
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC to Host Third PrivacyCon Event, Issues Call for Presentations

    Privacy, Cyber Risk & Data Security

    On June 8, the FTC announced it will hold its third PrivacyCon, which will “expand collaboration among leading privacy and security researchers, academics, industry representatives, consumer advocates, and the government” to explore “the privacy and security implications of emerging technologies, such as the Internet of Things, artificial intelligence and virtual reality.” Specific topics will cover ways to quantify the harm when companies fail to secure consumer information, and how to “balance the costs and benefits of privacy-protective technologies and practices.” Additionally, the FTC issued a call for presentations to receive research and input on several areas such as (i) the “nature and evolution of privacy and security risks”; (ii) “quantifying costs and benefits of privacy from a consumer perspective” and business perspective; and (iii) “incentives, market failures, and interventions.” Presentation submissions must be made by November 17, 2017. The event will take place on February 28, 2018 in Washington, DC.

    Privacy/Cyber Risk & Data Security FTC Fintech

  • NASAA to Convene Roundtable on Cybersecurity Developments

    Privacy, Cyber Risk & Data Security

    On May 31, the North American Securities Administrators Association (NASAA) announced it will hold a cybersecurity roundtable for industry experts to discuss latest developments as well as strategies for investment advisers and broker-dealers to protect personal client information. In addition to convening representatives from state securities agencies and the financial services industry, roundtable discussions will also feature representatives from the FBI, Treasury, and the SEC. The event will take place June 23 from 9 a.m. to 3:30 p.m. in Washington, DC. Registration information can be accessed here.

    Privacy/Cyber Risk & Data Security Securities FBI Department of Treasury SEC

  • FFIEC Releases Update to Cybersecurity Assessment Tool to Aid Institution Preparedness

    Privacy, Cyber Risk & Data Security

    On May 31, the Federal Financial Institutions Examination Council (FFIEC) announced the release of an update to the Cybersecurity Assessment Tool (CAT) developed to aid institutions in determining their risk profiles, identifying risks, and determining cybersecurity preparedness. The update details changes made to the FFIEC IT Examination Handbook and provides a revised mapping in Appendix A to the updated Information Security and Management booklets. The press release notes that “[m]anagement of financial institutions and management of third-party service providers are primarily responsible for assessing and mitigating their entities’ cybersecurity risk.” Outlined in Appendix A, the CAT is a framework designed to provide a “repeatable and measurable process” to measure cybersecurity in areas such as cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The CAT also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” Financial institutions can access additional cybersecurity risk management information here.

    Privacy/Cyber Risk & Data Security FFIEC Vendor Management

  • New York AG Settles Charges with Tech Company Over WiFi Lock Vulnerabilities

    Privacy, Cyber Risk & Data Security

    On May 22, New York Attorney General Eric T. Schneiderman announced that a Utah-based tech company agreed to settle allegations that, among other things, its wireless door locks and padlocks failed to protect consumers’ personal information, leaving consumers vulnerable to hacking and theft. This action marks the first time the Attorney General’s office has taken legal action against a wireless security company for failing to protect private data. Results from an August 2016 study, conducted by independent security researchers, reveal that the tech company’s Bluetooth-enabled locks “transmitted passwords between the locks and the user’s smartphone . . . without encryption” and also contained “weak default passwords.” Both issues allowed perpetrators to intercept passwords and open the locks. Under the terms of the settlement, the company agreed to reform its data security practices and implement a comprehensive security program.

    Privacy/Cyber Risk & Data Security Enforcement State Attorney General

  • U.S. Retailer Settles States’ Investigation Over 2013 Data Breach, Fined $18.5 Million in Settlement

    Privacy, Cyber Risk & Data Security

    On May 23, a major U.S. retailer reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the retailer’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. According to multiple state attorneys general, this represents the largest multistate data breach deal to date. According to the states’ investigation, the November 2013 security breach occurred when cyberattackers accessed the retailer’s customer service database to install malware that was able to capture consumers’ personal information, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. Under the terms of the Assurance of Voluntary Compliance, the retailer agreed to, among other things:

    • develop, implement, and maintain a comprehensive Information Security Program (Program) and required safeguards;
    • employ an executive or officer with information security experience responsible for executing the Program and advising the CEO and Board of Directors of security-related issues;
    • develop and implement risk-based policies and procedures for auditing vendor compliance with the Program;
    • maintain and support software on its network for data security purposes;
    • maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
    • segment its cardholder data environment from the rest of its computer network;
    • undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication;
    • deploy and maintain a file integrity monitoring solution; and
    • hire a third-party to conduct a comprehensive security assessment.

