InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Buckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).
One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.
***
Click here to read full special alert.If you have questions about the report or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
FTC Announces First EU-U.S. Privacy Shield Enforcement Actions Over False Certification Claims
On September 8, the FTC announced settlements with three companies over allegations that they falsely claimed certification to take part in the European Union-U.S. Privacy Shield (EU-U.S. Privacy Shield) framework. These settlements mark the FTC’s first EU-U.S. Privacy Shield enforcement actions. In July 2016, the EU finalized and adopted the EU-U.S. Privacy Shield Framework, which established a mechanism for companies to transfer consumer data between the EU and the U.S. in compliance with specified obligations. (See previous InfoBytes summary here.) In separate complaints, the FTC alleges that a human resources software company, a printing services company, and a company that manages real estate leases for wireless companies, violated the FTC Act by falsely claiming that they were certified to participate in the EU-US Privacy Shield without having completed the certification process. According to the terms of the settlements as summarized in the FTC press release, the companies are all banned from “misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.”
Legislators, State Attorneys General, and Consumers React to Credit Reporting Agency Data Breach
As previously reported in InfoBytes, a major credit reporting agency suffered a data breach from mid-May through the end of July that impacted approximately 143 million U.S. consumers. Shortly after the agency disclosed the breach, several Republican and Democratic lawmakers promised legislative action. Senator Brian Schatz (D-Haw.) reintroduced the Stop Errors in Credit Use and Reporting (SECURE) Act to address these issues. In addition, two committees—the House Financial Services Committee and the House Energy and Commerce Committee—both announced plans to hold hearings on the breach (dates still to be released). Separately, Representative Ted Lieu (D-Cal.) sent a letter to the House Judiciary Committee requesting a hearing to investigate how and why the data breach occurred, and what measures can be taken to prevent future incidents.
At least two class action lawsuits have been filed—in Georgia and Oregon—as a result of the breach, and several state attorneys general, including New York Attorney General Eric T. Schneiderman, have launched investigations into the matter. The CFPB also released a blog post for consumers on ways to identify signs of fraud or identity theft.
Notably, on September 11, the agency issued an update for consumers announcing that “in response to consumer inquiries,” the arbitration clause and class action waiver included in its terms of use will not “apply to this cybersecurity incident.” The CFPB’s final arbitration rule, which prohibits the use of mandatory pre-disputer arbitration clauses, has been a point of considerable debate this summer, with the House voting to repeal the proposed rule and the Senate introducing a similar measure (see InfoBytes post here), while a coalition of state attorneys general have issued support for the proposed rule (see InfoBytes post here).
Credit Reporting Agency Announces Widespread Consumer Data Breach
On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identify theft protection.
FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security
On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops beginning in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”
According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (iii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software, which acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.
The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
FTC Announces Settlement with Ride-Sharing Company Over Privacy Allegations
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. Both counts, the FTC alleged, demonstrated false or misleading representations. In the press release, FTC Acting Chairman Maureen K. Ohlhausen said, “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the terms of the decision and order, the company has agreed to establish, implement, and maintain a written “comprehensive privacy program,” reasonably designed to: (i) “address privacy risks related to the development and management of new and existing products and services for consumers,” and (ii) “protect the privacy and confidentiality of Personal Information.” The company is also required to obtain biennial independent third-party assessments to address privacy controls requirements and “certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 15, at which point the FTC will decide whether to make the proposed consent order final.
National Insurance Company Settles States’ Investigation over 2012 Data Breach, Pays $5.5 Million in Settlement
On August 9, a national insurance company and its wholly-owned subsidiary reached a $5.5 million settlement with 32 states and the District of Columbia to resolve the states’ investigation into a 2012 data breach, which allegedly caused the personal information of certain consumers to be compromised—including social security and driver’s license numbers, as well as credit scoring information and other data. According to the states’ investigation, the October 2012 data breach occurred when hackers were able to exploit a vulnerability in the company’s website application hosting software. A security patch was later applied. Under the terms of the Assurance of Voluntary Compliance, the company agreed to a number of requirements, including:
- providing an online disclosure notifying consumers that personal information is retained even if they do not become insured;
- appointing an individual to oversee company security practices and manage and monitor software and application security updates, including security patch monitoring; and
- hiring an outside, independent provider to conduct a “patch management audit” of the company’s covered systems.
The majority of the requirements last three years.
The company, while admitting that it experienced a data breach, denied any liability or wrongdoing.
SEC Releases Risk Alert, IMF Issues White Paper on Cybersecurity Awareness
On August 7, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert entitled “Observations from Cybersecurity Examinations,” which provides findings and observations concerning industry practices and legal and compliance issues related to cybersecurity preparedness. The SEC examined 75 SEC registered firms as part of its Cybersecurity 2 Initiative and noted an improvement overall in terms of (i) creating and implementing cybersecurity policies and procedures and response plans; (ii) conducting periodic risk assessments to identify threats and vulnerabilities; (iii) implementing measures to ensure regular system maintenance checks; (iv) maintaining processes for identifying cybersecurity roles and responsibilities; (v) receiving authority from customers and shareholders concerning fund transfer authority; and (vi) conducting vendor risk assessments or requiring risk management from vendors. However, the SEC identified areas in need of improvement, such as failure to tailor or enforce policies and procedures or conduct adequate system maintenance to safeguard customer information. Also included in the alert are examples of best practices and guidance for firms to follow when implementing cybersecurity-related policies and procedures.
Separately, that same day the International Monetary Fund (IMF) released a working paper discussing cyber risk awareness and the policy measures, regulatory frameworks, and supervisory measures affecting financial institutions’ approaches to systemic cyber risk. The IMF paper, entitled “Cyber Risk, Market Failures, and Financial Stability,” presents an overview of recent cyberattacks on the financial services industry, and stresses that cyber risk management requires that risks identified as part of a threat identification process must be “actively managed” to “ensure that cybersecurity-related measures are appropriate for and commensurate with the underlying risk.” Risk avoidance, risk reduction, and risk transfer are options for effective management. The paper further notes that, as a result of a predominance of cyber risk assessment centering on individual institutions (which constructs a relatively narrow view), insufficient attention has been given to systemic cyber risk that occurs commonly when financial institutions are exposed to “access vulnerabilities, risk concentration, risk correlations, or contagion effects (including through reputational channels).” The paper states that a need exists for regulatory reform and effective policy change “to build resilience through investment in cyber security while giving institutions flexibility to address the risks in the way they see as optimal.” Suggestions for measures—including national and international coordination—to strengthen resilience to cyber risk are also provided.
NYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines
On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. (See previous InfoBytes summary here.) The regulation, Cybersecurity Requirements for Financial Services Companies, requires all banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain cybersecurity programs to safeguard consumers’ private data. The cyber portal is designed to facilitate easy reporting of cybersecurity events and will allow regulated entities to file compliance certifications. Starting August 28, 2017, all entities required to comply with NYDFS cybersecurity regulations “must file certain notifications to the [Financial Services] Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.” A cybersecurity event is reportable if it: (i) “impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (ii) “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” Additionally, covered entities are required to file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018.