
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB Issues Proposed Rule Seeking to Amend Procedures for Disclosing Certain Confidential Information

    Privacy, Cyber Risk & Data Security

    On August 24, the CFPB published a proposed rule seeking to amend procedures used by persons in the public domain to obtain information from the CFPB under the Freedom of Information Act, the Privacy Act of 1974 and legal proceedings. In part, the proposal also seeks to revise the 2013 final rule related to the “exchange of confidential supervisory information (CSI) with certain agencies.” Specifically, the CFPB proposes to remove the standard for sharing CSI, thereby utilizing the same standard for sharing information that is not considered CSI and giving the CFPB the discretion to disclose CSI to another agency “to the extent that the disclosure of the information is relevant to the exercise of the [agency’s] statutory or regulatory authority.” Among other things, if accepted, the proposal may allow the CFPB to establish a CSI sharing regime to include state attorneys general and other agencies without supervisory power. Comments are due by October 24, 2016.

    CFPB State Attorney General Agency Rule-Making & Guidance

  • FTC Announces Agenda for Ransomware Event

    Privacy, Cyber Risk & Data Security

    On September 7, the FTC will host its first in a series of events to look at emerging technologies raising consumer privacy and security concerns. Scheduled to take place in Washington, D.C., the first event will focus on ransomware, “one of the most challenging cybersecurity problems affecting consumers and businesses.” Panelists will discuss the scope and state of ransomware, the best defenses against it, and how victims should respond to hacker demands. The FTC will host the second and third events in the series on October 13 and December 7 with emphases on drones and smart TVs, respectively.

    FTC Privacy/Cyber Risk & Data Security

  • New York AG Schneiderman Announces $100,000 Settlement Over Data Security Practices

    Privacy, Cyber Risk & Data Security

    On August 5, New York AG Schneiderman announced that an online retailer will pay $100,000 in penalties to settle allegations that its weak security practices led to a data breach that potentially exposed more than 25,000 credit card numbers and cardholder data. According to AG Schneiderman, after a third party accessed the retailer’s website on August 7, 2014, a merchant bank notified the retailer on June 5, 2015 that customers’ credit card accounts were showing fraudulent charges. The retailer subsequently hired a company to conduct a forensic investigation, during which malware was found on and subsequently removed from the retailer’s website. AG Schneiderman contends that the retailer violated various sections of the New York State General Business Law by failing to notify its customers or law enforcement of the breach and by misrepresenting the safety and security of its website, also in breach of Executive Law § 63(12). In addition to the $100,000 penalty, the settlement requires that the retailer (i) conduct thorough and efficient investigations of future data security breaches; (ii) promptly notify New York law enforcement and affected customers of data security breaches; (iii) “maintain reasonable security policies and procedures designed to protect the personal information of consumers in accordance with New York State General Business laws”; (iv) remediate security vulnerabilities on its websites; and (v) train its employees with the most current data security practices.

    State Attorney General Privacy/Cyber Risk & Data Security

  • FTC Updates Consumer Information Page with New Online Tracking Guidance

    Privacy, Cyber Risk & Data Security

    Recently, the FTC updated its “Consumer Information” page with new online tracking guidance. The new guidance details how web browsers use first- and third-party “cookies” as an online tracking method to save consumers’ online preferences, eventually customizing their browsing experience and delivering ads targeted toward a specific consumer. Additional online tracking devices described in the FTC’s guidance include (i) flash cookies, which use Adobe Flash technology to store information about consumers’ online browsing activities; (ii) device fingerprinting, which identifies a specific consumer’s device based on browser configurations and settings and “can be used to track [consumers] on all kinds of internet-connected devices that have browsers, such as smart phones, tablets, laptops, and desktop computers”; and (iii) device identifiers, which monitor “different applications used on a particular device.” The guidance notes that consumers can limit the use of online tracking technologies by turning on “private browsing” in their browser settings, opting out of targeted advertising, and selecting the “Do Not Track” option, which is available in most browsers. Finally, the guidance also recommends that consumers “learn about tracker-blocking browser plugins,” which “prevent companies from using cookies or fingerprinting to track [consumers’] internet behavior.”

