InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Vermont legislation regulates data brokers and provides consumer protections
On May 22, a Vermont bill, established to regulate data brokers and provide consumers with protections against companies that collect, analyze, and sell their personal information, was enacted without the governor’s signature. Among other things, H.764: (i) requires data brokers to pay a $100 fee to register annually with the Vermont Secretary of State and publicly disclose information about data collection practices and opt-out policies; (ii) requires companies to implement measures to ensure they have “adequate security standards” to safeguard against data breaches; (iii) prohibits the “acquisition of personal information with the intent to commit wrongful acts”; and (iv) prohibits credit reporting agencies from charging consumers fees for the placement, removal, or temporary lift of a security freeze. The credit freeze provisions became effective upon passage. The data broker provisions take effect January 1, 2019.
Court preliminarily approves $80 million settlement for shareholders after global internet company data breach
On May 9, the U.S. District Court for the Northern District of California granted a preliminary approval of a settlement between a global internet media company and its shareholders over alleged securities law violations related to cybersecurity breaches in 2013 and 2014. The $80 million settlement resolves a consolidated shareholder action accusing the company of making misleading statements to shareholders about the company’s data security. According to the order, the settlement applies to all shareholders who acquired the company’s securities between April 30, 2013 and December 14, 2016. As previously covered by InfoBytes, the company was recently ordered by the SEC to pay $35 million to resolve allegations related to the same cybersecurity incidents.
FTC settles with cellphone manufacturer over data security issues
On April 30, the FTC and a Florida cellphone manufacturer entered into a settlement over allegations that the manufacturer allowed third party data collection from customer phones after falsely claiming data collection was limited only to information needed by the third parties to perform requested services. According to the complaint, released at the same time as the settlement, the manufacturer contracted with a Chinese technology company to issue security and operating system updates to the manufacturer’s devices. When issuing those updates, the Chinese company collected and transferred personal information about the device owners without their consent or knowledge, including text messages, call logs, and contact lists. In November 2016, the public became aware of this practice and the manufacturer issued a notice informing its customers that the Chinese company changed its software to no longer collect the personal information. However, the manufacturer allegedly continued to allow this practice on older devices. The FTC alleges that the manufacturer failed to perform adequate due diligence in the selection of the Chinese company and failed to adopt and implement written security standards for their third-party providers. Under the settlement, the manufacturer, among other things, is (i) prohibited from future misrepresentations about security and privacy; (ii) required to establish and implement a comprehensive data security program; and (iii) subject to data security assessments every two years by a third party for the next 20 years.
Global internet media company fined $35 million for cybersecurity breach disclosures
On April 24, the SEC ordered a global internet media company, acquired in 2017 by a global communications company, to pay $35 million to settle claims alleging that the company failed to disclose a 2014 cybersecurity breach in which Russian hackers stole data from over 500 million user accounts. Compromised private user information included usernames, email addresses, phone numbers, birthdates, passwords, and security questions and answers. According to the SEC’s cease-and-desist order, during the two years following the breach, the internet media company (i) failed to inform outside counsel or auditors of the breach in order to assess public filing disclosure obligations; (ii) failed to maintain internal disclosure controls and procedures designed to guarantee that the company’s information security team reports addressing actual data breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure; and (iii) made misleading statements in its public filings that warned investors only of the “risk of potential future data breaches” without disclosing the 2014 data breach. The SEC claimed that the disclosure violations continued as acquisition discussions were held in 2016 and resulted in renegotiation of the terms of the company’s sale, including a 7.25 percent reduction in price. The company ultimately disclosed the breach to the public in September of 2016. In agreeing to the settlement, the company neither admitted nor denied the SEC’s findings, except as to the SEC’s jurisdiction over the matter.
FDIC OIG releases Special Inquiry Report to address breach response plan
On April 16, the FDIC’s Office of Inspector General (OIG) released its Special Inquiry Report—“The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches”—which contains findings from an examination of the FDIC’s practices and policies related to data security, incident response and reporting, and Congressional interactions. The Special Inquiry Report is the culmination of a request made by the former Chairman of the Senate Committee on Banking, Housing, and Urban Affairs in 2016, and focuses on the circumstances surrounding eight information security incidents that occurred in 2015 and 2016—seven of which involved personally identifiable information and constituted data breaches. An eighth incident involved the removal of “highly sensitive components of resolution plans submitted by certain large systemically important financial institutions without authorization” by a departing FDIC employee.
According to the report, the OIG asserts that, among other things, the FDIC failed to (i) put in place a “comprehensive incident response program and plan” to handle security incidents and breaches; (ii) clearly document risk assessments and decisions associated with data incidents; (iii) fully consider the range of impacts on bank customers whose information was compromised; (iv) promptly notify consumers when an incident occurred and did not adequately consider notifications as a separate decision from whether it would provide credit monitoring services; (v) for at least one incident, failed to convey the seriousness of the breach; and (vi) provide timely, accurate, and complete responses to Congressional requests to gather information about how the agency was handling the incidents.