    The majority of the terms last five years.

    States involved issued press releases announcing their portions of the settlement. California Attorney General Xavier Becerra stated that California will be receiving more than $1.4 million from the settlement, the largest share of any state. Illinois, which co-led the investigation with the state of Connecticut, will receive more than $1.2 million from the settlement, according to Attorney General Lisa Madigan, who stated, “Today’s settlement . . . establishes industry standards for companies that process payment cards and maintain secure information about their customers.” Connecticut Attorney General George Jepsen noted that the retailer “deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement. I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”

    Privacy/Cyber Risk & Data Security Enforcement State Attorney General

  • Acting FTC Chairman Ohlhausen Welcomes New FCC Approach to Internet Openness

    Privacy, Cyber Risk & Data Security

    On May 18, Acting FTC Chairman Maureen Ohlhausen issued a statement on the FCC’s publication of a Notice of Proposed Rulemaking (NPRM) to “reinstate a light-touch regulatory approach protecting Internet openness.” The Notice proposes the following actions: (i) returning to the framework under Title I of the Communications Act instead of following Title II regulatory guidance; (ii) classifying mobile broadband Internet access service as “private mobile service”; and (iii) eliminating Title II’s “vague and expansive” Internet conduct standard, thus eliminating regulatory uncertainty. “I welcome the adoption of this NPRM as further progress toward restoring the FTC’s ability to protect broadband subscribers from unfair and deceptive practices, including violations of their privacy. Those consumer protections were an unfortunate casualty of the FCC’s 2015 decision to subject broadband to utility-style regulation. This new proceeding offers an opportunity to undo that decision and thereby return broadband consumers to the expert protection of the FTC,” stated Chairman Ohlhausen.

    Privacy/Cyber Risk & Data Security FTC FCC

  • House Passes Cyber Crime Bill

    Privacy, Cyber Risk & Data Security

    On May 16, the U.S. House of Representatives officially approved the Strengthening State and Local Cyber Crime Fighting Act of 2017 (H.R. 1616) in a vote of 408-3. The Act would amend the Homeland Security Act of 2012 to formalize the Secret Service’s National Computer Forensic Institute’s (NCFI) responsibilities for coordinating investigations into cyberattacks and hacks and would provide training and tools for state and local agencies dealing with electronic crime related threats. In an April press release issued by the bill’s sponsor, Rep. John Ratcliffe (R-Tex.), Chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, stated, “The [NCFI] has played a major role in equipping state and local law enforcement officers across the country with the tools they need to address the extra layers of complexity presented by the growing incidences of cybercrime.” Notably, the legislation, which now heads to the Senate, follows the recent international cyberattack that infected computer systems globally with the WannaCry ransomware (see previous InfoBytes coverage here).

    Privacy/Cyber Risk & Data Security U.S. House Federal Legislation

  • Ransomware Attack Has Global Impact, Bipartisan Legislation Introduced to Counter Hacking

    Privacy, Cyber Risk & Data Security

    On May 12, a cyberattack spread around the world, affecting more than 230,000 computers in roughly 150 countries, according to a statement issued by the American Bankers Association. The ransomware, known as “WannaCry,” was used to exploit a vulnerability that affects computers running Microsoft Windows (see Department of Homeland Security Alert). Users of infected computers received a message that their files had been encrypted and that they must pay a ransom in bitcoin in order to decrypt their files. However, as conveyed in a press release issued by the Financial Services - Information Sharing and Analysis Center (FS-ISAC), it appears that the majority of the attacks seem to be targeting and impacting non-financial sector entities globally. FS-ISAC “believes the current attacks utilize known vulnerabilities for which there are available software patches,” but that firms and service providers need to implement the patches. Agencies continue to monitor what may be the first in a series of attacks.

    SEC Office of Compliance and Examinations (OCIE) and FBI Issue Responses. The OCIE released a statement cautioning registrants to be vigilant in mitigating risk, and noted a recent OCIE study that determined a substantial number of registrants did not conduct periodic risk assessments, penetration tests, or vulnerability scans, while a smaller number had not updated critical security patches. The OCIE also provided links to guidance on cybersecurity risk management. Likewise, the FBI issued a bulletin providing guidance on additional protection measures following the attack.