    FTC

  • FTC Determines Medical Testing Lab's Data Security Practices Unreasonable

    Privacy, Cyber Risk & Data Security

    On July 29, the FTC announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision to dismiss a 2013 FTC complaint against a Georgia-based medical testing laboratory (Respondent). In a 3-0 vote, the Commission determined that Respondent “failed to implement reasonable security measures to protect the sensitive consumer information on its computer network and therefore that its data security practices were unfair under Section 5 of the [FTC] Act.” In reversing the Initial Decision, the Commission concluded that Respondent’s security practices lacked “even basic precautions” to protect consumers’ sensitive information by, among other things, failing to (i) “use an intrusion detection system or file integrity monitoring”; (ii) “monitor traffic coming across its firewalls”; (iii) provide adequate data security training to its employees, finding that “essentially no data security training” was provided; and (iv) delete “any of the consumer data it had collected.” According to the Commission, such failures led to the exposure of medical and other sensitive information for 9,300 consumers on a peer-to-peer (P2P) network to which millions of users had access. The Commission reasoned that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” further noting that Respondent’s practices were also “likely to cause substantial injury,” as reasonably interpreted under Section 5(n), because (i) they led to the exposure of consumers’ sensitive information to the millions of P2P users; and (ii) “Complaint Counsel’s expert witnesses identified a range of harms that can and do result from the unauthorized disclosure of consumers’ sensitive personal information of the type maintained by [Respondent] on its computer network.” The Commission’s Final Order requires that Respondent, among other things, establish “a comprehensive information security program,” give notice to those consumers and companies affected by the disclosure on the P2P network, and obtain periodic independent, third-party assessments regarding the implementation of the new security program. After service of the Commission’s Opinion and Final Order, Respondent has 60 days to file a petition for review with a U.S. Court of Appeals.

    FTC Privacy/Cyber Risk & Data Security

  • Department of Agriculture Requests Comments on Continuation of, and Changes to, Registration Form to Request Electronic Access Code Information

    Privacy, Cyber Risk & Data Security

    On July 22, the Federal Register published the U.S. Department of Agriculture’s (USDA) request for comments on the Office of the Chief Information Officer’s (OCIO) intent to “request approval for the continuation of and changes to the [USDA] Registration Form to Request Electronic Access Code information collection to allow USDA customers to securely and confidently share data and receive services electronically.” The USDA’s eAuthentication Service (eAuth) collects customer and employee information in order to provide “public citizens as well as federal government employees with a secure single sign-on capability for USDA applications, management of user credentials, and verification of identity, authorization and electronic signatures.” The online self-registration process and identity proofing service, which is voluntary, permits USDA customers and employees to access USDA Web applications and services via the Internet. As it currently exists, the eAuth service allows customers to access USDA Web site portals through two Levels of Assurance (LOAs). LOA 1 provides limited access to portals and applications that have minimal security requirements. LOA 2 “enables users to conduct official electronic business transactions via the Internet, enter into a contract with the USDA, and submit forms electronically via the Internet to USDA agencies.” The OCIO is developing LOA 3, which, if authorized, would provide public citizens with accounts. LOA 3 would require the same level of self-registration and identity proofing as LOA 2, but would also incorporate strong multi-factor authentication credentials for access to secure, high-risk, or sensitive systems. Comments on the USDA’s notice are due by September 20, 2016.

    Privacy/Cyber Risk & Data Security

  • OCC Releases Semiannual Risk Perspective Report

    Privacy, Cyber Risk & Data Security

    On July 11, the OCC released its Semiannual Risk Perspective for Spring 2016, which generally provides an overview of supervisory concerns for the federal banking system and specifically presents data as of December 31, 2015 in the following areas: (i) operating environment; (ii) bank performance; (iii) key risk issues; and (iv) regulatory actions. Similar to the fall 2015 report, the current report identifies cybersecurity, third-party vendor management, business continuity planning, TRID, and BSA/AML compliance, among other things, as key areas of potential operational and compliance risk. Further, the report highlights the new Military Lending Act rule, effective October 3, 2016, as a new key potential risk. According to the report, the OCC’s supervisory priorities for the next twelve months will generally remain the same; moreover, the outlook for the OCC’s Large Bank Supervision and Midsize and Community Bank Supervision operating units will remain broadly similar.