As a result of these findings, the OIG presented recommendations and timeframes for the FDIC to “address the systemic issues.” Recommendations include: (i) clearly defining roles and responsibilities within the FDIC Breach Response Plan, and establishing procedures “consistent with legal, regulatory, and/or operational requirements for records management”; (ii) establishing a separation between consumer breach notifications and the offer of credit monitoring services; (iii) adhering to established timeframes for reporting incidents to FinCEN when suspicious activity report information has been compromised; (iv) conducting an annual review of the Breach Response Plan to confirm that that the guidance has been consistently followed during the preceding year; (v) developing guidance and training to ensure that employees and contractors are fully aware of the legal consequences of removing any sensitive information from FDIC premises before they depart; (vi) ensuring that FDIC policies, procedures, and practices result in complete, accurate statements and representations to Congress, and updating and correcting prior statements and representations as necessary; (vii) clarifying “legal hold policies and processes”; and (viii) specifying that the Office of Legislative Affairs is responsible for “providing timely responses to Congressional requests and communicating with Congressional staff regarding those requests.”
The FDIC concurred with the recommendations and has completed corrective actions for two, with plans to address the remaining recommendations between June and December of this year. The FDIC has also agreed to keep the OIG informed of the progress made to address the identified performance issues.
National Institute of Standards and Technology issues updated cybersecurity framework
On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. Updates to Cybersecurity Framework Version 1.1 (Framework) incorporate comments received from public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations to clarify that the Framework can be used to promote compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process for which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruptions when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”
As previously covered in InfoBytes, last year President Trump issued an Executive Order directing federal agencies to follow NIST’s Framework to manage cybersecurity risk.
States pass legislation updating security freeze laws
On April 12, the Kansas governor signed HB 2580, which amends existing law to prohibit consumer reporting agencies (CRAs) from charging a fee to a consumer for placing, temporarily lifting, or removing a security freeze on his or her credit report. Moreover, it prevents CRAs from charging fees for replacing a previously requested personal identification number. The law is effective July 1.
Additionally, on April 10, the Iowa governor signed SF 2177, which updates the state’s security freeze law to prohibit CRAs from charging a fee to a consumer for placing, temporarily lifting, removing, or reinstating a security freeze on his or her credit report. Additionally, among other things, the law (i) expands the methods a consumer may use to submit a request for a security freeze; (ii) reduces the number of days CRAs must commence a security freeze after receiving a request from five to three business days; (iii) requires CRAs to send written confirmation within three business days to a consumer after placing a security freeze; and (iv) states that if a consumer requests a security freeze from a CRA that “compiles and maintains files on a nationwide basis,” the CRA must attempt to identify other CRAs that also maintain nationwide files so that the consumer may request additional security freezes. The amendments generally take effect July 1, with the exception of certain provisions that take effect January 1, 2019.
Visit here for additional InfoBytes coverage on states that have recently enacted similar prohibitions.
Arizona governor amends data breach law, updates security freeze legislation
On April 11, the Arizona governor signed HB 2154 to amend the state’s existing data breach notification law. The amendments require entities conducting business in the state that maintain, own, or licenses unencrypted and unredacted computerized data to conduct a reasonable investigation of possible breaches of personal information. Owners or licensees of personal information must then notify affected individuals within 45 days, pending the needs of law enforcement. Key amendment highlights are as follows:
- makes revisions to definitions, which include (i) expanding “personal information” to include a combination of a user’s name, password/security question, and answer that grants access to an online account; (ii) defining the term “redact”; and (iii) clarifying that a “specified data element” now includes an individual’s unique “private key” used when authenticating or signing an electronic record;
- adds a requirement that for breaches impacting more than 1,000 individuals, the Attorney General and the three largest consumer reporting agencies must be notified in writing;
- amends a provision concerning “substitute notice,” which removes requirements that a notification must to be sent to affected individuals via email as well as notifying major statewide media. The amendments now stipulate that an entity is required to notify the Attorney General’s office in writing to demonstrate the reasons for substitute notice in addition to posting a notice on the entity’s website for at least 45 days; and
- clarifies a section that states entities are no longer required to notify affected individuals if an independent third-party forensic auditor or law enforcement agency “determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
Separately, on April 3, the governor signed SB 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password.
Both bills are scheduled to take effect 91 days after the end of the legislative session.
9th Circuit amended opinion holds company not vicariously liable under TCPA
On April 4, the U.S. Court of Appeals for the 9th Circuit issued an amended opinion to further affirm a district court’s decision to grant summary judgment in favor of a defendant concerning allegations that it was vicariously liable for telemarketing activity in violation of the Telephone Consumer Protection Act (TCPA). The three-judge panel held that the defendant, who sells vehicle service contracts (VSCs) through automobile dealers and “marketing vendors,” was not vicariously liable under the TCPA for calls made by telemarketers employed by a company that sold VSCs for the defendant and multiple other companies. Last August, the three-judge panel determined that the company’s telemarketers acted as independent contractors, rather than as the defendant’s agents. In amending their opinion, the three-judge panel further determined that the telemarketers lacked actual authority (under express language contained within the parties’ contract) to place the unlawful calls, and that the defendant “exercised insufficient control over the manner and means of the work to establish vicarious liability under the asserted theory.”
State judge says Massachusetts can sue credit reporting agency over data breach
On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts Attorney General plausibly suggests that the company violated such regulations by knowing of certain vulnerabilities and failing to properly address them. As previously covered by InfoBytes, Massachusetts was the first state to file an action against the credit reporting agency after its September 2017 announcement of a data breach which affected over 143 million consumers.