunity to opt out of such processing (or, in the case of data involving a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act). Controllers may not violate state and federal laws that prohibit discriminatory practices when processing personal data and may not discriminate against a consumer for exercising any of the provided consumer rights. Contracts that purport to waive or limit consumer rights shall be deemed void and unenforceable.
    • Disclosures. Controllers are required to provide consumers “a reasonably accessible, clear, and meaningful privacy notice” that outlines the categories of personal data to be processed, the purpose for processing the data, and how consumers may submit requests to exercise their personal rights (a controller may not require a consumer to create a new account to exercise consumer rights). The privacy notice must also outline the categories of data that may be shared with third parties, as well as the categories of applicable third parties, and clearly disclose when personal data is being sold or used in targeted advertising to allow a consumer the right to opt out of such activity.
    • Processor duties. Processors shall help controllers fulfill their obligations under the Act. A contract established between a controller and a processor will “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller,” and must “clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.”
    • Exemptions and limitations. The Act also outlines various processing exemptions, including those related to pseudonymous data, and addresses certain actions that a controller or processor is able to take with respect to complying with federal, state, or local laws, investigations, or law enforcement agency inquiries, among others. The Act also limits the collection of personal data to what is adequate, relevant and necessary in relation to the purposes for which such data is processed, and requires controllers to implement data security protection practices.
    • Enforcement. Although the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 90 days to cure the alleged violation before the attorney general can file suit. Should the controller or processor continue to violate the Act, the attorney general may seek an injunction and civil penalties of up to $7,500 for each violation.

    The Act takes effect January 1, 2025.

  • California OAL approves CCPA regulations

    Privacy, Cyber Risk & Data Security

    On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

    The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

  • Law firm settles breach claims related to health care data

    Privacy, Cyber Risk & Data Security

    On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advance data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach. 

    Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”

  • Utah amends disclosure requirements for data breaches

    Privacy, Cyber Risk & Data Security

    On March 23, the Utah governor signed SB 127, which, among other things, requires additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah Cyber Center where an investigation “reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur.” If the investigation reveals the misuse of personal information relating to 1,000 or more Utah residents, the notification must also be sent “to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.”

    The Utah Cyber Center will be responsible for, among other things, developing a statewide strategic cybersecurity plan for executive branches and other governmental agencies; identifying, analyzing, and mitigating cyber threats and vulnerabilities; coordinating cybersecurity resilience planning; providing cybersecurity incident response capabilities; developing incident response plans to coordinate federal, state, local, and private sector activities; and developing and promoting cybersecurity best practices.

    The amendments are effective 60 days following adjournment of the legislature.

  • FTC finalizes gaming company order on dark patterns

    Federal Issues

    On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.

    Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).

  • FTC asks how cloud computing affects competition and data security

    Federal Issues

    On March 22, the FTC announced it is seeking information on cloud computing providers’ business practices with respect to the potential impact on competition and data security. FTC staff noted that the agency is also interested in how cloud computing is impacting specific industries, including healthcare, finance, transportation, e-commerce, and defense. The request for information (RFI) solicits feedback on a range of issues, including (i) market power and competition (e.g. do particular segments of the economy have to rely on a small handful of cloud service providers); (ii) contract negotiation flexibility; (iii) incentives given to customers to ensure they obtain more of their cloud services from a single provider; (iv) security risks (e.g. what are the data security implications if particular segments of the economy rely on a small number of cloud service providers, and are these providers competing on their ability to provide secure storage for customer data); (v) products or services tied to artificial intelligence; and (vi) how cloud providers identify and notify customers of security risks related to security design, implementation, or configuration. Comments on the RFI are due May 22.