    OCC Anti-Money Laundering Bank Secrecy Act Bank Supervision Military Lending Act Risk Management TRID Vendor Management Privacy/Cyber Risk & Data Security

  • European Union Approves EU-U.S. Privacy Shield

    Privacy, Cyber Risk & Data Security

    On July 12, the European Union (EU) finalized and adopted the EU-U.S. Privacy Shield for transatlantic data flows. As previously covered in InfoBytes, on October 6, 2015, the Court of Justice of the European Union declared in Schrems v. Data Protection Commissioner “invalid” a decision of the European Commission that the EU-U.S. Safe Harbor Framework provided adequate protection for personal data transferred from the EU to the U.S., thus requiring the EU and the U.S. to develop a new framework for transatlantic data transfers. The recently finalized EU-U.S. Privacy Shield is based on the following principles: (i) strong obligations on companies handling data, including requiring the Department of Commerce to regularly conduct updates and reviews of participating companies and tightening conditions for the onward transfers of data; (ii) clear safeguards and transparency obligations on the U.S. government, assuring that “the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms”; (iii) effective protection of individual rights, including complaint-handling mechanisms and the designation of an Ombudsperson independent from U.S. intelligence services to handle redress possibilities in the area of national security for EU citizens; and (iv) an annual joint review mechanism to monitor the functioning of the Privacy Shield. On July 12, the Commission simultaneously released a Q&A, a Fact Sheet, the “Adequacy Decision,” which will enter into force immediately after Member States are notified, and Annexes.

    Privacy/Cyber Risk & Data Security

  • CFPB Proposes to Amend Annual Privacy Notice Requirement Under Regulation P

    Privacy, Cyber Risk & Data Security

    On July 1, the CFPB issued a proposed rule to amend Regulation P, which implements the Gramm-Leach-Bliley Act (GLBA) and requires, among other things, financial institutions to provide their customers with an annual notice that describes their privacy policies and procedures. The proposed amendment would implement a December 2015 statutory change in Section 75001 of the “Fixing America’s Surface Transportation Act” (FAST Act). Pursuant to the FAST Act, the GLBA was amended so that financial institutions meeting certain criteria no longer need to send annual privacy notices. The CFPB’s recently issued proposed rule would amend Regulation P to implement the GLBA amendment. The CFPB’s proposed rule would further amend Regulation P to (i) provide timing requirements for the delivery of annual privacy notices for a financial institution that may originally qualify for the annual notice exception but then later changes its policies or practices so that it no longer meets the exception criteria; (ii) remove the Regulation P provision that allows financial institutions to post privacy notices online because the CFPB “believes the alternative delivery method will no longer be used in light of the annual notice exception”; and (iii) make a technical correction to one of its definitions.

    CFPB Gramm-Leach-Bliley Agency Rule-Making & Guidance

  • GAO Report Addresses Weaknesses in FDIC Information Security Controls

    Privacy, Cyber Risk & Data Security

    On June 29, the GAO published a report titled “Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed.” According to the report, notwithstanding recent efforts to implement effective information security controls to protect sensitive information and systems, the FDIC “continues to have unremediated weaknesses.” After examining the FDIC’s security systems, the GAO found that the FDIC’s user-authorization controls, although improved, remain vulnerable because the corporation failed to (i) implement an effective process for performing periodic reviews of user access rights; (ii) consistently disable inactive accounts; (iii) regularly document authorized modifications to user access; and (iv) identify authorization and recertification deficiencies. The report emphasizes that weaknesses in the user authorization controls “increase the risk that individuals may have greater access to financial data” than necessary. The report further notes that the corporation failed to fully implement, among other things, (i) encryption for all mainframe connections compliant with Federal Information Processing Standards Publications; (ii) effective audit and monitoring controls; (iii) procedures for controlling physical access to facilities; and (iv) management controls of security features for all hardware and software components to control for changes during a system’s life cycle. The GAO recommends that the FDIC improve its information security program by updating and implementing “access control procedures” and implementing additional monitoring of its “critical files.”

    FDIC GAO
