InfoBytes Blog

Financial Services Law Insights and Observations

  • Democratic members ask FSOC to deem cloud providers as "systemically important"

    Privacy, Cyber Risk & Data Security

    On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of the Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based storage systems for the financial industry as systemically important financial market utilities. The letter is in response to the recent data breach announcement by a national bank (covered by InfoBytes here), in which an alleged former employee of the bank’s cloud-based storage provider gained unauthorized access to the personal information of credit card customers and people who had applied for credit card products. According to the Congresswomen, 57 percent of the cloud services market is “cornered by” three main providers, and “a lack of substitutability for the services provided by these very few firms creates systemic risk.” The letter argues that cloud services are not currently subject to an enforced regulatory regime and, “[w]ithout a dedicated regulatory regime proportional and tailored to their very unique structure and risks, cloud computing companies will continue to evade supervision.”

    Privacy/Cyber Risk & Data Security Data Breach Credit Cards FSOC Congress

  • State AGs and VSPs to collaborate on robocalls

    Privacy, Cyber Risk & Data Security

    On August 22, North Carolina Attorney General Josh Stein announced a bipartisan agreement between 51 state attorneys general and 12 voice service providers, adopting eight principles for fighting illegal robocalls and preventing consumer fraud. Under the principles, the voice providers will: (i) offer no-cost call-blocking technology, including easy-to-use call blocking and labeling tools; (ii) implement STIR/SHAKEN call authentication (as previously covered by InfoBytes, in June the FCC adopted a Notice of Proposed Rulemaking requiring voice providers to implement the caller ID authentication framework); (iii) analyze and monitor high-volume voice network traffic for robocall patterns; (iv) investigate suspicious calls and calling patterns and take appropriate action; (v) confirm identities of new commercial customers; (vi) require traceback cooperation in new and renegotiated contracts; (vii) provide for timely and comprehensive law enforcement efforts through cooperation in traceback investigations; and (viii) communicate with state attorneys general about recognized robocall scams and trends and potential solutions. AG Stein noted that the principles will also “make it easier for attorneys general to investigate and prosecute bad actors.”

    Privacy/Cyber Risk & Data Security State Attorney General Robocalls FCC

  • FCC adopts rules addressing spoofed texts and international robocalls

    Privacy, Cyber Risk & Data Security

    On August 1, the FCC announced the adoption of new rules that extend the Truth in Caller ID Act’s prohibitions against caller ID spoofing to text messages and international calls, implementing measures passed last year in the RAY BAUM’s Act. As previously covered by InfoBytes, the rules are supported by a bipartisan group of more than 40 state attorneys general and will allow the FCC to bring enforcement actions and assess fines against international players who try to defraud U.S. residents. While Commissioner Michael O’Rielly voted in favor of the measure, he raised concerns that the FCC may encounter problems when trying to enforce the rules across international borders. “As I expressed before, the expanded extraterritorial jurisdiction may prove difficult to execute in uncooperative nations and come back to bite us in other contexts,” O’Rielly stated. “In addition, the definitions of text messaging and voice services are broader than my liking and may cause future unintended consequences.” His statement did not specify what these unintended consequences might be.

    Privacy/Cyber Risk & Data Security FCC Robocalls

  • National bank announces data breach

    Privacy, Cyber Risk & Data Security

    On July 29, a national bank announced a data breach affecting approximately 100 million individuals in the United States and approximately six million in Canada. According to the announcement, the incident occurred on July 19 when an unauthorized individual obtained personal information of credit card customers and people who had applied for credit card products. The bank noted that no credit card account numbers or log-in credentials were compromised and over 99 percent of social security numbers were not compromised. The largest category of information accessed was consumer and small business information from applications submitted from 2005 through early 2019, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

    Upon discovery of the breach, the bank fixed the vulnerability that allowed for the individual to gain access and worked with the federal authorities, resulting in the arrest of the person allegedly responsible. The bank will notify and make free credit monitoring and identity protection available to those affected.

    Privacy/Cyber Risk & Data Security Data Breach Credit Cards

  • New York expands data breach notification laws

    Privacy, Cyber Risk & Data Security

    On July 25, the New York governor signed two bills designed to strengthen protections for consumers in the event their private information is compromised in a data breach.

    A 5635B, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) updates the state’s privacy law by expanding the definition of personal information and broadening the definition of a data breach. Notably, the SHIELD Act applies to any person or entity with access to a New York resident’s private information, regardless of whether or not the company conducts business in the state. Among other provisions, the SHIELD Act:

    • Requires all covered entities to adopt and implement “reasonable” administrative, technical, and physical safeguards to protect and dispose of sensitive data, as well as implement “reasonable” administrative safeguards, such as employee training;
    • Stipulates that a covered entity that is already regulated by, and in compliance with, certain existing applicable state or federal data security requirements (e.g., Gramm-Leach-Bliley Act, HIPAA, and 23 NYCRR Part 500—NYDFS’ Cybersecurity Regulation) is considered a “compliant regulated entity”;
    • Requires entities to promptly notify impacted individuals under new, broadened data breach notification requirements, which now include (i) “access to” private information as a trigger for notification, in addition to the existing “acquired” trigger; and (ii) expanded data types, including biometric data, email addresses, and corresponding passwords or security questions and answers;
    • Applies a more flexible standard for small businesses to ease regulatory burdens (qualifying small businesses must have fewer than 50 employees, under $3 million in gross annual revenue, or less than $5 million in assets) and will consider a small business compliant if its “security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business” to protect the security, confidentiality, and integrity of private information; and
    • Broadens the New York attorney general’s oversight regarding data breaches impacting state residents. The SHIELD Act further stipulates that actions may not be brought under the law’s provisions unless the action is commenced within three years following either the date on which the attorney general received notice of the violation, or the date the notice was sent to affected individuals, whichever occurs first. However, “[i]n no event shall an action be brought after six years from the date of discovery of the breach of private information by the company unless the company took steps to hide the breach.”

    The SHIELD Act takes effect March 21, 2020.

    A 2374, which was signed into law the same day, prohibits consumer credit reporting agencies from charging fees to consumers if the agency’s system was involved in a data breach involving social security numbers. Credit reporting agencies are required to provide “reasonable identity theft prevention services and, if applicable, identity theft mitigation services for a period not to exceed five years at no cost to such consumers.” The law applies to any breach of security of a consumer credit reporting agency that occurred in the last three years. This measure takes effect September 23.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach State Attorney General

  • FTC and DOJ announce $5 billion privacy settlement with social media company; SEC settles for $100 million

    Privacy, Cyber Risk & Data Security

    On July 24, the FTC and the DOJ officially announced (see here and here) that the world’s largest social media company will pay a $5 billion penalty to settle allegations that it mishandled its users’ personal information. As previously covered by InfoBytes, it was reported on July 12 that the FTC approved the penalty, in a 3-2 vote. This is the largest privacy penalty ever levied by the agency, almost “20 times greater than the largest privacy or data security penalty ever imposed worldwide,” and one of the largest ever assessed by the U.S. government for any violation. According to the complaint, filed the same day as the settlement, the company allegedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC, which allowed the company to share users’ data with third-party apps that were downloaded by users’ “friends.” Moreover, the complaint alleges that many users were unaware the company was sharing the information, and therefore did not take the steps needed to opt-out of the sharing. Relatedly, the FTC also announced a separate action against a British consulting and data analytics firm for allegedly using deceptive tactics to “harvest personal information from millions of [the social media company’s] users.”

    In addition to the monetary penalty, the 20-year settlement order overhauls the company’s privacy program. Specifically, the order, among other things, (i) establishes an independent privacy committee of the company’s board of directors; (ii) requires the company to designate privacy program compliance officers who can only be removed by the board’s privacy committee; (iii) requires an independent third-party assessor to perform biennial assessments of the company’s privacy program; (iv) requires the company to conduct a specific privacy review of every new or modified product, service, or practice before it is implemented; and (v) mandates that the company report any incidents in which data of 500 or more users have been compromised to the FTC.

    In dissenting statements, Commissioner Chopra and Commissioner Slaughter asserted that the settlement, while historic, does not contain terms that would effectively deter the company from engaging in future violations. Commissioner Slaughter argues, among other things, that the civil penalty is insufficient and believes the order should have contained “meaningful limitations on how [the company] collects, uses, and shares data.” Similarly, Commissioner Chopra argues that the order imposes no meaningful changes to the company’s structure or financial incentives, and the immunity provided to the company’s officers and directors is unwarranted.

    On the same day, the SEC announced that the company also agreed to pay $100 million to settle allegations that it misled investors about the risks it faced related to the misuse of its consumer data. The SEC’s complaint alleges that in 2015 the company was aware of the British consulting and data analytics firm’s misuse of its consumer data but did not correct its disclosures for more than two years. Additionally, the SEC alleges the company failed to have policies and procedures in place during that time that would assess the results of internal investigations for the purpose of making accurate disclosures in public filings. The company neither admitted nor denied the allegations.

    Privacy/Cyber Risk & Data Security FTC DOJ Settlement SEC FTC Act

  • U.K.’s ICO fines real estate management company for data security failures

    Privacy, Cyber Risk & Data Security

    On July 19, the United Kingdom’s Information Commissioner’s Office (ICO) issued a £80,000 fine against a London-based real estate management company for allegedly leaving over 18,000 customers’ personal data exposed for almost two years. According to the ICO, when the company transferred personal data from its server to a partner organization, the company failed to switch off an “anonymous authentication” function, which exposed all the data—including personal data such as bank statements, salary details, copies of passports, dates of birth, and addresses—stored between March 2015 and February 2017. The ICO alleges that the company failed to take appropriate technical and organizational measures to protect customers’ personal data and concluded the failures were “a serious contravention of the 1998 data protection laws which have since been replaced by the [General Data Protection Regulation] GDPR and the Data Protection Act 2018.”

    Privacy/Cyber Risk & Data Security GDPR Information Commissioner's Office
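
The ICO item above turns on a single setting left enabled: an "anonymous authentication" function on the server used for the data handoff. The post does not say which server software was involved, so the following is an added illustration, not the ICO's findings or the company's configuration. It assumes a vsftpd-style key=value config file (keys such as anonymous_enable and anon_upload_enable, with vsftpd's compiled-in default of anonymous_enable=YES) and audits a config for anonymous exposure before data is staged on it; the two sample configs are constructed here, one with the weak setting and one corrected.

```python
"""Audit an FTP server configuration for anonymous access before a data handoff.

Added example, not code from the ICO decision or the company involved. Assumes a
vsftpd-style key=value config; the setting names, their defaults and the sample
configs below are assumptions constructed for illustration.
"""
from __future__ import annotations

# Settings that widen anonymous exposure when YES, with the daemon's compiled-in
# default for each (assumption: vsftpd semantics; anonymous_enable defaults to YES
# when the key is absent, which is exactly how a share gets left open by accident).
ANON_SETTINGS: dict[str, tuple[str, str]] = {
    "anonymous_enable": ("YES", "anonymous FTP login permitted without credentials"),
    "anon_upload_enable": ("NO", "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("NO", "anonymous users may create directories"),
    "anon_other_write_enable": ("NO", "anonymous users may delete or rename files"),
}

# Constructed sample: a transfer share with anonymous login still switched on.
WEAK_CONFIG = """
# transfer share for partner handoff
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed sample: the same share with anonymous access explicitly disabled.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse key=value lines; blanks and '#' comments are ignored, later keys win."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_anonymous_access(text: str) -> list[str]:
    """Return one finding per anonymous-access setting that is effectively enabled.

    An absent key is resolved to the daemon's default rather than treated as safe,
    so an empty config still reports anonymous_enable as open.
    """
    settings = parse_config(text)
    findings: list[str] = []
    for key, (default, why) in ANON_SETTINGS.items():
        value = settings.get(key)
        effective = value if value is not None else default
        if effective == "YES":
            origin = "set explicitly" if value is not None else "key absent, compiled-in default"
            findings.append(f"{key}=YES ({origin}): {why}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_anonymous_access(cfg)
        print(f"{name}: {'OK' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run this as a gate in the transfer procedure (before any personal data is copied onto the share) rather than as a one-off: the ICO's point is that the exposure persisted for nearly two years, which a check that runs on every deployment of the config would have caught on day one. Treating a missing key as the daemon's default, not as "disabled", is the part most ad-hoc checks get wrong.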

  • FTC reportedly approves $5 billion privacy settlement with social media company

    Privacy, Cyber Risk & Data Security

    On July 12, it was reported that the FTC has approved a $5 billion penalty against the world’s largest social media company for allegedly mishandling its users’ personal information. The reported settlement would be the largest privacy penalty ever levied by the agency. According to reports, the settlement, which was approved in a 3-2 vote, resolves allegations that the company allowed a British consulting firm access to 87 million users’ personal data for political consulting purposes in violation of a 2012 privacy settlement with the FTC. Neither the FTC nor the social media company have commented on the reported settlement, which is still pending approval from the Department of Justice.

    Privacy/Cyber Risk & Data Security FTC Settlement

  • U.K.’s ICO announces two GDPR data breach actions

    Privacy, Cyber Risk & Data Security

    On July 8 and 9, the United Kingdom’s Information Commissioner’s Office (ICO) issued two notices of its intention to fine companies for infringements of the General Data Protection Regulation (GDPR). On July 8, the ICO announced it intended to fine a U.K.-based airline £183.39M for a September 2018 cyber incident, which, due to “poor security arrangements,” allowed attackers to divert user traffic on the airline’s website to a fraudulent site, making consumer details accessible. The airline notified the ICO about the incident, which compromised the data of approximately 500,000 consumers, and has cooperated with the ICO in the investigation and made improvements to its security arrangements. Additionally, on July 9, the ICO announced it intended to fine a multinational hotel chain £99,200,396 for failing to undertake sufficient due diligence when the chain purchased a hotel group in 2016, which had previously exposed 339 million guest records globally in 2014. The exposure was discovered in 2018, and the hotel chain thereafter reported the incident to the ICO, and has cooperated with the investigation and made improvements to its security arrangements. In both announcements, the ICO notes that it will, “consider carefully the representations made by the company and the other concerned data protection authorities” before issuing the final decision.

    Privacy/Cyber Risk & Data Security GDPR Information Commissioner's Office Of Interest to Non-US Persons

  • FCC Chairman proposes rules addressing spoofed texts and international robocalls

    Privacy, Cyber Risk & Data Security

    On July 8, FCC Chairman Ajit Pai proposed rules supported by a bipartisan group of more than 40 state attorneys general that would extend prohibitions against robocalls to caller ID spoofing of text messages and international calls, implementing measures passed last year in the RAY BAUM’s Act. Previously, anti-spoofing prohibitions applied only to domestic robocalls. According to Pai, “Scammers often robocall us from overseas, and when they do, they typically spoof their numbers to try and trick consumers. . . . With these new rules, we’ll close the loopholes that hamstring law enforcement when they try to pursue international scammers and scammers using text messaging.” The FCC will vote on the proposed rules at its August 1 meeting.

    As previously covered by InfoBytes, the FCC authorized voice service providers last month to automatically identify and block unwanted robocalls “based on reasonable call analytics, as long as their customers are informed and have the opportunity to opt out of the blocking.”

    Privacy/Cyber Risk & Data Security FCC Robocalls Ray Baum's Act