    Bipartisan Legislation Introduced. On May 17, bipartisan legislation was introduced in the House and Senate to add transparency and accountability to the federal government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems. The bill, the Protecting our Ability To Counter Hacking (PATCH) Act, follows the apparently leaked NSA hacking tool which opened the door to the global “WannaCry” ransomware attack. It is sponsored by Senators Brian Schatz (D-Haw.), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.), and Representatives Ted Lieu (D-Cal.) and Blake Farenthold (R-Tex.). As described in a release issued by Sen. Schatz’s office, the proposed legislation would make the Vulnerabilities Equities Process (VEP) more permanent, while altering its structure. It would also make the Department of Homeland Security the chair of the interagency board overseeing the VEP. Under the bill, the NSA and other security agencies would still be a permanent part of the board, while other agencies and the White House's National Security Council could attend meetings if the board deems it necessary. The established board would also produce a report for Congress on the policies it establishes regarding the disclosure of vulnerabilities no later than 180 days after the enactment of the Act. An unclassified version of the report will be publicly available as well. “Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy,” Sen. Schatz noted. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

    Coalition for Cybersecurity Policy and Law. The legislation has already received support. The Coalition issued the following statement in support of the proposed bill: “We support the goals of the PATCH Act and we look forward to working with Chairman Johnson, Senators Schatz and Gardner, and Reps. Lieu and Farenthold as it moves forward in both chambers. The events of the past week clearly demonstrate the real-world consequences of exploited vulnerabilities. Governments have a critical role in getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery.”

    Privacy/Cyber Risk & Data Security ABA SEC Congress Federal Legislation

  • FTC, Federal, State, and International Partners Announce Crackdown on Tech Support Scams

    Privacy, Cyber Risk & Data Security

    On May 12, the FTC, along with federal, state and international law enforcement partners, announced new enforcement actions in its “Operation Tech Trap” program. The program is designed to crack down on tech support scams that, among other things, deceive consumers into believing their computers are infected with viruses and malware and then charge them for unnecessary repairs. According to the FTC, its Operation Tech Trap partners have brought 29 law enforcement actions against deceptive tech support operations in the last year. Among the four new complaints announced on May 12, the FTC has already been granted temporary restraining orders in three of the cases to stop the tech support companies’ deceptive practices, freeze their assets, and appoint a temporary receiver to take control of them.

    The FTC also announced a settlement in a pending action brought by the FTC and the Attorneys General of Connecticut and Pennsylvania against two defendants who allegedly participated in deceptive acts and practices in connection with the advertising, marketing, and sale of computer security or technical support products and services. Under the terms of the settlement, the defendants are subject to a money judgment in excess of $27 million. The stipulated final order has been entered by the U.S. District Court for the Eastern District of Pennsylvania. In addition to the FTC and state cases, DOJ brought federal criminal charges against seven individuals, two of whom have entered guilty pleas, for their participation in an international “Tech Support Scam.” Moreover, with respect to its international efforts, Operation Tech Trap is working with authorities in India to crack down on tech support scammers, and has also instituted consumer and business education outreach initiatives with Australia and Canada.

    Privacy/Cyber Risk & Data Security FTC Enforcement State Attorney General DOJ

  • FTC Launches New Website for Small Businesses, Provides Resources to Avoid Scams and Cyberattacks

    Privacy, Cyber Risk & Data Security

    On May 9, the FTC announced the launch of its new website—ftc.gov/SmallBusiness—designed to provide useful information so small businesses can protect their networks and customer data from scams and cyberattacks. The website offers specific guidance such as the Small Business Computer Security Basics guide, which shares computer security basics to help companies: (i) protect their files and devices; (ii) train employees to think twice before sharing the business’s account information; (iii) keep their wireless networks protected; and (iv) respond to data breaches. Information on other cyber threats such as ransomware and phishing schemes that target small businesses is also provided. According to the FTC, the U.S. Small Business Administration reports that “there are more than 28 million small businesses nationwide” that are at risk, many of which lack the resources larger companies have to spend on cybersecurity. Further, the FTC noted that Symantec Corp. found that “the percentage of spear-phishing attacks targeting small business rose dramatically from 18 percent to 43 percent between 2011 and 2015.”

    Privacy/Cyber Risk & Data Security FTC Consumer Education
