Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 6, New York Governor Andrew Cuomo released a report on bank cybersecurity preparedness and directed the New York State Department of Financial Services (DFS) to conduct targeted cybersecurity preparedness assessments of the DFS-regulated banks. The DFS is revising its examination procedures to add questions to assess IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery. DFS plans to release additional details about the timing and content of these examination procedures in the coming weeks. The report follows a year-long survey of 154 DFS-regulated banks, which revealed that “most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years.” The review revealed that third-party payment processor breaches were reported by 18% and 15% of small and large institutions, respectively, and that large institutions also cited mobile banking exploitation, ATM skimming/point-of-sale schemes), and insider access breaches. Last year, the DFS announced a similar inquiry into cyber preparedness at insurance companies it regulates.
On May 7, the CFPB issued a proposed rule that would provide financial institutions an alternative method for delivering annual privacy notices. The Gramm-Leach-Bliley Act (GLBA) and Regulation P require financial institutions to, among other things, provide annual privacy notices to customers—either in writing or electronically with consumer consent. Industry generally has criticized the current annual notice requirement as ineffective and burdensome, with most financial institutions providing the notices by U.S. postal mail. The proposed rule would allow financial institutions, under certain circumstances, to comply with the GLBA annual privacy notice delivery requirements by (i) continuously posting the notice in a clear and conspicuous manner on a page of their websites, without requiring a login or similar steps to access the notice; and (ii) mailing the notices promptly to customers who request them by phone.
Specifically, under the CFPB’s proposal, a financial institution subject to the GLBA privacy notice requirements would be permitted to post annual notices online, provided the institution:
- Does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights;
- Does not include on its annual privacy notice a Fair Credit Reporting Act (FCRA) § 603(d)(2)(A)(iii) notice regarding the ability to opt out of information sharing with the institution’s affiliates;
- Does not use its annual privacy notice as the only notice provided to satisfy affiliate marketing opt-out notice requirements under section 624 of FCRA;
- Has not changed the information included in the privacy notice since the customer received the previous notice;
- Uses the model form provided in Regulation P; and
- Inserts a clear and conspicuous statement, at least once per year on a notice or disclosure the institution issues under any other provision of law, announcing that the annual privacy notice is available on the institution’s website, such notice has not changed since the previous notice, and a copy of such notice will be mailed to customers who request it by calling a toll-free telephone number.
The CFPB cites the following benefits of the proposed rule:
- Provides consumers with constant access to privacy policies;
- Incentivizes financial institutions to limit their data sharing with unaffiliated third parties;
- Allows consumers who are concerned about their personal information to comparison shop before deciding which financial institution to use; and
- Reduces the cost for companies to provide annual privacy notices.
The proposed rule would provide some relief to industry, particularly where broader bipartisan legislative solutions have failed to gain substantial traction. Last year, the House passed legislation that would fully exempt a financial institution from the annual notice requirement if it (i) provides nonpublic personal information only in accordance with specified requirements, and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from its most recent disclosure. A similar Senate bill introduced early last year has not moved forward, though its sponsor, Senator Sherrod Brown (D-OH), pressed the CFPB director about the issue during a hearing last fall.
The CFPB’s proposal will remain open for comment for 30 days following its publication in the Federal Register.
On May 1, the White House’s working group on “big data” and privacy published a report on the findings of its 90-day review. In addition to considering privacy issues associated with big data, the group assessed the relationship between big data and discrimination, concluding, among other things, that “there are new worries that big data technologies could be used to ‘digitally redline’ unwanted groups, either as customers, employees, tenants, or recipients of credit” and that “big data could enable new forms of discrimination and predatory practices.” The report adds, “[t]he same algorithmic and data mining technologies that enable discrimination could also help groups enforce their rights by identifying and empirically confirming instances of discrimination and characterizing the harms they caused.” The working group recommends that the DOJ, the CFPB, and the FTC “expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law in such cases,” and adds that the President’s Council of Economic Advisers should assess “the evolving practices of differential pricing both online and offline, assess the implications for efficient operations of markets, and consider whether new practices are needed to ensure fairness.” The working group suggests that federal civil rights offices and the civil rights community should collaborate to “employ the new and powerful tools of big data to ensure that our most vulnerable communities are treated fairly.” With regard to privacy the report states that the “ubiquitous collection” of personal information and data, combined with the difficulty of keeping data anonymous, require policymakers to “look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized for more than four decades.” Among its policy recommendations, the working group urges (i) enactment of a Consumer Privacy Bill of Rights, informed by a Department of Commerce public comment process, and (ii) the adoption of a national data breach bill along the lines of the Administration’s May 2011 Cybersecurity legislative proposal. It also calls for data brokers to provide more transparency and consumer control of data.
On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”
On April 15, the SEC’s Office of Compliance Inspections and Examinations announced that it will be conducting cybersecurity examinations of more than 50 registered broker-dealers and registered investment advisers. The examinations will assess each firm’s cybersecurity preparedness and collect information about the industry’s recent experiences with certain types of cyber threats. Specifically, examiners will focus on (i) cybersecurity governance; (ii) identification and assessment of cybersecurity risks; (iii) protection of networks and information; (iv) risks associated with remote customer access and funds transfer requests; (v) risks associated with vendors and other third parties; (vi) detection of unauthorized activity; and (vii) and experiences with certain cybersecurity threats. The SEC included with the announcement a sample document and information request it plans to use in this examination initiative.
On April 10, Kentucky Governor Steve Beshear signed into law HB 232 to establish a data breach notice requirement. The new law requires any person or business that operates in the state to provide written or electronic notice to affected state residents of any breach of a security system that exposes unencrypted personally identifiable information. The law requires notification “in the most expedient time possible and without unreasonable delay” upon discovery or notification of a breach, and permits certain substitute forms of notice if the person or business subject to the breach demonstrates that the notice exceeds certain cost or scope thresholds. The law does not require separate notice to the state attorney general, nor does it apply to entities subject to Title V of the Gramm-Leach-Bliley Act or HIPPA. The bill takes effect July 14, 2014. Kentucky’s adoption of a data breach notice law leaves only three states—Alabama, New Mexico, and South Dakota—without such a statutory requirement.
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
On April 7, the U.S. District Court for the District of New Jersey denied a hotel company’s motion to dismiss the FTC’s claims that the company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act by failing to maintain reasonable and appropriate data security for customers’ personal information. FTC v. Wyndham Worldwide Corp., No. 13-1887, 2014 WL 1349019 (D.N.J. Apr. 7, 2014). The company moved to dismiss the FTC’s suit, arguing that the FTC (i) lacks statutory authority to enforce data security standards outside of its explicit data security authority under statutes such as the Gramm-Leach-Bliley Act (GLBA) and FCRA; (ii) violated fair notice principles by failing to first promulgate applicable regulations; and (iii) failed to sufficiently plead certain elements of the unfairness and deception claims. The court rejected each of these arguments. First, the court held that the FTC does not need specific authority under Section 5 to enforce data security standards. The court reasoned that the data-security legislation the followed the FTC Act, such as GLBA and FCRA, provide the FTC additional data security tools that complement, rather than preclude, the FTC’s general authority under Section 5. Second, the court held that, to bring a Section 5 data security claim, the FTC is not required to provide notice of reasonable standards by issuing a new regulation because regulations are not the only means of providing sufficient fair notice. According to the court, industry standards, past FTC enforcement actions, and FTC business guidance provided sufficient notice of what constitutes reasonable security measures. Third, the court held that the FTC properly pled its unfairness and deception claims under the FTC Act.
On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers' Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to utilize existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).
- Daniel A. Bellovin to discuss “Perspectives on proposed private flood insurance” at a CoreLogic webinar
- Jonice Gray Tucker to discuss “How the new administration sets the tone for 2021” at the American Conference Institute Legal, Regulatory and Compliance Forum on Fintech & Emerging Payment Systems
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jeffrey P. Naimon to discuss "What to expect: The new administration and regulatory changes" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss "LO comp challenges" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable